-keyUsage = keyCertSign, cRLSign
-crlDistributionPoints=URI:http://g2.crl.cacert.org/g2/$2.crl
-authorityInfoAccess = OCSP;URI:http://g2.ocsp.cacert.org,caIssuers;URI:http://g2.crt.cacert.org/$2.crt
+authorityKeyIdentifier = keyid:always
+
+crlDistributionPoints=URI:http://g2.crl.${DOMAIN}/g2/$2.crl
+authorityInfoAccess = OCSP;URI:http://g2.ocsp.${DOMAIN},caIssuers;URI:http://g2.crt.${DOMAIN}/g2/$2.crt
+
+certificatePolicies=@polsect
+
+[polsect]
+policyIdentifier = 1.3.6.1.4.1.18506.9.${CPSID}
+CPS.1="http://g2.cps.${DOMAIN}/g2/${KNAME}.cps"
+