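# OpenSSL example configuration file.
# CACAnet Fukuoka 2002/06/11
# server certificate configuration file
#
# Read by the OpenSSL `ca` and `req` commands (OpenSSL CONF syntax: `#` starts
# a comment, $var / ${var} expand earlier values, quotes around a value are
# stripped by the parser).
################################################################

HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids

[ new_oids ]
# OID layout: 0.2.440.200092.<profile>.<CA id>.<RAA id>.<data type>
# Classification:
#   profile   - certificate and CRL profile object (0 = certificate/CRL profile)
#   CA id     - 0 = CACAnet Class A CA
#   RAA id    - 0 = CACAnet Fukuoka; subsequent values are serial numbers
#   data type - CPS = 0, CRL = 1
#
# policyConstraints (2.5.29.36) is a built-in OpenSSL object name, and recent
# OpenSSL releases reject a new_oids entry whose short name already exists.
# The alias is therefore left out; the extension in [ v3_server ] uses the
# native policyConstraints syntax instead of a raw DER value.
# policyConstraints = 2.5.29.36
CACAnetOID = 0.2.440.200092
CACAnetTestACACPS = ${CACAnetOID}.0.1.0.0
CACAnetTestACACRL = ${CACAnetOID}.0.1.0.1
# 2002/02/10: RAA id for CACAnet Fukuoka Members RAA = 1
CACAnetTestAMembersRAACPS = ${CACAnetOID}.0.1.1.0
CACAnetTestAMembersRAACRL = ${CACAnetOID}.0.1.1.1

[ ca ]
# The default ca section
default_ca = CA_default

[ CA_default ]
# Where everything is kept
dir = /CACAnet/CA/CACAnetTestACA/CACAnetMembersRAA
# Where the issued certs are kept
certs = $dir/certs
# Where the issued crl are kept
crl_dir = $dir/crl
# database index file.
database = $dir/index.txt
# default place for new certs.
new_certs_dir = $dir/newcerts
# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The current CRL
crl = $dir/crl.pem
# The private key
private_key = $dir/private/cakey.pem
# private random number file
RANDFILE = $dir/private/.rand
# The extensions to add to the cert
x509_extensions = v3_server

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext

# how long to certify for
default_days = 365
# how long before next CRL
default_crl_days = 1
# which md to use. The original value, md5, is collision-broken and MD5
# signatures are rejected by current TLS clients and path validators.
default_md = sha256
# keep passed DN ordering
preserve = no
policy = policy_match

# Note: policy_match and policy_anything are currently identical; only
# policy_match is referenced above.
[ policy_match ]
countryName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied

[ policy_anything ]
countryName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = supplied

[ req ]
# RSA key size for generated keys. The original 1024 bits is below the minimum
# accepted by current clients and CA/Browser Forum requirements.
default_bits = 2048
default_keyfile = cakey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_server

[ req_distinguished_name ]
countryName = Country name
countryName_default = JP
0.organizationName = Organization Name
0.organizationName_default = CACAnet Fukuoka
1.organizationName = RAA Name (eg, company)
1.organizationName_default = CACAnet Fukuoka Members RAA
0.organizationalUnitName = Organizational Unit Name (eg, section)
0.organizationalUnitName_default = member
1.organizationalUnitName = Entity Type
1.organizationalUnitName_default = server
2.organizationalUnitName = RA serial
# no default: left blank unless the requester supplies one
2.organizationalUnitName_default =
commonName = Server Name
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]

[ usr_cert ]

[ v3_server ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# End-entity marker, left disabled as in the original. RFC 5280 validators
# treat a v3 certificate without basicConstraints as non-CA; enable this if
# the relying parties are known to accept a critical basicConstraints.
# basicConstraints = critical,CA:false
# Broad for a TLS server key (dataEncipherment and keyAgreement are not needed
# for RSA key transport); kept as the original author set it.
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyAgreement,dataEncipherment
# timeStamping next to serverAuth is unusual for a server certificate;
# NOTE(review): confirm it is intended.
extendedKeyUsage = serverAuth,timeStamping
# per-RAA CRL split: the pattern is
# "http://www.cacanet.org/CACAnetClassACA/<RAA name>.crl"
crlDistributionPoints = URI:"http://www.cacanet.org/CACAnetTestACA/CACAnetMembersRAA.crl"
# requireExplicitPolicy = 3. The original wrote this as raw DER
# (DER:3005A003020103), which wraps the SkipCerts INTEGER in an explicit [0]
# tag; RFC 5280 defines PolicyConstraints with IMPLICIT tags, so that encoding
# is not what standard validators decode. RFC 5280 also expects conforming
# CAs to mark this extension critical and to use it in CA certificates.
policyConstraints = requireExplicitPolicy:3
certificatePolicies = ia5org,@polsect1,@polsect2

[ polsect1 ]
# policy of CACAnet Test A CA
policyIdentifier = CACAnetTestACACPS
# CPS of CACAnet Test A CA
CPS = "http://www.cacanet.org/CACAnetTestACA/CACAnetTestACACPS.html"
userNotice = @notice1

[ notice1 ]
explicitText = "This certificate is issued for your PKI as a non-profit public service."
organization = "Citizen's Association for Certification Authority Network Fukuoka"
noticeNumbers = 1

[ polsect2 ]
# policy of CACAnet Members RAA.
# OpenSSL rejects a certificatePolicies policy section that has no
# policyIdentifier, so this line must stay enabled for @polsect2 to work.
policyIdentifier = CACAnetTestAMembersRAACPS
# per-RAA split
CPS = "http://www.cacanet.org/CACAnetTestACA/CACAnetTestAMembersRAACPS.html"
userNotice = @notice2

[ notice2 ]
explicitText = "This certificate is issued for your PKI as a non-profit public service."
organization = "Citizen's Association for Certification Authority Network Fukuoka"
noticeNumbers = 1

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always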