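#
# This config is used by the Time Stamp Authority tests.
#
# Test fixture, not a template for a production CA or TSA: keys generated
# through [ req ] are written unencrypted, and SHA-1 is still accepted in
# a few places (see the notes in [ req ] and the tsa_config sections).
#

RANDFILE = ./.rnd

# Extra OBJECT IDENTIFIER info:
oid_section = new_oids

# Defaults for the $ENV::TSDNSECT and $ENV::INDEX references further down.
# OpenSSL looks such a name up in the environment first and falls back to
# the default section, so these two lines apply when the variable is unset.
TSDNSECT = ts_cert_dn
INDEX = 1

[ new_oids ]

# Policies used by the TSA tests.
# NOTE(review): these look like arbitrary test OIDs, not a registered arc.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

#----------------------------------------------------------------------
[ ca ]
default_ca = CA_default # The default ca section

[ CA_default ]

dir = ./demoCA
certs = $dir/certs # Where the issued certs are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

default_days = 365 # how long to certify for
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering

policy = policy_match

# For the CA policy
[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

#----------------------------------------------------------------------
[ req ]
default_bits = 2048
# NOTE(review): sha1 here, while [ CA_default ] and signer_digest below use
# sha256.  This digest applies to what the req command signs, including the
# self-signed certificate that takes its extensions from x509_extensions.
# Consider sha256 for consistency unless a test depends on sha1.
default_md = sha1
distinguished_name = $ENV::TSDNSECT
# Generated private keys are stored without a passphrase; acceptable only
# for throwaway test keys.
encrypt_rsa_key = no
prompt = no
# attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

string_mask = nombstr

[ ts_ca_dn ]
countryName = HU
stateOrProvinceName = Budapest
localityName = Budapest
organizationName = Gov-CA Ltd.
commonName = ca1

[ ts_cert_dn ]
countryName = HU
stateOrProvinceName = Budapest
localityName = Buda
organizationName = Hun-TSA Ltd.
# INDEX comes from the environment, or from the default-section value above.
commonName = tsa$ENV::INDEX

[ tsa_cert ]

# TSA server cert is not a CA cert.
basicConstraints = CA:FALSE

# The following key usage flags are needed for TSA server certificates.
# RFC 3161 requires the extendedKeyUsage extension of a TSA certificate to
# be critical and to contain only the timeStamping purpose.
keyUsage = nonRepudiation, digitalSignature
extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

[ non_tsa_cert ]

# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
# NOTE(review): presumably the negative case, i.e. a signer certificate that
# the TSA code is expected to refuse; confirm against the test script.
basicConstraints = CA:FALSE

# The following key usage flags are needed for TSA server certificates.
keyUsage = nonRepudiation, digitalSignature
# timeStamping is not supported by this certificate
# extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

[ v3_req ]

# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature

[ v3_ca ]

# Extensions for a typical CA

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = cRLSign, keyCertSign

#----------------------------------------------------------------------
[ tsa ]

default_tsa = tsa_config1 # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir = . # TSA root directory
serial = $dir/tsa_serial # The current serial number (mandatory)
signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
# (optional)
certs = $dir/tsaca.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
# sha1 is accepted here as a digest for the data being time-stamped.
# NOTE(review): fine for tests covering legacy requests; a production TSA
# would normally leave sha1 out of this list.
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = yes # Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_alg = sha256 # algorithm to compute certificate
# identifier (optional, default: sha1)

[ tsa_config2 ]

# This configuration uses a certificate which doesn't have timeStamping usage.
# These are used by the TSA reply generation only.
dir = . # TSA root directory
serial = $dir/tsa_serial # The current serial number (mandatory)
signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
# (optional)
certs = $dir/demoCA/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
# Same digest list as tsa_config1, sha1 included.
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)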