HOME		= .
RANDFILE	= $ENV::HOME/.rnd
oid_section	= new_oids

[ new_oids ]

[ ca ]
default_ca	= openvpn

[ openvpn ]
dir		= /etc/openvpn/ca/
certs		= $dir
crl_dir		= $dir
database	= $dir/index.txt
new_certs_dir	= $dir
certificate	= $dir/cacert.pem
serial		= $dir/serial
crl		= $dir/crl.pem
private_key	= $dir/cakey.pem
RANDFILE	= $dir/.rand
x509_extensions	= usr_cert
default_days	= 999999
default_crl_days= 30
default_md	= sha256
preserve	= no
policy		= policy_match
email_in_dn	= no
extendedKeyUsage= serverAuth
keyUsage        = digitalSignature, keyEncipherment

[ policy_match ]
countryName		= optional
stateOrProvinceName	= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ req ]
default_bits		= 2048
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	        = v3_ca
string_mask             = nombstr
x509_extensions		= usr_cert

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= DE
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Niedersachsen

localityName			= Locality Name (eg, city)
#localityName_default		= Loxstedt

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= Lox-Web-Service

organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=

commonName			= Common Name (eg, your name or your server\'s hostname)
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 40

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20
unstructuredName		= An optional company name

[ usr_cert ]
basicConstraints=CA:FALSE
nsComment			= "OpenSSL Generated Certificate"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always
keyUsage			= nonRepudiation, digitalSignature, 
keyEncipherment
extendedKeyUsage		= serverAuth, clientAuth, codeSigning, 
emailProtection

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage		= serverAuth, clientAuth, codeSigning, 
emailProtection

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always

[ engine ]
default = openssl