CAtsa.cnf 4.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166
  1. #
  2. # This config is used by the Time Stamp Authority tests.
  3. #
  4. # This definition stops the following lines choking if HOME isn't
  5. # defined.
  6. HOME = .
  7. RANDFILE = $ENV::HOME/.rnd
  8. # Extra OBJECT IDENTIFIER info:
  9. oid_section = new_oids
  10. TSDNSECT = ts_cert_dn
  11. INDEX = 1
  12. [ new_oids ]
  13. # Policies used by the TSA tests.
  14. tsa_policy1 = 1.2.3.4.1
  15. tsa_policy2 = 1.2.3.4.5.6
  16. tsa_policy3 = 1.2.3.4.5.7
  17. #----------------------------------------------------------------------
  18. [ ca ]
  19. default_ca = CA_default # The default ca section
  20. [ CA_default ]
  21. dir = ./demoCA
  22. certs = $dir/certs # Where the issued certs are kept
  23. database = $dir/index.txt # database index file.
  24. new_certs_dir = $dir/newcerts # default place for new certs.
  25. certificate = $dir/cacert.pem # The CA certificate
  26. serial = $dir/serial # The current serial number
  27. private_key = $dir/private/cakey.pem# The private key
  28. RANDFILE = $dir/private/.rand # private random number file
  29. default_days = 365 # how long to certify for
  30. default_md = sha1 # which md to use.
  31. preserve = no # keep passed DN ordering
  32. policy = policy_match
  33. # For the CA policy
  34. [ policy_match ]
  35. countryName = supplied
  36. stateOrProvinceName = supplied
  37. organizationName = supplied
  38. organizationalUnitName = optional
  39. commonName = supplied
  40. emailAddress = optional
  41. #----------------------------------------------------------------------
  42. [ req ]
  43. default_bits = 1024
  44. default_md = sha1
  45. distinguished_name = $ENV::TSDNSECT
  46. encrypt_rsa_key = no
  47. prompt = no
  48. # attributes = req_attributes
  49. x509_extensions = v3_ca # The extentions to add to the self signed cert
  50. string_mask = nombstr
  51. [ ts_ca_dn ]
  52. countryName = HU
  53. stateOrProvinceName = Budapest
  54. localityName = Budapest
  55. organizationName = Gov-CA Ltd.
  56. commonName = ca1
  57. [ ts_cert_dn ]
  58. countryName = HU
  59. stateOrProvinceName = Budapest
  60. localityName = Buda
  61. organizationName = Hun-TSA Ltd.
  62. commonName = tsa$ENV::INDEX
  63. [ tsa_cert ]
  64. # TSA server cert is not a CA cert.
  65. basicConstraints=CA:FALSE
  66. # The following key usage flags are needed for TSA server certificates.
  67. keyUsage = nonRepudiation, digitalSignature
  68. extendedKeyUsage = critical,timeStamping
  69. # PKIX recommendations harmless if included in all certificates.
  70. subjectKeyIdentifier=hash
  71. authorityKeyIdentifier=keyid,issuer:always
  72. [ non_tsa_cert ]
  73. # This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
  74. basicConstraints=CA:FALSE
  75. # The following key usage flags are needed for TSA server certificates.
  76. keyUsage = nonRepudiation, digitalSignature
  77. # timeStamping is not supported by this certificate
  78. # extendedKeyUsage = critical,timeStamping
  79. # PKIX recommendations harmless if included in all certificates.
  80. subjectKeyIdentifier=hash
  81. authorityKeyIdentifier=keyid,issuer:always
  82. [ v3_req ]
  83. # Extensions to add to a certificate request
  84. basicConstraints = CA:FALSE
  85. keyUsage = nonRepudiation, digitalSignature
  86. [ v3_ca ]
  87. # Extensions for a typical CA
  88. subjectKeyIdentifier=hash
  89. authorityKeyIdentifier=keyid:always,issuer:always
  90. basicConstraints = critical,CA:true
  91. keyUsage = cRLSign, keyCertSign
  92. #----------------------------------------------------------------------
  93. [ tsa ]
  94. default_tsa = tsa_config1 # the default TSA section
  95. [ tsa_config1 ]
  96. # These are used by the TSA reply generation only.
  97. dir = . # TSA root directory
  98. serial = $dir/tsa_serial # The current serial number (mandatory)
  99. signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
  100. # (optional)
  101. certs = $dir/tsaca.pem # Certificate chain to include in reply
  102. # (optional)
  103. signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
  104. default_policy = tsa_policy1 # Policy if request did not specify it
  105. # (optional)
  106. other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
  107. digests = md5, sha1 # Acceptable message digests (mandatory)
  108. accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
  109. ordering = yes # Is ordering defined for timestamps?
  110. # (optional, default: no)
  111. tsa_name = yes # Must the TSA name be included in the reply?
  112. # (optional, default: no)
  113. ess_cert_id_chain = yes # Must the ESS cert id chain be included?
  114. # (optional, default: no)
  115. [ tsa_config2 ]
  116. # This configuration uses a certificate which doesn't have timeStamping usage.
  117. # These are used by the TSA reply generation only.
  118. dir = . # TSA root directory
  119. serial = $dir/tsa_serial # The current serial number (mandatory)
  120. signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
  121. # (optional)
  122. certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
  123. # (optional)
  124. signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
  125. default_policy = tsa_policy1 # Policy if request did not specify it
  126. # (optional)
  127. other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
  128. digests = md5, sha1 # Acceptable message digests (mandatory)