Add script for generating certificates that require an explicit policy

net/data/ssl/scripts/policy.cnf

Index: net/data/ssl/scripts/policy.cnf
diff --git a/net/data/ssl/scripts/aia-test.cnf b/net/data/ssl/scripts/policy.cnf
similarity index 74%
copy from net/data/ssl/scripts/aia-test.cnf
copy to net/data/ssl/scripts/policy.cnf
index f89d68a8842ab778de325c2c1b2cb24071fac896..f5f1e0b1f17252c4b72d68610017dbddbe5996f6 100644
--- a/net/data/ssl/scripts/aia-test.cnf
+++ b/net/data/ssl/scripts/policy.cnf
@@ -1,6 +1,5 @@
 CA_DIR=out
-CA_NAME=aia-test-root
-AIA_URL=http://aia-test.invalid
+CA_NAME=policy-root
 
 [ca]
 default_ca = CA_root
@@ -26,11 +25,17 @@ copy_extensions  = copy
 [user_cert]
 basicConstraints       = critical, CA:false
 extendedKeyUsage       = serverAuth, clientAuth
-authorityInfoAccess    = caIssuers;URI:${ENV::AIA_URL}
+certificatePolicies    = 1.2.3.4
 
 [ca_cert]
 basicConstraints       = critical, CA:true
-keyUsage               = critical, keyCertSign, cRLSign
+keyUsage               = critical, digitalSignature, keyCertSign, cRLSign
+
+[intermediate_cert]
+basicConstraints       = critical, CA:true
+keyUsage               = critical, digitalSignature, keyCertSign, cRLSign
+policyConstraints      = requireExplicitPolicy:0
+certificatePolicies    = 1.2.3.4, 1.2.3.4.5, 1.2.3.5
 
 [policy_anything]
 # Default signing policy
@@ -51,5 +56,5 @@ encrypt_key        = no
 distinguished_name = req_env_dn
 
 [req_env_dn]
-CN = ${ENV::CA_COMMON_NAME}
+CN = ${ENV::COMMON_NAME}