CAtsa.cnf 4.66 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163

#
# This config is used by the Time Stamp Authority tests.
#

RANDFILE		= ./.rnd

# Extra OBJECT IDENTIFIER info:
oid_section		= new_oids

TSDNSECT		= ts_cert_dn
INDEX			= 1

[ new_oids ]

# Policies used by the TSA tests.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

#----------------------------------------------------------------------
[ ca ]
default_ca	= CA_default		# The default ca section

[ CA_default ]

dir		= ./demoCA
certs		= $dir/certs		# Where the issued certs are kept
database	= $dir/index.txt	# database index file.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
private_key	= $dir/private/cakey.pem# The private key
RANDFILE	= $dir/private/.rand	# private random number file

default_days	= 365			# how long to certify for
default_md	= sha1			# which md to use.
preserve	= no			# keep passed DN ordering

policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= supplied
stateOrProvinceName	= supplied
organizationName	= supplied
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

#----------------------------------------------------------------------
[ req ]
default_bits		= 1024
default_md		= sha1
distinguished_name	= $ENV::TSDNSECT
encrypt_rsa_key		= no
prompt 			= no
# attributes		= req_attributes
x509_extensions	= v3_ca	# The extentions to add to the self signed cert

string_mask = nombstr

[ ts_ca_dn ]
countryName			= HU
stateOrProvinceName		= Budapest
localityName			= Budapest
organizationName		= Gov-CA Ltd.
commonName			= ca1

[ ts_cert_dn ]
countryName			= HU
stateOrProvinceName		= Budapest
localityName			= Buda
organizationName		= Hun-TSA Ltd.
commonName			= tsa$ENV::INDEX

[ tsa_cert ]

# TSA server cert is not a CA cert.
basicConstraints=CA:FALSE

# The following key usage flags are needed for TSA server certificates.
keyUsage = nonRepudiation, digitalSignature
extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ non_tsa_cert ]

# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
basicConstraints=CA:FALSE

# The following key usage flags are needed for TSA server certificates.
keyUsage = nonRepudiation, digitalSignature
# timeStamping is not supported by this certificate
# extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

[ v3_req ]

# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature

[ v3_ca ]

# Extensions for a typical CA

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = cRLSign, keyCertSign

#----------------------------------------------------------------------
[ tsa ]

default_tsa = tsa_config1	# the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir		= .			# TSA root directory
serial		= $dir/tsa_serial	# The current serial number (mandatory)
signer_cert	= $dir/tsa_cert1.pem 	# The TSA signing certificate
					# (optional)
certs		= $dir/tsaca.pem	# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/tsa_key1.pem	# The TSA private key (optional)

default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests		= md5, sha1		# Acceptable message digests (mandatory)
accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
ordering		= yes	# Is ordering defined for timestamps?
				# (optional, default: no)
tsa_name		= yes	# Must the TSA name be included in the reply?
				# (optional, default: no)
ess_cert_id_chain	= yes	# Must the ESS cert id chain be included?
				# (optional, default: no)

[ tsa_config2 ]

# This configuration uses a certificate which doesn't have timeStamping usage.
# These are used by the TSA reply generation only.
dir		= .			# TSA root directory
serial		= $dir/tsa_serial	# The current serial number (mandatory)
signer_cert	= $dir/tsa_cert2.pem 	# The TSA signing certificate
					# (optional)
certs		= $dir/demoCA/cacert.pem# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/tsa_key2.pem	# The TSA private key (optional)

default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests		= md5, sha1		# Acceptable message digests (mandatory)