certificate_authorities: {
    test_ca: {
        ca_cert: {
            cert: 'spec/fixtures/test_ca.cer',
            key: 'spec/fixtures/test_ca.key'
        },
        ocsp_cert: {
            :pkcs12: 'spec/fixtures/test_ca_ocsp.p12',
            :password: 'r509'
        },
        ocsp_location: 'URI:http://ocsp.domain.com',
        ocsp_chain: 'spec/fixtures/test_ca_ocsp_chain.txt',
        ocsp_start_skew_seconds: 3600,
        ocsp_validity_hours: 168,
        cdp_location: 'URI:http://crl.domain.com/test_ca.crl',
        crl_list: 'spec/fixtures/test_ca_crl_list.txt',
        crl_number: 'spec/fixtures/test_ca_crl_number.txt',
        crl_validity_hours: 168, #7 days
        message_digest: 'SHA1', #SHA1, SHA256, SHA512 supported. MD5 too, but you really shouldn't use that unless you have a good reason
        profiles: {
            server: {
                basic_constraints: "CA:FALSE",
                key_usage: [digitalSignature,keyEncipherment],
                extended_key_usage: [serverAuth],
                certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.1", "CPS.1=http://example.com/cps"] ],
                subject_item_policy: {
                    CN: "required",
                    O:  "required",
                    OU: "optional",
                    ST: "required",
                    C:  "required",
                    L:  "required"
                }
            },
            client: {
                basic_constraints: "CA:FALSE",
                key_usage: [digitalSignature,keyEncipherment],
                extended_key_usage: [clientAuth],
                certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.2", "CPS.1=http://example.com/cps"] ]
            },
            email: {
                basic_constraints: "CA:FALSE",
                key_usage: [digitalSignature,keyEncipherment],
                extended_key_usage: [emailProtection],
                certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.3", "CPS.1=http://example.com/cps"] ]
            },
            clientserver: {
                basic_constraints:  "CA:FALSE",
                key_usage: [digitalSignature,keyEncipherment],
                extended_key_usage: [serverAuth,clientAuth],
                certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.4", "CPS.1=http://example.com/cps"] ]
            },
            codesigning: {
                basic_constraints:  "CA:FALSE",
                key_usage: [digitalSignature],
                extended_key_usage: [codeSigning],
                certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.5", "CPS.1=http://example.com/cps"] ]
            },
            timestamping: {
                basic_constraints:  "CA:FALSE",
                key_usage: [digitalSignature],
                extended_key_usage: [timeStamping],
                certificate_policies: [ [ "policyIdentifier=2.16.840.1.9999999999.1.2.3.4.6", "CPS.1=http://example.com/cps"] ]
            },
            subroot: {
                basic_constraints:  "CA:TRUE,pathlen:0",
                key_usage: [keyCertSign,cRLSign],
                extended_key_usage: [],
                certificate_policies: [ ]
            }
        }
    }
}