# OpenSSL configuration for "openssl ca".
# The default CA section is [ CA_root ]; certificates issued through it carry
# the extensions from [ sub_ca_ext ], which mark them as CA certificates.

# Short names for OIDs are defined in [ cacert_oids ].
oid_section = cacert_oids

[ ca ]
default_ca = CA_root

[ CA_root ]
# Where everything is kept
dir = CA
# Where the issued certs are kept
certs = $dir/certs
# Where the issued CRLs are kept
crl_dir = $dir/crl
# Database index file
database = $dir/index.txt
# Default place for new certs
new_certs_dir = $dir/newcerts
# The CA certificate
certificate = $dir/cacert.crt
# The current serial number
serial = $dir/serial
# The CA private key.
# NOTE(review): the key lives directly under $dir, next to the certificate,
# index and serial files, not under $dir/private. Restrict read access on this
# file to the CA operator account.
private_key = $dir/cacert.pem
# Private random number file
RANDFILE = $dir/private/.rand
# The extensions to add to the cert
x509_extensions = sub_ca_ext
# How long to certify for, in days
default_days = 3650
# Which message digest to use
default_md = sha256
# Keep passed DN ordering
preserve = yes
policy = policy_sub_ca
# Several certificates may share the same subject.
unique_subject = no
# NOTE(review): -create_serial is a command-line option of "openssl ca";
# confirm that this key is honoured by the OpenSSL version in use.
create_serial = yes

[ cacert_oids ]
# see https://wiki.cacert.org/OidAllocation and
# http://oid-info.com/get/1.3.6.1.4.1.18506
cacert_base_oid = 1.3.6.1.4.1.18506

[ policy_sub_ca ]
# NOTE(review): every field is optional and preserve = yes is set above, so
# this policy places no constraint on the requested subject DN. The subject of
# each request has to be validated before it is signed.
organizationName = optional
organizationalUnitName = optional
commonName = optional

[ sub_ca_ext ]
# Extensions applied to every certificate issued through [ CA_root ].
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
# NOTE(review): CA:true without a pathlen leaves the depth of the chain below
# the issued CA unbounded; add pathlen:0 if the issued CAs must sign only
# end-entity certificates.
# NOTE(review): no keyUsage extension is set. RFC 5280 expects CA certificates
# to carry keyUsage with keyCertSign (and cRLSign when they sign CRLs).
basicConstraints = critical, CA:true
# OCSP responder and issuer-certificate locations
authorityInfoAccess = OCSP;URI:http://ocsp.CAcert.org/,caIssuers;URI:http://www.CAcert.org/ca.crt
certificatePolicies = @polsect
# Legacy Netscape extensions
nsCaPolicyUrl = http://www.CAcert.org/index.php?id=10
nsComment = "To get your own certificate for FREE, go to http://www.CAcert.org"

[ polsect ]
CPS = "http://www.CAcert.org/index.php?id=10"
# Short name from [ cacert_oids ].
# NOTE(review): this is the base arc itself, not an OID allocated beneath it;
# confirm against the OID allocation page referenced in [ cacert_oids ].
policyIdentifier = cacert_base_oid