# Config for intermediate CA

[req]
default_md = sha256
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name

[req_distinguished_name ]
commonName = Tcllib PKI Intermediate CA2
countryName = US
organizationName = Tcllib
organizationalUnitName = PKI

[req_ext]
# These extensions for the CSR, not the certificate
keyUsage=critical,digitalSignature,keyCertSign,cRLSign
basicConstraints=critical,CA:true,pathlen:0
subjectAltName = @alt_names

[cert_ext]
# These extensions go in the certificate
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage=critical,digitalSignature,keyCertSign,cRLSign
basicConstraints=critical,CA:true,pathlen:0
subjectAltName = @alt_names
policyMappings = @policy_mappings
nameConstraints=critical, permitted;email:.somedomain.com,excluded;DNS:deny.com,permitted;IP:192.168.0.0/255.255.0.0
policyConstraints = critical, requireExplicitPolicy:3, inhibitPolicyMapping:2
inhibitAnyPolicy = critical, 2
subjectInfoAccess = 1.3.6.1.5.5.7.48.3;URI:http//timestamp.test.tcllib, 1.3.6.1.5.5.7.48.5;URI:http//repository.test.tcllib

[alt_names]
DNS = ca2.test.tcllib

[policy_mappings]
# issuerOID = subjectOID
1.2.3.4.5.6.99 = 1.2.3.4.5.6.7.99
1.2.3.4.5.6.100 = 1.2.3.4.5.6.7.100