[ ca ]
default_ca = myca

[ myca ]
dir           = gen
certs         = $dir # Where the issued certs are kept
crl_dir       = $dir # Where the issued crls are kept
database      = $dir/certindex # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate   = $dir/ca_intermediate.crt # The CA certificate
private_key   = $dir/ca_intermediate.key
serial        = $dir/certserial # The current serial number
crlnumber     = $dir/crlnumber # the current crl number

unique_subject   = no
default_days     = 36525
default_md       = sha1
x509_extensions  = myca_extensions
default_crl_days = 36525 # this is required to generate CRL from this config
policy           = myca_policy

[ myca_policy ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional


[ myca_extensions ]
basicConstraints       = CA:false
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
keyUsage               = digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
#crlDistributionPoints = URI:localhost/root.crl # will make certificate revocation fail if this endpoint does not exist

[ req ]
default_bits        = 4096
default_md          = sha256
distinguished_name  = req_distinguished_name
encrypt_key         = no
prompt              = no
x509_extensions     = req_v3_ca

[ req_distinguished_name ]
countryName         = DK
localityName        = Copenhagen
organizationName    = WinTLS
commonName          = WinTLS Intermediate Certificate Authority

[ req_v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:true
keyUsage               = cRLSign, keyCertSign