CAtsa.cnf 4.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165
  1. #
  2. # This config is used by the Time Stamp Authority tests.
  3. #
  4. RANDFILE = ./.rnd
  5. # Extra OBJECT IDENTIFIER info:
  6. oid_section = new_oids
  7. TSDNSECT = ts_cert_dn
  8. INDEX = 1
  9. [ new_oids ]
  10. # Policies used by the TSA tests.
  11. tsa_policy1 = 1.2.3.4.1
  12. tsa_policy2 = 1.2.3.4.5.6
  13. tsa_policy3 = 1.2.3.4.5.7
  14. #----------------------------------------------------------------------
  15. [ ca ]
  16. default_ca = CA_default # The default ca section
  17. [ CA_default ]
  18. dir = ./demoCA
  19. certs = $dir/certs # Where the issued certs are kept
  20. database = $dir/index.txt # database index file.
  21. new_certs_dir = $dir/newcerts # default place for new certs.
  22. certificate = $dir/cacert.pem # The CA certificate
  23. serial = $dir/serial # The current serial number
  24. private_key = $dir/private/cakey.pem# The private key
  25. RANDFILE = $dir/private/.rand # private random number file
  26. default_days = 365 # how long to certify for
  27. default_md = sha256 # which md to use.
  28. preserve = no # keep passed DN ordering
  29. policy = policy_match
  30. # For the CA policy
  31. [ policy_match ]
  32. countryName = supplied
  33. stateOrProvinceName = supplied
  34. organizationName = supplied
  35. organizationalUnitName = optional
  36. commonName = supplied
  37. emailAddress = optional
  38. #----------------------------------------------------------------------
  39. [ req ]
  40. default_bits = 2048
  41. default_md = sha1
  42. distinguished_name = $ENV::TSDNSECT
  43. encrypt_rsa_key = no
  44. prompt = no
  45. # attributes = req_attributes
  46. x509_extensions = v3_ca # The extensions to add to the self signed cert
  47. string_mask = nombstr
  48. [ ts_ca_dn ]
  49. countryName = HU
  50. stateOrProvinceName = Budapest
  51. localityName = Budapest
  52. organizationName = Gov-CA Ltd.
  53. commonName = ca1
  54. [ ts_cert_dn ]
  55. countryName = HU
  56. stateOrProvinceName = Budapest
  57. localityName = Buda
  58. organizationName = Hun-TSA Ltd.
  59. commonName = tsa$ENV::INDEX
  60. [ tsa_cert ]
  61. # TSA server cert is not a CA cert.
  62. basicConstraints=CA:FALSE
  63. # The following key usage flags are needed for TSA server certificates.
  64. keyUsage = nonRepudiation, digitalSignature
  65. extendedKeyUsage = critical,timeStamping
  66. # PKIX recommendations harmless if included in all certificates.
  67. subjectKeyIdentifier=hash
  68. authorityKeyIdentifier=keyid,issuer:always
  69. [ non_tsa_cert ]
  70. # This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
  71. basicConstraints=CA:FALSE
  72. # The following key usage flags are needed for TSA server certificates.
  73. keyUsage = nonRepudiation, digitalSignature
  74. # timeStamping is not supported by this certificate
  75. # extendedKeyUsage = critical,timeStamping
  76. # PKIX recommendations harmless if included in all certificates.
  77. subjectKeyIdentifier=hash
  78. authorityKeyIdentifier=keyid,issuer:always
  79. [ v3_req ]
  80. # Extensions to add to a certificate request
  81. basicConstraints = CA:FALSE
  82. keyUsage = nonRepudiation, digitalSignature
  83. [ v3_ca ]
  84. # Extensions for a typical CA
  85. subjectKeyIdentifier=hash
  86. authorityKeyIdentifier=keyid:always,issuer:always
  87. basicConstraints = critical,CA:true
  88. keyUsage = cRLSign, keyCertSign
  89. #----------------------------------------------------------------------
  90. [ tsa ]
  91. default_tsa = tsa_config1 # the default TSA section
  92. [ tsa_config1 ]
  93. # These are used by the TSA reply generation only.
  94. dir = . # TSA root directory
  95. serial = $dir/tsa_serial # The current serial number (mandatory)
  96. signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
  97. # (optional)
  98. certs = $dir/tsaca.pem # Certificate chain to include in reply
  99. # (optional)
  100. signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
  101. signer_digest = sha256 # Signing digest to use. (Optional)
  102. default_policy = tsa_policy1 # Policy if request did not specify it
  103. # (optional)
  104. other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
  105. digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
  106. accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
  107. ordering = yes # Is ordering defined for timestamps?
  108. # (optional, default: no)
  109. tsa_name = yes # Must the TSA name be included in the reply?
  110. # (optional, default: no)
  111. ess_cert_id_chain = yes # Must the ESS cert id chain be included?
  112. # (optional, default: no)
  113. ess_cert_id_alg = sha256 # algorithm to compute certificate
  114. # identifier (optional, default: sha1)
  115. [ tsa_config2 ]
  116. # This configuration uses a certificate which doesn't have timeStamping usage.
  117. # These are used by the TSA reply generation only.
  118. dir = . # TSA root directory
  119. serial = $dir/tsa_serial # The current serial number (mandatory)
  120. signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
  121. # (optional)
  122. certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
  123. # (optional)
  124. signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
  125. signer_digest = sha256 # Signing digest to use. (Optional)
  126. default_policy = tsa_policy1 # Policy if request did not specify it
  127. # (optional)
  128. other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
  129. digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)