[thirdparty/openssl.git] / test / CAtsa.cnf


#
# This config is used by the Time Stamp Authority tests.
#

RANDFILE		= ./.rnd

# Extra OBJECT IDENTIFIER info:
oid_section		= new_oids

TSDNSECT		= ts_cert_dn
INDEX			= 1

[ new_oids ]

# Policies used by the TSA tests.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

#----------------------------------------------------------------------
[ ca ]
default_ca	= CA_default		# The default ca section

[ CA_default ]

dir		= ./demoCA
certs		= $dir/certs		# Where the issued certs are kept
database	= $dir/index.txt	# database index file.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
private_key	= $dir/private/cakey.pem# The private key
RANDFILE	= $dir/private/.rand	# private random number file

default_days	= 365			# how long to certify for
default_md	= sha256			# which md to use.
preserve	= no			# keep passed DN ordering

policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= supplied
stateOrProvinceName	= supplied
organizationName	= supplied
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

#----------------------------------------------------------------------
[ req ]
default_bits		= 2048
default_md		= sha1
distinguished_name	= $ENV::TSDNSECT
encrypt_rsa_key		= no
prompt 			= no
# attributes		= req_attributes
x509_extensions	= v3_ca	# The extensions to add to the self signed cert

string_mask = nombstr

[ ts_ca_dn ]
countryName			= HU
stateOrProvinceName		= Budapest
localityName			= Budapest
organizationName		= Gov-CA Ltd.
commonName			= ca1

[ ts_cert_dn ]
countryName			= HU
stateOrProvinceName		= Budapest
localityName			= Buda
organizationName		= Hun-TSA Ltd.
commonName			= tsa$ENV::INDEX

[ tsa_cert ]

# TSA server cert is not a CA cert.
basicConstraints=CA:FALSE

# The following key usage flags are needed for TSA server certificates.
keyUsage = nonRepudiation, digitalSignature
extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ non_tsa_cert ]

# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
basicConstraints=CA:FALSE

# The following key usage flags are needed for TSA server certificates.
keyUsage = nonRepudiation, digitalSignature
# timeStamping is not supported by this certificate
# extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ v3_req ]

# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature

[ v3_ca ]

# Extensions for a typical CA

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = cRLSign, keyCertSign

#----------------------------------------------------------------------
[ tsa ]

default_tsa = tsa_config1	# the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir		= .			# TSA root directory
serial		= $dir/tsa_serial	# The current serial number (mandatory)
signer_cert	= $dir/tsa_cert1.pem 	# The TSA signing certificate
					# (optional)
certs		= $dir/tsaca.pem	# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/tsa_key1.pem	# The TSA private key (optional)
signer_digest  = sha256             # Signing digest to use. (Optional)
default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
ordering		= yes	# Is ordering defined for timestamps?
				# (optional, default: no)
tsa_name		= yes	# Must the TSA name be included in the reply?
				# (optional, default: no)
ess_cert_id_chain	= yes	# Must the ESS cert id chain be included?
				# (optional, default: no)
ess_cert_id_alg		= sha256	# algorithm to compute certificate
					# identifier (optional, default: sha1)

[ tsa_config2 ]

# This configuration uses a certificate which doesn't have timeStamping usage.
# These are used by the TSA reply generation only.
dir		= .			# TSA root directory
serial		= $dir/tsa_serial	# The current serial number (mandatory)
signer_cert	= $dir/tsa_cert2.pem 	# The TSA signing certificate
					# (optional)
certs		= $dir/demoCA/cacert.pem# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/tsa_key2.pem	# The TSA private key (optional)
signer_digest  = sha256             # Signing digest to use. (Optional)
default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
Commit	Line	Data
8573552e UM	1
	2	#
	3	# This config is used by the Time Stamp Authority tests.
	4	#
	5
2d851ab9	6	RANDFILE = ./.rnd
8573552e UM	7
	8	# Extra OBJECT IDENTIFIER info:
	9	oid_section = new_oids
	10
cf32ad7f DSH	11	TSDNSECT = ts_cert_dn
	12	INDEX = 1
	13
8573552e UM	14	[ new_oids ]
	15
	16	# Policies used by the TSA tests.
	17	tsa_policy1 = 1.2.3.4.1
	18	tsa_policy2 = 1.2.3.4.5.6
	19	tsa_policy3 = 1.2.3.4.5.7
	20
	21	#----------------------------------------------------------------------
	22	[ ca ]
	23	default_ca = CA_default # The default ca section
	24
	25	[ CA_default ]
	26
	27	dir = ./demoCA
	28	certs = $dir/certs # Where the issued certs are kept
	29	database = $dir/index.txt # database index file.
	30	new_certs_dir = $dir/newcerts # default place for new certs.
	31
	32	certificate = $dir/cacert.pem # The CA certificate
	33	serial = $dir/serial # The current serial number
	34	private_key = $dir/private/cakey.pem# The private key
	35	RANDFILE = $dir/private/.rand # private random number file
	36
	37	default_days = 365 # how long to certify for
2cc7acd2	38	default_md = sha256 # which md to use.
8573552e UM	39	preserve = no # keep passed DN ordering
	40
	41	policy = policy_match
	42
	43	# For the CA policy
	44	[ policy_match ]
	45	countryName = supplied
	46	stateOrProvinceName = supplied
	47	organizationName = supplied
	48	organizationalUnitName = optional
	49	commonName = supplied
	50	emailAddress = optional
	51
	52	#----------------------------------------------------------------------
	53	[ req ]
fec66938	54	default_bits = 2048
8573552e	55	default_md = sha1
cf32ad7f	56	distinguished_name = $ENV::TSDNSECT
8573552e	57	encrypt_rsa_key = no
cf32ad7f	58	prompt = no
8573552e	59	# attributes = req_attributes
478b50cf	60	x509_extensions = v3_ca # The extensions to add to the self signed cert
8573552e UM	61
	62	string_mask = nombstr
	63
cf32ad7f DSH	64	[ ts_ca_dn ]
	65	countryName = HU
	66	stateOrProvinceName = Budapest
	67	localityName = Budapest
	68	organizationName = Gov-CA Ltd.
	69	commonName = ca1
8573552e	70
cf32ad7f DSH	71	[ ts_cert_dn ]
	72	countryName = HU
	73	stateOrProvinceName = Budapest
	74	localityName = Buda
	75	organizationName = Hun-TSA Ltd.
	76	commonName = tsa$ENV::INDEX
8573552e UM	77
	78	[ tsa_cert ]
	79
	80	# TSA server cert is not a CA cert.
	81	basicConstraints=CA:FALSE
	82
	83	# The following key usage flags are needed for TSA server certificates.
	84	keyUsage = nonRepudiation, digitalSignature
	85	extendedKeyUsage = critical,timeStamping
	86
	87	# PKIX recommendations harmless if included in all certificates.
	88	subjectKeyIdentifier=hash
	89	authorityKeyIdentifier=keyid,issuer:always
	90
	91	[ non_tsa_cert ]
	92
	93	# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
	94	basicConstraints=CA:FALSE
	95
	96	# The following key usage flags are needed for TSA server certificates.
	97	keyUsage = nonRepudiation, digitalSignature
	98	# timeStamping is not supported by this certificate
	99	# extendedKeyUsage = critical,timeStamping
	100
	101	# PKIX recommendations harmless if included in all certificates.
	102	subjectKeyIdentifier=hash
	103	authorityKeyIdentifier=keyid,issuer:always
	104
	105	[ v3_req ]
	106
	107	# Extensions to add to a certificate request
	108	basicConstraints = CA:FALSE
	109	keyUsage = nonRepudiation, digitalSignature
	110
	111	[ v3_ca ]
	112
	113	# Extensions for a typical CA
	114
	115	subjectKeyIdentifier=hash
	116	authorityKeyIdentifier=keyid:always,issuer:always
	117	basicConstraints = critical,CA:true
	118	keyUsage = cRLSign, keyCertSign
	119
	120	#----------------------------------------------------------------------
	121	[ tsa ]
	122
	123	default_tsa = tsa_config1 # the default TSA section
	124
	125	[ tsa_config1 ]
	126
	127	# These are used by the TSA reply generation only.
	128	dir = . # TSA root directory
	129	serial = $dir/tsa_serial # The current serial number (mandatory)
	130	signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
	131	# (optional)
cf32ad7f	132	certs = $dir/tsaca.pem # Certificate chain to include in reply
8573552e UM	133	# (optional)
8573552e UM	134	signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
2cc7acd2	135	signer_digest = sha256 # Signing digest to use. (Optional)
8573552e UM	136	default_policy = tsa_policy1 # Policy if request did not specify it
	137	# (optional)
	138	other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
2cc7acd2	139	digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
8573552e UM	140	accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
	141	ordering = yes # Is ordering defined for timestamps?
	142	# (optional, default: no)
	143	tsa_name = yes # Must the TSA name be included in the reply?
	144	# (optional, default: no)
	145	ess_cert_id_chain = yes # Must the ESS cert id chain be included?
	146	# (optional, default: no)
f0ef20bf MK	147	ess_cert_id_alg = sha256 # algorithm to compute certificate
f0ef20bf MK	148	# identifier (optional, default: sha1)
8573552e UM	149
	150	[ tsa_config2 ]
	151
	152	# This configuration uses a certificate which doesn't have timeStamping usage.
	153	# These are used by the TSA reply generation only.
	154	dir = . # TSA root directory
	155	serial = $dir/tsa_serial # The current serial number (mandatory)
	156	signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
	157	# (optional)
	158	certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
	159	# (optional)
	160	signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
2cc7acd2	161	signer_digest = sha256 # Signing digest to use. (Optional)
8573552e UM	162	default_policy = tsa_policy1 # Policy if request did not specify it
	163	# (optional)
	164	other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
2cc7acd2	165	digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)