Sample file
# x509_extensions = v3_ca_extensions
# x509_extensions = v3_issuing_extensions
# x509_extensions = v3_datavault_extensions
# x509_extensions = v3_scep_extensions
# x509_extensions = v3_web_extensions
# x509_extensions = v3_ca_reqexts # not for the self-signed root, only for the issuing CA
## x509_extensions = v3_datavault_reqexts # not required when self-signed
# x509_extensions = v3_scep_reqexts
# x509_extensions = v3_web_reqexts
# Defaults for `openssl req`: key size for newly generated keys and the
# section that defines the subject-name prompts.
# NOTE(review): no default_md is set here, so the signing digest comes from
# the OpenSSL default or the command line; confirm it is SHA-256 or stronger.
[ req ]
# Key size in bits used when `openssl req` generates a new key.
default_bits = 4096
# Name of the section listing the DN attributes to prompt for.
distinguished_name = req_distinguished_name
# Subject-name prompts: each key is a DN attribute, each value is the prompt
# text shown for it. Only DC and CN are collected.
[ req_distinguished_name ]
domainComponent = Domain Component
commonName = Common Name
# Extensions placed in a CSR for a CA certificate.
# No basicConstraints is requested here, so CA:TRUE has to be set by the
# section used at signing time.
[ v3_ca_reqexts ]
subjectKeyIdentifier = hash
# Certificate and CRL signing; not marked critical in the request.
keyUsage = digitalSignature, keyCertSign, cRLSign
# Extensions placed in a CSR for the datavault certificate.
# The key is limited to key encipherment (an encryption key, not a signing key).
[ v3_datavault_reqexts ]
subjectKeyIdentifier = hash
keyUsage = keyEncipherment
extendedKeyUsage = emailProtection
# Extensions placed in a CSR for the SCEP certificate.
# Only a subject key identifier is requested; no keyUsage or extendedKeyUsage.
[ v3_scep_reqexts ]
subjectKeyIdentifier = hash
# Extensions placed in a CSR for the web (TLS) certificate.
[ v3_web_reqexts ]
subjectKeyIdentifier = hash
# Marked critical, so a relying party must enforce these usages.
keyUsage = critical, digitalSignature, keyEncipherment
# NOTE(review): clientAuth is requested alongside serverAuth; drop it if the
# certificate is only ever presented by a TLS server.
extendedKeyUsage = serverAuth, clientAuth
# Extensions written into a CA certificate at signing time.
# Presumably the self-signed root, going by the section name; confirm against
# the command that selects it.
[ v3_ca_extensions ]
subjectKeyIdentifier = hash
# NOTE(review): keyUsage is not marked critical. RFC 5280 says CA certificates
# SHOULD mark it critical; consider "critical, ..." after checking clients.
keyUsage = digitalSignature, keyCertSign, cRLSign
# Critical CA flag with no pathlen, so the chain depth below this CA is unlimited.
basicConstraints = critical,CA:TRUE
# keyid:always fails the signing if the issuer key identifier is unavailable;
# the issuer name and serial are added only as a fallback.
authorityKeyIdentifier = keyid:always,issuer
# Extensions written into the issuing (subordinate) CA certificate at signing time.
[ v3_issuing_extensions ]
subjectKeyIdentifier = hash
# NOTE(review): keyUsage is not marked critical. RFC 5280 says CA certificates
# SHOULD mark it critical.
keyUsage = digitalSignature, keyCertSign, cRLSign
# NOTE(review): no pathlen is set, so this CA can itself certify further
# subordinate CAs. If it only issues end-entity certificates, pathlen:0 would
# enforce that in the certificate.
basicConstraints = critical,CA:TRUE
# Always include both the issuer key id and the issuer name and serial.
authorityKeyIdentifier = keyid:always,issuer:always
# "FQDN of the server" is a placeholder and must be replaced with the real
# host name. As written the value contains spaces and is not a usable URI,
# and clients cannot fetch the CRL or the issuer certificate from it.
crlDistributionPoints = URI:http://FQDN of the server/CertEnroll/MYOPENXPKI.crl
authorityInfoAccess = caIssuers;URI:http://FQDN of the server/CertEnroll/MYOPENXPKI.crt
# Extensions written into the datavault certificate at signing time.
# End-entity certificate restricted to key encipherment.
[ v3_datavault_extensions ]
subjectKeyIdentifier = hash
keyUsage = keyEncipherment
extendedKeyUsage = emailProtection
# Not a CA. This flag is not marked critical here.
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid:always,issuer
# Extensions written into the SCEP certificate at signing time.
# NOTE(review): no keyUsage or extendedKeyUsage is set, so the certificate does
# not restrict what the key may be used for. Confirm this is intended for the
# SCEP service.
[ v3_scep_extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
# Without ":always", the key id is included when available and the issuer name
# and serial are used only as a fallback.
authorityKeyIdentifier = keyid,issuer
# Extensions written into the web (TLS) certificate at signing time.
[ v3_web_extensions ]
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
# NOTE(review): clientAuth is granted alongside serverAuth; drop it if the
# certificate is only ever presented by a TLS server.
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = critical,CA:FALSE
# The host name is hard-coded in this sample. It must match the name clients
# connect to, so change it for your own server before signing.
subjectAltName = DNS:stlopenxpki.lexmark.com
# "FQDN of the server" is a placeholder and must be replaced with the real
# host name. As written the value contains spaces and is not a usable URI.
crlDistributionPoints = URI:http://FQDN of the server/CertEnroll/MYOPENXPKI_ISSUINGCA.crl
authorityInfoAccess = caIssuers;URI:http://FQDN of the server/CertEnroll/MYOPENXPKI_ISSUINGCA.crt