#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
RANDFILE		= $ENV::STORE_PATH/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file		= $ENV::STORE_PATH/.oid
oid_section		= new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions		= 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir				= $ENV::STORE_PATH		# Where everything is kept
certs			= $dir/certs		# Where the issued certs are kept
crl_dir			= $dir/crl		# Where the issued crl are kept
database		= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several ctificates with same subject.
new_certs_dir	= $dir/certs		# default place for new certs.

certificate		= $dir/ca_cert.pem 	# The CA certificate
serial			= $dir/serial 		# The current serial number
crlnumber		= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl				= $dir/crl.pem 		# The current CRL
private_key		= $dir/private/ca_private_key.pem# The private key
RANDFILE		= $dir/private/.rand	# private random number file

x509_extensions	= usr_cert		# The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# Extension copying option: use with caution.
copy_extensions = copy

default_days	= $ENV::REQDAYS		# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha256			# which md to use.
preserve	= no			# keep passed DN ordering
policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= supplied
stateOrProvinceName	= supplied
organizationName	= supplied
organizationalUnitName	= supplied
commonName		= supplied
#localityName		= supplied
emailAddress		= optional
DC			= optional

####################################################################

[ req ]
 default_bits           = 1024
 default_keyfile        = keyfile.pem
 distinguished_name     = req_distinguished_name
 attributes             = req_attributes
 prompt                 = no
 output_password        = mypass
 req_extensions         = v3_req
 x509_extensions        = v3_ca

[ req_distinguished_name ]
 C                      = JP
 ST                     = Aichi
 #L                      = Agui
 O                      = DENSO WAVE
 OU                     = DEV
 CN                     = ORiN2 OPC UA CA
 emailAddress           = xxx@xxx.xxx
 DC                     = localhost


[ req_attributes ]
challengePassword			= A challenge password
unstructuredName			= An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
subjectAltName=$ENV::SOFTING_CERT_GENERATION_URI
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth

[ v3_req_self_signed ]

# Extensions to add to a certificate request for a self-signed certificate

basicConstraints = CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = serverAuth, clientAuth

[ v3_ca ]

#
# Extensions to add to a CA certificate
#

# PKIX recommendation.

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF