test/CAtsa.cnf

   1
   2 #
   3 # This config is used by the Time Stamp Authority tests.
   4 #
   5
   6 # This definition stops the following lines choking if HOME isn't
   7 # defined.
   8 HOME                    = .
   9 RANDFILE                = $ENV::HOME/.rnd
  10
  11 # Extra OBJECT IDENTIFIER info:
  12 oid_section             = new_oids
  13
  14 TSDNSECT                = ts_cert_dn
  15 INDEX                   = 1
  16
  17 [ new_oids ]
  18
  19 # Policies used by the TSA tests.
  20 tsa_policy1 = 1.2.3.4.1
  21 tsa_policy2 = 1.2.3.4.5.6
  22 tsa_policy3 = 1.2.3.4.5.7
  23
  24 #----------------------------------------------------------------------
  25 [ ca ]
  26 default_ca      = CA_default            # The default ca section
  27
  28 [ CA_default ]
  29
  30 dir             = ./demoCA
  31 certs           = $dir/certs            # Where the issued certs are kept
  32 database        = $dir/index.txt        # database index file.
  33 new_certs_dir   = $dir/newcerts         # default place for new certs.
  34
  35 certificate     = $dir/cacert.pem       # The CA certificate
  36 serial          = $dir/serial           # The current serial number
  37 private_key     = $dir/private/cakey.pem# The private key
  38 RANDFILE        = $dir/private/.rand    # private random number file
  39
  40 default_days    = 365                   # how long to certify for
  41 default_md      = sha1                  # which md to use.
  42 preserve        = no                    # keep passed DN ordering
  43
  44 policy          = policy_match
  45
  46 # For the CA policy
  47 [ policy_match ]
  48 countryName             = supplied
  49 stateOrProvinceName     = supplied
  50 organizationName        = supplied
  51 organizationalUnitName  = optional
  52 commonName              = supplied
  53 emailAddress            = optional
  54
  55 #----------------------------------------------------------------------
  56 [ req ]
  57 default_bits            = 1024
  58 default_md              = sha1
  59 distinguished_name      = $ENV::TSDNSECT
  60 encrypt_rsa_key         = no
  61 prompt                  = no
  62 # attributes            = req_attributes
  63 x509_extensions = v3_ca # The extentions to add to the self signed cert
  64
  65 string_mask = nombstr
  66
  67 [ ts_ca_dn ]
  68 countryName                     = HU
  69 stateOrProvinceName             = Budapest
  70 localityName                    = Budapest
  71 organizationName                = Gov-CA Ltd.
  72 commonName                      = ca1
  73
  74 [ ts_cert_dn ]
  75 countryName                     = HU
  76 stateOrProvinceName             = Budapest
  77 localityName                    = Buda
  78 organizationName                = Hun-TSA Ltd.
  79 commonName                      = tsa$ENV::INDEX
  80
  81 [ tsa_cert ]
  82
  83 # TSA server cert is not a CA cert.
  84 basicConstraints=CA:FALSE
  85
  86 # The following key usage flags are needed for TSA server certificates.
  87 keyUsage = nonRepudiation, digitalSignature
  88 extendedKeyUsage = critical,timeStamping
  89
  90 # PKIX recommendations harmless if included in all certificates.
  91 subjectKeyIdentifier=hash
  92 authorityKeyIdentifier=keyid,issuer:always
  93
  94 [ non_tsa_cert ]
  95
  96 # This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
  97 basicConstraints=CA:FALSE
  98
  99 # The following key usage flags are needed for TSA server certificates.
 100 keyUsage = nonRepudiation, digitalSignature
 101 # timeStamping is not supported by this certificate
 102 # extendedKeyUsage = critical,timeStamping
 103
 104 # PKIX recommendations harmless if included in all certificates.
 105 subjectKeyIdentifier=hash
 106 authorityKeyIdentifier=keyid,issuer:always
 107
 108 [ v3_req ]
 109
 110 # Extensions to add to a certificate request
 111 basicConstraints = CA:FALSE
 112 keyUsage = nonRepudiation, digitalSignature
 113
 114 [ v3_ca ]
 115
 116 # Extensions for a typical CA
 117
 118 subjectKeyIdentifier=hash
 119 authorityKeyIdentifier=keyid:always,issuer:always
 120 basicConstraints = critical,CA:true
 121 keyUsage = cRLSign, keyCertSign
 122
 123 #----------------------------------------------------------------------
 124 [ tsa ]
 125
 126 default_tsa = tsa_config1       # the default TSA section
 127
 128 [ tsa_config1 ]
 129
 130 # These are used by the TSA reply generation only.
 131 dir             = .                     # TSA root directory
 132 serial          = $dir/tsa_serial       # The current serial number (mandatory)
 133 signer_cert     = $dir/tsa_cert1.pem    # The TSA signing certificate
 134                                         # (optional)
 135 certs           = $dir/tsaca.pem        # Certificate chain to include in reply
 136                                         # (optional)
 137 signer_key      = $dir/tsa_key1.pem     # The TSA private key (optional)
 138
 139 default_policy  = tsa_policy1           # Policy if request did not specify it
 140                                         # (optional)
 141 other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
 142 digests         = md5, sha1             # Acceptable message digests (mandatory)
 143 accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
 144 ordering                = yes   # Is ordering defined for timestamps?
 145                                 # (optional, default: no)
 146 tsa_name                = yes   # Must the TSA name be included in the reply?
 147                                 # (optional, default: no)
 148 ess_cert_id_chain       = yes   # Must the ESS cert id chain be included?
 149                                 # (optional, default: no)
 150
 151 [ tsa_config2 ]
 152
 153 # This configuration uses a certificate which doesn't have timeStamping usage.
 154 # These are used by the TSA reply generation only.
 155 dir             = .                     # TSA root directory
 156 serial          = $dir/tsa_serial       # The current serial number (mandatory)
 157 signer_cert     = $dir/tsa_cert2.pem    # The TSA signing certificate
 158                                         # (optional)
 159 certs           = $dir/demoCA/cacert.pem# Certificate chain to include in reply
 160                                         # (optional)
 161 signer_key      = $dir/tsa_key2.pem     # The TSA private key (optional)
 162
 163 default_policy  = tsa_policy1           # Policy if request did not specify it
 164                                         # (optional)
 165 other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
 166 digests         = md5, sha1             # Acceptable message digests (mandatory)