[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign

[ v3_server ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:false
keyUsage = nonRepudiation, digitalSignature
extendedKeyUsage = critical, serverAuth
subjectAltName = @server_alt_names

[ server_alt_names ]
DNS.1 = server.tunneler

[ v3_client ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:false
keyUsage = nonRepudiation, digitalSignature
extendedKeyUsage = critical, clientAuth