#
# OpenSSL configuration for the Time Stamp Authority (TSA) tests.
#
# Read by the OpenSSL CONF parser (openssl ca / req / ts): `#` starts a
# comment, `$name` expands a key from the current section (or the default
# section) and `$ENV::NAME` reads an environment variable.
#

# Fail on configuration errors; comment this line out to ignore them.
config_diagnostics = 1

# Section holding extra OBJECT IDENTIFIER definitions.
oid_section = new_oids

# Fallback values for the environment variables referenced below:
# $ENV::TSDNSECT selects the request DN section, $ENV::INDEX numbers the
# TSA common name. The default section is consulted when the variable is unset.
TSDNSECT = ts_cert_dn
INDEX = 1

[new_oids]

# Policy OIDs used by the TSA tests.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

#----------------------------------------------------------------------
# `openssl ca` entry point.
[ca]
# CA section used when none is given on the command line.
default_ca = CA_default

[CA_default]

# Root of the test CA; every path below is relative to it.
dir = ./demoCA
# Where the issued certificates are kept.
certs = $dir/certs
# Database index file.
database = $dir/index.txt
# Default place for newly issued certificates.
new_certs_dir = $dir/newcerts

# The CA certificate.
certificate = $dir/cacert.pem
# The current serial number.
serial = $dir/serial
# The CA private key (test fixture kept under the demoCA tree).
private_key = $dir/private/cakey.pem

# Validity period of issued certificates, in days.
default_days = 365
# Signature digest for certificates issued by this CA.
default_md = sha256
# Do not keep the DN ordering passed in the request.
preserve = no

policy = policy_match

# CA matching policy: which request DN fields must be present.
[policy_match]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

#----------------------------------------------------------------------
# `openssl req` settings for generating the test requests and certificates.
[req]
# Digest for requests and self-signed certificates made through this section.
# SHA-1 is kept here as a test fixture; issued certificates use the CA's
# default_md above. Prefer sha256 in any non-test configuration.
default_md = sha1
# DN section, chosen through the environment (defaults to ts_cert_dn).
distinguished_name = $ENV::TSDNSECT
encrypt_rsa_key = no
prompt = no
# attributes = req_attributes
# Extensions to add to a self-signed certificate.
x509_extensions = v3_ca

# DN string types: nombstr emits only PrintableString / T61String
# (no BMPString or UTF8String).
string_mask = nombstr

# DN of the test CA (selected with TSDNSECT=ts_ca_dn).
[ts_ca_dn]
countryName = HU
stateOrProvinceName = Budapest
localityName = Budapest
organizationName = Gov-CA Ltd.
commonName = ca1

# DN of the TSA signing certificates (the default for TSDNSECT).
[ts_cert_dn]
countryName = HU
stateOrProvinceName = Budapest
localityName = Buda
organizationName = Hun-TSA Ltd.
# $ENV::INDEX distinguishes the individual TSA certificates.
commonName = tsa$ENV::INDEX

[tsa_cert]

# A TSA signing certificate is an end-entity certificate, not a CA.
basicConstraints = CA:FALSE

# Key usage flags required of a TSA signing certificate.
keyUsage = nonRepudiation, digitalSignature
# RFC 3161 requires a single, critical extendedKeyUsage holding timeStamping.
extendedKeyUsage = critical,timeStamping

# PKIX recommendations, harmless in any certificate.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

[non_tsa_cert]

# Neither a CA certificate nor a valid TSA certificate: the timeStamping
# extended key usage is deliberately left out for the negative tests.
basicConstraints = CA:FALSE

# Same key usage flags as a TSA signing certificate.
keyUsage = nonRepudiation, digitalSignature
# timeStamping is intentionally not asserted by this certificate.
# extendedKeyUsage = critical,timeStamping

# PKIX recommendations, harmless in any certificate.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

[v3_req]

# Extensions to add to a certificate request.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature

[v3_ca]

# Extensions for a typical CA certificate.

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Critical CA constraint plus the CA-only key usages.
basicConstraints = critical,CA:true
keyUsage = cRLSign, keyCertSign

#----------------------------------------------------------------------
# `openssl ts` entry point.
[tsa]

# TSA section used when none is given on the command line.
default_tsa = tsa_config1

[tsa_config1]

# Everything in this section is consulted only when generating TSA replies.

# TSA root directory; paths below are relative to it.
dir = .
# File holding the current serial number (mandatory).
serial = $dir/tsa_serial
# The TSA signing certificate (optional).
signer_cert = $dir/tsa_cert1.pem
# Certificate chain to include in the reply (optional).
certs = $dir/tsaca.pem
# The TSA private key (optional).
signer_key = $dir/tsa_key1.pem
# Digest used to sign the reply (optional).
signer_digest = sha256
# Policy applied when the request does not specify one (optional).
default_policy = tsa_policy1
# Other policies the TSA accepts (optional).
other_policies = tsa_policy2, tsa_policy3
# Acceptable message-imprint digests (mandatory). sha1 is listed so the
# tests can exercise it; it is not a recommended imprint digest outside the suite.
digests = sha1, sha256, sha384, sha512
# Declared accuracy of the timestamps (optional).
accuracy = secs:1, millisecs:500, microsecs:100
# Whether ordering is defined for the timestamps (optional, default: no).
ordering = yes
# Whether the TSA name must be included in the reply (optional, default: no).
tsa_name = yes
# Whether the ESS certificate id chain must be included (optional, default: no).
ess_cert_id_chain = yes
# Algorithm used to compute the certificate identifier (optional, default: sha256).
ess_cert_id_alg = sha256

[tsa_config2]

# Negative-test configuration: its signing certificate lacks the
# timeStamping usage. Everything in this section is consulted only when
# generating TSA replies; the keys mirror tsa_config1.

# TSA root directory.
dir = .
# File holding the current serial number (mandatory).
serial = $dir/tsa_serial
# The TSA signing certificate without timeStamping usage (optional).
signer_cert = $dir/tsa_cert2.pem
# Certificate chain to include in the reply (optional).
certs = $dir/demoCA/cacert.pem
# The TSA private key (optional).
signer_key = $dir/tsa_key2.pem
# Digest used to sign the reply (optional).
signer_digest = sha256
# Policy applied when the request does not specify one (optional).
default_policy = tsa_policy1
# Other policies the TSA accepts (optional).
other_policies = tsa_policy2, tsa_policy3
# Acceptable message-imprint digests (mandatory).
digests = sha1, sha256, sha384, sha512