# OpenSSL configuration for the `openssl ca` command.
# This file is a template: the double-brace placeholders (pki_dir,
# root_ca_keyfile, root_ca_certfile, default_crl_duration,
# intermediate_crl_uri) are filled in before OpenSSL reads it.
# Judging by those variable names, it configures a root CA that signs
# intermediate CA certificates. NOTE(review): confirm against the caller.

[ ca ]
# Section that `openssl ca` uses when no -name option is given.
default_ca = CA_default

[ CA_default ]
# Base directory; the $dir references below expand to this value, so this
# key must stay above them.
dir = {{ pki_dir }}
certs = $dir/certs
crl_dir = $dir/crl
# Every certificate issued is written here, named by serial number.
new_certs_dir = $dir/newcerts
# Text database of issued and revoked certificates. CRLs are built from it,
# so it should be writable only by the CA operator.
database = $dir/index.txt
# File holding the next serial number to assign.
serial = $dir/serial

# Signing key and certificate of this CA. The key file is the most sensitive
# asset referenced here: restrict its permissions to the CA operator.
private_key = {{ root_ca_keyfile }}
certificate = {{ root_ca_certfile }}

# Digest used when signing certificates and CRLs.
default_md = sha512

# Display format used when showing request details for confirmation.
name_opt = ca_default
cert_opt = ca_default

# Validity in days of issued certificates (about five years) unless
# overridden on the command line.
default_days = 1825
# Do not keep the subject field order of the request; the order of the
# policy section is used instead.
preserve = no
# Name of the section holding the subject-name policy.
policy = policy_loose
# Days until the next CRL is due, written into each CRL that is generated.
default_crl_days = {{ default_crl_duration }}

# copy_extensions is not set in the sections shown, so extensions carried in
# a CSR are not copied into the issued certificate (the OpenSSL default).

[ policy_loose ]
# Every field is optional: any subject name is accepted and nothing has to
# match this CA's own subject. Subject fields not listed here are dropped.
# NOTE(review): for a CA that signs only intermediate CAs, a stricter policy
# (match on country/organization, commonName supplied) is common; confirm
# that the loose policy is intended.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[ v3_intermediate_ca ]
# X.509 v3 extensions for an intermediate CA certificate. No x509_extensions
# key in the sections shown refers to this section, so it applies only when
# selected explicitly (for example `openssl ca -extensions v3_intermediate_ca`).
subjectKeyIdentifier = hash
# keyid:always fails issuance if the issuer key identifier cannot be included.
authorityKeyIdentifier = keyid:always,issuer
# The issued certificate is a CA, but pathlen:0 stops it from issuing further
# CA certificates; it can only sign end-entity certificates.
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# The rendered value must use OpenSSL's general-name form (URI:<url>).
# NOTE(review): a distribution point inside a certificate should locate the
# CRL published by that certificate's issuer (the CA configured above), not a
# CRL issued by the intermediate itself; confirm what intermediate_crl_uri
# points to.
crlDistributionPoints = {{ intermediate_crl_uri }}
# Legacy Netscape certificate-type extension.
nsCertType = sslCA, emailCA
# Copies the subject alternative names of the issuer certificate, if any.
issuerAltName = issuer:copy