#
# Based on the OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

#CRLDISTPT       = [CRL Distribution Point; e.g., http://crl-list.base/w4edom-l4.base.crl]
CRLDISTPT       = @@CRL_HTTP_BASE@@/CA-@@DNS_DOMAIN@@-crl.crl

# Extra OBJECT IDENTIFIER info:
oid_section     = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions        = 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]
# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used as a login credential
scardLogin=1.3.6.1.4.1.311.20.2.2
# Used in a smart card login certificate's subject alternative name
msUPN=1.3.6.1.4.1.311.20.2.3
# Ordinarily, certificates must have this oid as an enhanced key usage in order for Windows to allow them to be used to identify a domain controller
msKDC=1.3.6.1.5.2.3.5
# Identifies the AD GUID
msADGUID=1.3.6.1.4.1.311.25.1

####################################################################
[ ca ]
default_ca  = CA_default        # The default ca section

####################################################################
[ CA_default ]

dir         = @@CA_DIR@@         # Where everything is kept
certs       = $dir/_none_certs        # Where the issued certs are kept
crl_dir     = $dir/_none_crl          # Where the issued crl are kept
database    = $dir/Private/CA-@@DNS_DOMAIN@@-index.txt    # database index file.
unique_subject  = yes           # Set to 'no' to allow creation of
                                # several certificates with same subject.
new_certs_dir   = $dir/NewCerts     # default place for new certs.

certificate = $dir/Public/CA-@@DNS_DOMAIN@@-cert.pem   # The CA certificate
serial      = $dir/Private/CA-@@DNS_DOMAIN@@-serial.txt       # The current serial number
crlnumber   = $dir/Private/CA-@@DNS_DOMAIN@@-crlnumber.txt    # the current crl number
                                # must be commented out to leave a V1 CRL

#crl         = $dir/Public/CA-@@DNS_DOMAIN@@-crl.pem           # The current CRL
crl         = $dir/Public/CA-@@DNS_DOMAIN@@-crl.crl           # The current CRL
private_key = $dir/Private/CA-@@DNS_DOMAIN@@-private-key.pem    # The private key
RANDFILE    = $dir/Private/CA-@@DNS_DOMAIN@@.rand        # private random number file

#x509_extensions    =   # The extensions to add to the cert
x509_extensions = template_x509_extensions

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt    = ca_default        # Subject Name options
cert_opt    = ca_default        # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
crl_extensions  = crl_ext

default_days    = @@DEFAULT_DAYS@@           # how long to certify for
default_crl_days= @@DEFAULT_CRL_DAYS@@            # how long before next CRL
default_md  = sha256            # use public key default MD
preserve    = no                # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy      = policy_match

# For the CA policy
[ policy_match ]
countryName     = match
stateOrProvinceName = match
organizationName    = match
organizationalUnitName  = optional
commonName      = supplied
emailAddress        = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName     = match
stateOrProvinceName = match
localityName        = match
organizationName    = match
organizationalUnitName  = match
commonName      = supplied
emailAddress        = supplied

####################################################################
[ req ]
default_bits        = @@DEFAULT_BITS@@
distinguished_name  = req_distinguished_name
attributes      = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
countryName_default     = @@COUNTRY_NAME@@
countryName_min         = 2
countryName_max         = 2

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = @@STATE_NAME@@

localityName            = Locality Name (eg, city)
localityName_default    = @@LOCALITY_NAME@@

organizationName        = Organization Name (eg, company)
organizationName_default    = @@ORGANIZATION_NAME@@

organizationalUnitName      = Organizational Unit Name (eg, section)
organizationalUnitName_default = @@ORGANIZATIONAL_UNIT_NAME@@

commonName          = Common Name (eg, YOUR name)
commonName_default  = @@COMMON_NAME@@
commonName_max          = 64

emailAddress            = Email Address
emailAddress_default    = @@EMAIL_ADDRESS@@
emailAddress_max        = 64

# SET-ex3           = SET extension number 3

[ req_attributes ]
#challengePassword       = A challenge password
#challengePassword_min       = 4
#challengePassword_max       = 20
#
#unstructuredName        = An optional company name

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. 
keyUsage = cRLSign, keyCertSign

crlDistributionPoints=URI:$CRLDISTPT

# Some might want this also
nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
subjectAltName=email:copy
# Copy issuer details
issuerAltName=issuer:copy

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always