##
## This is a prototype extension specification file
## which is processed using a macro language similar
## to transarc mpp. Do not delete the "[ extensions ]"
## section header.
##

[ extensions ]

##
## Extensions by certificate type
##

%ifdef TYPE_CA
basicConstraints        = critical,CA:TRUE
keyUsage 		= critical,cRLSign, keyCertSign
nsCertType              = sslCA, emailCA, objCA
%endif

%ifdef TYPE_USER
nsCertType              = client, email
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage        = clientAuth,emailProtection
%endif

%ifdef TYPE_OBJSIGN
nsCertType              = objsign
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage	= codeSigning
%endif

%ifdef TYPE_SERVER
nsCertType              = server
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
%endif

##
## These extensions are always present 
##

nsCaRevocationUrl	= http://ca.example.com/crl-v1.crl
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
authorityInfoAccess 	= caIssuers;URI:http://ca.example.com/ca.crt
crlDistributionPoints   = URI:http://ca.example.com/crl-v2.crl
certificatePolicies     = ia5org,@certpolicy
issuerAltName		= email:ca@example.com,URI:http://ca.example.com
subjectAltName          = @altnames 

[ altnames ]

%ifdef EMAIL 
email.1			= %{EMAIL}
%endif
%ifdef URI
URI.1			= %{URL}
%endif
%ifdef DNS
DNS.1			= %{DNS}
%endif
%ifdef IP
IP.1			= %{IP}
%endif

[certpolicy]

policyIdentifier	= 1.1.1.1.1
## Map this to a real document in your webserver configuration
CPS.1			= http://ca.example.com/CPS
userNotice.1		= @notice

[notice]

explicitText="Limited Liability, see http://ca.example.com/CP"