Implement LoadTemporaryRoot for Windows

net/data/ssl/certificates/openssl_ca.cnf

Index: net/data/ssl/certificates/openssl_ca.cnf
diff --git a/net/data/ssl/certificates/openssl_ca.cnf b/net/data/ssl/certificates/openssl_ca.cnf
new file mode 100644
index 0000000000000000000000000000000000000000..82a66bb7274a8794c096a07f3295c279e6830ccb
--- /dev/null
+++ b/net/data/ssl/certificates/openssl_ca.cnf
@@ -0,0 +1,42 @@
+[ca]
+default_ca = CA_root
+
+# The default test root, used to generate certificates and CRLs.
+[CA_root]
+dir           = ./root_ca
+database      = $dir/index.txt
+new_certs_dir = $dir/newcerts
+serial        = $dir/serial
+certificate   = $dir/cacert.pem
+private_key   = $dir/private/cacert.key
+RANDFILE      = $dir/private/.rand
+
+default_days     = 365
+default_crl_days = 30
+default_md       = sha1
+policy           = policy_anything
+
+[user_cert]
+# Extensions to add when signing a request for an EE cert
+basicConstraints       = CA:false
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid,issuer:always

[wtc, 2010/11/23 00:30:11]

We probably should not include 'issuer'.  Having 'keyid'
should be enough.

This comment also applies to lines 29 and 33 below in the
ca_cert and crl_extensions sections.

I suggest looking at certificates and CRLs issued by a real
CA such as VeriSign as examples.

+
+[ca_cert]
+# Extensions to add when signing a request for an intermediate/CA cert
+basicConstraints       = CA:true
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid,issuer:always
+
+[crl_extensions]
+# Extensions to add when signing a CRL
+authorityKeyIdentifier = keyid:always,issuer:always
+
+[policy_anything]
+countryName            = optional
+stateOrProvinceName    = optional
+localityName           = optional
+organizationName       = optional
+organizationalUnitName = optional
+commonName             = supplied
+emailAddress           = optional