CAtsa.cnf 4.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164
  1. #
  2. # This config is used by the Time Stamp Authority tests.
  3. #
  4. # Comment out the next line to ignore configuration errors
  5. config_diagnostics = 1
  6. # Extra OBJECT IDENTIFIER info:
  7. oid_section = new_oids
  8. TSDNSECT = ts_cert_dn
  9. INDEX = 1
  10. [ new_oids ]
  11. # Policies used by the TSA tests.
  12. tsa_policy1 = 1.2.3.4.1
  13. tsa_policy2 = 1.2.3.4.5.6
  14. tsa_policy3 = 1.2.3.4.5.7
  15. #----------------------------------------------------------------------
  16. [ ca ]
  17. default_ca = CA_default # The default ca section
  18. [ CA_default ]
  19. dir = ./demoCA
  20. certs = $dir/certs # Where the issued certs are kept
  21. database = $dir/index.txt # database index file.
  22. new_certs_dir = $dir/newcerts # default place for new certs.
  23. certificate = $dir/cacert.pem # The CA certificate
  24. serial = $dir/serial # The current serial number
  25. private_key = $dir/private/cakey.pem# The private key
  26. default_days = 365 # how long to certify for
  27. default_md = sha256 # which md to use.
  28. preserve = no # keep passed DN ordering
  29. policy = policy_match
  30. # For the CA policy
  31. [ policy_match ]
  32. countryName = supplied
  33. stateOrProvinceName = supplied
  34. organizationName = supplied
  35. organizationalUnitName = optional
  36. commonName = supplied
  37. emailAddress = optional
  38. #----------------------------------------------------------------------
  39. [ req ]
  40. default_md = sha1
  41. distinguished_name = $ENV::TSDNSECT
  42. encrypt_rsa_key = no
  43. prompt = no
  44. # attributes = req_attributes
  45. x509_extensions = v3_ca # The extensions to add to the self signed cert
  46. string_mask = nombstr
  47. [ ts_ca_dn ]
  48. countryName = HU
  49. stateOrProvinceName = Budapest
  50. localityName = Budapest
  51. organizationName = Gov-CA Ltd.
  52. commonName = ca1
  53. [ ts_cert_dn ]
  54. countryName = HU
  55. stateOrProvinceName = Budapest
  56. localityName = Buda
  57. organizationName = Hun-TSA Ltd.
  58. commonName = tsa$ENV::INDEX
  59. [ tsa_cert ]
  60. # TSA server cert is not a CA cert.
  61. basicConstraints=CA:FALSE
  62. # The following key usage flags are needed for TSA server certificates.
  63. keyUsage = nonRepudiation, digitalSignature
  64. extendedKeyUsage = critical,timeStamping
  65. # PKIX recommendations harmless if included in all certificates.
  66. subjectKeyIdentifier=hash
  67. authorityKeyIdentifier=keyid,issuer:always
  68. [ non_tsa_cert ]
  69. # This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
  70. basicConstraints=CA:FALSE
  71. # The following key usage flags are needed for TSA server certificates.
  72. keyUsage = nonRepudiation, digitalSignature
  73. # timeStamping is not supported by this certificate
  74. # extendedKeyUsage = critical,timeStamping
  75. # PKIX recommendations harmless if included in all certificates.
  76. subjectKeyIdentifier=hash
  77. authorityKeyIdentifier=keyid,issuer:always
  78. [ v3_req ]
  79. # Extensions to add to a certificate request
  80. basicConstraints = CA:FALSE
  81. keyUsage = nonRepudiation, digitalSignature
  82. [ v3_ca ]
  83. # Extensions for a typical CA
  84. subjectKeyIdentifier=hash
  85. authorityKeyIdentifier=keyid:always,issuer:always
  86. basicConstraints = critical,CA:true
  87. keyUsage = cRLSign, keyCertSign
  88. #----------------------------------------------------------------------
  89. [ tsa ]
  90. default_tsa = tsa_config1 # the default TSA section
  91. [ tsa_config1 ]
  92. # These are used by the TSA reply generation only.
  93. dir = . # TSA root directory
  94. serial = $dir/tsa_serial # The current serial number (mandatory)
  95. signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
  96. # (optional)
  97. certs = $dir/tsaca.pem # Certificate chain to include in reply
  98. # (optional)
  99. signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
  100. signer_digest = sha256 # Signing digest to use. (Optional)
  101. default_policy = tsa_policy1 # Policy if request did not specify it
  102. # (optional)
  103. other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
  104. digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
  105. accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
  106. ordering = yes # Is ordering defined for timestamps?
  107. # (optional, default: no)
  108. tsa_name = yes # Must the TSA name be included in the reply?
  109. # (optional, default: no)
  110. ess_cert_id_chain = yes # Must the ESS cert id chain be included?
  111. # (optional, default: no)
  112. ess_cert_id_alg = sha256 # algorithm to compute certificate
  113. # identifier (optional, default: sha1)
  114. [ tsa_config2 ]
  115. # This configuration uses a certificate which doesn't have timeStamping usage.
  116. # These are used by the TSA reply generation only.
  117. dir = . # TSA root directory
  118. serial = $dir/tsa_serial # The current serial number (mandatory)
  119. signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
  120. # (optional)
  121. certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
  122. # (optional)
  123. signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
  124. signer_digest = sha256 # Signing digest to use. (Optional)
  125. default_policy = tsa_policy1 # Policy if request did not specify it
  126. # (optional)
  127. other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
  128. digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)