| |
| # |
| # This config is used by the Time Stamp Authority tests. |
| # |
| |
| # Comment out the next line to ignore configuration errors |
| config_diagnostics = 1 |
| |
| # Extra OBJECT IDENTIFIER info: |
| oid_section = new_oids |
| |
| TSDNSECT = ts_cert_dn |
| INDEX = 1 |
| |
| [ new_oids ] |
| |
| # Policies used by the TSA tests. |
| tsa_policy1 = 1.2.3.4.1 |
| tsa_policy2 = 1.2.3.4.5.6 |
| tsa_policy3 = 1.2.3.4.5.7 |
| |
| #---------------------------------------------------------------------- |
| [ ca ] |
| default_ca = CA_default # The default ca section |
| |
| [ CA_default ] |
| |
| dir = ./demoCA |
| certs = $dir/certs # Where the issued certs are kept |
| database = $dir/index.txt # database index file. |
| new_certs_dir = $dir/newcerts # default place for new certs. |
| |
| certificate = $dir/cacert.pem # The CA certificate |
| serial = $dir/serial # The current serial number |
| private_key = $dir/private/cakey.pem# The private key |
| |
| default_days = 365 # how long to certify for |
| default_md = sha256 # which md to use. |
| preserve = no # keep passed DN ordering |
| |
| policy = policy_match |
| |
| # For the CA policy |
| [ policy_match ] |
| countryName = supplied |
| stateOrProvinceName = supplied |
| organizationName = supplied |
| organizationalUnitName = optional |
| commonName = supplied |
| emailAddress = optional |
| |
| #---------------------------------------------------------------------- |
| [ req ] |
| default_md = sha1 |
| distinguished_name = $ENV::TSDNSECT |
| encrypt_rsa_key = no |
| prompt = no |
| # attributes = req_attributes |
| x509_extensions = v3_ca # The extensions to add to the self signed cert |
| |
| string_mask = nombstr |
| |
| [ ts_ca_dn ] |
| countryName = HU |
| stateOrProvinceName = Budapest |
| localityName = Budapest |
| organizationName = Gov-CA Ltd. |
| commonName = ca1 |
| |
| [ ts_cert_dn ] |
| countryName = HU |
| stateOrProvinceName = Budapest |
| localityName = Buda |
| organizationName = Hun-TSA Ltd. |
| commonName = tsa$ENV::INDEX |
| |
| [ tsa_cert ] |
| |
| # TSA server cert is not a CA cert. |
| basicConstraints=CA:FALSE |
| |
| # The following key usage flags are needed for TSA server certificates. |
| keyUsage = nonRepudiation, digitalSignature |
| extendedKeyUsage = critical,timeStamping |
| |
| # PKIX recommendations harmless if included in all certificates. |
| subjectKeyIdentifier=hash |
| authorityKeyIdentifier=keyid,issuer:always |
| |
| [ non_tsa_cert ] |
| |
| # This is not a CA cert and not a TSA cert, either (timeStamping usage missing) |
| basicConstraints=CA:FALSE |
| |
| # The following key usage flags are needed for TSA server certificates. |
| keyUsage = nonRepudiation, digitalSignature |
| # timeStamping is not supported by this certificate |
| # extendedKeyUsage = critical,timeStamping |
| |
| # PKIX recommendations harmless if included in all certificates. |
| subjectKeyIdentifier=hash |
| authorityKeyIdentifier=keyid,issuer:always |
| |
| [ v3_req ] |
| |
| # Extensions to add to a certificate request |
| basicConstraints = CA:FALSE |
| keyUsage = nonRepudiation, digitalSignature |
| |
| [ v3_ca ] |
| |
| # Extensions for a typical CA |
| |
| subjectKeyIdentifier=hash |
| authorityKeyIdentifier=keyid:always,issuer:always |
| basicConstraints = critical,CA:true |
| keyUsage = cRLSign, keyCertSign |
| |
| #---------------------------------------------------------------------- |
| [ tsa ] |
| |
| default_tsa = tsa_config1 # the default TSA section |
| |
| [ tsa_config1 ] |
| |
| # These are used by the TSA reply generation only. |
| dir = . # TSA root directory |
| serial = $dir/tsa_serial # The current serial number (mandatory) |
| signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate |
| # (optional) |
| certs = $dir/tsaca.pem # Certificate chain to include in reply |
| # (optional) |
| signer_key = $dir/tsa_key1.pem # The TSA private key (optional) |
| signer_digest = sha256 # Signing digest to use. (Optional) |
| default_policy = tsa_policy1 # Policy if request did not specify it |
| # (optional) |
| other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) |
| digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) |
| accuracy = secs:1, millisecs:500, microsecs:100 # (optional) |
| ordering = yes # Is ordering defined for timestamps? |
| # (optional, default: no) |
| tsa_name = yes # Must the TSA name be included in the reply? |
| # (optional, default: no) |
| ess_cert_id_chain = yes # Must the ESS cert id chain be included? |
| # (optional, default: no) |
| ess_cert_id_alg = sha256 # algorithm to compute certificate |
| # identifier (optional, default: sha1) |
| |
| [ tsa_config2 ] |
| |
| # This configuration uses a certificate which doesn't have timeStamping usage. |
| # These are used by the TSA reply generation only. |
| dir = . # TSA root directory |
| serial = $dir/tsa_serial # The current serial number (mandatory) |
| signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate |
| # (optional) |
| certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply |
| # (optional) |
| signer_key = $dir/tsa_key2.pem # The TSA private key (optional) |
| signer_digest = sha256 # Signing digest to use. (Optional) |
| default_policy = tsa_policy1 # Policy if request did not specify it |
| # (optional) |
| other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) |
| digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) |