CAtsa.cnf 4.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162
  1. #
  2. # This config is used by the Time Stamp Authority tests.
  3. #
  4. # Extra OBJECT IDENTIFIER info:
  5. oid_section = new_oids
  6. TSDNSECT = ts_cert_dn
  7. INDEX = 1
  8. [ new_oids ]
  9. # Policies used by the TSA tests.
  10. tsa_policy1 = 1.2.3.4.1
  11. tsa_policy2 = 1.2.3.4.5.6
  12. tsa_policy3 = 1.2.3.4.5.7
  13. #----------------------------------------------------------------------
  14. [ ca ]
  15. default_ca = CA_default # The default ca section
  16. [ CA_default ]
  17. dir = ./demoCA
  18. certs = $dir/certs # Where the issued certs are kept
  19. database = $dir/index.txt # database index file.
  20. new_certs_dir = $dir/newcerts # default place for new certs.
  21. certificate = $dir/cacert.pem # The CA certificate
  22. serial = $dir/serial # The current serial number
  23. private_key = $dir/private/cakey.pem# The private key
  24. default_days = 365 # how long to certify for
  25. default_md = sha256 # which md to use.
  26. preserve = no # keep passed DN ordering
  27. policy = policy_match
  28. # For the CA policy
  29. [ policy_match ]
  30. countryName = supplied
  31. stateOrProvinceName = supplied
  32. organizationName = supplied
  33. organizationalUnitName = optional
  34. commonName = supplied
  35. emailAddress = optional
  36. #----------------------------------------------------------------------
  37. [ req ]
  38. default_bits = 2048
  39. default_md = sha1
  40. distinguished_name = $ENV::TSDNSECT
  41. encrypt_rsa_key = no
  42. prompt = no
  43. # attributes = req_attributes
  44. x509_extensions = v3_ca # The extensions to add to the self signed cert
  45. string_mask = nombstr
  46. [ ts_ca_dn ]
  47. countryName = HU
  48. stateOrProvinceName = Budapest
  49. localityName = Budapest
  50. organizationName = Gov-CA Ltd.
  51. commonName = ca1
  52. [ ts_cert_dn ]
  53. countryName = HU
  54. stateOrProvinceName = Budapest
  55. localityName = Buda
  56. organizationName = Hun-TSA Ltd.
  57. commonName = tsa$ENV::INDEX
  58. [ tsa_cert ]
  59. # TSA server cert is not a CA cert.
  60. basicConstraints=CA:FALSE
  61. # The following key usage flags are needed for TSA server certificates.
  62. keyUsage = nonRepudiation, digitalSignature
  63. extendedKeyUsage = critical,timeStamping
  64. # PKIX recommendations harmless if included in all certificates.
  65. subjectKeyIdentifier=hash
  66. authorityKeyIdentifier=keyid,issuer:always
  67. [ non_tsa_cert ]
  68. # This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
  69. basicConstraints=CA:FALSE
  70. # The following key usage flags are needed for TSA server certificates.
  71. keyUsage = nonRepudiation, digitalSignature
  72. # timeStamping is not supported by this certificate
  73. # extendedKeyUsage = critical,timeStamping
  74. # PKIX recommendations harmless if included in all certificates.
  75. subjectKeyIdentifier=hash
  76. authorityKeyIdentifier=keyid,issuer:always
  77. [ v3_req ]
  78. # Extensions to add to a certificate request
  79. basicConstraints = CA:FALSE
  80. keyUsage = nonRepudiation, digitalSignature
  81. [ v3_ca ]
  82. # Extensions for a typical CA
  83. subjectKeyIdentifier=hash
  84. authorityKeyIdentifier=keyid:always,issuer:always
  85. basicConstraints = critical,CA:true
  86. keyUsage = cRLSign, keyCertSign
  87. #----------------------------------------------------------------------
  88. [ tsa ]
  89. default_tsa = tsa_config1 # the default TSA section
  90. [ tsa_config1 ]
  91. # These are used by the TSA reply generation only.
  92. dir = . # TSA root directory
  93. serial = $dir/tsa_serial # The current serial number (mandatory)
  94. signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
  95. # (optional)
  96. certs = $dir/tsaca.pem # Certificate chain to include in reply
  97. # (optional)
  98. signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
  99. signer_digest = sha256 # Signing digest to use. (Optional)
  100. default_policy = tsa_policy1 # Policy if request did not specify it
  101. # (optional)
  102. other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
  103. digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
  104. accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
  105. ordering = yes # Is ordering defined for timestamps?
  106. # (optional, default: no)
  107. tsa_name = yes # Must the TSA name be included in the reply?
  108. # (optional, default: no)
  109. ess_cert_id_chain = yes # Must the ESS cert id chain be included?
  110. # (optional, default: no)
  111. ess_cert_id_alg = sha256 # algorithm to compute certificate
  112. # identifier (optional, default: sha1)
  113. [ tsa_config2 ]
  114. # This configuration uses a certificate which doesn't have timeStamping usage.
  115. # These are used by the TSA reply generation only.
  116. dir = . # TSA root directory
  117. serial = $dir/tsa_serial # The current serial number (mandatory)
  118. signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
  119. # (optional)
  120. certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
  121. # (optional)
  122. signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
  123. signer_digest = sha256 # Signing digest to use. (Optional)
  124. default_policy = tsa_policy1 # Policy if request did not specify it
  125. # (optional)
  126. other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
  127. digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)