3 # This config is used by the Time Stamp Authority tests.
6 # Extra OBJECT IDENTIFIER info:
14 # Policies used by the TSA tests.
15 tsa_policy1 = 1.2.3.4.1
16 tsa_policy2 = 1.2.3.4.5.6
17 tsa_policy3 = 1.2.3.4.5.7
19 #----------------------------------------------------------------------
21 default_ca = CA_default # The default ca section
26 certs = $dir/certs # Where the issued certs are kept
27 database = $dir/index.txt # database index file.
28 new_certs_dir = $dir/newcerts # default place for new certs.
30 certificate = $dir/cacert.pem # The CA certificate
31 serial = $dir/serial # The current serial number
32 private_key = $dir/private/cakey.pem# The private key
34 default_days = 365 # how long to certify for
35 default_md = sha256 # which md to use.
36 preserve = no # keep passed DN ordering
42 countryName = supplied
43 stateOrProvinceName = supplied
44 organizationName = supplied
45 organizationalUnitName = optional
47 emailAddress = optional
49 #----------------------------------------------------------------------
53 distinguished_name = $ENV::TSDNSECT
56 # attributes = req_attributes
57 x509_extensions = v3_ca # The extensions to add to the self signed cert
63 stateOrProvinceName = Budapest
64 localityName = Budapest
65 organizationName = Gov-CA Ltd.
70 stateOrProvinceName = Budapest
72 organizationName = Hun-TSA Ltd.
73 commonName = tsa$ENV::INDEX
77 # TSA server cert is not a CA cert.
78 basicConstraints=CA:FALSE
80 # The following key usage flags are needed for TSA server certificates.
81 keyUsage = nonRepudiation, digitalSignature
82 extendedKeyUsage = critical,timeStamping
84 # PKIX recommendations harmless if included in all certificates.
85 subjectKeyIdentifier=hash
86 authorityKeyIdentifier=keyid,issuer:always
90 # This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
91 basicConstraints=CA:FALSE
93 # The following key usage flags are needed for TSA server certificates.
94 keyUsage = nonRepudiation, digitalSignature
95 # timeStamping is not supported by this certificate
96 # extendedKeyUsage = critical,timeStamping
98 # PKIX recommendations harmless if included in all certificates.
99 subjectKeyIdentifier=hash
100 authorityKeyIdentifier=keyid,issuer:always
104 # Extensions to add to a certificate request
105 basicConstraints = CA:FALSE
106 keyUsage = nonRepudiation, digitalSignature
110 # Extensions for a typical CA
112 subjectKeyIdentifier=hash
113 authorityKeyIdentifier=keyid:always,issuer:always
114 basicConstraints = critical,CA:true
115 keyUsage = cRLSign, keyCertSign
117 #----------------------------------------------------------------------
120 default_tsa = tsa_config1 # the default TSA section
124 # These are used by the TSA reply generation only.
125 dir = . # TSA root directory
126 serial = $dir/tsa_serial # The current serial number (mandatory)
127 signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
129 certs = $dir/tsaca.pem # Certificate chain to include in reply
131 signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
132 signer_digest = sha256 # Signing digest to use. (Optional)
133 default_policy = tsa_policy1 # Policy if request did not specify it
135 other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
136 digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
137 accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
138 ordering = yes # Is ordering defined for timestamps?
139 # (optional, default: no)
140 tsa_name = yes # Must the TSA name be included in the reply?
141 # (optional, default: no)
142 ess_cert_id_chain = yes # Must the ESS cert id chain be included?
143 # (optional, default: no)
144 ess_cert_id_alg = sha256 # algorithm to compute certificate
145 # identifier (optional, default: sha1)
149 # This configuration uses a certificate which doesn't have timeStamping usage.
150 # These are used by the TSA reply generation only.
151 dir = . # TSA root directory
152 serial = $dir/tsa_serial # The current serial number (mandatory)
153 signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
155 certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
157 signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
158 signer_digest = sha256 # Signing digest to use. (Optional)
159 default_policy = tsa_policy1 # Policy if request did not specify it
161 other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
162 digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)