# OpenSSL example configuration file for IPsec certificates.
# 2002 by Andreas Steffen, Zuercher Hochschule Winterthur


####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir		= /usr/ssl		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crls		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crl		= $dir/crls/crl.pem	# The current CRL
private_key	= $dir/private/cakey.pem # The private key

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= md5			# which md to use.

x509_extensions = usr_cert              # The extentions to add to the cert

policy          = policy_match          # default policy

[ policy_match ]
countryName		= match
localityName		= optional
organizationName	= supplied
organizationalUnitName	= optional
commonName		= supplied

####################################################################
[ req ]

default_bits		= 1024
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extentions to add to the self signed cert

# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
string_mask = nombstr

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= DE
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State

localityName			= Locality Name (eg, city)
localityName_default		=

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= Kool AG

organizationalUnitName		= Organizational Unit Name (eg, section)
organizationalUnitName_default	=

commonName			= Common Name (eg, YOUR name)
commonName_max			= 64

[ req_attributes ]

##################################################################
[ usr_cert ]

# These extensions are added when 'ca' signs a request.

basicConstraints = critical, CA:FALSE

# This is typical for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Specifies a URI where a CRL can be retrieved from 
#crlDistributionPoints = URI:http://www.kool.de/ca/cert.crl

# Alternate Host ID (FQDN) <uncomment and edit>
#subjectAltName = critical, DNS:gateway.kool.de

# Alternate User ID (USER_FQDN) <uncomment and edit>
#subjectAltName = critical, email:antje@kool.de

#################################################################
[ v3_ca ]

# Extensions for a typical CA

basicConstraints = critical, CA:true

# This is typical for a CA certificate.
keyUsage = cRLSign, keyCertSign