Commit | Line | Data |
---|---|---|
8573552e UM |
1 | |
2 | # | |
3 | # This config is used by the Time Stamp Authority tests. | |
4 | # | |
5 | ||
2d851ab9 | 6 | RANDFILE = ./.rnd |
8573552e UM |
7 | |
8 | # Extra OBJECT IDENTIFIER info: | |
9 | oid_section = new_oids | |
10 | ||
cf32ad7f DSH |
11 | TSDNSECT = ts_cert_dn # default used when ENV::TSDNSECT is not set in the environment (read by distinguished_name in [ req ]) |
12 | INDEX = 1 # default used when ENV::INDEX is not set in the environment (read by commonName in [ ts_cert_dn ]) | |
13 | ||
8573552e UM |
14 | [ new_oids ] |
15 | ||
16 | # Policies used by the TSA tests. | |
17 | tsa_policy1 = 1.2.3.4.1 | |
18 | tsa_policy2 = 1.2.3.4.5.6 | |
19 | tsa_policy3 = 1.2.3.4.5.7 | |
20 | ||
21 | #---------------------------------------------------------------------- | |
22 | [ ca ] | |
23 | default_ca = CA_default # The default ca section | |
24 | ||
25 | [ CA_default ] | |
26 | ||
27 | dir = ./demoCA | |
28 | certs = $dir/certs # Where the issued certs are kept | |
29 | database = $dir/index.txt # database index file. | |
30 | new_certs_dir = $dir/newcerts # default place for new certs. | |
31 | ||
32 | certificate = $dir/cacert.pem # The CA certificate | |
33 | serial = $dir/serial # The current serial number | |
34 | private_key = $dir/private/cakey.pem# The private key | |
35 | RANDFILE = $dir/private/.rand # private random number file | |
36 | ||
37 | default_days = 365 # how long to certify for | |
2cc7acd2 | 38 | default_md = sha256 # which md to use. |
8573552e UM |
39 | preserve = no # keep passed DN ordering |
40 | ||
41 | policy = policy_match | |
42 | ||
43 | # DN policy for the CA, selected by "policy" in [ CA_default ]: "supplied" fields must be present, "optional" ones may be absent. Despite the section name, no field is set to "match". | |
44 | [ policy_match ] | |
45 | countryName = supplied | |
46 | stateOrProvinceName = supplied | |
47 | organizationName = supplied | |
48 | organizationalUnitName = optional | |
49 | commonName = supplied | |
50 | emailAddress = optional | |
51 | ||
52 | #---------------------------------------------------------------------- | |
53 | [ req ] | |
fec66938 | 54 | default_bits = 2048 # key size in bits for newly generated keys |
8573552e | 55 | default_md = sha1 # NOTE(review): requests are signed with SHA-1 here while [ CA_default ] uses sha256 - confirm the tests still need sha1 |
cf32ad7f | 56 | distinguished_name = $ENV::TSDNSECT # DN section name comes from the environment; falls back to TSDNSECT in the default section |
8573552e | 57 | encrypt_rsa_key = no # generated private keys are written without a passphrase; keep this to test fixtures |
cf32ad7f | 58 | prompt = no # take the DN fields from this file instead of prompting |
8573552e | 59 | # attributes = req_attributes |
478b50cf | 60 | x509_extensions = v3_ca # The extensions to add to the self signed cert |
8573552e UM |
61 | |
62 | string_mask = nombstr | |
63 | ||
cf32ad7f DSH |
64 | [ ts_ca_dn ] |
65 | countryName = HU | |
66 | stateOrProvinceName = Budapest | |
67 | localityName = Budapest | |
68 | organizationName = Gov-CA Ltd. | |
69 | commonName = ca1 | |
8573552e | 70 | |
cf32ad7f DSH |
71 | [ ts_cert_dn ] |
72 | countryName = HU | |
73 | stateOrProvinceName = Budapest | |
74 | localityName = Buda | |
75 | organizationName = Hun-TSA Ltd. | |
76 | commonName = tsa$ENV::INDEX # INDEX from the environment, else the default-section value; presumably gives each TSA cert its own CN | |
8573552e UM |
77 | |
78 | [ tsa_cert ] | |
79 | ||
80 | # TSA server cert is not a CA cert. | |
81 | basicConstraints=CA:FALSE | |
82 | ||
83 | # The following key usage flags are needed for TSA server certificates. RFC 3161 requires the extended key usage to be critical and to contain only timeStamping. | |
84 | keyUsage = nonRepudiation, digitalSignature | |
85 | extendedKeyUsage = critical,timeStamping | |
86 | ||
87 | # PKIX recommendations, harmless if included in all certificates. | |
88 | subjectKeyIdentifier=hash | |
89 | authorityKeyIdentifier=keyid,issuer:always | |
90 | ||
91 | [ non_tsa_cert ] | |
92 | ||
93 | # This is not a CA cert and not a TSA cert, either (timeStamping usage missing) | |
94 | basicConstraints=CA:FALSE | |
95 | ||
96 | # Same key usage flags as [ tsa_cert ]; only the extended key usage differs. | |
97 | keyUsage = nonRepudiation, digitalSignature | |
98 | # timeStamping is deliberately left out of this certificate; [ tsa_config2 ] uses a certificate without timeStamping usage (presumably this one - confirm) | |
99 | # extendedKeyUsage = critical,timeStamping | |
100 | ||
101 | # PKIX recommendations, harmless if included in all certificates. | |
102 | subjectKeyIdentifier=hash | |
103 | authorityKeyIdentifier=keyid,issuer:always | |
104 | ||
105 | [ v3_req ] | |
106 | ||
107 | # Extensions to add to a certificate request | |
108 | basicConstraints = CA:FALSE | |
109 | keyUsage = nonRepudiation, digitalSignature | |
110 | ||
111 | [ v3_ca ] | |
112 | ||
113 | # Extensions for a typical CA, applied to the self signed cert through x509_extensions in [ req ]. No pathlen constraint is set and keyUsage is not marked critical. | |
114 | ||
115 | subjectKeyIdentifier=hash | |
116 | authorityKeyIdentifier=keyid:always,issuer:always | |
117 | basicConstraints = critical,CA:true | |
118 | keyUsage = cRLSign, keyCertSign | |
119 | ||
120 | #---------------------------------------------------------------------- | |
121 | [ tsa ] | |
122 | ||
123 | default_tsa = tsa_config1 # the default TSA section | |
124 | ||
125 | [ tsa_config1 ] | |
126 | ||
127 | # These settings are used only when generating TSA replies; file paths are built from dir below. | |
128 | dir = . # TSA root directory | |
129 | serial = $dir/tsa_serial # The current serial number (mandatory) | |
130 | signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate | |
131 | # (optional) | |
cf32ad7f | 132 | certs = $dir/tsaca.pem # Certificate chain to include in reply |
8573552e UM |
133 | # (optional) |
134 | signer_key = $dir/tsa_key1.pem # The TSA private key (optional) | |
2cc7acd2 | 135 | signer_digest = sha256 # Signing digest to use. (Optional) |
8573552e UM |
136 | default_policy = tsa_policy1 # Policy if request did not specify it |
137 | # (optional) | |
138 | other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) | |
2cc7acd2 | 139 | digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory). NOTE(review): sha1 is still accepted for request imprints; drop it where SHA-1 requests need not be served |
8573552e UM |
140 | accuracy = secs:1, millisecs:500, microsecs:100 # (optional) |
141 | ordering = yes # Is ordering defined for timestamps? | |
142 | # (optional, default: no) | |
143 | tsa_name = yes # Must the TSA name be included in the reply? | |
144 | # (optional, default: no) | |
145 | ess_cert_id_chain = yes # Must the ESS cert id chain be included? | |
146 | # (optional, default: no) | |
f0ef20bf MK |
147 | ess_cert_id_alg = sha256 # algorithm to compute certificate |
148 | # identifier (optional, default: sha1); set to sha256 here instead of that default | |
8573552e UM |
149 | |
150 | [ tsa_config2 ] | |
151 | ||
152 | # This configuration uses a certificate which doesn't have timeStamping usage. | |
153 | # These are used by the TSA reply generation only. | |
154 | dir = . # TSA root directory | |
155 | serial = $dir/tsa_serial # The current serial number (mandatory) | |
156 | signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate | |
157 | # (optional) | |
158 | certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply | |
159 | # (optional) | |
160 | signer_key = $dir/tsa_key2.pem # The TSA private key (optional) | |
2cc7acd2 | 161 | signer_digest = sha256 # Signing digest to use. (Optional) |
8573552e UM |
162 | default_policy = tsa_policy1 # Policy if request did not specify it |
163 | # (optional) | |
164 | other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) | |
2cc7acd2 | 165 | digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) |