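# OpenSSL configuration template for the root CA (Jinja2-style placeholders
# are filled in at render time).

[ ca ]
# Must name the section that holds the CA settings. The section below is
# literally [ CA_default ], so pointing this at the organization_ou variable
# only worked if the OU happened to render as "CA_default".
default_ca = CA_default

[ CA_default ]
# Directory layout of the CA database; every path below hangs off dir.
dir = {{ pki_dir }}
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
# Root signing key. NOTE(review): nothing in this file restricts access to
# $dir/private; confirm the provisioning step creates it owner-only.
private_key = $dir/private/root_ca.key
# NOTE(review): RANDFILE is deprecated in current OpenSSL releases; kept for
# older versions, confirm it is still wanted.
RANDFILE = $dir/private/.rand

# Digest used when signing certificates and CRLs.
default_md = sha512

name_opt = ca_default
cert_opt = ca_default
# Validity, in days, of certificates issued by this CA.
default_days = {{ default_cert_duration }}
# Do not keep the DN field order of the request; use the policy order.
preserve = no
policy = policy_strict

[ policy_strict ]
# "match" fields must equal the CA's own value, "supplied" fields must be
# present in the request, "optional" fields may be absent.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
# Key size for keys generated by "openssl req". The key was previously spelled
# "defaults_bits", which OpenSSL does not recognise, so the intended 4096-bit
# size was silently replaced by the built-in default.
default_bits = 4096
distinguished_name = req_distinguished_name
string_mask = utf8only
# Take the subject from [ req_distinguished_name ] without prompting.
prompt = no
default_md = sha512

[ req_distinguished_name ]
C = {{ country }}
ST = {{ state }}
L = {{ city }}
O = {{ organization_name }}
OU = {{ organization_ou }}
CN = {{ organization_cn }}

[ v3_ca ]
# Extensions for the CA certificate itself.
# NOTE(review): no key in this file references this section (no
# x509_extensions in [ req ]); presumably it is selected with
# "-extensions v3_ca" on the command line. Confirm, otherwise the root
# certificate is created without these constraints.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# NOTE(review): OpenSSL expects a general-name form here (for example a value
# beginning with "URI:"); confirm that the crl_uri variable carries the prefix.
crlDistributionPoints = {{ crl_uri }}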