
#
# This config is used by the Time Stamp Authority tests.
# The file relies on OpenSSL CONF syntax throughout: '#' starts a comment,
# including after a value, and $name / $ENV::name are expanded.
#

# Extra OBJECT IDENTIFIER info:
oid_section = new_oids

# Global defaults behind the $ENV::TSDNSECT and $ENV::INDEX references used
# in [ req ] and [ ts_cert_dn ]; the test driver is expected to override
# them through the environment (e.g. TSDNSECT=ts_ca_dn for the CA itself).
TSDNSECT = ts_cert_dn
INDEX = 1

[ new_oids ]

# Policies used by the TSA tests. They are referenced by name from
# default_policy / other_policies in the tsa_config* sections.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

#----------------------------------------------------------------------
# 'openssl ca' entry point: names the section that holds the CA settings.
[ ca ]
default_ca = CA_default # The default ca section

[ CA_default ]

# Test-fixture CA; every path below is relative to the test working directory.
dir = ./demoCA
certs = $dir/certs # Where the issued certs are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/private/cakey.pem # The private key

default_days = 365 # how long to certify for
default_md = sha256 # digest used for the CA's certificate signatures
preserve = no # keep passed DN ordering

policy = policy_match # DN policy applied to incoming requests (see below)

# For the CA policy: 'supplied' fields must be present in the request,
# 'optional' fields may be omitted; no field is required to match the CA's own DN.
[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

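#----------------------------------------------------------------------
# 'openssl req' settings used for the test CSRs and the self-signed test CA
# certificate.
[ req ]
default_bits = 2048
# sha256 rather than sha1: keeps request and self-signed signatures consistent
# with default_md in [ CA_default ] and avoids SHA-1 certificate signatures,
# which verifiers increasingly reject.
default_md = sha256
# DN section selected by the test driver through the TSDNSECT environment
# variable (global default: ts_cert_dn).
distinguished_name = $ENV::TSDNSECT
encrypt_rsa_key = no # test keys are written unencrypted
prompt = no
# attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# DN string-type restriction, see string_mask in req(1)
string_mask = nombstr
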
# Subject DN of the test CA (selected with TSDNSECT=ts_ca_dn).
[ ts_ca_dn ]
countryName = HU
stateOrProvinceName = Budapest
localityName = Budapest
organizationName = Gov-CA Ltd.
commonName = ca1

# Subject DN of the TSA certificates (the TSDNSECT default). The INDEX
# environment variable (global default 1) is appended to the commonName so
# that several TSA certificates can be issued from this one section.
[ ts_cert_dn ]
countryName = HU
stateOrProvinceName = Budapest
localityName = Buda
organizationName = Hun-TSA Ltd.
commonName = tsa$ENV::INDEX

# Extensions for a TSA signing certificate (RFC 3161 section 2.3).
[ tsa_cert ]

# TSA server cert is not a CA cert.
basicConstraints=CA:FALSE

# The following key usage flags are needed for TSA server certificates.
keyUsage = nonRepudiation, digitalSignature
# RFC 3161 requires this single EKU, marked critical, in a TSA certificate;
# [ non_tsa_cert ] below deliberately omits it for the negative test.
extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# End-entity certificate without the timeStamping EKU, used through
# tsa_config2 (presumably as the negative test case — confirm in the recipe).
[ non_tsa_cert ]

# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
basicConstraints=CA:FALSE

# Same key usage as the real TSA certificate; only the EKU differs.
keyUsage = nonRepudiation, digitalSignature
# timeStamping is not supported by this certificate
# extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ v3_req ]

# Extensions to add to a certificate request (end-entity, no CA capability)
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature

[ v3_ca ]

# Extensions for a typical CA; applied to the self-signed test CA via
# x509_extensions in [ req ]

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# CA flag is critical and the key is limited to signing certificates and CRLs
basicConstraints = critical,CA:true
keyUsage = cRLSign, keyCertSign

#----------------------------------------------------------------------
# 'openssl ts' entry point: names the TSA section used when none is
# selected on the command line.
[ tsa ]

default_tsa = tsa_config1 # the default TSA section

# Primary TSA configuration. signer_cert is presumably issued with the
# [ tsa_cert ] extensions (timeStamping EKU) — confirm in the test recipe.
[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir = . # TSA root directory
serial = $dir/tsa_serial # The current serial number (mandatory)
signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
# (optional)
certs = $dir/tsaca.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
# sha1 is presumably kept in the accepted list for test coverage; a
# production TSA should not accept SHA-1 message imprints.
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = yes # Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_alg = sha256 # algorithm to compute certificate
# identifier (optional, default: sha1)

147 | [ tsa_config2 ] | |
148 | ||
149 | # This configuration uses a certificate which doesn't have timeStamping usage. | |
150 | # These are used by the TSA reply generation only. | |
151 | dir = . # TSA root directory | |
152 | serial = $dir/tsa_serial # The current serial number (mandatory) | |
153 | signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate | |
154 | # (optional) | |
155 | certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply | |
156 | # (optional) | |
157 | signer_key = $dir/tsa_key2.pem # The TSA private key (optional) | |
2cc7acd2 | 158 | signer_digest = sha256 # Signing digest to use. (Optional) |
159 | default_policy = tsa_policy1 # Policy if request did not specify it |
160 | # (optional) | |
161 | other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) | |
2cc7acd2 | 162 | digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) |