-# openssl.cnf - OpenSSL configuration file
-#
-
-# This definitions were set by the ca_init script DO NOT change
-# them manually.
-CAHOME = /etc/openssl/rfc3779
-RANDFILE = $CAHOME/.rand
-
-####################################################################
-
-[ ca ]
-default_ca = root_ca # The default ca section
-
-####################################################################
-
-[ root_ca ]
-
-dir = $CAHOME
-certs = $dir/certs # Where the issued certs are kept
-crl_dir = $dir/crl # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-new_certs_dir = $dir/newcerts # default place for new certs.
-
-certificate = $dir/strongswanCert.pem # The CA certificate
-serial = $dir/serial # The current serial number
-crl = $dir/crl.pem # The current CRL
-crlnumber = $dir/crlnumber # The current CRL serial number
-private_key = $dir/strongswanKey.pem # The private key
-RANDFILE = $dir/.rand # private random number file
-
-x509_extensions = host_ext # The extensions to add to the cert
-
-crl_extensions = crl_ext # The extensions to add to the CRL
-
-default_days = 1820 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = sha256 # which md to use.
-preserve = no # keep passed DN ordering
-email_in_dn = no # allow/forbid EMail in DN
-
-policy = policy_match # specifying how similar the request must look
-
-####################################################################
-
-# the 'match' policy
-[ policy_match ]
-countryName = match
-stateOrProvinceName = optional
-localityName = optional
-organizationName = match
-organizationalUnitName = optional
-userId = optional
-serialNumber = optional
-commonName = supplied
-emailAddress = optional
-
-# the 'anything' policy
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-
-####################################################################
-
-[ req ]
-default_bits = 1024
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-x509_extensions = ca_ext # The extensions to add to the self signed cert
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-
-# This sets a mask for permitted string types. There are several options.
-# default: PrintableString, T61String, BMPString.
-# pkix : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
-# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
-# MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
-string_mask = nombstr
-
-# req_extensions = v3_req # The extensions to add to a certificate request
-
-####################################################################
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = CH
-countryName_min = 2
-countryName_max = 2
-
-#stateOrProvinceName = State or Province Name (full name)
-#stateOrProvinceName_default = ZH
-
-#localityName = Locality Name (eg, city)
-#localityName_default = Winterthur
-
-organizationName = Organization Name (eg, company)
-organizationName_default = Linux strongSwan
-
-0.organizationalUnitName = Organizational Unit Name (eg, section)
-0.organizationalUnitName_default = RFC3779
-
-#1.organizationalUnitName = Type (eg, Staff)
-#1.organizationalUnitName_default = Staff
-
-#userId = UID
-
-commonName = Common Name (eg, YOUR name)
-commonName_default = $ENV::COMMON_NAME
-commonName_max = 64
-
-#0.emailAddress = Email Address (eg, foo@bar.com)
-#0.emailAddress_min = 0
-#0.emailAddress_max = 40
-
-#1.emailAddress = Second Email Address (eg, foo@bar.com)
-#1.emailAddress_min = 0
-#1.emailAddress_max = 40
-
-####################################################################
-
-[ req_attributes ]
-
-####################################################################
-
-[ host_ext ]
-
-basicConstraints = CA:FALSE
-keyUsage = digitalSignature, keyEncipherment, keyAgreement
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = DNS:$ENV::COMMON_NAME
-#extendedKeyUsage = OCSPSigning
-extendedKeyUsage = serverAuth
-crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_rfc3779.crl
-
-sbgp-ipAddrBlock = critical, @host-addr-section
-
-[host-addr-section]
-
-#moon networks
-#IPv4.0 = 192.168.0.1
-#IPv4.1 = 10.1.0.0/16
-#IPv6.0 = fec0::1
-#IPv6.1 = fec1::/16
-
-#sun networks
-IPv4.0 = 192.168.0.2
-IPv4.1 = 10.2.0.0/16
-IPv6.0 = fec0::2
-IPv6.1 = fec2::/16
-
-####################################################################
-
-[ user_ext ]
-
-basicConstraints = CA:FALSE
-keyUsage = digitalSignature, keyEncipherment, keyAgreement
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid, issuer:always
-subjectAltName = email:$ENV::COMMON_NAME
-#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
-crlDistributionPoints = URI:http://crl.strongswan.org/strongswan_rfc3779.crl
-
-#sbgp-ipAddrBlock = critical, IPv4:192.168.0.0/24, IPv6:inherit
-
-sbgp-ipAddrBlock = critical, @user-addr-section
-
-[user-addr-section]
-
-#carol networks
-#IPv4.0 = 192.168.0.100
-#IPv4.1 = 10.3.0.1
-#IPv6.0 = fec0::10
-
-#dave networks
-IPv4.0 = 192.168.0.200
-IPv4.1 = 10.3.0.2
-IPv6.0 = fec0::20
-
-####################################################################
-
-[ ca_ext ]
-
-basicConstraints = critical, CA:TRUE, pathlen:1
-keyUsage = cRLSign, keyCertSign
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid, issuer:always
-
-sbgp-ipAddrBlock = critical, @ca-addr-section
-
-[ca-addr-section]
-
-IPv4.0 = 192.168.0.0/24
-IPv4.1 = 10.1.0.0/16
-IPv4.2 = 10.2.0.0/16
-IPv4.3 = 10.3.0.1 - 10.3.3.232
-IPv6.0 = fec0::/16
-IPv6.1 = fec1::/16
-IPv6.2 = fec2::/16
-
-####################################################################
-
-[ crl_ext ]
-
-# CRL extensions.
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-#issuerAltName = issuer:copy
-authorityKeyIdentifier = keyid:always, issuer:always
-
-# eof