jdelic/openssl.ini

## openssl.ini
#
# OpenSSL CA config
#
# see https://jamielinux.com/docs/openssl-certificate-authority/
#
# useful commands =============================================================
# (this config file is referred to as openssl.cnf)
# Create a self-signed CA in one command
#     openssl req -x509 -out casserver-ca.crt -key casserver-ca.key
#         -config openssl.cnf -extensions app_ca_root_cert -days 3650
#         -subj "/C=DE/L=Munich/O=maurus.networks GmbH/OU=CASSERVER DEV Org Lineage/CN=CASSERVER DEV Grand-parent Authority/emailAddress=ca@maurus.net/unstructuredName=CASSERVER DEV Grand-parent Authority"
#
# Create a CSR and sign it (unlike the openssl ca tool this will NOT
# create or maintain a certificate database)
#     openssl req -new -out cas-ca-2.req -config openssl.cnf -key cas-ca-2.key
#         -subj "/C=DE/L=Munich/O=maurus.networks GmbH/OU=CASSERVER DEV Org Lineage/CN=CASSERVER DEV Parent Authority 2/emailAddress=ca@maurus.net/unstructuredName=CASSERVER DEV Parent Authority 2"
#     openssl x509 -req -in cas-ca-2.req -out cas-ca-2.crt
#         -extfile openssl.cnf -extensions intermediate_appca_certs
#         -CA ../casserver-ca.crt -CAkey ../casserver-ca.key
#         -CAserial ../serial.txt
#
# Update an existing certificate with a new expiry date or new X.509
# extensions or even a new subject:
#     openssl x509 -in casserver-ca.crt -out test.crt -signkey casserver-ca.key
#         -extfile openssl.cnf -extensions app_ca_root_cert -days 3650
#         -clrext -subj "/C=DE/L=Munich/O=maurus.networks GmbH/OU=CASSERVER DEV Build Authority/CN=CASSERVER DEV Grand-parent Authority/emailAddress=ca@maurus.net/unstructuredName=CASSERVER DEV Grand-parent Authority"
#
# Sign a CSR using the openssl ca tool:
#     openssl ca -config openssl.cnf -name build_ca_certs -in reqs/x1.req
#         -out certs/x1.crt -notext -days 180 -CAkey casserver-ca.key -CAfile
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = c:/jm/ca
RANDFILE = $HOME/rnd.state

#
# the CA configuration
#
[ ca ]
default_ca = use -name!

#
# This CA issues intermediate CAs making them easy to revoke
#
[ rootca ]
certs=$HOME/root-ca/certs
crl_dir=$HOME/root-ca/crl
certificate=$HOME/root-ca/ca.crt
serial=$HOME/root-ca/serial.txt
database=$HOME/root-ca/certificate.db
new_certs_dir=$HOME/root-ca/certs
private_key=$HOME/root-ca/ca.key

default_md=sha256
policy=ca_policy
string_mask=utf8only
email_in_dn=no

#
# This CA is used for issuing internal server certificates
# and S/MIME certificates
#
[ maurusnetca ]
# use this if you specify SANs when signing the request
certs=$HOME/minion-ca/certs
crl_dir=$HOME/minion-ca/crl
certificate=$HOME/minion-ca/intermediate.crt
serial=$HOME/minion-ca/serial.txt
database=$HOME/minion-ca/certificate.db
new_certs_dir=$HOME/minion-ca/certs
private_key=$HOME/minion-ca/intermediate.key

default_md=sha256
policy=ca_policy
string_mask=utf8only
email_in_dn=no

[ maurusnetca_copyext ]
# uset this to copy SANs from the request
certs=$HOME/minion-ca/certs
crl_dir=$HOME/minion-ca/crl
certificate=$HOME/minion-ca/intermediate.crt
serial=$HOME/minion-ca/serial.txt
database=$HOME/minion-ca/certificate.db
new_certs_dir=$HOME/minion-ca/certs
private_key=$HOME/minion-ca/intermediate.key

default_md=sha256
policy=ca_policy
string_mask=utf8only
copy_extensions=copy
email_in_dn=no

#
# This sub-CA signs BUILD CAs which in turn create certificates for
# Continuous Delivery builds
#
[appsca]
certs=./certs
crl_dir=./crl
certificate=./apps-ca.crt
serial=./serial.txt
database=./certificate.db
new_certs_dir=./certs
private_key=./ca.key

default_md=sha256
policy=ca_build_policy
string_mask=utf8only
email_in_dn=no


[ ca_policy ]
countryName = supplied
localityName = supplied
organizationName = match
organizationalUnitName = supplied
commonName = optional  # latest recommendation is no CN, SAN only
emailAddress = supplied
unstructuredName = supplied

[ ca_user_policy ]
countryName = supplied
localityName = supplied
organizationName = match
organizationalUnitName = supplied
commonName = supplied  # latest recommendation is no CN, SAN only
title = supplied
unstructuredName = optional

[ ca_build_policy ]
commonName = supplied

#
# request
#
[ req ]
distinguished_name = dn_sect
prompt = yes
default_md = sha256
default_bits = 2048
string_mask = utf8only
req_extensions = req_exts

[ alternate_names ]
# modify this section below when creating CSRs (in case you have set
# copy_extensions=copy) OR include alternate_names when signing the CSR
# if copy_extensions is NOT set.

# one or more DNS names for server certificates (SANs)
DNS.1=*.maurusnet.test
DNS.2=maurusnet.test
#DNS.3=debian.saltstack.com
#DNS.4=httpredir.debian.org
# one or more email addresses for user certificates
#email.1 = info@maurus.net
#email.2 =
#email.3 =
# DNS.3
# ...

[ req_exts ]
subjectAltName = @alternate_names

#
# X.509 extensions for various uses
# Use them when signing a CSR like this:
#
#openssl ca -config ..\openssl.cnf -name maurusnetca -policy ca_user_policy -in reqs\jonas.req -out certs\jonas.crt -days 3650 -extensions user_email_certs
#
[ user_email_certs ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName=@alternate_names
crlDistributionPoints = URI:https://crl.maurus.net/minion_revocations.crl
# authorityInfoAccess = OCSP;URI:http://ocsp.example.com

[ user_client_certs ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
# http://security.stackexchange.com/questions/68491/recommended-key-usage-for-a-client-certificate
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
#subjectAltName=email:info@maurus.net


[ server_certs ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:https://crl.maurus.net/minion_revocations.crl
# authorityInfoAccess = OCSP;URI:http://ocsp.example.com

[ server_certs_with_sans ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName=@alternate_names
crlDistributionPoints = URI:https://crl.maurus.net/minion_revocations.crl
# authorityInfoAccess = OCSP;URI:http://ocsp.example.com

[ ca_certs ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# crlDistributionPoints=URI:http://myhost.com/myca.crl

[ intermediate_ca_certs ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
crlDistributionPoints = URI:https://crl.maurus.net/ca_revocations.crl

[ intermediate_appca_certs ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
# but this one has pathlen:1, so these sub-CAs can sign CAs
# This is useful to give individual developers their own DEV CAs that can
# issue Vault-based application CAs
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
crlDistributionPoints = URI:https://crl.maurus.net/ca_revocations.crl

[ app_ca_root_cert ]
# Extensions for the App root CAs which may have 2 levels of sub CAs
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:2
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ build_ca_certs ]
# Extensions for the Build CAs which are issued by each App CA for each build server
# The CSRs for these intermediates are created by Vault
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
# most local services require CRLs to be pushed, not pulled, so this configuration really doesn't matter
#crlDistributionPoints = URI:https://crl.maurus.net/apps/EDITME/envs/EDITME/revocations.crl

[ ocsp_signing_certs ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

#
# Distinguished name combinations for our uses
#
[ dn_sect ]
countryName = Country Name
countryName_default = DE
localityName = Locality Name
localityName_default = Munich
organizationName = Organization Name
organizationName_default = maurus.networks GmbH
organizationalUnitName = Organizational Unit Name
organizationalUnitName_default =
commonName = Common Name
commonName_default =
emailAddress = Email Address
emailAddress_default = info@maurus.net
unstructuredName = Unstructured Name
unstructuredName_default =

[ dn_user_sect ]
countryName = Country Name
countryName_default = DE
localityName = Locality Name
localityName_default = Munich
organizationName = Organization Name
organizationName_default = maurus.networks GmbH
organizationalUnitName = Organizational Unit Name
organizationalUnitName_default =
commonName = Common Name
commonName_default =
title = Title
title_default = organizationalUnitName


#
# special sections for the CA request
#   set prompt to "no" in [ req ] and set distinguished_name to dn_ca_sect
#
[ dn_ca_sect ]
countryName = Country Name
localityName = Locality Name
organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
unstructuredName = Unstructured Name

countryName_default = DE
localityName_default = Munich
organizationName_default = maurus.networks GmbH
organizationalUnitName_default = Internet Server CA
commonName_default = maurus.networks Internet Server CA
emailAddress_default = ca@maurus.net
unstructuredName_default = maurus.networks Internet Server CA

#
# PKCS#12 settings for exporting S/MIME certs to clients
# This is tricky because we must enforce PBKDF2 and AES-256-CBC (GCM is not supported, yet)
# otherwise openssl will use RC2 with a 40 bit key :((
#  openssl pkcs12 -export -chain -CAfile ca-chain.crt -inkey keys\jonas.key -name "Jonas Maurus S/MIME" \
#    -in certs\jonas.crt -out c:\jm\jonas.p12 -certpbe AES-256-CBC -keypbe AES-256-CBC
# MOST SECURE ACTUALLY WORKING VERSION (on Windows 10 and iOS9) is:
#  openssl pkcs12 -export -chain -CAfile ca-chain.crt -inkey keys\jonas.key -name "Jonas Maurus S/MIME" \
#    -in certs\jonas.crt -out c:\jm\jonas.p12 -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES
	#
	# OpenSSL CA config
	#
	# see https://jamielinux.com/docs/openssl-certificate-authority/
	#
	# useful commands =============================================================
	# (this config file is referred to as openssl.cnf)
	# Create a self-signed CA in one command
	# openssl req -x509 -out casserver-ca.crt -key casserver-ca.key
	# -config openssl.cnf -extensions app_ca_root_cert -days 3650
	# -subj "/C=DE/L=Munich/O=maurus.networks GmbH/OU=CASSERVER DEV Org Lineage/CN=CASSERVER DEV Grand-parent Authority/emailAddress=ca@maurus.net/unstructuredName=CASSERVER DEV Grand-parent Authority"
	#
	# Create a CSR and sign it (unlike the openssl ca tool this will NOT
	# create or maintain a certificate database)
	# openssl req -new -out cas-ca-2.req -config openssl.cnf -key cas-ca-2.key
	# -subj "/C=DE/L=Munich/O=maurus.networks GmbH/OU=CASSERVER DEV Org Lineage/CN=CASSERVER DEV Parent Authority 2/emailAddress=ca@maurus.net/unstructuredName=CASSERVER DEV Parent Authority 2"
	# openssl x509 -req -in cas-ca-2.req -out cas-ca-2.crt
	# -extfile openssl.cnf -extensions intermediate_appca_certs
	# -CA ../casserver-ca.crt -CAkey ../casserver-ca.key
	# -CAserial ../serial.txt
	#
	# Update an existing certificate with a new expiry date or new X.509
	# extensions or even a new subject:
	# openssl x509 -in casserver-ca.crt -out test.crt -signkey casserver-ca.key
	# -extfile openssl.cnf -extensions app_ca_root_cert -days 3650
	# -clrext -subj "/C=DE/L=Munich/O=maurus.networks GmbH/OU=CASSERVER DEV Build Authority/CN=CASSERVER DEV Grand-parent Authority/emailAddress=ca@maurus.net/unstructuredName=CASSERVER DEV Grand-parent Authority"
	#
	# Sign a CSR using the openssl ca tool:
	# openssl ca -config openssl.cnf -name build_ca_certs -in reqs/x1.req
	# -out certs/x1.crt -notext -days 180 -CAkey casserver-ca.key -CAfile
	#
	# This definition stops the following lines choking if HOME isn't
	# defined.
	HOME = c:/jm/ca
	RANDFILE = $HOME/rnd.state

	#
	# the CA configuration
	#
	[ ca ]
	default_ca = use -name!

	#
	# This CA issues intermediate CAs making them easy to revoke
	#
	[ rootca ]
	certs=$HOME/root-ca/certs
	crl_dir=$HOME/root-ca/crl
	certificate=$HOME/root-ca/ca.crt
	serial=$HOME/root-ca/serial.txt
	database=$HOME/root-ca/certificate.db
	new_certs_dir=$HOME/root-ca/certs
	private_key=$HOME/root-ca/ca.key

	default_md=sha256
	policy=ca_policy
	string_mask=utf8only
	email_in_dn=no

	#
	# This CA is used for issuing internal server certificates
	# and S/MIME certificates
	#
	[ maurusnetca ]
	# use this if you specify SANs when signing the request
	certs=$HOME/minion-ca/certs
	crl_dir=$HOME/minion-ca/crl
	certificate=$HOME/minion-ca/intermediate.crt
	serial=$HOME/minion-ca/serial.txt
	database=$HOME/minion-ca/certificate.db
	new_certs_dir=$HOME/minion-ca/certs
	private_key=$HOME/minion-ca/intermediate.key

	default_md=sha256
	policy=ca_policy
	string_mask=utf8only
	email_in_dn=no

	[ maurusnetca_copyext ]
	# uset this to copy SANs from the request
	certs=$HOME/minion-ca/certs
	crl_dir=$HOME/minion-ca/crl
	certificate=$HOME/minion-ca/intermediate.crt
	serial=$HOME/minion-ca/serial.txt
	database=$HOME/minion-ca/certificate.db
	new_certs_dir=$HOME/minion-ca/certs
	private_key=$HOME/minion-ca/intermediate.key

	default_md=sha256
	policy=ca_policy
	string_mask=utf8only
	copy_extensions=copy
	email_in_dn=no

	#
	# This sub-CA signs BUILD CAs which in turn create certificates for
	# Continuous Delivery builds
	#
	[appsca]
	certs=./certs
	crl_dir=./crl
	certificate=./apps-ca.crt
	serial=./serial.txt
	database=./certificate.db
	new_certs_dir=./certs
	private_key=./ca.key

	default_md=sha256
	policy=ca_build_policy
	string_mask=utf8only
	email_in_dn=no


	[ ca_policy ]
	countryName = supplied
	localityName = supplied
	organizationName = match
	organizationalUnitName = supplied
	commonName = optional # latest recommendation is no CN, SAN only
	emailAddress = supplied
	unstructuredName = supplied

	[ ca_user_policy ]
	countryName = supplied
	localityName = supplied
	organizationName = match
	organizationalUnitName = supplied
	commonName = supplied # latest recommendation is no CN, SAN only
	title = supplied
	unstructuredName = optional

	[ ca_build_policy ]
	commonName = supplied

	#
	# request
	#
	[ req ]
	distinguished_name = dn_sect
	prompt = yes
	default_md = sha256
	default_bits = 2048
	string_mask = utf8only
	req_extensions = req_exts

	[ alternate_names ]
	# modify this section below when creating CSRs (in case you have set
	# copy_extensions=copy) OR include alternate_names when signing the CSR
	# if copy_extensions is NOT set.

	# one or more DNS names for server certificates (SANs)
	DNS.1=*.maurusnet.test
	DNS.2=maurusnet.test
	#DNS.3=debian.saltstack.com
	#DNS.4=httpredir.debian.org
	# one or more email addresses for user certificates
	#email.1 = info@maurus.net
	#email.2 =
	#email.3 =
	# DNS.3
	# ...

	[ req_exts ]
	subjectAltName = @alternate_names

	#
	# X.509 extensions for various uses
	# Use them when signing a CSR like this:
	#
	#openssl ca -config ..\openssl.cnf -name maurusnetca -policy ca_user_policy -in reqs\jonas.req -out certs\jonas.crt -days 3650 -extensions user_email_certs
	#
	[ user_email_certs ]
	# Extensions for client certificates (`man x509v3_config`).
	basicConstraints = critical, CA:FALSE
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid,issuer
	keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
	extendedKeyUsage = emailProtection
	subjectAltName=@alternate_names
	crlDistributionPoints = URI:https://crl.maurus.net/minion_revocations.crl
	# authorityInfoAccess = OCSP;URI:http://ocsp.example.com

	[ user_client_certs ]
	# Extensions for client certificates (`man x509v3_config`).
	basicConstraints = critical, CA:FALSE
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid,issuer
	# http://security.stackexchange.com/questions/68491/recommended-key-usage-for-a-client-certificate
	keyUsage = critical, digitalSignature
	extendedKeyUsage = clientAuth
	#subjectAltName=email:info@maurus.net


	[ server_certs ]
	# Extensions for server certificates (`man x509v3_config`).
	basicConstraints = critical, CA:FALSE
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid,issuer:always
	keyUsage = critical, digitalSignature, keyEncipherment
	extendedKeyUsage = serverAuth
	crlDistributionPoints = URI:https://crl.maurus.net/minion_revocations.crl
	# authorityInfoAccess = OCSP;URI:http://ocsp.example.com

	[ server_certs_with_sans ]
	# Extensions for server certificates (`man x509v3_config`).
	basicConstraints = critical, CA:FALSE
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid,issuer:always
	keyUsage = critical, digitalSignature, keyEncipherment
	extendedKeyUsage = serverAuth
	subjectAltName=@alternate_names
	crlDistributionPoints = URI:https://crl.maurus.net/minion_revocations.crl
	# authorityInfoAccess = OCSP;URI:http://ocsp.example.com

	[ ca_certs ]
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer
	basicConstraints = critical, CA:true
	keyUsage = critical, digitalSignature, cRLSign, keyCertSign
	# crlDistributionPoints=URI:http://myhost.com/myca.crl

	[ intermediate_ca_certs ]
	# Extensions for a typical intermediate CA (`man x509v3_config`).
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer
	basicConstraints = critical, CA:true, pathlen:0
	keyUsage = critical, digitalSignature, cRLSign, keyCertSign
	crlDistributionPoints = URI:https://crl.maurus.net/ca_revocations.crl

	[ intermediate_appca_certs ]
	# Extensions for a typical intermediate CA (`man x509v3_config`).
	# but this one has pathlen:1, so these sub-CAs can sign CAs
	# This is useful to give individual developers their own DEV CAs that can
	# issue Vault-based application CAs
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer
	basicConstraints = critical, CA:true, pathlen:1
	keyUsage = critical, digitalSignature, cRLSign, keyCertSign
	crlDistributionPoints = URI:https://crl.maurus.net/ca_revocations.crl

	[ app_ca_root_cert ]
	# Extensions for the App root CAs which may have 2 levels of sub CAs
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer
	basicConstraints = critical, CA:true, pathlen:2
	keyUsage = critical, digitalSignature, cRLSign, keyCertSign

	[ build_ca_certs ]
	# Extensions for the Build CAs which are issued by each App CA for each build server
	# The CSRs for these intermediates are created by Vault
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer
	basicConstraints = critical, CA:true, pathlen:0
	keyUsage = critical, digitalSignature, cRLSign, keyCertSign
	# most local services require CRLs to be pushed, not pulled, so this configuration really doesn't matter
	#crlDistributionPoints = URI:https://crl.maurus.net/apps/EDITME/envs/EDITME/revocations.crl

	[ ocsp_signing_certs ]
	# Extension for OCSP signing certificates (`man ocsp`).
	basicConstraints = critical, CA:FALSE
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid,issuer
	keyUsage = critical, digitalSignature
	extendedKeyUsage = critical, OCSPSigning

	[ crl_ext ]
	# Extension for CRLs (`man x509v3_config`).
	authorityKeyIdentifier=keyid:always

	#
	# Distinguished name combinations for our uses
	#
	[ dn_sect ]
	countryName = Country Name
	countryName_default = DE
	localityName = Locality Name
	localityName_default = Munich
	organizationName = Organization Name
	organizationName_default = maurus.networks GmbH
	organizationalUnitName = Organizational Unit Name
	organizationalUnitName_default =
	commonName = Common Name
	commonName_default =
	emailAddress = Email Address
	emailAddress_default = info@maurus.net
	unstructuredName = Unstructured Name
	unstructuredName_default =

	[ dn_user_sect ]
	countryName = Country Name
	countryName_default = DE
	localityName = Locality Name
	localityName_default = Munich
	organizationName = Organization Name
	organizationName_default = maurus.networks GmbH
	organizationalUnitName = Organizational Unit Name
	organizationalUnitName_default =
	commonName = Common Name
	commonName_default =
	title = Title
	title_default = organizationalUnitName


	#
	# special sections for the CA request
	# set prompt to "no" in [ req ] and set distinguished_name to dn_ca_sect
	#
	[ dn_ca_sect ]
	countryName = Country Name
	localityName = Locality Name
	organizationName = Organization Name
	organizationalUnitName = Organizational Unit Name
	commonName = Common Name
	emailAddress = Email Address
	unstructuredName = Unstructured Name

	countryName_default = DE
	localityName_default = Munich
	organizationName_default = maurus.networks GmbH
	organizationalUnitName_default = Internet Server CA
	commonName_default = maurus.networks Internet Server CA
	emailAddress_default = ca@maurus.net
	unstructuredName_default = maurus.networks Internet Server CA

	#
	# PKCS#12 settings for exporting S/MIME certs to clients
	# This is tricky because we must enforce PBKDF2 and AES-256-CBC (GCM is not supported, yet)
	# otherwise openssl will use RC2 with a 40 bit key :((
	# openssl pkcs12 -export -chain -CAfile ca-chain.crt -inkey keys\jonas.key -name "Jonas Maurus S/MIME" \
	# -in certs\jonas.crt -out c:\jm\jonas.p12 -certpbe AES-256-CBC -keypbe AES-256-CBC
	# MOST SECURE ACTUALLY WORKING VERSION (on Windows 10 and iOS9) is:
	# openssl pkcs12 -export -chain -CAfile ca-chain.crt -inkey keys\jonas.key -name "Jonas Maurus S/MIME" \
	# -in certs\jonas.crt -out c:\jm\jonas.p12 -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES