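####################################################################
# OpenSSL configuration for generating certificate signing requests
# (CSRs) that carry subjectAltName entries.
#
# Comments use '#', as in the original file.
####################################################################
# This is where we define how to generate CSRs.
[ req ]
# RSA key size in bits used when a new key is generated.
default_bits = 2048
# The private key is written to this file. Keep it out of version
# control and readable only by its owner.
default_keyfile = privkey.pem
# where to get DN for reqs.
distinguished_name = req_distinguished_name
# req attributes.
attributes = req_attributes
# The extensions to add to self signed certs.
# NOTE(review): this points at v3_ca, so a certificate self-signed with
# this file carries CA:true and does not take the subjectAltName list
# from v3_req. Point this at a non-CA section if a leaf test
# certificate is intended.
x509_extensions = v3_ca
# The extensions to add to req's.
req_extensions = v3_req
# Do not prompt; the DN values are read directly from the section below.
prompt = no

####################################################################
# Per "req" section, this is where we define DN info.
[ req_distinguished_name ]
countryName = AU
stateOrProvinceName = Queensland
localityName = Brisbane
0.organizationName = Griffith University
organizationalUnitName = INS
# Clients that validate host names against subjectAltName expect this
# name to be listed in [alt_names] as well (it is DNS.1 below).
commonName = www.domain
emailAddress = security@griffith.edu.au

####################################################################
# We don't want these, but the section must exist.
[ req_attributes ]
#challengePassword = A challenge password
#challengePassword_min = 4
#challengePassword_max = 20
#unstructuredName = An optional company name

####################################################################
# Extension for requests.
# NOTE(review): extensions in a CSR are only a request. The signing CA
# decides whether they are copied into the issued certificate, and it
# should check every requested name before signing.
[ v3_req ]
subjectAltName=@alt_names

# One entry per host name. Every index must be unique: a repeated name
# within a section replaces the earlier value, so that host name would
# be missing from the request without any error.
[alt_names]
DNS.1 = www.domain
DNS.2 = altwww.domain
DNS.3 = www.domain2

####################################################################
# An alternative section of extensions. It is referenced by
# x509_extensions in [ req ] above (self-signed certificates), and can
# also be selected via '-extensions v3_ca' when using ca(8) to sign
# another CA.
#
[ v3_ca ]
# PKIX recommendation.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
# basicConstraints = critical,CA:true
# So we do this instead.
# NOTE(review): PKIX (RFC 5280) expects basicConstraints to be critical
# in CA certificates. Prefer the critical form above unless a known
# client cannot handle it.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName = email:move

# Copy issuer details
# issuerAltName = issuer:copy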