#
# OpenSSL configuration used by the Time Stamp Authority (TSA) tests.
# Test fixture: the paths, subject names and OIDs below are sample
# values for the test tree.
#

# Seed file for the random number generator.
RANDFILE = ./.rnd

# Section that supplies the extra OBJECT IDENTIFIER names.
oid_section = new_oids

# Fallbacks for the $ENV::TSDNSECT and $ENV::INDEX references further
# down: OpenSSL falls back to these default-section values when the
# environment variable of the same name is not set.
TSDNSECT = ts_cert_dn
INDEX = 1
13
[ new_oids ]

# Symbolic names for the policy OIDs used by the TSA tests.  The
# 1.2.3.4.* values are test placeholders; a deployed TSA would publish
# policy OIDs from an arc assigned to its operator.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
20
#----------------------------------------------------------------------
[ ca ]
# The default ca section, used when no other one is named.
default_ca = CA_default
24
[ CA_default ]

# Root of the demo CA; every path below is derived from it.
dir = ./demoCA
# Where the issued certs are kept.
certs = $dir/certs
# Database index file.
database = $dir/index.txt
# Default place for new certs.
new_certs_dir = $dir/newcerts

# The CA certificate.
certificate = $dir/cacert.pem
# The current serial number.
serial = $dir/serial
# The CA private key.  Outside a test tree this file and its directory
# should be readable by the CA account only.
private_key = $dir/private/cakey.pem
# Private random number file.
RANDFILE = $dir/private/.rand

# How long to certify for (days).
default_days = 365
# Which message digest to sign issued certificates with.
default_md = sha256
# Keep passed DN ordering?
preserve = no

# Section holding the DN policy applied to requests.
policy = policy_match
42
# DN policy for the CA: a "supplied" field must be present in the
# request, an "optional" field may be left out.
[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
51
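#----------------------------------------------------------------------
[ req ]
default_bits = 2048
# SHA-256 instead of SHA-1: SHA-1 is no longer collision resistant, and
# the CA section and both TSA sections of this file already sign with
# sha256.
default_md = sha256
# Name of the DN section, read from the TSDNSECT environment variable;
# the default section at the top of the file provides the fallback.
distinguished_name = $ENV::TSDNSECT
# Keys are written without a passphrase so the tests can run
# unattended.  Suitable for throwaway test keys only.
encrypt_rsa_key = no
# Take the subject from this file instead of prompting for it.
prompt = no
# attributes = req_attributes
# The extensions to add to the self signed cert.
x509_extensions = v3_ca

# nombstr: PrintableString and T61String only (no BMPString, no
# UTF8String).
string_mask = nombstr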
63
[ ts_ca_dn ]
# Subject name with commonName ca1.  Presumably selected through
# TSDNSECT when the test CA certificate is created; the selection
# itself is not part of this file.
countryName = HU
stateOrProvinceName = Budapest
localityName = Budapest
organizationName = Gov-CA Ltd.
commonName = ca1
70
[ ts_cert_dn ]
# Subject name for the TSA certificates; this is the section that
# TSDNSECT points to by default.
countryName = HU
stateOrProvinceName = Budapest
localityName = Buda
organizationName = Hun-TSA Ltd.
# "tsa" followed by the INDEX value (tsa1 with the default INDEX = 1).
commonName = tsa$ENV::INDEX
77
[ tsa_cert ]

# A TSA server certificate is an end-entity certificate, not a CA cert.
basicConstraints = CA:FALSE

# Key usage flags needed for TSA server certificates.
keyUsage = nonRepudiation, digitalSignature
# RFC 3161 requires timeStamping to be the only extended key usage and
# the extension to be marked critical.
extendedKeyUsage = critical,timeStamping

# PKIX recommendations, harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
90
[ non_tsa_cert ]

# Neither a CA cert nor a TSA cert: the timeStamping extended key usage
# is left out on purpose (presumably for the tests that expect such a
# signer to be refused).
basicConstraints = CA:FALSE

# Same key usage flags as a TSA server certificate.
keyUsage = nonRepudiation, digitalSignature
# timeStamping is not supported by this certificate, so the line that
# [ tsa_cert ] carries stays commented out here:
# extendedKeyUsage = critical,timeStamping

# PKIX recommendations, harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
104
[ v3_req ]

# Extensions to add to a certificate request: an end-entity request
# with signature-related key usage only.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature
110
[ v3_ca ]

# Extensions for a typical CA.

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Critical, so that software which does not understand the extension
# cannot mistake the certificate for an end-entity one.
basicConstraints = critical,CA:true
# Limited to signing certificates and CRLs.
keyUsage = cRLSign, keyCertSign
119
#----------------------------------------------------------------------
[ tsa ]

# The default TSA section.
default_tsa = tsa_config1
124
[ tsa_config1 ]

# These are used by the TSA reply generation only.  The
# mandatory/optional and default notes are the original author's
# annotations.

# TSA root directory.
dir = .
# The current serial number (mandatory).
serial = $dir/tsa_serial
# The TSA signing certificate (optional).
signer_cert = $dir/tsa_cert1.pem
# Certificate chain to include in reply (optional).
certs = $dir/tsaca.pem
# The TSA private key (optional).
signer_key = $dir/tsa_key1.pem
# Signing digest to use (optional).
signer_digest = sha256
# Policy if request did not specify it (optional).
default_policy = tsa_policy1
# Acceptable policies (optional).
other_policies = tsa_policy2, tsa_policy3
# Acceptable message digests (mandatory).  sha1 is on the list, so
# requests hashed with SHA-1 are still time-stamped; a deployment that
# does not need that compatibility would drop it from the list.
digests = sha1, sha256, sha384, sha512
# (optional)
accuracy = secs:1, millisecs:500, microsecs:100
# Is ordering defined for timestamps? (optional, default: no)
ordering = yes
# Must the TSA name be included in the reply? (optional, default: no)
tsa_name = yes
# Must the ESS cert id chain be included? (optional, default: no)
ess_cert_id_chain = yes
# Algorithm to compute certificate identifier (optional, default: sha1).
# Set explicitly so the SHA-1 default named above is not relied on.
ess_cert_id_alg = sha256
149
[ tsa_config2 ]

# This configuration uses a certificate which doesn't have timeStamping
# usage.  These are used by the TSA reply generation only.  The
# mandatory/optional notes are the original author's annotations.

# TSA root directory.
dir = .
# The current serial number (mandatory).
serial = $dir/tsa_serial
# The TSA signing certificate (optional).
signer_cert = $dir/tsa_cert2.pem
# Certificate chain to include in reply (optional).
certs = $dir/demoCA/cacert.pem
# The TSA private key (optional).
signer_key = $dir/tsa_key2.pem
# Signing digest to use (optional).
signer_digest = sha256
# Policy if request did not specify it (optional).
default_policy = tsa_policy1
# Acceptable policies (optional).
other_policies = tsa_policy2, tsa_policy3
# Acceptable message digests (mandatory).  sha1 is on the list, so
# requests hashed with SHA-1 are still time-stamped; a deployment that
# does not need that compatibility would drop it from the list.
digests = sha1, sha256, sha384, sha512
166