#
# This config is used by the Time Stamp Authority tests.
#

# Fallback value so that the $ENV::HOME reference below still resolves
# when HOME is not defined in the environment.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Section that holds the extra OBJECT IDENTIFIER definitions.
oid_section = new_oids

# Referenced later as $ENV::TSDNSECT (in [ req ]) and $ENV::INDEX
# (in [ ts_cert_dn ]). Presumably these are defaults for when the test
# driver does not export the variables -- confirm against the test script.
TSDNSECT = ts_cert_dn
INDEX = 1

[ new_oids ]

# Policy OIDs used by the TSA tests.
# NOTE(review): the short 1.2.3.4.* values look like test placeholders
# rather than assigned arcs; a deployed TSA would publish its policies
# under an OID arc it actually owns.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

#----------------------------------------------------------------------
[ ca ]
# The default ca section
default_ca = CA_default

[ CA_default ]

# Root of the demo CA tree; every path below is built from it.
dir = ./demoCA
# Where the issued certs are kept
certs = $dir/certs
# database index file.
database = $dir/index.txt
# default place for new certs.
new_certs_dir = $dir/newcerts

# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The private key
# NOTE(review): the CA key is read from a plain file under the working
# tree; this is test material and must not be reused for a real CA.
private_key = $dir/private/cakey.pem
# private random number file
RANDFILE = $dir/private/.rand

# how long to certify for
default_days = 365
# which md to use.
# NOTE(review): SHA-1 signatures are no longer collision resistant.
# Tolerable for this test fixture only; a real CA should sign with a
# SHA-2 digest.
default_md = sha1
# keep passed DN ordering
preserve = no

# Section listing which DN fields a request must carry.
policy = policy_match

# For the CA policy
# NOTE(review): despite the section name, no field here is set to "match";
# every field is either "supplied" or "optional", so the CA does not
# require a request's DN to agree with its own.
[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

#----------------------------------------------------------------------
[ req ]
# NOTE(review): 1024-bit RSA and SHA-1 are below current recommendations.
# They keep the test run fast but must not be carried over to real
# keys or requests (use at least 2048 bits and a SHA-2 digest there).
default_bits = 1024
default_md = sha1
# The DN section is selected through the TSDNSECT variable.
distinguished_name = $ENV::TSDNSECT
# Generated private keys are written without a passphrase.
encrypt_rsa_key = no
# Take the DN from this file instead of prompting.
prompt = no
# attributes = req_attributes
# The extensions to add to the self signed cert
x509_extensions = v3_ca

string_mask = nombstr

# Subject name for the test CA certificate (commonName "ca1").
[ ts_ca_dn ]
countryName = HU
stateOrProvinceName = Budapest
localityName = Budapest
organizationName = Gov-CA Ltd.
commonName = ca1

# Subject name for the test TSA certificates; the INDEX variable is
# appended to the commonName so that each certificate gets its own name.
[ ts_cert_dn ]
countryName = HU
stateOrProvinceName = Budapest
localityName = Buda
organizationName = Hun-TSA Ltd.
commonName = tsa$ENV::INDEX

[ tsa_cert ]

# TSA server cert is not a CA cert.
basicConstraints = CA:FALSE

# The following key usage flags are needed for TSA server certificates.
keyUsage = nonRepudiation, digitalSignature
# RFC 3161 requires a TSA certificate to carry timeStamping as its only
# extended key usage and to mark the extension critical.
extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

[ non_tsa_cert ]

# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
# A certificate issued from this section is the negative case: it lacks
# the extended key usage that marks a timestamp signer.
basicConstraints = CA:FALSE

# The following key usage flags are needed for TSA server certificates.
keyUsage = nonRepudiation, digitalSignature
# timeStamping is not supported by this certificate
# extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

[ v3_req ]

# Extensions to add to a certificate request
# (end-entity only: not a CA, signing usages only)
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature

[ v3_ca ]

# Extensions for a typical CA

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Critical CA flag; no pathlen is set, so the depth of subordinate CAs
# below this certificate is not limited.
basicConstraints = critical,CA:true
# Key usage is limited to signing certificates and CRLs.
keyUsage = cRLSign, keyCertSign

#----------------------------------------------------------------------
[ tsa ]

# the default TSA section
default_tsa = tsa_config1

[ tsa_config1 ]

# These are used by the TSA reply generation only.

# TSA root directory
dir = .
# The current serial number (mandatory)
serial = $dir/tsa_serial
# The TSA signing certificate (optional)
signer_cert = $dir/tsa_cert1.pem
# Certificate chain to include in reply (optional)
certs = $dir/tsaca.pem
# The TSA private key (optional)
# NOTE(review): the signing key is read from a plain file in the working
# directory; treat it as throwaway test material.
signer_key = $dir/tsa_key1.pem

# Policy if request did not specify it (optional)
default_policy = tsa_policy1
# acceptable policies (optional)
other_policies = tsa_policy2, tsa_policy3
# Acceptable message digests (mandatory)
# NOTE(review): MD5 and SHA-1 are both collision-weak, so a timestamp
# over such an imprint does not bind to a single document. They are
# accepted here for the tests; a deployed TSA should list SHA-2
# digests only.
digests = md5, sha1
# (optional)
accuracy = secs:1, millisecs:500, microsecs:100
# Is ordering defined for timestamps? (optional, default: no)
ordering = yes
# Must the TSA name be included in the reply? (optional, default: no)
tsa_name = yes
# Must the ESS cert id chain be included? (optional, default: no)
ess_cert_id_chain = yes

[ tsa_config2 ]

# This configuration uses a certificate which doesn't have timeStamping usage.
# These are used by the TSA reply generation only.

# TSA root directory
dir = .
# The current serial number (mandatory)
# This is the same serial file that tsa_config1 points at.
serial = $dir/tsa_serial
# The TSA signing certificate (optional)
signer_cert = $dir/tsa_cert2.pem
# Certificate chain to include in reply (optional)
certs = $dir/demoCA/cacert.pem
# The TSA private key (optional)
signer_key = $dir/tsa_key2.pem

# Policy if request did not specify it (optional)
default_policy = tsa_policy1
# acceptable policies (optional)
other_policies = tsa_policy2, tsa_policy3
# Acceptable message digests (mandatory)
# NOTE(review): MD5 and SHA-1 are accepted for the tests only; both are
# collision-weak and should not be offered by a deployed TSA.
digests = md5, sha1
