key:
  alg:
    - rsa
    - ec
    - dsa

  enc:
    - aes256
    - _3des
    - idea

  generate: both

  rsa:
    key_length:
      - _1024
      - 2048
      - 4096

  ec:
    curve_name:
      - prime256v1
      - secp384r1
      - secp521r1

  dsa:
    key_length:
      - 2048
      - 4096

  validity:
    notafter: +01

digest: sha256
increasing_serials: 1
randomized_serial_bytes: 8

publish:
  - disk

extensions:
  copy: copy

  basic_constraints:
    critical: 1
    ca: 0

  subject_key_identifier:
    critical: 0
    hash: 1

  authority_key_identifier:
    critical: 0
    keyid:  1
    issuer: 1

  issuer_alt_name:
    critical: 0
    copy: 1

  crl_distribution_points:
    critical: 0
    uri:
      - {{ pki_base_url }}{{ (pki_base_url is search('/^')) | ternary('','/') }}pub/[% ISSUER.CN.0 %]/crl

  authority_info_access:
    critical: 0
    ca_issuers: {{ pki_base_url }}{{ (pki_base_url is search('/^')) | ternary('','/') }}pub/[% ISSUER.CN.0 %]/ca
    ocsp: {{ pki_base_url }}

  policy_identifier:
    critical: 0

  netscape:
    comment:
      critical: 0
      text: This is a generic certificate. Generated with OpenXPKI trustcenter software.
    certificate_type:
      critical: 0
      ssl_client: 0
      smime_client: 0
      object_signing: 0
      ssl_client_ca: 0
      smime_client_ca: 0
      object_signing_ca: 0

    cdp:
      critical: 0
      uri: {{ pki_base_url }}{{ (pki_base_url is search('/^')) | ternary('','/') }}pub/[% ISSUER.CN.0 %]/crl
      ca_uri: {{ pki_base_url }}{{ (pki_base_url is search('/^')) | ternary('','/') }}pub/[% ISSUER.CN.0 %]/crl