
#
# This config is used by the Time Stamp Authority tests.
#
# This is an OpenSSL configuration file, not plain INI: `$name` and
# `$ENV::name` are expanded by the OpenSSL config parser, and `#` starts a
# comment anywhere outside quotes, so the trailing comments on value lines
# below are safe. All paths, DNs, OIDs and (unencrypted) keys referenced
# here are test fixtures.
#

# Comment out the next line to ignore configuration errors
config_diagnostics = 1

# Extra OBJECT IDENTIFIER info:
oid_section = new_oids

# Defaults for the two values the test driver can supply through the
# environment ($ENV::TSDNSECT and $ENV::INDEX further down); the OpenSSL
# config parser falls back to these default-section values when the
# environment variable is unset.
TSDNSECT = ts_cert_dn
INDEX = 1

[ new_oids ]

# Policies used by the TSA tests. Test-only OID values; they are referenced
# by name from default_policy / other_policies in the tsa_config* sections.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

#----------------------------------------------------------------------
[ ca ]
default_ca = CA_default # The default ca section

[ CA_default ]

# All paths are relative to the working directory of the test run.
dir = ./demoCA
certs = $dir/certs # Where the issued certs are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/private/cakey.pem# The CA private key ('#' directly after the path still starts a comment)

default_days = 365 # how long to certify for
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering

policy = policy_match

# For the CA policy: which subject DN fields a request must carry
# ("supplied") and which it may omit ("optional").
[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

#----------------------------------------------------------------------
[ req ]
# NOTE(review): sha1 here (and in the `digests` lists of the tsa_config*
# sections) is weaker than the sha256 used by CA_default; it appears to be
# kept so the tests exercise a legacy digest — confirm before changing.
default_md = sha1
# The subject DN section is chosen at run time via TSDNSECT (see the
# defaults at the top of the file).
distinguished_name = $ENV::TSDNSECT
# Test keys are generated without a passphrase; nothing is prompted for.
encrypt_rsa_key = no
prompt = no
# attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Legacy DN string encoding: PrintableString/T61String only, no BMPString
# or UTF8String.
string_mask = nombstr

# Subject DN for the test CA certificate (selected with TSDNSECT=ts_ca_dn).
[ ts_ca_dn ]
countryName = HU
stateOrProvinceName = Budapest
localityName = Budapest
organizationName = Gov-CA Ltd.
commonName = ca1

# Subject DN for the TSA signing certificates; INDEX distinguishes
# tsa1, tsa2, ... (the default at the top of the file is 1).
[ ts_cert_dn ]
countryName = HU
stateOrProvinceName = Budapest
localityName = Buda
organizationName = Hun-TSA Ltd.
commonName = tsa$ENV::INDEX

[ tsa_cert ]

# TSA server cert is not a CA cert.
basicConstraints=CA:FALSE

# The following key usage flags are needed for TSA server certificates.
keyUsage = nonRepudiation, digitalSignature
# RFC 3161 requires the timeStamping extended key usage to be present and
# marked critical; a certificate without it is not a valid TSA signer
# (compare non_tsa_cert below).
extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ non_tsa_cert ]

# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
basicConstraints=CA:FALSE

# Same key usage flags as tsa_cert; only the extended key usage differs.
keyUsage = nonRepudiation, digitalSignature
# timeStamping is not supported by this certificate: the EKU is deliberately
# left out so tsa_config2 below can sign with a certificate that lacks it.
# extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ v3_req ]

# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature

[ v3_ca ]

# Extensions for a typical CA: a self-signed test root whose key is
# restricted to signing certificates and CRLs.

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = cRLSign, keyCertSign

#----------------------------------------------------------------------
[ tsa ]

default_tsa = tsa_config1 # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
# Presumably tsa_cert1.pem is issued with the tsa_cert extensions above
# (timeStamping EKU present) — the test driver, not this file, creates it.
dir = . # TSA root directory
serial = $dir/tsa_serial # The current serial number (mandatory)
signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate (optional)
certs = $dir/tsaca.pem # Certificate chain to include in reply (optional)
signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
ordering = yes # Is ordering defined for timestamps? (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply? (optional, default: no)
ess_cert_id_chain = yes # Must the ESS cert id chain be included? (optional, default: no)
ess_cert_id_alg = sha256 # algorithm to compute certificate identifier (optional, default: sha1)

[ tsa_config2 ]

# This configuration uses a certificate which doesn't have timeStamping usage.
# These are used by the TSA reply generation only.
# accuracy, ordering, tsa_name, ess_cert_id_chain and ess_cert_id_alg are
# not set here, so the defaults documented in tsa_config1 apply — in
# particular the ESS cert id falls back to sha1.
dir = . # TSA root directory
serial = $dir/tsa_serial # The current serial number (mandatory)
signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate (optional)
certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply (optional); note the chain here is the CA cert, not tsaca.pem as in tsa_config1
signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)