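##
## OpenSSL CA configuration for the XKMS PKI.
## Consumed by "openssl ca" / "openssl req" through -config; relies on
## OpenSSL's $variable expansion, so DEST and dir must be defined before
## they are referenced.
##
DEST = /opt/xkms/openssl
# Seed file; only consulted by OpenSSL < 1.1.1, ignored by newer builds.
RANDFILE = $DEST/.rnd

###
### THE TYPES OF CERTIFICATION AUTHORITIES
###

##
## This is our "root" CA. It only creates sub-CA's (level1-ca, xkms-ca),
## so everything it signs is expected to carry the ca_cert extensions.
##
[ root_ca ]
# Where everything is kept
dir = $DEST/root-ca
# private random number file
RANDFILE = $dir/.rand
# The current serial number
serial = $dir/serial
# database index file
database = $dir/index.txt
# The CA certificate
certificate = $dir/cert.pem
# The private key. Store it passphrase-encrypted and readable only by the
# CA operator (mode 0600); it is the most sensitive file in the hierarchy.
private_key = $dir/key.pem
# The current CRL
crl = $dir/crl.pem
# default place for new certs
new_certs_dir = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crls
# Default extensions added to issued (sub-CA) certificates
x509_extensions = ca_cert
# Lifetime of issued certificates; four years
default_days = 1460
# how long before next CRL
default_crl_days = 30
# Signature digest. SHA-1 signatures are rejected by current browsers,
# by OpenSSL at security level >= 1 and by most TLS stacks; use SHA-256.
# (Can still be overridden per run with "openssl ca -md".)
default_md = sha256
# keep passed DN ordering
preserve = yes
# Policy for building the DN's
policy = root_name_policy
# Email goes into subjectAltName (see extension sections), not the DN
email_in_dn = no

# Root DN naming policy. C and O must match the root's own DN;
# OU, CN and email are optional.
[ root_name_policy ]
countryName = match
organizationName = match
organizationalUnitName = optional
commonName = optional
emailAddress = optional

##
## The CA that creates internal servers, and SSL certificates.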
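[ level1_ca ]
dir = $DEST/level1-ca
RANDFILE = $dir/.rand
serial = $dir/serial
database = $dir/index.txt
certificate = $dir/cert.pem
# Keep passphrase-encrypted, mode 0600
private_key = $dir/key.pem
crl = $dir/crl.pem
new_certs_dir = $dir/certs
crl_dir = $dir/crls
# Default extension profile for certificates this CA issues. This CA
# issues end-entity server certificates, so the default must be the
# end-entity profile: with ca_cert here every signed request would come
# out with basicConstraints CA:true and could itself sign further
# certificates. Pass "-extensions ca_cert" explicitly if a sub-CA ever
# has to be issued from here.
x509_extensions = ssl_cert
# two years
default_days = 730
default_crl_days = 30
# SHA-1 signatures are no longer accepted by current clients
default_md = sha256
preserve = yes
policy = level1_name_policy
email_in_dn = no

# Server DN policy: C and O must match the CA's, CN is required
# (it is what legacy clients match the host name against).
[ level1_name_policy ]
countryName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

##
## The CA that issues XKMS user certificates.
##
[ xkms_ca ]
dir = $DEST/xkms-ca
RANDFILE = $dir/.rand
serial = $dir/serial
database = $dir/index.txt
certificate = $dir/cert.pem
# Keep passphrase-encrypted, mode 0600
private_key = $dir/key.pem
crl = $dir/crl.pem
new_certs_dir = $dir/certs
crl_dir = $dir/crls
# End-entity user profile (CA:FALSE)
x509_extensions = user_cert
# one year
default_days = 365
default_crl_days = 30
# SHA-1 signatures are no longer accepted by current clients
default_md = sha256
preserve = yes
policy = xkms_name_policy
email_in_dn = no

# User DN policy: C and O must match the CA's; CN and email are required
# (the email is moved into subjectAltName by the user_cert profile).
[ xkms_name_policy ]
countryName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied

###
### EXTENSIONS FOR CERTIFICATE TYPES
###

# Profile for CA certificates (root self-signed and sub-CAs).
# NOTE(review): the sub-CAs only issue end-entity certificates, so a
# separate sub-CA profile with "basicConstraints = critical,CA:true,pathlen:0"
# would stop a compromised sub-CA key from minting further CAs; pathlen:0
# must NOT be put in this shared section, as it would also apply to the
# root and break the hierarchy.
[ ca_cert ]
subjectKeyIdentifier = hash
# Lets verifiers pick the right issuer key during chain building
authorityKeyIdentifier = keyid:always
# If you run into broken software, turn off the "critical" bit
basicConstraints = critical,CA:true
#basicConstraints = CA:true
# Critical so a CA certificate cannot be (mis)used as a TLS or signing
# end-entity key; same "broken software" caveat as basicConstraints.
keyUsage = critical, cRLSign, keyCertSign

# Profile for TLS server certificates issued by level1_ca.
[ ssl_cert ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Restricts the certificate to server authentication
extendedKeyUsage = serverAuth
# Moves any email address from the DN into subjectAltName.
# NOTE(review): modern TLS clients require the host name as a DNS
# subjectAltName; this profile does not add one, so it must come from
# the request (needs "copy_extensions = copy" in the CA section, which
# then also copies any other extension the requester put in the CSR) or
# be supplied per run.
subjectAltName = email:move

# Profile for XKMS user certificates issued by xkms_ca.
# NOTE(review): no extendedKeyUsage is set, so these certificates are
# accepted for any purpose (including serverAuth) by most verifiers;
# add e.g. "extendedKeyUsage = clientAuth, emailProtection" once the
# intended XKMS usage is confirmed.
[ user_cert ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Email address is taken out of the DN and placed in subjectAltName
subjectAltName = email:move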