rynop/openssl.cnf

## openssl.cnf
...

####################################################################
[ testconfg ]

dir             = /etc/ssl/testconfg              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
#crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
#crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha1               # use public key default MD
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

...
	...

	####################################################################
	[ testconfg ]

	dir = /etc/ssl/testconfg # Where everything is kept
	certs = $dir/certs # Where the issued certs are kept
	crl_dir = $dir/crl # Where the issued crl are kept
	database = $dir/index.txt # database index file.
	#unique_subject = no # Set to 'no' to allow creation of
	# several ctificates with same subject.
	new_certs_dir = $dir/newcerts # default place for new certs.

	certificate = $dir/cacert.pem # The CA certificate
	serial = $dir/serial # The current serial number
	#crlnumber = $dir/crlnumber # the current crl number
	# must be commented out to leave a V1 CRL
	#crl = $dir/crl.pem # The current CRL
	private_key = $dir/private/cakey.pem# The private key
	RANDFILE = $dir/private/.rand # private random number file

	x509_extensions = usr_cert # The extentions to add to the cert

	# Comment out the following two lines for the "traditional"
	# (and highly broken) format.
	name_opt = ca_default # Subject Name options
	cert_opt = ca_default # Certificate field options

	# Extension copying option: use with caution.
	# copy_extensions = copy

	# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
	# so this is commented out by default to leave a V1 CRL.
	# crlnumber must also be commented out to leave a V1 CRL.
	# crl_extensions = crl_ext

	default_days = 365 # how long to certify for
	default_crl_days= 30 # how long before next CRL
	default_md = sha1 # use public key default MD
	preserve = no # keep passed DN ordering

	# A few difference way of specifying how similar the request should look
	# For type CA, the listed attributes must be the same, and the optional
	# and supplied fields are just that :-)
	policy = policy_match

	...