keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
# It's a CA certificate
basicConstraints = CA:true
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true