[req]
default_md = sha256
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name

[req_distinguished_name]
0.commonName = PKI Tester
1.commonName = PKI Developer
countryName = US
organizationName = Tcllib
organizationalUnitName = Developers Group
emailAddress = developers@test.tcllib

[req_ext]
keyUsage=critical,digitalSignature,keyEncipherment,nonRepudiation,dataEncipherment,keyAgreement,keyCertSign,cRLSign,encipherOnly,decipherOnly
extendedKeyUsage=critical,serverAuth,clientAuth,codeSigning,emailProtection,timeStamping,OCSPSigning,msCodeInd,msCodeCom,msCTLSign,msEFS,ipsecIKE,ipsecEndSystem,ipsecTunnel,ipsecUser
basicConstraints=critical,CA:false
subjectAltName = @alt_names
issuerAltName = @issuer_alt_names
crlDistributionPoints = crldp0,crldp1,crldp2
freshestCRL = crldp2

[cert_ext]
keyUsage=critical,digitalSignature,keyEncipherment,nonRepudiation,dataEncipherment,keyAgreement,keyCertSign,cRLSign,encipherOnly,decipherOnly
extendedKeyUsage=critical,serverAuth,clientAuth,codeSigning,emailProtection,timeStamping,OCSPSigning,msCodeInd,msCodeCom,msCTLSign,msEFS,ipsecIKE,ipsecEndSystem,ipsecTunnel,ipsecUser
basicConstraints=critical,CA:false
subjectAltName = @alt_names
issuerAltName = @issuer_alt_names
crlDistributionPoints = crldp0,crldp1,crldp2
subjectKeyIdentifier = hash
authorityKeyIdentifier = issuer
freshestCRL = crldp2
authorityInfoAccess = OCSP;URI:http://ocsp.test.tcllib/, 1.2.3.4;RID:1.2.3.4.5

[alt_names]
DNS.0 = test.tcllib.nosuchdomain
DNS.1 = www.test.tcllib.nosuchdomain
IP.0 = 192.168.1.1
IP.1 = 13::17
URI.0 = http://test.tcllib
email.0 = noone@test.tcllib
RID.0 = 1.6.7.8.11
dirName = dir_name_ext
otherName = 1.2.3.4;UTF8:String in utf8 format

[issuer_alt_names]
DNS = ca.test.tcllib

[dir_name_ext]
C=UK
CN=PKI Developer


[crldp0]
# All three fields
fullname=URI:http://test.tcllib/my.crl
CRLissuer=dirName:crl_issuer_sect
reasons=keyCompromise, CACompromise, privilegeWithdrawn, AACompromise

[crl_issuer_sect]
C = US
O = Tcllib
CN = Tcllib CRL Issuer

[crldp1]
# relativename, crlissuer field missing
relativename = crldn
reasons=affiliationChanged, superseded, cessationOfOperation, certificateHold

[crldn]
CN = Tcllib CRL DP

[crldp2]
# fullname, reasons field missing
fullname=URI:http://crl.test.tcllib
CRLissuer=dirName:crl_issuer_sect