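# OpenSSL CA configuration (OpenSSL conf syntax, not generic INI):
#   - '$dir' is expanded by OpenSSL's config parser
#   - '\\' inside a value is an escaped single backslash, so
#     '$dir\\index.txt' ends up as '.\index.txt' (Windows-style paths)
#   - '#' starts a comment; comments are kept on their own line here
# Read with 'openssl ca -config <this file>'; the [ req ] section also makes
# it usable with 'openssl req -config <this file>'.

[ ca ]
default_ca = CA_default

[ CA_default ]
# Default settings for the CA
# CA directory: every file below lives in the working directory
dir = .
# Certificates directory
certs = $dir
# CRL directory
crl_dir = $dir
# New certificates directory
new_certs_dir = $dir
# Certificate index file
database = $dir\\index.txt
# Serial number file
serial = $dir\\serial
# Random seed file (older releases; newer OpenSSL may not use it - confirm for your version)
RANDFILE = $dir\\.rand
# Root CA private key; keep this file's permissions restricted to the CA
# operator, since it sits next to everything else in the working directory
private_key = $dir\\ca.key
# Root CA certificate
certificate = $dir\\ca.crt
# Root CA CRL
crl = $dir\\ca.crl.pem
# Root CA CRL number
crlnumber = $dir\\crlnumber
# CRL extensions (see [ crl_ext ])
crl_extensions = crl_ext
# Default CRL validity in days (3000 days is roughly 8.2 years). Relying
# parties that cache a CRL this long-lived may not see a revocation until a
# fresh CRL is generated and published; shorten this outside of testing.
default_crl_days = 3000
# Default message digest
default_md = sha256
# Preserve existing extensions
preserve = no
# Exclude email from the DN
email_in_dn = no
# Formatting options for names
name_opt = ca_default
# Certificate output options
cert_opt = ca_default
# Certificate policy (see [ policy_strict ])
policy = policy_strict
# Allow several valid certificates with the same subject in the index
unique_subject = no
# Extensions added to every certificate issued by 'openssl ca' unless
# overridden on the command line with -extensions
x509_extensions = extensions_section

[ req ]
# Makes [ req_distinguished_name ] reachable from 'openssl req -config'.
# prompt = no because the fields below are literal values, not prompts.
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
C = SE
O = virot.eu
CN = Evil Virot

[ extensions_section ]
# Extensions for certificates issued through CA_default
# Where clients fetch the CRL. Many relying parties only fetch http://
# distribution points; with an https:// URI, revocation checking may be
# silently skipped - confirm against the consumers of these certificates.
crlDistributionPoints = URI:https://tools.virot.eu/test2.crl
# Fixed subject key identifier written into EVERY certificate issued with
# this section. The usual setting is 'hash', and RFC 5280 expects the value
# to be derived from the certificate's public key; keep a constant here only
# if it is intentional, and say why.
subjectKeyIdentifier = D0:F4:E3:2B:DF:5B:86:29:D3:B8:28:96:70:95:32:63:AC:53:BC:4C
# TLS server/client authentication plus 1.3.6.1.4.1.311.20.2.2, the
# Microsoft Smart Card Logon EKU. The last one allows Windows logon, so
# issuance under this section should be limited to subjects that need it.
extendedKeyUsage = serverAuth, clientAuth, 1.3.6.1.4.1.311.20.2.2
keyUsage = critical, digitalSignature

[ policy_strict ]
# Policy applied by CA_default. Despite the name, only commonName is
# required and nothing is forced to equal the issuer's DN. Allowed values:
# match (must equal the CA's value), supplied (must be present),
# optional (may be absent). Use 'match' to enforce issuer equality.
# Country; may differ from the issuer's
countryName = optional
# State; may differ from the issuer's
stateOrProvinceName = optional
# Organisation; may differ from the issuer's
organizationName = optional
# Organizational unit is optional
organizationalUnitName = optional
# Must provide a common name
commonName = supplied
# Email address is optional
emailAddress = optional

[ v3_ca ]
# Root CA certificate extensions (select with -extensions v3_ca)
# Subject key identifier
subjectKeyIdentifier = hash
# Authority key identifier
authorityKeyIdentifier = keyid:always,issuer
# pathlen:0 means no subordinate CA may sit below this certificate; if the
# [ v3_intermediate_ca ] profile is meant to be issued by this root, the
# resulting chain will fail path-length validation.
basicConstraints = critical, CA:true, pathlen:0
# Key usage for a CA
keyUsage = critical, keyCertSign, cRLSign

[ crl_ext ]
# CRL extensions
# Authority key identifier
authorityKeyIdentifier = keyid:always,issuer

[ v3_intermediate_ca ]
# Intermediate CA extensions (select with -extensions v3_intermediate_ca)
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# Intermediate may issue end-entity certificates only
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign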