-dir = ./CA # Where everything is kept
-
-[ ca ]
-default_ca = CA_default # The default ca section
-
-[ CA_default ]
-certs = $dir/certs # Where the issued certs are kept
-crl_dir = $dir/crl # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-new_certs_dir = $dir/newcerts # default place for new certs.
-certificate = $dir/cacert.pem # The CA certificate
-serial = $dir/serial # The current serial number
-crlnumber = $dir/crlnumber # the current crl number
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/private/cakey.pem # The private key
-x509_extensions = usr_cert # The extentions to add to the cert
-name_opt = ca_default # Subject Name options
-cert_opt = ca_default # Certificate field options
-crl_extensions = crl_ext
-default_days = 365 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = default # use public key default MD
-preserve = no # keep passed DN ordering
-policy = policy_match
-
-[ policy_match ]
-countryName = optional
-stateOrProvinceName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = optional
-emailAddress = optional
-
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = optional
-emailAddress = optional
-
-[ req ]
-default_bits = 4096
-default_md = sha1
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-x509_extensions = v3_ca # The extensions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-input_password = demo
-output_password = demo
-
-string_mask = utf8only
-req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_min = 2
-countryName_max = 2
-#stateOrProvinceName = State or Province Name (full name)
-#localityName = Locality Name (eg, city)
-0.organizationName = Organization Name (eg, company)
-organizationalUnitName = Organizational Unit Name (eg, section)
-commonName = Common Name (eg, your name or your server\'s hostname)
-commonName_max = 64
-emailAddress = Email Address
-emailAddress_max = 64
-# SET-ex3 = SET extension number 3
-
-##
-## DEFAULT VALUES
-##
-countryName_default = DE
-#stateOrProvinceName_default = Berlin
-#localityName_default = Berlin
-0.organizationName_default = Example
-organizationalUnitName_default = Certificate Authorities
-commonName_default = Intermediate CA
-
-[ req_attributes ]
-#challengePassword = A challenge password
-#challengePassword_min = 4
-#challengePassword_max = 20
-#unstructuredName = An optional company name
-
-[ usr_cert ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-subjectAltName=email:move
-issuerAltName=issuer:copy
-
-[ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer
-basicConstraints = critical, CA:true
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ v3_intermediate_ca ]
-# Extensions for a typical intermediate CA (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true, pathlen:0
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ crl_ext ]
-issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always
-
-[ server_ext ]
-extendedKeyUsage=serverAuth
-
-[ user_ext ]
-extendedKeyUsage=clientAuth,emailProtection