heimdal/lib/hx509/data/openssl.cnf

oid_section             = new_oids

[ new_oids ]
pkkdcekuoid = 1.3.6.1.5.2.3.5

[ca]

default_ca = user

[usr]
database	= index.txt
serial		= serial
x509_extensions = usr_cert
default_md=sha1
policy		= policy_match
certs		= .

[ocsp]
database	= index.txt
serial		= serial
x509_extensions = ocsp_cert
default_md=sha1
policy		= policy_match
certs		= .

[usr_ke]
database	= index.txt
serial		= serial
x509_extensions = usr_cert_ke
default_md=sha1
policy		= policy_match
certs		= .

[usr_ds]
database	= index.txt
serial		= serial
x509_extensions = usr_cert_ds
default_md=sha1
policy		= policy_match
certs		= .

[pkinit_client]
database	= index.txt
serial		= serial
x509_extensions = pkinit_client_cert
default_md=sha1
policy		= policy_match
certs		= .

[pkinit_kdc]
database	= index.txt
serial		= serial
x509_extensions = pkinit_kdc_cert
default_md=sha1
policy		= policy_match
certs		= .

[subca]
database	= index.txt
serial		= serial
x509_extensions = v3_ca
default_md=sha1
policy		= policy_match
certs		= .


[ req ]
distinguished_name	= req_distinguished_name
x509_extensions		= v3_ca	# The extentions to add to the self signed cert

string_mask = utf8only

[ v3_ca ]

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign, keyEncipherment, nonRepudiation, digitalSignature

[ usr_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier	= hash

[ usr_cert_ke ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, keyEncipherment
subjectKeyIdentifier	= hash

[ proxy_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier	= hash
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:foo

[pkinitc_princ_name] 
realm = EXP:0, GeneralString:EXAMPLE.ORG
principal_name = EXP:1, SEQUENCE:pkinitc_principal_seq

[ pkinit_client_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier	= hash
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitc_princ_name

[pkinitc_principal_seq] 
name_type = EXP:0, INTEGER:1 
name_string = EXP:1, SEQUENCE:pkinitc_principals

[pkinitc_principals] 
princ1 = GeneralString:bar

[ pkinit_kdc_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = pkkdcekuoid
subjectKeyIdentifier	= hash
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:pkinitkdc_princ_name 

[pkinitkdc_princ_name] 
realm = EXP:0, GeneralString:EXAMPLE.ORG
principal_name = EXP:1, SEQUENCE:pkinitkdc_principal_seq

[pkinitkdc_principal_seq] 
name_type = EXP:0, INTEGER:1 
name_string = EXP:1, SEQUENCE:pkinitkdc_principals

[pkinitkdc_principals] 
princ1 = GeneralString:krbtgt
princ2 = GeneralString:EXAMPLE.ORG

[ proxy10_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier	= hash
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:10,policy:text:foo

[ usr_cert_ds ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature
subjectKeyIdentifier	= hash

[ ocsp_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# ocsp-nocheck and kp-OCSPSigning
extendedKeyUsage	= 1.3.6.1.5.5.7.48.1.5, 1.3.6.1.5.5.7.3.9
subjectKeyIdentifier	= hash

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= SE
countryName_min			= 2
countryName_max			= 2

organizationalName		= Organizational Unit Name (eg, section)

commonName			= Common Name (eg, YOUR name)
commonName_max			= 64

#[ req_attributes ]
#challengePassword              = A challenge password
#challengePassword_min          = 4
#challengePassword_max          = 20

[ policy_match ]
countryName		= match
commonName		= supplied