xref: /freebsd/crypto/openssl/test/CAtsa.cnf (revision 8aaffd78c0f517985c12fd1e3cbceeb6c6b98ef5)
1
2#
3# This config is used by the Time Stamp Authority tests.
4#
5
6# Comment out the next line to ignore configuration errors
7config_diagnostics = 1
8
9# Extra OBJECT IDENTIFIER info:
10oid_section		= new_oids
11
12TSDNSECT		= ts_cert_dn
13INDEX			= 1
14
15[ new_oids ]
16
17# Policies used by the TSA tests.
18tsa_policy1 = 1.2.3.4.1
19tsa_policy2 = 1.2.3.4.5.6
20tsa_policy3 = 1.2.3.4.5.7
21
22#----------------------------------------------------------------------
23[ ca ]
24default_ca	= CA_default		# The default ca section
25
26[ CA_default ]
27
28dir		= ./demoCA
29certs		= $dir/certs		# Where the issued certs are kept
30database	= $dir/index.txt	# database index file.
31new_certs_dir	= $dir/newcerts		# default place for new certs.
32
33certificate	= $dir/cacert.pem 	# The CA certificate
34serial		= $dir/serial 		# The current serial number
35private_key	= $dir/private/cakey.pem# The private key
36
37default_days	= 365			# how long to certify for
38default_md	= sha256			# which md to use.
39preserve	= no			# keep passed DN ordering
40
41policy		= policy_match
42
43# For the CA policy
44[ policy_match ]
45countryName		= supplied
46stateOrProvinceName	= supplied
47organizationName	= supplied
48organizationalUnitName	= optional
49commonName		= supplied
50emailAddress		= optional
51
52#----------------------------------------------------------------------
53[ req ]
54default_md		= sha1
55distinguished_name	= $ENV::TSDNSECT
56encrypt_rsa_key		= no
57prompt 			= no
58# attributes		= req_attributes
59x509_extensions	= v3_ca	# The extensions to add to the self signed cert
60
61string_mask = nombstr
62
63[ ts_ca_dn ]
64countryName			= HU
65stateOrProvinceName		= Budapest
66localityName			= Budapest
67organizationName		= Gov-CA Ltd.
68commonName			= ca1
69
70[ ts_cert_dn ]
71countryName			= HU
72stateOrProvinceName		= Budapest
73localityName			= Buda
74organizationName		= Hun-TSA Ltd.
75commonName			= tsa$ENV::INDEX
76
77[ tsa_cert ]
78
79# TSA server cert is not a CA cert.
80basicConstraints=CA:FALSE
81
82# The following key usage flags are needed for TSA server certificates.
83keyUsage = nonRepudiation, digitalSignature
84extendedKeyUsage = critical,timeStamping
85
86# PKIX recommendations harmless if included in all certificates.
87subjectKeyIdentifier=hash
88authorityKeyIdentifier=keyid,issuer:always
89
90[ non_tsa_cert ]
91
92# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
93basicConstraints=CA:FALSE
94
95# The following key usage flags are needed for TSA server certificates.
96keyUsage = nonRepudiation, digitalSignature
97# timeStamping is not supported by this certificate
98# extendedKeyUsage = critical,timeStamping
99
100# PKIX recommendations harmless if included in all certificates.
101subjectKeyIdentifier=hash
102authorityKeyIdentifier=keyid,issuer:always
103
104[ v3_req ]
105
106# Extensions to add to a certificate request
107basicConstraints = CA:FALSE
108keyUsage = nonRepudiation, digitalSignature
109
110[ v3_ca ]
111
112# Extensions for a typical CA
113
114subjectKeyIdentifier=hash
115authorityKeyIdentifier=keyid:always,issuer:always
116basicConstraints = critical,CA:true
117keyUsage = cRLSign, keyCertSign
118
119#----------------------------------------------------------------------
120[ tsa ]
121
122default_tsa = tsa_config1	# the default TSA section
123
124[ tsa_config1 ]
125
126# These are used by the TSA reply generation only.
127dir		= .			# TSA root directory
128serial		= $dir/tsa_serial	# The current serial number (mandatory)
129signer_cert	= $dir/tsa_cert1.pem 	# The TSA signing certificate
130					# (optional)
131certs		= $dir/tsaca.pem	# Certificate chain to include in reply
132					# (optional)
133signer_key	= $dir/tsa_key1.pem	# The TSA private key (optional)
134signer_digest  = sha256             # Signing digest to use. (Optional)
135default_policy	= tsa_policy1		# Policy if request did not specify it
136					# (optional)
137other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
138digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
139accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
140ordering		= yes	# Is ordering defined for timestamps?
141				# (optional, default: no)
142tsa_name		= yes	# Must the TSA name be included in the reply?
143				# (optional, default: no)
144ess_cert_id_chain	= yes	# Must the ESS cert id chain be included?
145				# (optional, default: no)
146ess_cert_id_alg		= sha256	# algorithm to compute certificate
147					# identifier (optional, default: sha1)
148
149[ tsa_config2 ]
150
151# This configuration uses a certificate which doesn't have timeStamping usage.
152# These are used by the TSA reply generation only.
153dir		= .			# TSA root directory
154serial		= $dir/tsa_serial	# The current serial number (mandatory)
155signer_cert	= $dir/tsa_cert2.pem 	# The TSA signing certificate
156					# (optional)
157certs		= $dir/demoCA/cacert.pem# Certificate chain to include in reply
158					# (optional)
159signer_key	= $dir/tsa_key2.pem	# The TSA private key (optional)
160signer_digest  = sha256             # Signing digest to use. (Optional)
161default_policy	= tsa_policy1		# Policy if request did not specify it
162					# (optional)
163other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
164digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
165