Fix rpath-related Linux "test_shlibload" failure.
[openssl.git] / test / CAtsa.cnf
1
2 #
3 # This config is used by the Time Stamp Authority tests.
4 #
5
6 RANDFILE                = ./.rnd
7
8 # Extra OBJECT IDENTIFIER info:
9 oid_section             = new_oids
10
11 TSDNSECT                = ts_cert_dn
12 INDEX                   = 1
13
14 [ new_oids ]
15
16 # Policies used by the TSA tests.
17 tsa_policy1 = 1.2.3.4.1
18 tsa_policy2 = 1.2.3.4.5.6
19 tsa_policy3 = 1.2.3.4.5.7
20
21 #----------------------------------------------------------------------
22 [ ca ]
23 default_ca      = CA_default            # The default ca section
24
25 [ CA_default ]
26
27 dir             = ./demoCA
28 certs           = $dir/certs            # Where the issued certs are kept
29 database        = $dir/index.txt        # database index file.
30 new_certs_dir   = $dir/newcerts         # default place for new certs.
31
32 certificate     = $dir/cacert.pem       # The CA certificate
33 serial          = $dir/serial           # The current serial number
34 private_key     = $dir/private/cakey.pem# The private key
35 RANDFILE        = $dir/private/.rand    # private random number file
36
37 default_days    = 365                   # how long to certify for
38 default_md      = sha256                        # which md to use.
39 preserve        = no                    # keep passed DN ordering
40
41 policy          = policy_match
42
43 # For the CA policy
44 [ policy_match ]
45 countryName             = supplied
46 stateOrProvinceName     = supplied
47 organizationName        = supplied
48 organizationalUnitName  = optional
49 commonName              = supplied
50 emailAddress            = optional
51
52 #----------------------------------------------------------------------
53 [ req ]
54 default_bits            = 2048
55 default_md              = sha1
56 distinguished_name      = $ENV::TSDNSECT
57 encrypt_rsa_key         = no
58 prompt                  = no
59 # attributes            = req_attributes
60 x509_extensions = v3_ca # The extensions to add to the self signed cert
61
62 string_mask = nombstr
63
64 [ ts_ca_dn ]
65 countryName                     = HU
66 stateOrProvinceName             = Budapest
67 localityName                    = Budapest
68 organizationName                = Gov-CA Ltd.
69 commonName                      = ca1
70
71 [ ts_cert_dn ]
72 countryName                     = HU
73 stateOrProvinceName             = Budapest
74 localityName                    = Buda
75 organizationName                = Hun-TSA Ltd.
76 commonName                      = tsa$ENV::INDEX
77
78 [ tsa_cert ]
79
80 # TSA server cert is not a CA cert.
81 basicConstraints=CA:FALSE
82
83 # The following key usage flags are needed for TSA server certificates.
84 keyUsage = nonRepudiation, digitalSignature
85 extendedKeyUsage = critical,timeStamping
86
87 # PKIX recommendations harmless if included in all certificates.
88 subjectKeyIdentifier=hash
89 authorityKeyIdentifier=keyid,issuer:always
90
91 [ non_tsa_cert ]
92
93 # This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
94 basicConstraints=CA:FALSE
95
96 # The following key usage flags are needed for TSA server certificates.
97 keyUsage = nonRepudiation, digitalSignature
98 # timeStamping is not supported by this certificate
99 # extendedKeyUsage = critical,timeStamping
100
101 # PKIX recommendations harmless if included in all certificates.
102 subjectKeyIdentifier=hash
103 authorityKeyIdentifier=keyid,issuer:always
104
105 [ v3_req ]
106
107 # Extensions to add to a certificate request
108 basicConstraints = CA:FALSE
109 keyUsage = nonRepudiation, digitalSignature
110
111 [ v3_ca ]
112
113 # Extensions for a typical CA
114
115 subjectKeyIdentifier=hash
116 authorityKeyIdentifier=keyid:always,issuer:always
117 basicConstraints = critical,CA:true
118 keyUsage = cRLSign, keyCertSign
119
120 #----------------------------------------------------------------------
121 [ tsa ]
122
123 default_tsa = tsa_config1       # the default TSA section
124
125 [ tsa_config1 ]
126
127 # These are used by the TSA reply generation only.
128 dir             = .                     # TSA root directory
129 serial          = $dir/tsa_serial       # The current serial number (mandatory)
130 signer_cert     = $dir/tsa_cert1.pem    # The TSA signing certificate
131                                         # (optional)
132 certs           = $dir/tsaca.pem        # Certificate chain to include in reply
133                                         # (optional)
134 signer_key      = $dir/tsa_key1.pem     # The TSA private key (optional)
135 signer_digest  = sha256             # Signing digest to use. (Optional)
136 default_policy  = tsa_policy1           # Policy if request did not specify it
137                                         # (optional)
138 other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
139 digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
140 accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
141 ordering                = yes   # Is ordering defined for timestamps?
142                                 # (optional, default: no)
143 tsa_name                = yes   # Must the TSA name be included in the reply?
144                                 # (optional, default: no)
145 ess_cert_id_chain       = yes   # Must the ESS cert id chain be included?
146                                 # (optional, default: no)
147 ess_cert_id_alg         = sha256        # algorithm to compute certificate
148                                         # identifier (optional, default: sha1)
149
150 [ tsa_config2 ]
151
152 # This configuration uses a certificate which doesn't have timeStamping usage.
153 # These are used by the TSA reply generation only.
154 dir             = .                     # TSA root directory
155 serial          = $dir/tsa_serial       # The current serial number (mandatory)
156 signer_cert     = $dir/tsa_cert2.pem    # The TSA signing certificate
157                                         # (optional)
158 certs           = $dir/demoCA/cacert.pem# Certificate chain to include in reply
159                                         # (optional)
160 signer_key      = $dir/tsa_key2.pem     # The TSA private key (optional)
161 signer_digest  = sha256             # Signing digest to use. (Optional)
162 default_policy  = tsa_policy1           # Policy if request did not specify it
163                                         # (optional)
164 other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
165 digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)