3 # This config is used by the Time Stamp Authority tests.
6 # This definition stops the following lines choking if HOME isn't
9 RANDFILE = $ENV::HOME/.rnd
11 # Extra OBJECT IDENTIFIER info:
12 oid_section = new_oids
16 # Policies used by the TSA tests.
17 tsa_policy1 = 1.2.3.4.1
18 tsa_policy2 = 1.2.3.4.5.6
19 tsa_policy3 = 1.2.3.4.5.7
21 #----------------------------------------------------------------------
23 default_ca = CA_default # The default ca section
28 certs = $dir/certs # Where the issued certs are kept
29 database = $dir/index.txt # database index file.
30 new_certs_dir = $dir/newcerts # default place for new certs.
32 certificate = $dir/cacert.pem # The CA certificate
33 serial = $dir/serial # The current serial number
34 private_key = $dir/private/cakey.pem# The private key
35 RANDFILE = $dir/private/.rand # private random number file
37 default_days = 365 # how long to certify for
38 default_md = sha1 # which md to use.
39 preserve = no # keep passed DN ordering
45 countryName = supplied
46 stateOrProvinceName = supplied
47 organizationName = supplied
48 organizationalUnitName = optional
50 emailAddress = optional
52 #----------------------------------------------------------------------
56 distinguished_name = req_distinguished_name
58 # attributes = req_attributes
59 x509_extensions = v3_ca # The extentions to add to the self signed cert
63 [ req_distinguished_name ]
64 countryName = Country Name (2 letter code)
65 countryName_default = HU
69 stateOrProvinceName = State or Province Name (full name)
70 stateOrProvinceName_default =
72 localityName = Locality Name (eg, city)
74 0.organizationName = Organization Name (eg, company)
75 0.organizationName_default =
77 commonName = Common Name (eg, YOUR name)
81 challengePassword = A challenge password
82 challengePassword_min = 4
83 challengePassword_max = 20
85 unstructuredName = An optional company name
89 # TSA server cert is not a CA cert.
90 basicConstraints=CA:FALSE
92 # The following key usage flags are needed for TSA server certificates.
93 keyUsage = nonRepudiation, digitalSignature
94 extendedKeyUsage = critical,timeStamping
96 # PKIX recommendations harmless if included in all certificates.
97 subjectKeyIdentifier=hash
98 authorityKeyIdentifier=keyid,issuer:always
102 # This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
103 basicConstraints=CA:FALSE
105 # The following key usage flags are needed for TSA server certificates.
106 keyUsage = nonRepudiation, digitalSignature
107 # timeStamping is not supported by this certificate
108 # extendedKeyUsage = critical,timeStamping
110 # PKIX recommendations harmless if included in all certificates.
111 subjectKeyIdentifier=hash
112 authorityKeyIdentifier=keyid,issuer:always
116 # Extensions to add to a certificate request
117 basicConstraints = CA:FALSE
118 keyUsage = nonRepudiation, digitalSignature
122 # Extensions for a typical CA
124 subjectKeyIdentifier=hash
125 authorityKeyIdentifier=keyid:always,issuer:always
126 basicConstraints = critical,CA:true
127 keyUsage = cRLSign, keyCertSign
129 #----------------------------------------------------------------------
132 default_tsa = tsa_config1 # the default TSA section
136 # These are used by the TSA reply generation only.
137 dir = . # TSA root directory
138 serial = $dir/tsa_serial # The current serial number (mandatory)
139 signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
141 certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
143 signer_key = $dir/tsa_key1.pem # The TSA private key (optional)
145 default_policy = tsa_policy1 # Policy if request did not specify it
147 other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
148 digests = md5, sha1 # Acceptable message digests (mandatory)
149 accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
150 ordering = yes # Is ordering defined for timestamps?
151 # (optional, default: no)
152 tsa_name = yes # Must the TSA name be included in the reply?
153 # (optional, default: no)
154 ess_cert_id_chain = yes # Must the ESS cert id chain be included?
155 # (optional, default: no)
159 # This configuration uses a certificate which doesn't have timeStamping usage.
160 # These are used by the TSA reply generation only.
161 dir = . # TSA root directory
162 serial = $dir/tsa_serial # The current serial number (mandatory)
163 signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
165 certs = $dir/demoCA/cacert.pem# Certificate chain to include in reply
167 signer_key = $dir/tsa_key2.pem # The TSA private key (optional)
169 default_policy = tsa_policy1 # Policy if request did not specify it
171 other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
172 digests = md5, sha1 # Acceptable message digests (mandatory)