# Root CA

[ req ]
# Use SHA-1 to verify that it does not affect the trust of root certificates.
default_md              = sha1
utf8                    = yes
string_mask             = utf8only
prompt                  = no
distinguished_name      = req_dn
req_extensions          = req_ext
x509_extensions         = v3_req_ext 

[ req_dn ]
0.domainComponent       = "COM"
1.domainComponent       = "EXAMPLE"
organizationalUnitName	= "Certificate Authority"
commonName              = "ca.example.com"
emailAddress            = "ca@example.com"

[ req_ext ]
subjectKeyIdentifier    = hash
#authorityKeyIdentifier  = keyid:always,issuer:always
basicConstraints        = critical,CA:true
keyUsage                = critical,keyCertSign,cRLSign

[ v3_req_ext ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
basicConstraints        = critical,CA:true
keyUsage                = critical,keyCertSign,cRLSign
subjectAltName          = email:ca@example.com
issuerAltName           = issuer:copy