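#
# This config is used by the Time Stamp Authority tests.
#
# Format: OpenSSL configuration file. Keys placed before the first
# [ section ] header belong to the default section.

# Comment out the next line to ignore configuration errors
config_diagnostics = 1

# Extra OBJECT IDENTIFIER info: names the section that defines additional OIDs.
oid_section = new_oids

# Config-level values for the names that [ req ] and [ ts_cert_dn ] read as
# $ENV::TSDNSECT and $ENV::INDEX.
# NOTE(review): presumably these act as fallbacks and the test harness
# overrides them through the environment to pick the DN section and the
# TSA index -- confirm against the test script.
TSDNSECT = ts_cert_dn
INDEX = 1
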
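[ new_oids ]

# Policies used by the TSA tests. The names defined here are the ones that
# default_policy and other_policies in the tsa_config sections refer to.
# NOTE(review): the 1.2.3.4.* arcs look like placeholders rather than
# registered policy OIDs -- keep them out of any non-test configuration.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
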
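#----------------------------------------------------------------------
[ ca ]
# The default ca section
default_ca = CA_default
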
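[ CA_default ]

# Root of the demo CA tree; every path below is built from it. The path is
# relative, so it depends on the directory the tests are run from.
dir = ./demoCA
# Where the issued certs are kept
certs = $dir/certs
# database index file.
database = $dir/index.txt
# default place for new certs.
new_certs_dir = $dir/newcerts

# The CA certificate
certificate = $dir/cacert.pem
# The current serial number
serial = $dir/serial
# The private key
# NOTE(review): [ req ] sets encrypt_rsa_key = no, so keys generated through
# it are presumably stored unencrypted -- acceptable only for throwaway test
# material; confirm how this key is produced.
private_key = $dir/private/cakey.pem

# how long to certify for (days)
default_days = 365
# which md to use.
default_md = sha256
# keep passed DN ordering
preserve = no

# Name of the section holding the DN field policy applied to requests.
policy = policy_match
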
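# For the CA policy
# Despite the section name, no field here is set to "match": every listed
# field is either "supplied" (must be present in the request) or "optional"
# (may be present), so the CA does not require request DN fields to equal
# its own.
[ policy_match ]
countryName = supplied
stateOrProvinceName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
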
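#----------------------------------------------------------------------
[ req ]
# Digest used when signing requests and self-signed certificates.
# NOTE(review): SHA-1 is collision-weak; the value is left as the fixture has
# it, but it is not one to copy into a CA configuration used outside tests.
default_md = sha1
# DN section is chosen indirectly through TSDNSECT (default section of this
# file, or the environment).
distinguished_name = $ENV::TSDNSECT
# Generated private keys are written without passphrase protection.
encrypt_rsa_key = no
# Take DN values from the config instead of prompting.
prompt = no
# attributes = req_attributes
# The extensions to add to the self signed cert
x509_extensions = v3_ca

# Permitted string types for DN fields: no BMPString or UTF8String.
string_mask = nombstr
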
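# Subject DN for the test CA.
# NOTE(review): nothing in this file selects this section by default
# (TSDNSECT defaults to ts_cert_dn); presumably the harness sets
# TSDNSECT=ts_ca_dn when creating the CA -- confirm.
[ ts_ca_dn ]
countryName = HU
stateOrProvinceName = Budapest
localityName = Budapest
organizationName = Gov-CA Ltd.
commonName = ca1
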
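# Subject DN for the TSA certificates; this is the section TSDNSECT names
# by default.
[ ts_cert_dn ]
countryName = HU
stateOrProvinceName = Budapest
localityName = Buda
organizationName = Hun-TSA Ltd.
# INDEX is appended to form the CN (tsa1 with the default INDEX = 1).
commonName = tsa$ENV::INDEX
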
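# Extension set for a certificate that is valid for time stamping.
# NOTE(review): no key in this file references this section; presumably it
# is selected on the command line when the certificate is issued.
[ tsa_cert ]

# TSA server cert is not a CA cert.
basicConstraints = CA:FALSE

# The following key usage flags are needed for TSA server certificates.
keyUsage = nonRepudiation, digitalSignature
# RFC 3161 requires the TSA certificate to carry timeStamping as its only
# extended key usage and to mark the extension critical.
extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
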
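# Negative-test extension set: identical to tsa_cert except that the
# timeStamping extended key usage is deliberately left out.
[ non_tsa_cert ]

# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
basicConstraints = CA:FALSE

# Same key usage flags as a TSA server certificate would carry.
keyUsage = nonRepudiation, digitalSignature
# timeStamping is not supported by this certificate. The line below is kept
# commented out on purpose; enabling it would turn this into a usable TSA
# certificate profile and defeat the test that expects it to be refused.
# extendedKeyUsage = critical,timeStamping

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
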
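[ v3_req ]

# Extensions to add to a certificate request
# NOTE(review): no key in this file references this section; presumably it
# is selected on the command line.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature
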
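[ v3_ca ]

# Extensions for a typical CA. [ req ] applies this section to self-signed
# certificates through x509_extensions.

subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Marked critical so that relying software must honour the CA flag.
basicConstraints = critical,CA:true
# Limited to signing certificates and CRLs.
keyUsage = cRLSign, keyCertSign
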
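#----------------------------------------------------------------------
[ tsa ]

# the default TSA section
default_tsa = tsa_config1
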
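[ tsa_config1 ]

# These are used by the TSA reply generation only.
# TSA root directory (the current working directory)
dir = .
# The current serial number (mandatory)
serial = $dir/tsa_serial
# The TSA signing certificate (optional)
signer_cert = $dir/tsa_cert1.pem
# Certificate chain to include in reply (optional)
certs = $dir/tsaca.pem
# The TSA private key (optional)
signer_key = $dir/tsa_key1.pem
# Signing digest to use. (Optional)
signer_digest = sha256
# Policy if request did not specify it (optional)
default_policy = tsa_policy1
# acceptable policies (optional)
other_policies = tsa_policy2, tsa_policy3
# Acceptable message digests (mandatory)
# NOTE(review): sha1 is accepted as a message-imprint digest here. It is
# collision-weak, so a TSA outside the test suite would normally leave it
# out of this list.
digests = sha1, sha256, sha384, sha512
# Declared accuracy of the time source (optional)
accuracy = secs:1, millisecs:500, microsecs:100
# Is ordering defined for timestamps? (optional, default: no)
ordering = yes
# Must the TSA name be included in the reply? (optional, default: no)
tsa_name = yes
# Must the ESS cert id chain be included? (optional, default: no)
ess_cert_id_chain = yes
# algorithm to compute certificate identifier (optional, default: sha1)
ess_cert_id_alg = sha256
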
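[ tsa_config2 ]

# This configuration uses a certificate which doesn't have timeStamping usage.
# NOTE(review): presumably tsa_cert2.pem is issued with the non_tsa_cert
# extension section so that reply generation with it is expected to fail --
# confirm against the test script.
# These are used by the TSA reply generation only.
# TSA root directory (the current working directory)
dir = .
# The current serial number (mandatory)
serial = $dir/tsa_serial
# The TSA signing certificate (optional)
signer_cert = $dir/tsa_cert2.pem
# Certificate chain to include in reply (optional)
certs = $dir/demoCA/cacert.pem
# The TSA private key (optional)
signer_key = $dir/tsa_key2.pem
# Signing digest to use. (Optional)
signer_digest = sha256
# Policy if request did not specify it (optional)
default_policy = tsa_policy1
# acceptable policies (optional)
other_policies = tsa_policy2, tsa_policy3
# Acceptable message digests (mandatory)
# NOTE(review): sha1 is accepted as a message-imprint digest here. It is
# collision-weak, so a TSA outside the test suite would normally leave it
# out of this list.
digests = sha1, sha256, sha384, sha512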