root-ca.conf

[ default ]
ca                      = rootCA               # CA name
aia_url                 = _TOKEN_/any_path.cer?any=params     # CA certificate URL
crl_url                 = _TOKEN_/any_path.crl?any=params      # CRL distribution point
ocsp_url                = _TOKEN_/any_path.oscp?any=params    # OCSP responder URL
name_opt                = multiline,-esc_msb,utf8 # Display UTF-8 characters

# CA certificate request
[ req ]
default_bits            = 2048                  # RSA key size
encrypt_key             = yes                   # Protect private key
default_md              = sha256                  # MD to use
utf8                    = yes                   # Input is UTF-8
string_mask             = utf8only              # Emit UTF-8 strings
prompt                  = no                    # Don't prompt for DN
distinguished_name      = ca_dn                 # DN section
req_extensions          = ca_reqext             # Desired extensions

[ ca_dn ]
countryName             = "ZA"
organizationName        = "Thinkst Applied Research"
organizationalUnitName  = "Thinkst Applied Research CA"
commonName              = "Thinkst Root CA"

[ ca_reqext ]
keyUsage                = critical,keyCertSign,cRLSign
basicConstraints        = critical,CA:true
subjectKeyIdentifier    = hash

# CA operational settings
[ ca ]
default_ca              = root_ca               # The default CA section

[ root_ca ]
certificate             = $ca.crt       # The CA cert
private_key             = $ca.key # CA private key
new_certs_dir		= TMPDIR
database		 = TMPDIR/db
serial			= TMPDIR/ser
default_days            = 3652                  # How long to certify for
unique_subject = no
default_md              = sha256                  # MD to use
policy                  = match_pol             # Default naming policy
email_in_dn             = no                    # Add email to cert DN
preserve                = no                    # Keep passed DN ordering
name_opt                = $name_opt             # Subject DN display options
cert_opt                = ca_default            # Certificate display options
copy_extensions         = copy                  # Copy extensions from CSR
x509_extensions         = ca_ext   # Default cert extensions
default_crl_days        = 1                    # How long before next CRL
crl_extensions          = crl_ext               # CRL extensions

[ match_pol ]
countryName             = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied

# Extensions

[ ca_ext ]
keyUsage                = critical,digitalSignature,keyEncipherment,keyAgreement,dataEncipherment
basicConstraints        = CA:false
extendedKeyUsage        = serverAuth,clientAuth,codeSigning
subjectKeyIdentifier    = hash
#authorityKeyIdentifier  = keyid:always
authorityInfoAccess     = @ocsp_info
crlDistributionPoints   = @crl_info

[ crl_ext ]
authorityKeyIdentifier  = keyid:always
authorityInfoAccess     = @issuer_info

[ ocsp_info ]
caIssuers;URI.0         = $aia_url
OCSP;URI.0              = $ocsp_url

[ issuer_info ]
caIssuers;URI.0         = $aia_url

[ crl_info ]
URI.0                   = $crl_url