+[ v3_ca]
+
+# Extensions for a typical CA
+
+# It's a CA certificate
+basicConstraints = CA:true
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+
+# Key usage: again this should really be critical.
+keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+#nsCertType = sslCA, emailCA