# This file is managed by puppet.
# https://opendev.org/opendev/system-config

[ca]
default_ca = CA_default

[CA_default]
dir = .
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
default_md = default
preserve = no
policy = ca_policy

[ca_policy]
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = supplied

[policy_anything]
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = supplied

[req]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = utf8only
prompt = no

[req_distinguished_name]
C = US
ST = Texas
L = Austin
O = OpenStack Foundation
OU = Infrastructure
CN = $ENV::CN
emailAddress = openstack-infra@lists.openstack.org

[usr_cert]
basicConstraints = CA:FALSE
nsComment = "client certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[server]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "server certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:true