SmartAudio/target/allwinner/generic/sign_config/cnf_base.cnf

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
RANDFILE		= $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file		= $ENV::HOME/.oid
oid_section		= new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions		=
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir		= ./demoCA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several ctificates with same subject.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem	# The CA certificate
serial		= $dir/serial		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem		# The current CRL
private_key	= $dir/private/cakey.pem# The private key
RANDFILE	= $dir/private/.rand	# private random number file

x509_extensions	= usr_cert		# The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt	= ca_default		# Subject Name options
cert_opt	= ca_default		# Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions	= crl_ext

default_days	= 365			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha1			# which md to use.
preserve	= no			# keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
[ req ]
default_bits		= 1024
default_keyfile		= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= AU
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
stateOrProvinceName_default	= Some-State

localityName			= Locality Name (eg, city)

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd

organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=

commonName			= Common Name (eg, YOUR name)
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 64

# SET-ex3			= SET extension number 3

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20

unstructuredName		= An optional company name

[ usr_cert ]

TrustedFirmwareNVCounter	="8"
PrimaryDebugCertificatePK	="c79bab3b5194dcb156ddbb065a44e9ec959770a0f1d02a7f09ef95fc8028ed8803794422a2620892083d2cdfee53d43c3ae65f8d1ef31f490567de9c15f23a858409a2944225ffaef01aca94bf2cf3705f54ae5c37195353d8228bac67794b01c40e4a6ec71bb17b6c120f13bcbea5574a30b86ba691173e14fa60abd5a2c1f30ca890732357a377fc77ed7822c1c4b5ed1d8ca02bcffbfa9be11d14bab4ff0b6a17479a98fef715008e9e4bb20e912594b073fb5e57e6ef627f8ee503ce5cae3b3b4a320d7227d97a3655859af3956989696b43d2c6130696a16166ab1aa5d2549e59209b9825ce5fbaf3cb65eec4e261af607417a7d3b5b440f774f6fece1b10001"
NonTrustedWorldPK						="be2878a4730f378686a0c34c61512e111da071a810ccd2f1dae4522784ba95705718b27e4072c3ec918e9eb95dc8b70af59634468aa1dd1608e67adbf7fe76bbdd3339928f023b90e25cfa459d00648659c6356f197efcc4d0e5b8708c30d76cc0037593d9ef50e0d189f12afa4135db206733be2a4926e7cbace02a6336beec471c985b938ab8f3cedd1f30e2248e5cf8580655aba5e46628c0ac70cf213b3bdda7e1c91359cc5e6ece020405ff2465364a8ef3e46bfb535e77dc60056528e1ec55f299cbf6dee6424664c6d4a41d88600b7b0767ed29088b575db63946c33ac58cadb118f20a17d01b70ba3c71150d4d5f1c31976acac797066c1e239e417d10001dbbaa8ff9c32464bb2e39cc2341a9b5d31c7b56cdf1a18434b7b539002670816195c622d126747bb5bf499ceae72857d2e897d4416f604b60f7dde718ebce1f6825895f4cbc59e3d44f14b6b54159fde9561ca905143c21ebba6ec203a1183744f758e8bf1dded1244aed913a51d71189b4a254674274e0d3b656c218a555d96f8d8ee8d29d74129b1091dc98c256744896b1b927cd99609dd2f06dbb5e5eee4e5bc845d543747af2585c2db4cafbba7ccf668607e0dce22ffaf9716b2e949b67f5c0d751e670a5eea1a71819145cf06afc85dfba52ce9dae6f00772f9859a7a804fa1b7f9a6639484d7ceba12dcd57717800ad4bc0b1434475a3f2571433fe110001dbbaa8ff9c32464bb2e39cc2341a9b5d31c7b56cdf1a18434b7b539002670816195c622d126747bb5bf499ceae72857d2e897d4416f604b60f7dde718ebce1f6825895f4cbc59e3d44f14b6b54159fde9561ca905143c21ebba6ec203a1183744f758e8bf1dded1244aed913a51d71189b4a254674274e0d3b656c218a555d96f8d8ee8d29d74129b1091dc98c256744896b1b927cd99609dd2f06dbb5e5eee4e5bc845d543747af2585c2db4cafbba7ccf668607e0dce22ffaf9716b2e949b67f5c0d751e670a5eea1a71819145cf06afc85dfba52ce9dae6f00772f9859a7a804fa1b7f9a6639484d7ceba12dcd57717800ad4bc0b1434475a3f2571433fe110001"
TrustedWorldPK						="dbbaa8ff9c32464bb2e39cc2341a9b5d31c7b56cdf1a18434b7b539002670816195c622d126747bb5bf499ceae72857d2e897d4416f604b60f7dde718ebce1f6825895f4cbc59e3d44f14b6b54159fde9561ca905143c21ebba6ec203a1183744f758e8bf1dded1244aed913a51d71189b4a254674274e0d3b656c218a555d96f8d8ee8d29d74129b1091dc98c256744896b1b927cd99609dd2f06dbb5e5eee4e5bc845d543747af2585c2db4cafbba7ccf668607e0dce22ffaf9716b2e949b67f5c0d751e670a5eea1a71819145cf06afc85dfba52ce9dae6f00772f9859a7a804fa1b7f9a6639484d7ceba12dcd57717800ad4bc0b1434475a3f2571433fe110001"

#DebugScenario_0130		=1
#SoCSpecific_0130			=2
#SecondaryDebugCertPK	=3

#DebugScenario_0131	=4
#SoC_ID							=5
#SoCSpecific_0131		=6

#TrustedFirmareNVCounter_0220	=7
#SCPFirmareContentCertPK				=8

#TrustedFirmareNVCounter_0221	=9
#SCPRomPatchHash								=10
#SCPFirmwareHash								=11

#TrustedFirmareNVCounter_0230	=12
#TrustedOSFirmwareContentCertPK=13

#TrustedFirmareNVCounter_0231	=14
#NonTrustedFirmareNVCounter_0320=16
#NonTrustedOSFirmwareContentCertPK=17

#NonTrustedFirmareNVCounter_0321=18
#VirtualizationFirmwareHash			=19
#NonTrustedWorldBootloaderHash		=20
[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType			= server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
init 2018-07-13 01:31:50 +00:00			`#`
			`# OpenSSL example configuration file.`
			`# This is mostly being used for generation of certificate requests.`
			`#`

			`# This definition stops the following lines choking if HOME isn't`
			`# defined.`
			`HOME = .`
			`RANDFILE = $ENV::HOME/.rnd`

			`# Extra OBJECT IDENTIFIER info:`
			`#oid_file = $ENV::HOME/.oid`
			`oid_section = new_oids`

			`# To use this configuration file with the "-extfile" option of the`
			`# "openssl x509" utility, name here the section containing the`
			`# X.509v3 extensions to use:`
			`# extensions =`
			`# (Alternatively, use a configuration file that has only`
			`# X.509v3 extensions in its main [= default] section.)`

			`[ new_oids ]`

			`# We can add new OIDs in here for use by 'ca' and 'req'.`
			`# Add a simple OID like this:`
			`# testoid1=1.2.3.4`
			`# Or use config file substitution like this:`
			`# testoid2=${testoid1}.5.6`

			`####################################################################`
			`[ ca ]`
			`default_ca = CA_default # The default ca section`

			`####################################################################`
			`[ CA_default ]`

			`dir = ./demoCA # Where everything is kept`
			`certs = $dir/certs # Where the issued certs are kept`
			`crl_dir = $dir/crl # Where the issued crl are kept`
			`database = $dir/index.txt # database index file.`
			`#unique_subject = no # Set to 'no' to allow creation of`
			`# several ctificates with same subject.`
			`new_certs_dir = $dir/newcerts # default place for new certs.`

			`certificate = $dir/cacert.pem # The CA certificate`
			`serial = $dir/serial # The current serial number`
			`crlnumber = $dir/crlnumber # the current crl number`
			`# must be commented out to leave a V1 CRL`
			`crl = $dir/crl.pem # The current CRL`
			`private_key = $dir/private/cakey.pem# The private key`
			`RANDFILE = $dir/private/.rand # private random number file`

			`x509_extensions = usr_cert # The extentions to add to the cert`

			`# Comment out the following two lines for the "traditional"`
			`# (and highly broken) format.`
			`name_opt = ca_default # Subject Name options`
			`cert_opt = ca_default # Certificate field options`

			`# Extension copying option: use with caution.`
			`# copy_extensions = copy`

			`# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs`
			`# so this is commented out by default to leave a V1 CRL.`
			`# crlnumber must also be commented out to leave a V1 CRL.`
			`# crl_extensions = crl_ext`

			`default_days = 365 # how long to certify for`
			`default_crl_days= 30 # how long before next CRL`
			`default_md = sha1 # which md to use.`
			`preserve = no # keep passed DN ordering`

			`# A few difference way of specifying how similar the request should look`
			`# For type CA, the listed attributes must be the same, and the optional`
			`# and supplied fields are just that :-)`
			`policy = policy_match`

			`# For the CA policy`
			`[ policy_match ]`
			`countryName = match`
			`stateOrProvinceName = match`
			`organizationName = match`
			`organizationalUnitName = optional`
			`commonName = supplied`
			`emailAddress = optional`

			`# For the 'anything' policy`
			`# At this point in time, you must list all acceptable 'object'`
			`# types.`
			`[ policy_anything ]`
			`countryName = optional`
			`stateOrProvinceName = optional`
			`localityName = optional`
			`organizationName = optional`
			`organizationalUnitName = optional`
			`commonName = supplied`
			`emailAddress = optional`

			`####################################################################`
			`[ req ]`
			`default_bits = 1024`
			`default_keyfile = privkey.pem`
			`distinguished_name = req_distinguished_name`
			`attributes = req_attributes`
			`x509_extensions = v3_ca # The extentions to add to the self signed cert`

			`# Passwords for private keys if not present they will be prompted for`
			`# input_password = secret`
			`# output_password = secret`

			`# This sets a mask for permitted string types. There are several options.`
			`# default: PrintableString, T61String, BMPString.`
			`# pkix : PrintableString, BMPString.`
			`# utf8only: only UTF8Strings.`
			`# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).`
			`# MASK:XXXX a literal mask value.`
			`# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings`
			`# so use this option with caution!`
			`string_mask = nombstr`

			`# req_extensions = v3_req # The extensions to add to a certificate request`

			`[ req_distinguished_name ]`
			`countryName = Country Name (2 letter code)`
			`countryName_default = AU`
			`countryName_min = 2`
			`countryName_max = 2`

			`stateOrProvinceName = State or Province Name (full name)`
			`stateOrProvinceName_default = Some-State`

			`localityName = Locality Name (eg, city)`

			`0.organizationName = Organization Name (eg, company)`
			`0.organizationName_default = Internet Widgits Pty Ltd`

			`# we can do this but it is not needed normally :-)`
			`#1.organizationName = Second Organization Name (eg, company)`
			`#1.organizationName_default = World Wide Web Pty Ltd`

			`organizationalUnitName = Organizational Unit Name (eg, section)`
			`#organizationalUnitName_default =`

			`commonName = Common Name (eg, YOUR name)`
			`commonName_max = 64`

			`emailAddress = Email Address`
			`emailAddress_max = 64`

			`# SET-ex3 = SET extension number 3`

			`[ req_attributes ]`
			`challengePassword = A challenge password`
			`challengePassword_min = 4`
			`challengePassword_max = 20`

			`unstructuredName = An optional company name`

			`[ usr_cert ]`

			`TrustedFirmwareNVCounter ="8"`
			PrimaryDebugCertificatePK ="c79bab3b5194dcb156ddbb065a44e9ec959770a0f1d02a7f09ef95fc8028ed8803794422a2620892083d2cdfee53d43c3ae65f8d1ef31f490567de9c15f23a858409a2944225ffaef01aca94bf2cf3705f54ae5c37195353d8228bac67794b01c40e4a6ec71bb17b6c120f13bcbea5574a30b86ba691173e14fa60abd5a2c1f30ca890732357a377fc77ed7822c1c4b5ed1d8ca02bcffbfa9be11d14bab4ff0b6a17479a98fef715008e9e4bb20e912594b073fb5e57e6ef627f8ee503ce5cae3b3b4a320d7227d97a3655859af3956989696b43d2c6130696a16166ab1aa5d2549e59209b9825ce5fbaf3cb65eec4e261af607417a7d3b5b440f774f6fece1b10001"
			NonTrustedWorldPK ="be2878a4730f378686a0c34c61512e111da071a810ccd2f1dae4522784ba95705718b27e4072c3ec918e9eb95dc8b70af59634468aa1dd1608e67adbf7fe76bbdd3339928f023b90e25cfa459d00648659c6356f197efcc4d0e5b8708c30d76cc0037593d9ef50e0d189f12afa4135db206733be2a4926e7cbace02a6336beec471c985b938ab8f3cedd1f30e2248e5cf8580655aba5e46628c0ac70cf213b3bdda7e1c91359cc5e6ece020405ff2465364a8ef3e46bfb535e77dc60056528e1ec55f299cbf6dee6424664c6d4a41d88600b7b0767ed29088b575db63946c33ac58cadb118f20a17d01b70ba3c71150d4d5f1c31976acac797066c1e239e417d10001dbbaa8ff9c32464bb2e39cc2341a9b5d31c7b56cdf1a18434b7b539002670816195c622d126747bb5bf499ceae72857d2e897d4416f604b60f7dde718ebce1f6825895f4cbc59e3d44f14b6b54159fde9561ca905143c21ebba6ec203a1183744f758e8bf1dded1244aed913a51d71189b4a254674274e0d3b656c218a555d96f8d8ee8d29d74129b1091dc98c256744896b1b927cd99609dd2f06dbb5e5eee4e5bc845d543747af2585c2db4cafbba7ccf668607e0dce22ffaf9716b2e949b67f5c0d751e670a5eea1a71819145cf06afc85dfba52ce9dae6f00772f9859a7a804fa1b7f9a6639484d7ceba12dcd57717800ad4bc0b1434475a3f2571433fe110001dbbaa8ff9c32464bb2e39cc2341a9b5d31c7b56cdf1a18434b7b539002670816195c622d126747bb5bf499ceae72857d2e897d4416f604b60f7dde718ebce1f6825895f4cbc59e3d44f14b6b54159fde9561ca905143c21ebba6ec203a1183744f758e8bf1dded1244aed913a51d71189b4a254674274e0d3b656c218a555d96f8d8ee8d29d74129b1091dc98c256744896b1b927cd99609dd2f06dbb5e5eee4e5bc845d543747af2585c2db4cafbba7ccf668607e0dce22ffaf9716b2e949b67f5c0d751e670a5eea1a71819145cf06afc85dfba52ce9dae6f00772f9859a7a804fa1b7f9a6639484d7ceba12dcd57717800ad4bc0b1434475a3f2571433fe110001"
			TrustedWorldPK ="dbbaa8ff9c32464bb2e39cc2341a9b5d31c7b56cdf1a18434b7b539002670816195c622d126747bb5bf499ceae72857d2e897d4416f604b60f7dde718ebce1f6825895f4cbc59e3d44f14b6b54159fde9561ca905143c21ebba6ec203a1183744f758e8bf1dded1244aed913a51d71189b4a254674274e0d3b656c218a555d96f8d8ee8d29d74129b1091dc98c256744896b1b927cd99609dd2f06dbb5e5eee4e5bc845d543747af2585c2db4cafbba7ccf668607e0dce22ffaf9716b2e949b67f5c0d751e670a5eea1a71819145cf06afc85dfba52ce9dae6f00772f9859a7a804fa1b7f9a6639484d7ceba12dcd57717800ad4bc0b1434475a3f2571433fe110001"

			`#DebugScenario_0130 =1`
			`#SoCSpecific_0130 =2`
			`#SecondaryDebugCertPK =3`

			`#DebugScenario_0131 =4`
			`#SoC_ID =5`
			`#SoCSpecific_0131 =6`

			`#TrustedFirmareNVCounter_0220 =7`
			`#SCPFirmareContentCertPK =8`

			`#TrustedFirmareNVCounter_0221 =9`
			`#SCPRomPatchHash =10`
			`#SCPFirmwareHash =11`

			`#TrustedFirmareNVCounter_0230 =12`
			`#TrustedOSFirmwareContentCertPK=13`

			`#TrustedFirmareNVCounter_0231 =14`
			`#NonTrustedFirmareNVCounter_0320=16`
			`#NonTrustedOSFirmwareContentCertPK=17`

			`#NonTrustedFirmareNVCounter_0321=18`
			`#VirtualizationFirmwareHash =19`
			`#NonTrustedWorldBootloaderHash =20`
			`[ v3_req ]`

			`# Extensions to add to a certificate request`

			`basicConstraints = CA:FALSE`
			`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`

			`[ v3_ca ]`


			`# Extensions for a typical CA`


			`# PKIX recommendation.`

			`subjectKeyIdentifier=hash`

			`authorityKeyIdentifier=keyid:always,issuer:always`

			`# This is what PKIX recommends but some broken software chokes on critical`
			`# extensions.`
			`#basicConstraints = critical,CA:true`
			`# So we do this instead.`
			`basicConstraints = CA:true`

			`# Key usage: this is typical for a CA certificate. However since it will`
			`# prevent it being used as an test self-signed certificate it is best`
			`# left out by default.`
			`# keyUsage = cRLSign, keyCertSign`

			`# Some might want this also`
			`# nsCertType = sslCA, emailCA`

			`# Include email address in subject alt name: another PKIX recommendation`
			`# subjectAltName=email:copy`
			`# Copy issuer details`
			`# issuerAltName=issuer:copy`

			`# DER hex encoding of an extension: beware experts only!`
			`# obj=DER:02:03`
			`# Where 'obj' is a standard or added object`
			`# You can even override a supported extension:`
			`# basicConstraints= critical, DER:30:03:01:01:FF`

			`[ crl_ext ]`

			`# CRL extensions.`
			`# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.`

			`# issuerAltName=issuer:copy`
			`authorityKeyIdentifier=keyid:always,issuer:always`

			`[ proxy_cert_ext ]`
			`# These extensions should be added when creating a proxy certificate`

			`# This goes against PKIX guidelines but some CAs do it and some software`
			`# requires this to avoid interpreting an end user certificate as a CA.`

			`basicConstraints=CA:FALSE`

			`# Here are some examples of the usage of nsCertType. If it is omitted`
			`# the certificate can be used for anything except object signing.`

			`# This is OK for an SSL server.`
			`# nsCertType = server`

			`# For an object signing certificate this would be used.`
			`# nsCertType = objsign`

			`# For normal client use this is typical`
			`# nsCertType = client, email`

			`# and for everything including object signing:`
			`# nsCertType = client, email, objsign`

			`# This is typical in keyUsage for a client certificate.`
			`# keyUsage = nonRepudiation, digitalSignature, keyEncipherment`

			`# This will be displayed in Netscape's comment listbox.`
			`nsComment = "OpenSSL Generated Certificate"`

			`# PKIX recommendations harmless if included in all certificates.`
			`subjectKeyIdentifier=hash`
			`authorityKeyIdentifier=keyid,issuer:always`

			`# This stuff is for subjectAltName and issuerAltname.`
			`# Import the email address.`
			`# subjectAltName=email:copy`
			`# An alternative to produce certificates that aren't`
			`# deprecated according to PKIX.`
			`# subjectAltName=email:move`

			`# Copy subject details`
			`# issuerAltName=issuer:copy`

			`#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem`
			`#nsBaseUrl`
			`#nsRevocationUrl`
			`#nsRenewalUrl`
			`#nsCaPolicyUrl`
			`#nsSslServerName`

			`# This really needs to be in place for it to be a proxy certificate.`
			`proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo`