# Config for intermediate CA [req] default_md = sha256 prompt = no req_extensions = req_ext distinguished_name = req_distinguished_name [req_distinguished_name ] commonName = Tcllib PKI Intermediate CA2 countryName = US organizationName = Tcllib organizationalUnitName = PKI [req_ext] # These extensions for the CSR, not the certificate keyUsage=critical,digitalSignature,keyCertSign,cRLSign basicConstraints=critical,CA:true,pathlen:0 subjectAltName = @alt_names [cert_ext] # These extensions go in the certificate subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always keyUsage=critical,digitalSignature,keyCertSign,cRLSign basicConstraints=critical,CA:true,pathlen:0 subjectAltName = @alt_names policyMappings = @policy_mappings nameConstraints=critical, permitted;email:.somedomain.com,excluded;DNS:deny.com,permitted;IP:192.168.0.0/255.255.0.0 policyConstraints = critical, requireExplicitPolicy:3, inhibitPolicyMapping:2 inhibitAnyPolicy = critical, 2 subjectInfoAccess = 1.3.6.1.5.5.7.48.3;URI:http//timestamp.test.tcllib, 1.3.6.1.5.5.7.48.5;URI:http//repository.test.tcllib [alt_names] DNS = ca2.test.tcllib [policy_mappings] # issuerOID = subjectOID 1.2.3.4.5.6.99 = 1.2.3.4.5.6.7.99 1.2.3.4.5.6.100 = 1.2.3.4.5.6.7.100