basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:127.0.0.1

# CanSignHttpExchanges extension
# https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#cross-origin-cert-req
1.3.6.1.4.1.11129.2.1.22 = ASN1:NULL