[ certificate_authority ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, {{ certificate_authority_basic_constraints | join(', ') }}
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
{% if certificate_authority_name_constraints is defined %}
nameConstraints = critical, {{ certificate_authority_name_constraints | join(',') }}
{% endif %}