# See ../../doth/CA/ca.cfg for more information

# certificate authority configuration
[ca]
default_ca      = CA_default               # The default ca section

[CA_default]
dir            = .
new_certs_dir  = $dir/newcerts         # new certs dir (must be created)
certificate    = $dir/CA.pem           # The CA cert
private_key    = $dir/private/CA.key   # CA private key

serial         = $dir/serial           # serial number file for the next certificate
                                       # Update before issuing it:
                                       # xxd -l 8 -u -ps /dev/urandom > ./serial
database = $dir/index.txt                 # (must be created manually: touch ./index.txt)

default_days   = 1                 # how long to certify for

#default_crl_days = 30                 # the number of days before the
default_crl_days = 10950               # next CRL is due. That is the
                                       # days from now to place in the
                                       # CRL nextUpdate field.  If CRL
                                       # is expired, certificate
                                       # verifications will fail even
                                       # for otherwise valid
                                       # certificates. Clients might
                                       # cache the CRL, so the expiry
                                       # period should normally be
                                       # relatively short (default:
                                       # 30) for production CAs.

default_md     = sha256                # digest to use

policy         = policy_default        # default policy
email_in_dn    = no                    # Don't add the email into cert DN

name_opt       = ca_default            # Subject name display option
cert_opt       = ca_default            # Certificate display option

# We need the following in order to copy Subject Alt Name(s) from a
# request to the certificate.
copy_extensions = copy                 # copy extensions from request

[policy_default]
countryName            = optional
stateOrProvinceName    = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

# default certificate requests settings
[req]
# Options for the `req` tool (`man req`).
default_bits        = 3072 # for RSA only
distinguished_name  = req_default
string_mask         = utf8only
# SHA-1 is deprecated, so use SHA-256 instead.
default_md          = sha256
# do not encrypt the private key file
encrypt_key         = no

[req_default]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name (full name)
localityName                    = Locality Name (e.g., city)
0.organizationName              = Organization Name (e.g., company)
organizationalUnitName          = Organizational Unit Name (e.g. department)
commonName                      = Common Name (e.g. server FQDN or YOUR name)
emailAddress                    = Email Address
# defaults
countryName_default                     = UA
stateOrProvinceName_default             = Kharkiv Oblast
localityName_default                    = Kharkiv
0.organizationName_default              = ISC
organizationalUnitName_default          = Software Engeneering (BIND 9)