+# Minimal openssl configuration needed to be a CA for domtool
+
+# intentionally not setting RANDFILE, because it is useless on modern
+# machines.
+
+[ ca ]
+default_ca = Domtool_CA
+
+[ Domtool_CA ]
+dir = ${Domtool_Defaults::ca_dir}
+
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index
+
+# Needed because domtool does not revoke certs before
+# reissuing. Possibly bad behavior, if a private key were to leak.
+unique_subject = no
+
+new_certs_dir = $dir/newcerts
+
+certificate = $dir/ca-cert.pem
+serial = $dir/serial
+crlnumber = $dir/crlnumber
+
+crl = $dir/crl.pem
+private_key = $dir/private/ca-key.pem
+RANDFILE = $dir/private/.rand
+
+x509_extensions = usr_cert
+
+name_opt = ca_default
+cert_opt = ca_default
+
+crl_extensions = crl_ext
+
+default_days = 365
+default_crl_days= 30
+default_md = sha1
+preserve = no
+
+policy = policy_domtool
+
+[ policy_domtool ]
+# Domtool doesn't care where you claim to live
+#countryName = optional
+#stateOrProvinceName = optional
+#localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = supplied
+
+# req section is only used when generating the request for the CA to sign itself!
+[ req ]
+default_bits = 4096
+default_keyfile = ${Domtool_Defaults::ca_dir}/private/ca-key.pem
+default_md = sha1
+
+prompt = no
+distinguished_name = root_ca_distinguished_name
+string_mask = nombstr
+
+# Extensions to add to the self-signed cert generated to certificate the CA
+x509_extensions = v3_ca
+
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+# leaving nsCaRevocationUrl unset, since domtool isn't checking revocations
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+
+[ v3_ca ]
+# These extensions are added when the CA signs itself
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+# Ensure only user certificates and not another ca can be signed
+basicConstraints = critical,CA:true,pathlen:0
+
+[ root_ca_distinguished_name ]
+commonName = ${Domtool_Defaults::org_name}
+#countryName = US
+#stateOrProvinceName = CA
+#localityName = Berkeley
+0.organizationName = ${Domtool_Defaults::org_domain}
+emailAddress = ca@${Domtool_Defaults::org_domain}
+
+[ crl_ext ]
+authorityKeyIdentifier=keyid:always,issuer:always
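Review bot: `default_md = sha1` in [ Domtool_CA ] and again in [ req ] selects SHA-1 for both the CA self-signature and every certificate it issues, which modern TLS clients (and recent OpenSSL releases at their default security level) no longer accept as a valid signature algorithm; change both lines to `default_md = sha256`. The header comment states RANDFILE is intentionally not set, yet [ Domtool_CA ] sets `RANDFILE = $dir/private/.rand`, so either the line or the comment should go to keep the file consistent with itself. Because the comment on unique_subject already records that certificates are reissued without revocation, a one-line comment above `default_days = 365` noting that expiry is the only lifetime control on issued certificates would make that trade-off visible where the value is chosen.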