[req]
default_bits       = 4096
distinguished_name = req_distinguished_name

[ca]
default_ca       = ca_default

[ca_default]
dir             = ./store
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
serial          = $dir/serial
crlnumber       = $dir/crlnumber
crl             = $dir/crl.pem
database        = $dir/index.txt
certs           = $dir/certs
new_certs_dir   = $dir/newcerts
crl_dir         = $dir/crl
policy          = policy_match

copy_extensions = copy

default_days     = 365
default_crl_days = 30
default_md       = default
preserve         = no

[policy_match]
countryName		         = optional
stateOrProvinceName	   = optional
organizationName	      = optional
organizationalUnitName	= optional
surname                 = optional
givenName               = optional
commonName		         = supplied
emailAddress		      = optional

[req_distinguished_name]
countryName                 = Pais (2 letras)
countryName_default         = ES
stateOrProvinceName         = Provincia (nombre completo)
stateOrProvinceName_default = CADIZ
localityName                = Localidad
localityName_default        = ROTA
organizationName            = Organización
organizationName_default    = IESCDL
organizationalUnitName      = Unidad organizativa
commonName                  = Nombre (del servidor o suyo propio)
commonName_max              = 64

[e_ca]
# Extensiones para certificado de la CA.
nsComment              = "Certificado RAIZ --- IESCDL"
keyUsage               = critical, cRLSign, keyCertSign
basicConstraints       = CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always

[e_inter]
# Extensiones para certificado de una CA intermedia
# que no puede firmar certificado de CA (pathlen:0)
nsComment              = "Certificado INTERMEDIO --- DPTOINFO"
keyUsage               = critical, cRLSign, keyCertSign
basicConstraints       = CA:TRUE, pathlen:0
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always

[e_personal]
# Extensiones para certificado personal.
nsComment              = "Certificado personal"
keyUsage               = critical,digitalSignature,keyEncipherment,nonRepudiation
extendedKeyUsage       = emailProtection,clientAuth
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = email:copy

[e_server]
# Extensiones para certificado de servidor.
nsComment              = "Certificado de servidor"
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth,clientAuth
basicConstraints       = critical,CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
#subjectAltName	       = ${ENV::ALT}