CAtsa.cnf 5.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172
  1. #
  2. # This config is used by the Time Stamp Authority tests.
  3. #
  4. # This definition stops the following lines choking if HOME isn't
  5. # defined.
  6. HOME = .
  7. RANDFILE = $ENV::HOME/.rnd
  8. # Extra OBJECT IDENTIFIER info:
  9. oid_section = new_oids
  10. [ new_oids ]
  11. # Policies used by the TSA tests.
  12. tsa_policy1 = 1.2.3.4.1
  13. tsa_policy2 = 1.2.3.4.5.6
  14. tsa_policy3 = 1.2.3.4.5.7
  15. #----------------------------------------------------------------------
  16. [ ca ]
  17. default_ca = CA_default # The default ca section
  18. [ CA_default ]
  19. dir = ./demoCA
  20. certs = $dir/certs # Where the issued certs are kept
  21. database = $dir/index.txt # database index file.
  22. new_certs_dir = $dir/newcerts # default place for new certs.
  23. certificate = $dir/cacert.pem # The CA certificate
  24. serial = $dir/serial # The current serial number
  25. private_key = $dir/private/cakey.pem# The private key
  26. RANDFILE = $dir/private/.rand # private random number file
  27. default_days = 365 # how long to certify for
  28. default_md = sha1 # which md to use.
  29. preserve = no # keep passed DN ordering
  30. policy = policy_match
  31. # For the CA policy
  32. [ policy_match ]
  33. countryName = supplied
  34. stateOrProvinceName = supplied
  35. organizationName = supplied
  36. organizationalUnitName = optional
  37. commonName = supplied
  38. emailAddress = optional
  39. #----------------------------------------------------------------------
  40. [ req ]
  41. default_bits = 1024
  42. default_md = sha1
  43. distinguished_name = req_distinguished_name
  44. encrypt_rsa_key = no
  45. # attributes = req_attributes
  46. x509_extensions = v3_ca # The extentions to add to the self signed cert
  47. string_mask = nombstr
  48. [ req_distinguished_name ]
  49. countryName = Country Name (2 letter code)
  50. countryName_default = HU
  51. countryName_min = 2
  52. countryName_max = 2
  53. stateOrProvinceName = State or Province Name (full name)
  54. stateOrProvinceName_default =
  55. localityName = Locality Name (eg, city)
  56. 0.organizationName = Organization Name (eg, company)
  57. 0.organizationName_default =
  58. commonName = Common Name (eg, YOUR name)
  59. commonName_max = 64
  60. [ req_attributes ]
  61. challengePassword = A challenge password
  62. challengePassword_min = 4
  63. challengePassword_max = 20
  64. unstructuredName = An optional company name
  65. [ tsa_cert ]
  66. # TSA server cert is not a CA cert.
  67. basicConstraints=CA:FALSE
  68. # The following key usage flags are needed for TSA server certificates.
  69. keyUsage = nonRepudiation, digitalSignature
  70. extendedKeyUsage = critical,timeStamping
  71. # PKIX recommendations harmless if included in all certificates.
  72. subjectKeyIdentifier=hash
  73. authorityKeyIdentifier=keyid,issuer:always
  74. [ non_tsa_cert ]
  75. # This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
  76. basicConstraints=CA:FALSE
  77. # The following key usage flags are needed for TSA server certificates.
  78. keyUsage = nonRepudiation, digitalSignature
  79. # timeStamping is not supported by this certificate
  80. # extendedKeyUsage = critical,timeStamping
  81. # PKIX recommendations harmless if included in all certificates.
  82. subjectKeyIdentifier=hash
  83. authorityKeyIdentifier=keyid,issuer:always
  84. [ v3_req ]
  85. # Extensions to add to a certificate request
  86. basicConstraints = CA:FALSE
  87. keyUsage = nonRepudiation, digitalSignature
  88. [ v3_ca ]
  89. # Extensions for a typical CA
  90. subjectKeyIdentifier=hash
  91. authorityKeyIdentifier=keyid:always,issuer:always
  92. basicConstraints = critical,CA:true
  93. keyUsage = cRLSign, keyCertSign
  94. #----------------------------------------------------------------------
  95. [ tsa ]
  96. default_tsa = tsa_config1 # the default TSA section
  97. [ tsa_config1 ]
  98. # These are used by the TSA reply generation only.
  99. dir = . # TSA root directory
  100. serial = $dir/tsa_serial # The current serial number (mandatory)
  101. signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
  102. # (optional)
  103. certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
  104. # (optional)
  105. signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
  106. default_policy = tsa_policy1 # Policy if request did not specify it
  107. # (optional)
  108. other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
  109. digests = md5, sha1 # Acceptable message digests (mandatory)
  110. accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
  111. ordering = yes # Is ordering defined for timestamps?
  112. # (optional, default: no)
  113. tsa_name = yes # Must the TSA name be included in the reply?
  114. # (optional, default: no)
  115. ess_cert_id_chain = yes # Must the ESS cert id chain be included?
  116. # (optional, default: no)
  117. [ tsa_config2 ]
  118. # This configuration uses a certificate which doesn't have timeStamping usage.
  119. # These are used by the TSA reply generation only.
  120. dir = . # TSA root directory
  121. serial = $dir/tsa_serial # The current serial number (mandatory)
  122. signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
  123. # (optional)
  124. certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
  125. # (optional)
  126. signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
  127. default_policy = tsa_policy1 # Policy if request did not specify it
  128. # (optional)
  129. other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
  130. digests = md5, sha1 # Acceptable message digests (mandatory)