#
# OpenSSL configuration used by the Time Stamp Authority (TSA) tests.
#
# NOTE(review): the key size, digests and unencrypted keys configured below
# are test-fixture choices; the per-key notes say what a deployed CA/TSA
# configuration would normally use instead.
#

# Fallback value so that $ENV::HOME below still expands when HOME is not
# defined in the environment.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Section that holds the extra OBJECT IDENTIFIER definitions.
oid_section = new_oids

# Fallbacks for $ENV::TSDNSECT (used in [ req ]) and $ENV::INDEX (used in
# [ ts_cert_dn ]).
# NOTE(review): presumably the test script overrides both through the
# environment - confirm against the caller.
TSDNSECT = ts_cert_dn
INDEX = 1

[ new_oids ]

# Policy OIDs used by the TSA tests.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

#----------------------------------------------------------------------
[ ca ]
# The default ca section
default_ca = CA_default

[ CA_default ]

dir = ./demoCA
# Where the issued certs are kept
certs = $dir/certs
# Database index file
database = $dir/index.txt
# Default place for new certs
new_certs_dir = $dir/newcerts

# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The CA private key
private_key = $dir/private/cakey.pem
# Private random number file
RANDFILE = $dir/private/.rand

# How long to certify for (days)
default_days = 365
# Digest used when signing certificates.
# NOTE(review): SHA-1 is no longer collision resistant; outside a test
# fixture a SHA-2 digest such as sha256 is the usual choice.
default_md = sha1
# Keep passed DN ordering
preserve = no

policy = policy_match

# For the CA policy
[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

#----------------------------------------------------------------------
[ req ]
# NOTE(review): 1024-bit keys and SHA-1 are below current minimums for real
# certificates (2048-bit RSA and SHA-2 are the common baseline).
default_bits = 1024
default_md = sha1
# The DN section is selected through TSDNSECT (environment, else the
# fallback defined at the top of this file).
distinguished_name = $ENV::TSDNSECT
# Generated private keys are written without a passphrase, so the key files
# are protected by file permissions only.
encrypt_rsa_key = no
# Take the DN fields from this file instead of prompting.
prompt = no
# attributes = req_attributes
# The extensions to add to the self signed cert
x509_extensions = v3_ca

string_mask = nombstr

# Subject DN of the test CA.
[ ts_ca_dn ]
countryName = HU
stateOrProvinceName = Budapest
localityName = Budapest
organizationName = Gov-CA Ltd.
commonName = ca1

# Subject DN of a test TSA certificate; INDEX numbers the commonName.
[ ts_cert_dn ]
countryName = HU
stateOrProvinceName = Budapest
localityName = Buda
organizationName = Hun-TSA Ltd.
commonName = tsa$ENV::INDEX

[ tsa_cert ]

# TSA server cert is not a CA cert.
basicConstraints = CA:FALSE

# The following key usage flags are needed for TSA server certificates.
# RFC 3161 requires the signer to carry the timeStamping extended key usage
# and to mark that extension critical.
keyUsage = nonRepudiation, digitalSignature
extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

[ non_tsa_cert ]

# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
basicConstraints = CA:FALSE

# Same key usage flags as [ tsa_cert ]; only the timeStamping extended key
# usage is left out.
keyUsage = nonRepudiation, digitalSignature
# timeStamping is not supported by this certificate
# extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

[ v3_req ]

# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature

[ v3_ca ]

# Extensions for a typical CA

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = cRLSign, keyCertSign

#----------------------------------------------------------------------
[ tsa ]

# The default TSA section
default_tsa = tsa_config1

[ tsa_config1 ]

# These are used by the TSA reply generation only.
# TSA root directory
dir = .
# The current serial number (mandatory)
serial = $dir/tsa_serial
# The TSA signing certificate (optional)
signer_cert = $dir/tsa_cert1.pem
# Certificate chain to include in reply (optional)
certs = $dir/tsaca.pem
# The TSA private key (optional)
signer_key = $dir/tsa_key1.pem

# Policy if request did not specify it (optional)
default_policy = tsa_policy1
# Acceptable policies (optional)
other_policies = tsa_policy2, tsa_policy3
# Acceptable message digests (mandatory)
# NOTE(review): MD5 and SHA-1 are both collision-prone; a timestamp over
# such a digest does not bind a unique document. A deployed TSA would
# normally accept SHA-2 digests only.
digests = md5, sha1
# (optional)
accuracy = secs:1, millisecs:500, microsecs:100
# Is ordering defined for timestamps? (optional, default: no)
ordering = yes
# Must the TSA name be included in the reply? (optional, default: no)
tsa_name = yes
# Must the ESS cert id chain be included? (optional, default: no)
ess_cert_id_chain = yes

[ tsa_config2 ]

# This configuration uses a certificate which doesn't have timeStamping usage.
# NOTE(review): presumably paired with [ non_tsa_cert ] so the tests can check
# that such a signer is refused - confirm against the test script.
# These are used by the TSA reply generation only.
# TSA root directory
dir = .
# The current serial number (mandatory)
serial = $dir/tsa_serial
# The TSA signing certificate (optional)
signer_cert = $dir/tsa_cert2.pem
# Certificate chain to include in reply (optional)
certs = $dir/demoCA/cacert.pem
# The TSA private key (optional)
signer_key = $dir/tsa_key2.pem

# Policy if request did not specify it (optional)
default_policy = tsa_policy1
# Acceptable policies (optional)
other_policies = tsa_policy2, tsa_policy3
# Acceptable message digests (mandatory)
digests = md5, sha1