
#
# This config is used by the Time Stamp Authority tests.
#
# Everything in this file is test fixture data (DNs, OIDs, key and
# certificate paths); none of it is meant to be reused as a production
# CA or TSA configuration.
#

# Comment out the next line to ignore configuration errors
# (keeping it enabled makes a malformed test config fail loudly instead
# of silently falling back to defaults)
config_diagnostics = 1

# Extra OBJECT IDENTIFIER info:
oid_section = new_oids

# Referenced as $ENV::TSDNSECT in [ req ] and $ENV::INDEX in [ ts_cert_dn ]
# below. The values here presumably serve as fallbacks when the environment
# variable is not set by the test driver -- confirm against the caller.
TSDNSECT = ts_cert_dn
INDEX = 1

[ new_oids ]

# Policies used by the TSA tests.
# These are placeholder-style arcs under 1.2.3.4, test values only.
# tsa_policy1 is the default_policy and tsa_policy2/tsa_policy3 the
# other_policies of the [ tsa_config1 ] and [ tsa_config2 ] sections below.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

#----------------------------------------------------------------------
# Entry section consulted by 'openssl ca'.
[ ca ]
default_ca = CA_default # The default ca section

# Settings for the test CA. All paths are relative to $dir, i.e. to the
# demoCA tree under the test working directory; treat that whole tree as
# throwaway test material.
[ CA_default ]

dir = ./demoCA
certs = $dir/certs # Where the issued certs are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/private/cakey.pem# The private key

default_days = 365 # how long to certify for
# Signature digest for certificates issued by this CA.
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering

# No x509_extensions key here, so the issuing command presumably selects
# [ tsa_cert ] or [ non_tsa_cert ] explicitly -- confirm in the test driver.
policy = policy_match

# For the CA policy
# 'supplied' fields must be present in the request, 'optional' ones may be
# omitted. No field is set to 'match', so the subject does not have to share
# any component with the CA's own DN (compare [ ts_ca_dn ] and [ ts_cert_dn ],
# which differ in localityName and organizationName).
[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

#----------------------------------------------------------------------
# Settings for 'openssl req' (request / self-signed certificate generation).
[ req ]
# Digest used when signing requests and self-signed certificates from this
# section. SHA-1 is deprecated for signatures; it is tolerated here only as
# test fixture data (the CA itself signs with sha256, see [ CA_default ]).
default_md = sha1
# Section holding the subject DN, chosen through the TSDNSECT environment
# variable ([ ts_ca_dn ] or [ ts_cert_dn ] below).
distinguished_name = $ENV::TSDNSECT
# Generated private keys are written unencrypted -- acceptable for
# throwaway test keys only.
encrypt_rsa_key = no
# Non-interactive: the DN is taken verbatim from the selected section.
prompt = no
# attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Any string type except BMPString and UTF8String for DN components.
string_mask = nombstr

# Subject DN for the test CA certificate (selected with TSDNSECT=ts_ca_dn).
# Fixture values only.
[ ts_ca_dn ]
countryName = HU
stateOrProvinceName = Budapest
localityName = Budapest
organizationName = Gov-CA Ltd.
commonName = ca1

# Subject DN for TSA signing certificates (selected with TSDNSECT=ts_cert_dn).
# The CN is parameterised by INDEX (tsa1, tsa2, ...) so several TSA
# certificates can be issued from this one section; see tsa_cert1.pem and
# tsa_cert2.pem in the [ tsa_config* ] sections.
[ ts_cert_dn ]
countryName = HU
stateOrProvinceName = Budapest
localityName = Buda
organizationName = Hun-TSA Ltd.
commonName = tsa$ENV::INDEX

# X.509v3 extensions for a valid TSA signing certificate.
[ tsa_cert ]

# TSA server cert is not a CA cert.
basicConstraints=CA:FALSE

# The following key usage flags are needed for TSA server certificates.
keyUsage = nonRepudiation, digitalSignature
# RFC 3161 requires the signer certificate to carry exactly this extended
# key usage (id-kp-timeStamping only) and requires it to be critical.
# Contrast [ non_tsa_cert ], where it is deliberately left out.
extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

# Negative fixture: same as [ tsa_cert ] but without the timeStamping
# extended key usage. Used by [ tsa_config2 ] below, presumably so the tests
# can check that such a signer is not accepted -- confirm in the test driver.
[ non_tsa_cert ]

# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
basicConstraints=CA:FALSE

# The following key usage flags are needed for TSA server certificates.
keyUsage = nonRepudiation, digitalSignature
# timeStamping is not supported by this certificate
# extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ v3_req ]

# Extensions to add to a certificate request
# Not referenced from [ req ] in this file (there is no req_extensions key);
# presumably selected explicitly by a caller when needed.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature

# Used as x509_extensions by [ req ] for the self-signed test CA certificate.
[ v3_ca ]

# Extensions for a typical CA

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# No pathlen constraint, so this CA could in principle certify subordinate
# CAs; acceptable for a test fixture.
basicConstraints = critical,CA:true
# Limited to certificate and CRL signing: the CA key is not meant to produce
# timestamp signatures (contrast keyUsage in [ tsa_cert ]).
keyUsage = cRLSign, keyCertSign

#----------------------------------------------------------------------
# Entry section consulted by 'openssl ts'; default_tsa names the TSA
# configuration used when no section is selected explicitly.
[ tsa ]

default_tsa = tsa_config1 # the default TSA section

# TSA profile using the valid signer certificate (tsa_cert1.pem).
[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir = . # TSA root directory
# Every issued token must carry a unique serial number, so this file has to
# persist between replies.
serial = $dir/tsa_serial # The current serial number (mandatory)
signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
# (optional)
certs = $dir/tsaca.pem # Certificate chain to include in reply
# (optional)
# Test key stored next to the certificate in the working directory.
signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
# Message-imprint digests accepted from clients. sha1 is listed for test
# coverage; a production TSA should not accept it.
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
# Declared accuracy is the sum of the three fields (1 s + 500 ms + 100 us).
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = yes # Must the ESS cert id chain be included?
# (optional, default: no)
# A non-SHA-1 value here yields the ESSCertIDv2 form of the signing
# certificate attribute instead of the SHA-1-only ESSCertID.
ess_cert_id_alg = sha256 # algorithm to compute certificate
# identifier (optional, default: sha1)

149 | [ tsa_config2 ]
150 |
151 | # This configuration uses a certificate which doesn't have timeStamping usage.
152 | # These are used by the TSA reply generation only.
153 | dir = . # TSA root directory
154 | serial = $dir/tsa_serial # The current serial number (mandatory)
155 | signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
156 | # (optional)
157 | certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
158 | # (optional)
159 | signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
160 | signer_digest = sha256 # Signing digest to use. (Optional)
161 | default_policy = tsa_policy1 # Policy if request did not specify it
162 | # (optional)
163 | other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
164 | digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)