#
# ca options
#

[ca]
default_ca = osbuild_ca

[osbuild_ca]
database        = ./index.txt
new_certs_dir   = ./certs
rand_serial     = yes

certificate     = ca.cert.pem
private_key     = private/ca.key.pem

default_days    = 3650
default_md      = sha256

x509_extensions = osbuild_ca_ext

# See WARNINGS in `man openssl ca`. This is ok, becasue it only copies
# extensions that are not already specified in `osbuild_ca_ext`.
copy_extensions = copy

preserve        = no
policy          = osbuild_ca_policy

# We want to issue multiple certificates with the same subject in the
# testing environment.
unique_subject  = no


[osbuild_ca_ext]
basicConstraints       = critical, CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign


[osbuild_ca_policy]
commonName   = supplied
emailAddress = supplied


#
# Extensions for server certificates
#

[osbuild_server_ext]
basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer:always
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth


#
# Extensions for client certificates
#

[osbuild_client_ext]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth


#
# req options
#

[req]
default_md         = sha256
default_bits       = 2048
distinguished_name = osbuild_distinguished_name


#
# Only prompt for CN
#

[osbuild_distinguished_name]
CN = Common Name
emailAddress = E-Mail Address