[thirdparty/openssl.git] / test / CAtsa.cnf


#
# This config is used by the Time Stamp Authority tests.
#

# Extra OBJECT IDENTIFIER info:
oid_section		= new_oids

TSDNSECT		= ts_cert_dn
INDEX			= 1

[ new_oids ]

# Policies used by the TSA tests.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

#----------------------------------------------------------------------
[ ca ]
default_ca	= CA_default		# The default ca section

[ CA_default ]

dir		= ./demoCA
certs		= $dir/certs		# Where the issued certs are kept
database	= $dir/index.txt	# database index file.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
private_key	= $dir/private/cakey.pem# The private key

default_days	= 365			# how long to certify for
default_md	= sha256			# which md to use.
preserve	= no			# keep passed DN ordering

policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= supplied
stateOrProvinceName	= supplied
organizationName	= supplied
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

#----------------------------------------------------------------------
[ req ]
default_bits		= 2048
default_md		= sha1
distinguished_name	= $ENV::TSDNSECT
encrypt_rsa_key		= no
prompt 			= no
# attributes		= req_attributes
x509_extensions	= v3_ca	# The extensions to add to the self signed cert

string_mask = nombstr

[ ts_ca_dn ]
countryName			= HU
stateOrProvinceName		= Budapest
localityName			= Budapest
organizationName		= Gov-CA Ltd.
commonName			= ca1

[ ts_cert_dn ]
countryName			= HU
stateOrProvinceName		= Budapest
localityName			= Buda
organizationName		= Hun-TSA Ltd.
commonName			= tsa$ENV::INDEX

[ tsa_cert ]

# TSA server cert is not a CA cert.
basicConstraints=CA:FALSE

# The following key usage flags are needed for TSA server certificates.
keyUsage = nonRepudiation, digitalSignature
extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ non_tsa_cert ]

# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
basicConstraints=CA:FALSE

# The following key usage flags are needed for TSA server certificates.
keyUsage = nonRepudiation, digitalSignature
# timeStamping is not supported by this certificate
# extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ v3_req ]

# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature

[ v3_ca ]

# Extensions for a typical CA

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = cRLSign, keyCertSign

#----------------------------------------------------------------------
[ tsa ]

default_tsa = tsa_config1	# the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir		= .			# TSA root directory
serial		= $dir/tsa_serial	# The current serial number (mandatory)
signer_cert	= $dir/tsa_cert1.pem 	# The TSA signing certificate
					# (optional)
certs		= $dir/tsaca.pem	# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/tsa_key1.pem	# The TSA private key (optional)
signer_digest  = sha256             # Signing digest to use. (Optional)
default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
ordering		= yes	# Is ordering defined for timestamps?
				# (optional, default: no)
tsa_name		= yes	# Must the TSA name be included in the reply?
				# (optional, default: no)
ess_cert_id_chain	= yes	# Must the ESS cert id chain be included?
				# (optional, default: no)
ess_cert_id_alg		= sha256	# algorithm to compute certificate
					# identifier (optional, default: sha1)

[ tsa_config2 ]

# This configuration uses a certificate which doesn't have timeStamping usage.
# These are used by the TSA reply generation only.
dir		= .			# TSA root directory
serial		= $dir/tsa_serial	# The current serial number (mandatory)
signer_cert	= $dir/tsa_cert2.pem 	# The TSA signing certificate
					# (optional)
certs		= $dir/demoCA/cacert.pem# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/tsa_key2.pem	# The TSA private key (optional)
signer_digest  = sha256             # Signing digest to use. (Optional)
default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
Commit	Line	Data
8573552e UM	1
	2	#
	3	# This config is used by the Time Stamp Authority tests.
	4	#
	5
8573552e UM	6	# Extra OBJECT IDENTIFIER info:
	7	oid_section = new_oids
	8
cf32ad7f DSH	9	TSDNSECT = ts_cert_dn
	10	INDEX = 1
	11
8573552e UM	12	[ new_oids ]
	13
	14	# Policies used by the TSA tests.
	15	tsa_policy1 = 1.2.3.4.1
	16	tsa_policy2 = 1.2.3.4.5.6
	17	tsa_policy3 = 1.2.3.4.5.7
	18
	19	#----------------------------------------------------------------------
	20	[ ca ]
	21	default_ca = CA_default # The default ca section
	22
	23	[ CA_default ]
	24
	25	dir = ./demoCA
	26	certs = $dir/certs # Where the issued certs are kept
	27	database = $dir/index.txt # database index file.
	28	new_certs_dir = $dir/newcerts # default place for new certs.
	29
	30	certificate = $dir/cacert.pem # The CA certificate
	31	serial = $dir/serial # The current serial number
	32	private_key = $dir/private/cakey.pem# The private key
8573552e UM	33
8573552e UM	34	default_days = 365 # how long to certify for
2cc7acd2	35	default_md = sha256 # which md to use.
8573552e UM	36	preserve = no # keep passed DN ordering
	37
	38	policy = policy_match
	39
	40	# For the CA policy
	41	[ policy_match ]
	42	countryName = supplied
	43	stateOrProvinceName = supplied
	44	organizationName = supplied
	45	organizationalUnitName = optional
	46	commonName = supplied
	47	emailAddress = optional
	48
	49	#----------------------------------------------------------------------
	50	[ req ]
fec66938	51	default_bits = 2048
8573552e	52	default_md = sha1
cf32ad7f	53	distinguished_name = $ENV::TSDNSECT
8573552e	54	encrypt_rsa_key = no
cf32ad7f	55	prompt = no
8573552e	56	# attributes = req_attributes
478b50cf	57	x509_extensions = v3_ca # The extensions to add to the self signed cert
8573552e UM	58
	59	string_mask = nombstr
	60
cf32ad7f DSH	61	[ ts_ca_dn ]
	62	countryName = HU
	63	stateOrProvinceName = Budapest
	64	localityName = Budapest
	65	organizationName = Gov-CA Ltd.
	66	commonName = ca1
8573552e	67
cf32ad7f DSH	68	[ ts_cert_dn ]
	69	countryName = HU
	70	stateOrProvinceName = Budapest
	71	localityName = Buda
	72	organizationName = Hun-TSA Ltd.
	73	commonName = tsa$ENV::INDEX
8573552e UM	74
	75	[ tsa_cert ]
	76
	77	# TSA server cert is not a CA cert.
	78	basicConstraints=CA:FALSE
	79
	80	# The following key usage flags are needed for TSA server certificates.
	81	keyUsage = nonRepudiation, digitalSignature
	82	extendedKeyUsage = critical,timeStamping
	83
	84	# PKIX recommendations harmless if included in all certificates.
	85	subjectKeyIdentifier=hash
	86	authorityKeyIdentifier=keyid,issuer:always
	87
	88	[ non_tsa_cert ]
	89
	90	# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
	91	basicConstraints=CA:FALSE
	92
	93	# The following key usage flags are needed for TSA server certificates.
	94	keyUsage = nonRepudiation, digitalSignature
	95	# timeStamping is not supported by this certificate
	96	# extendedKeyUsage = critical,timeStamping
	97
	98	# PKIX recommendations harmless if included in all certificates.
	99	subjectKeyIdentifier=hash
	100	authorityKeyIdentifier=keyid,issuer:always
	101
	102	[ v3_req ]
	103
	104	# Extensions to add to a certificate request
	105	basicConstraints = CA:FALSE
	106	keyUsage = nonRepudiation, digitalSignature
	107
	108	[ v3_ca ]
	109
	110	# Extensions for a typical CA
	111
	112	subjectKeyIdentifier=hash
	113	authorityKeyIdentifier=keyid:always,issuer:always
	114	basicConstraints = critical,CA:true
	115	keyUsage = cRLSign, keyCertSign
	116
	117	#----------------------------------------------------------------------
	118	[ tsa ]
	119
	120	default_tsa = tsa_config1 # the default TSA section
	121
	122	[ tsa_config1 ]
	123
	124	# These are used by the TSA reply generation only.
	125	dir = . # TSA root directory
	126	serial = $dir/tsa_serial # The current serial number (mandatory)
	127	signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
	128	# (optional)
cf32ad7f	129	certs = $dir/tsaca.pem # Certificate chain to include in reply
8573552e UM	130	# (optional)
8573552e UM	131	signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
2cc7acd2	132	signer_digest = sha256 # Signing digest to use. (Optional)
8573552e UM	133	default_policy = tsa_policy1 # Policy if request did not specify it
	134	# (optional)
	135	other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
2cc7acd2	136	digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
8573552e UM	137	accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
	138	ordering = yes # Is ordering defined for timestamps?
	139	# (optional, default: no)
	140	tsa_name = yes # Must the TSA name be included in the reply?
	141	# (optional, default: no)
	142	ess_cert_id_chain = yes # Must the ESS cert id chain be included?
	143	# (optional, default: no)
f0ef20bf MK	144	ess_cert_id_alg = sha256 # algorithm to compute certificate
f0ef20bf MK	145	# identifier (optional, default: sha1)
8573552e UM	146
	147	[ tsa_config2 ]
	148
	149	# This configuration uses a certificate which doesn't have timeStamping usage.
	150	# These are used by the TSA reply generation only.
	151	dir = . # TSA root directory
	152	serial = $dir/tsa_serial # The current serial number (mandatory)
	153	signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
	154	# (optional)
	155	certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
	156	# (optional)
	157	signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
2cc7acd2	158	signer_digest = sha256 # Signing digest to use. (Optional)
8573552e UM	159	default_policy = tsa_policy1 # Policy if request did not specify it
	160	# (optional)
	161	other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
2cc7acd2	162	digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)