# Configuration file generated by pki-authority

[ default ]
name                    = root-ca
domain_suffix           = ecogood.org
aia_url                 = http://$name.$domain_suffix/crt/
crl_url                 = http://$name.$domain_suffix/crl/
ocsp_url                = http://$name.$domain_suffix/ocsp/
default_ca              = ca_default
name_opt                = utf8,esc_ctrl,multiline,lname,align

[ ca_default ]
home                    = .
database                = $home/database/index
serial                  = $home/database/serial
crlnumber               = $home/database/crlnumber
certificate             = $home/subject/cert.pem
private_key             = $home/private/key.pem
RANDFILE                = $home/private/random
new_certs_dir           = $home/certs
unique_subject          = no
policy                  = policy_default
x509_extensions         = extension_default
copy_extensions         = none
default_days            = 3650
default_crl_days        = 365
default_md              = sha256

[ crl_info ]
URI.0                   = $crl_url

[ issuer_info ]
caIssuers;URI.0         = $aia_url
OCSP;URI.0              = $ocsp_url

[ extension_ocsp ]
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical, CA:false
extendedKeyUsage        = OCSPSigning
keyUsage                = critical, digitalSignature
subjectKeyIdentifier    = hash

[ policy_default ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
emailAddress            = optional

[ extension_default ]
authorityInfoAccess     = @issuer_info
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical, CA:TRUE, pathlen:0
crlDistributionPoints   = @crl_info
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
nameConstraints         = critical, permitted;DNS:ecogood.org,permitted;DNS:.ecogood.org