# OpenSSL config: certificate authority (CA)
# Default value
[ default ]
ca_name                 = _CA_NAME_            # CA name
home                    = .                    # Top dir
default_ca              = ca                   # Default CA section
name_opt                = utf8,esc_ctrl,multiline,lname,align    # Display UTF-8 characters

# Certificate request
[ req ]
default_bits            = 2048                  # RSA key size
encrypt_key             = yes                   # Encrypted CA private key
default_md              = sha256                # Message Digest to use
utf8                    = yes                   # Input is UTF-8
string_mask             = utf8only              # Emit UTF-8 strings
prompt                  = no                    # Don't prompt for DN
distinguished_name      = ca_dn                 # DN section
req_extensions          = ca_ext                # Desired extensions

# CA certificate info
[ ca_dn ]
countryName             = "US"                  # CA cert info
stateOrProvinceName     = "Wahington"           # CA cert info
organizationName        = "Seattle"             # CA cert info
localityName            = "WOLFSSL"             # CA cert info
organizationalUnitName  = "_CA_DEPART_"         # CA cert info
commonName              = "www.wolfssl.com"     # Replaced during build proceduce

# Extensions for signing CA certificate
[ ca_ext ]
keyUsage                = critical,keyCertSign,cRLSign,digitalSignature # Limit key usage
basicConstraints        = critical,CA:true      # Dont allow intermediary CA
subjectKeyIdentifier    = hash                  # SKI validation

# CA operational settings
[ ca ]
default_ca              = _CA_NAME_             # Default CA section

# CA Section
[ _CA_NAME_ ]
certificate             = $home/$ca_name.crt                # CA certificate
private_key             = $home/private/$ca_name.key        # CA private key
new_certs_dir           = $home/certs                       # Generated certificates
database                = $home/db/index                    # Index file of generated crt
serial                  = $home/db/serial                   # Serial number file
RANDFILE                = $home/ca/private/random           # Random file
unique_subject          = no                                # Dont require unique subject
default_days            = 3650                              # How long to certify for
default_md              = sha256                            # Message Digest to use
policy                  = match_pol                         # Default naming policy
email_in_dn             = no                                # Dont add email to cert DN
copy_extensions         = copy                              # Copy extensions from CSR (!)
x509_extensions         = server_ext                        # Default cert extensions

# Matching policy
# Enforce that all cert issued by the CA match criteria
# Useful for CA used internally with limited scope
[ match_pol ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# Extension used when signing server cert
[ _CERT_NAME_ ]
basicConstraints        = critical,CA:false             # Dont allow intermediary CA
nsCertType              = server                        # Certificate type
subjectKeyIdentifier    = hash                          # SKI validation
keyUsage                = critical,digitalSignature,keyEncipherment    # Define key usage
extendedKeyUsage        = clientAuth,serverAuth         # key usage continued