[ ca ]
default_ca		= CA_default

[ CA_default ]
dir			= ./
certs			= $dir
crl_dir			= $dir/crl
database		= $dir/index.txt
new_certs_dir		= $dir
certificate		= $dir/server.pem
serial			= $dir/serial
crl			= $dir/crl.pem
private_key		= $dir/server.key
RANDFILE		= $dir/.rand
name_opt		= ca_default
cert_opt		= ca_default
default_days		= 60
default_crl_days	= 30
default_md		= sha256
preserve		= no
policy			= policy_match
copy_extensions		= copy

[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ req ]
prompt			= no
distinguished_name	= server
default_bits		= 2048
input_password		= whatever
output_password		= whatever
#req_extensions		= v3_req

[server]
countryName		= FR
stateOrProvinceName	= Radius
localityName		= Somewhere
organizationName	= Example Inc.
emailAddress		= admin@example.org
commonName		= "Example Server Certificate"

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always

#  This should be a host name of the RADIUS server.
#  Note that the host name is exchanged in EAP *before*
#  the user machine has network access.  So the host name
#  here doesn't really have to match anything in DNS.
[alt_names]
DNS.1 = radius.example.com

# NAIRealm from RFC 7585
otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.example.com