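# OpenSSL configuration for driving a PKCS #11 token through the "pkcs11"
# engine (libp11) while issuing test certificates.
#
# The file must keep one directive per line: if it is collapsed onto a single
# line, the leading "#" turns the entire content into one comment and no
# setting below takes effect.
#
# For details on what can go here, see:
#
#   https://github.com/OpenSC/libp11/README.md
#   https://www.nlnetlabs.nl/downloads/publications/hsm/hsm_node18.html
#
# Every ${ENV::NAME} reference below must resolve. OpenSSL reports an error
# and refuses to load the file when a referenced variable is unset, so
# ENGINE_MODULE, PKCS11_MODULE and PKCS11_PIN all have to be exported before
# any command reads this configuration.

# Default (unnamed) section: names the section holding library-wide settings.
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11

# Shared object implementing the engine. The path comes from the environment,
# so whoever controls the environment chooses the library loaded into the
# process. Outside of testing, use a fixed absolute path to a file that only
# an administrator can modify.
dynamic_path = ${ENV::ENGINE_MODULE}

# 0 = do not initialise the engine while this section is being processed.
init = 0

# For convenience while testing, we use environment variables to pass
# in the PIN and the path to the PKCS #11 module.  You would NOT
# want to do this in production, particularly with the PIN: environment
# variables are inherited by child processes, are readable by other processes
# running as the same user, and tend to end up in logs and crash dumps.
# In production, leave PIN out of this file and have it supplied
# interactively or through a mechanism with tighter access control.
MODULE_PATH = ${ENV::PKCS11_MODULE}
PIN = ${ENV::PKCS11_PIN}

# From here down is OpenSSL voodoo for issuing certificates.

[req]
# NOTE(review): there is no "prompt = no" here, so the [dn] entries are read
# as prompt strings rather than values unless the caller passes -subj;
# confirm against the calling script.
distinguished_name = dn
default_md = sha256
# Extensions applied when "req -x509" creates a self-signed certificate.
x509_extensions = ext_ca

[dn]
C = PV
O = Pottsylvanian Ministry of Offense

# CA certificate: key usage is restricted to signing certificates and CRLs.
# No pathlen is set, so the number of subordinate CA levels is not limited.
[ext_ca]
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

# End-entity certificate. Nothing in this file refers to this section, so the
# caller has to select it explicitly.
# NOTE(review): basicConstraints is absent; adding
# "basicConstraints = critical, CA:false" would state the non-CA status
# explicitly - confirm whether the omission is intentional.
[ext_ee]
keyUsage = critical, digitalSignature, nonRepudiation
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always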