# OpenSSL configuration file used to create a new Testserver root certificate.
#
# The [ req ] section below points x509_extensions at [ testserver_root ],
# which is the extension set OpenSSL applies when "openssl req -x509" writes
# a self-signed certificate.
#
# NOTE(review): the policy OID and CPS URI are the production values (see
# [ polsect ]), so certificates under this test root carry the production
# policy. Relying parties can only tell test from production by the trust
# anchor, not by the policy extension.

# Fallback so that the $ENV::HOME reference below still resolves to this
# file's HOME value when the environment variable is not set.
HOME = .
# Random seed file.
RANDFILE = $ENV::HOME/.rnd

# Section that defines additional OID short names usable in this file.
oid_section = new_oids

[ new_oids ]
# Referred by the polsect section
my_policy_oid = 1.3.6.1.4.1.18506.2.3.1

####################################################################
# This section contains parameters for the openssl req command
####################################################################
[ req ]
# NOTE(review): no default_bits or default_md is set here, so the key size
# and signature digest come from the command line or from the defaults of the
# installed OpenSSL. Older releases default to weaker values; confirm the
# invoking command or script pins both.

# Openssl 1.0.1 complains if it does not find distinguished_name,
# even if its content is used nowhere
distinguished_name = req_distinguished_name

# Section which contains the extensions for the new root
x509_extensions = testserver_root

[ req_distinguished_name ]
# Empty section to keep OpenSSL 1.0.1 from complaining
# (presumably the subject is supplied on the command line; verify against the
# script that calls openssl req)

[ testserver_root ]
# The extensions for the testserver root certificate
# Extensions are listed in the order the author chose; keep that order when
# editing, because subjectKeyIdentifier has to precede the
# authorityKeyIdentifier line that copies its key id.

# Obviously this is essential
# No pathlen is given, so the length of chains below this root is not limited
# by this extension.
# NOTE(review): no keyUsage extension is configured. RFC 5280 expects CA
# certificates to assert keyCertSign (and cRLSign when the key signs CRLs);
# confirm the omission is intended to match the production root.
basicConstraints = critical, CA:true

# Adjust OCSP links to testserver
# The URI is plain http, which is customary for OCSP because the responses
# themselves are signed.
authorityInfoAccess = OCSP;URI:http://ocsp.test.CAcert.org/

# Policies are the same as in the production system
certificatePolicies = @polsect

# Use the testserver for CRL
# Plain http again; integrity comes from the CRL signature, not the transport.
crlDistributionPoints = URI:http://test.cacert.org/test-revoke.crl

# Not sure if these are necessary/sensible in the root certificate.
# They don't seem to hurt though
# NOTE(review): issuer:always also records the issuer name and serial number.
# In a self-signed root those are the root's own, so re-issuing the root with
# a different serial changes this extension; confirm that is acceptable.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ polsect ]
# The same policy as in the production environment
# The CPS URI points at the production web site, not at a test host.
CPS = "http://www.CAcert.org/cps.php"
# Short name resolved through [ new_oids ] above.
policyIdentifier = my_policy_oid