sign-pdf-worker/ts-authority/rootca.conf

#
# rootca.conf
#
# See Ristic OpenSSL Cookbook URL above.

oid_section                     = new_oids

[ new_oids ]
tsa_policy1                     = 1.2.3.4.1
tsa_policy2                     = 1.2.3.4.5.6
tsa_policy3                     = 1.2.3.4.5.7

######  First Part ########

[default]
name                    = root-ca
domain_suffix           = example.com
aia_url                 = http://$name.$domain_suffix/$name.crt
crl_url                 = http://$name.$domain_suffix/$name.crl
ocsp_url                = http://ocsp.$name.$domain_suffix:9080
default_ca              = ca_default
name_opt                = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName             = "US"
organizationName        = "Example Inc."
commonName              = "Root CA"

###### Second Part #######

[ca_default]
home                    = .
database                = $home/ca/db/index
serial                  = $home/ca/db/serial
crlnumber               = $home/ca/db/crlnumber
certificate             = $home/ca/$name.crt
private_key             = $home/ca/private/$name.key
RANDFILE                = $home/ca/private/random
new_certs_dir           = $home/ca/certs
unique_subject          = no
copy_extensions         = none
default_days            = 3650
default_crl_days        = 30
default_md              = sha256
policy                  = policy_c_o_match
name                    = foo@example.com


[policy_c_o_match]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional


##### Third Part #######

[req]
default_bits            = 4096
encrypt_key             = yes
default_md              = sha256
utf8                    = yes
string_mask             = utf8only
prompt                  = no
distinguished_name      = ca_dn
req_extensions          = ca_ext


[ca_ext]
basicConstraints        = critical,CA:true
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash


####### Fourth Part - Extensions  ########
#
# Value           Meaning  - see x509v3.cnf(5)
# --------        ------------------------------
# serverAuth      SSL/TLS web server authentication
# clientAuth      SSL/TLS web client authentication
# codeSigning     code signing
# emailProtection email protection (S/MIME)
# timeStamping    trusted doc hash timestamping
# OCSPSigning     OCSP Signing
# ipsecIKE        IPsec internet key exchange
# msCodeInd       Microsoft individual code signing (authenticode)
# msCodeCom       Microsoft commercial code signing (authenticode)
# msCTLSign       Microsoft trust list signing
# msEFS           Microsoft encrypted file system (EFS)


[sub_ca_ext]
authorityInfoAccess     = @issuer_info
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:true,pathlen:0
crlDistributionPoints   = @crl_info
keyUsage                = critical,keyCertSign,cRLSign
extendedKeyUsage        = clientAuth,serverAuth
nameConstraints         = @name_constraints
subjectKeyIdentifier    = hash


[crl_info]
URI.0                   = $crl_url

[issuer_info]
caIssuers;URI.0         = $aia_url
OCSP;URI.0              = $ocsp_url

[name_constraints]
permitted;DNS.0=example.com
permitted;DNS.1=example.org
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0


#######  Fifth Part  ==========


[ocsp_ext]
authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
extendedKeyUsage        = OCSPSigning
keyUsage                = critical,digitalSignature
subjectKeyIdentifier    = hash


###########  TSA extension   ##############
#
# Copied from the OpenSSL CAtsa.cnf test configuration and modified for use as a TSA extension.
#
#

[ tsa ]

default_tsa             = tsa_config1

[ tsa_config1 ]
dir                     = /home/julien/dev/chill/sign-pdf-worker/ts-authority                     # TSA root directory, same as root-ca
serial                  = $dir/ca/tsa_serial       # current serial number (mandatory)
signer_cert             = $dir/ca/tsa.crt     # signing certificate (optional)
certs                   = $dir/ca/tsa-chain.pem # certification chain (optional)
signer_key              = $dir/ca/private/tsa.key # tsa private key (optional)
default_policy          = tsa_policy1
signer_digest           = sha256                # digest to use for signing (optional)
other_policies          = tsa_policy2,tsa_policy3 # other policies (optional)
digests                 = sha256,sha384,sha512    # acceptable digests (mandatory)
accuracy                = secs:1,millisecs:500,microsecs:100 # accuracy optional
ordering                = yes                   # is ordering defined? (optional, default: no)
tsa_name                = yes                   # must tsa name be included in reply? (opt., default: no)
ess_cert_id_chain       = yes                   # must ess cert id change be incl? (opt., default: no)
ess_cert_id_alg         = sha256                # alg to compute cert. id (optional, default: sha1)

# added, was missing in the blog post
crypto_device           = builtin

# The tsa_ext extension is
# used to create the tsa cert tsa.crt

[ tsa_ext ]

authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
extendedKeyUsage        = critical,timeStamping
keyUsage                = critical,nonRepudiation
subjectKeyIdentifier    = hash
write readme to generate timestamps 2024-10-11 10:43:25 +00:00			`#`
			`# rootca.conf`
			`#`
			`# See Ristic OpenSSL Cookbook URL above.`

			`oid_section = new_oids`

			`[ new_oids ]`
			`tsa_policy1 = 1.2.3.4.1`
			`tsa_policy2 = 1.2.3.4.5.6`
			`tsa_policy3 = 1.2.3.4.5.7`

			`###### First Part ########`

			`[default]`
			`name = root-ca`
			`domain_suffix = example.com`
			`aia_url = http://$name.$domain_suffix/$name.crt`
			`crl_url = http://$name.$domain_suffix/$name.crl`
			`ocsp_url = http://ocsp.$name.$domain_suffix:9080`
			`default_ca = ca_default`
			`name_opt = utf8,esc_ctrl,multiline,lname,align`

			`[ca_dn]`
			`countryName = "US"`
			`organizationName = "Example Inc."`
			`commonName = "Root CA"`

			`###### Second Part #######`

			`[ca_default]`
			`home = .`
			`database = $home/ca/db/index`
			`serial = $home/ca/db/serial`
			`crlnumber = $home/ca/db/crlnumber`
			`certificate = $home/ca/$name.crt`
			`private_key = $home/ca/private/$name.key`
			`RANDFILE = $home/ca/private/random`
			`new_certs_dir = $home/ca/certs`
			`unique_subject = no`
			`copy_extensions = none`
			`default_days = 3650`
			`default_crl_days = 30`
			`default_md = sha256`
			`policy = policy_c_o_match`
			`name = foo@example.com`


			`[policy_c_o_match]`
			`countryName = match`
			`stateOrProvinceName = optional`
			`organizationName = match`
			`organizationalUnitName = optional`
			`commonName = supplied`
			`emailAddress = optional`


			`##### Third Part #######`

			`[req]`
			`default_bits = 4096`
			`encrypt_key = yes`
			`default_md = sha256`
			`utf8 = yes`
			`string_mask = utf8only`
			`prompt = no`
			`distinguished_name = ca_dn`
			`req_extensions = ca_ext`


			`[ca_ext]`
			`basicConstraints = critical,CA:true`
			`keyUsage = critical,keyCertSign,cRLSign`
			`subjectKeyIdentifier = hash`


			`####### Fourth Part - Extensions ########`
			`#`
			`# Value Meaning - see x509v3.cnf(5)`
			`# -------- ------------------------------`
			`# serverAuth SSL/TLS web server authentication`
			`# clientAuth SSL/TLS web client authentication`
			`# codeSigning code signing`
			`# emailProtection email protection (S/MIME)`
			`# timeStamping trusted doc hash timestamping`
			`# OCSPSigning OCSP Signing`
			`# ipsecIKE IPsec internet key exchange`
			`# msCodeInd Microsoft individual code signing (authenticode)`
			`# msCodeCom Microsoft commercial code signing (authenticode)`
			`# msCTLSign Microsoft trust list signing`
			`# msEFS Microsoft encrypted file system (EFS)`


			`[sub_ca_ext]`
			`authorityInfoAccess = @issuer_info`
			`authorityKeyIdentifier = keyid:always`
			`basicConstraints = critical,CA:true,pathlen:0`
			`crlDistributionPoints = @crl_info`
			`keyUsage = critical,keyCertSign,cRLSign`
			`extendedKeyUsage = clientAuth,serverAuth`
			`nameConstraints = @name_constraints`
			`subjectKeyIdentifier = hash`


			`[crl_info]`
			`URI.0 = $crl_url`

			`[issuer_info]`
			`caIssuers;URI.0 = $aia_url`
			`OCSP;URI.0 = $ocsp_url`

			`[name_constraints]`
			`permitted;DNS.0=example.com`
			`permitted;DNS.1=example.org`
			`excluded;IP.0=0.0.0.0/0.0.0.0`
			`excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0`


			`####### Fifth Part ==========`


			`[ocsp_ext]`
			`authorityKeyIdentifier = keyid:always`
			`basicConstraints = critical,CA:false`
			`extendedKeyUsage = OCSPSigning`
			`keyUsage = critical,digitalSignature`
			`subjectKeyIdentifier = hash`


			`########### TSA extension ##############`
			`#`
			`# Copied from the OpenSSL CAtsa.cnf test configuration and modified for use as a TSA extension.`
			`#`
			`#`

			`[ tsa ]`

			`default_tsa = tsa_config1`

			`[ tsa_config1 ]`
Integrate local OpenSSL TSA for timestamping Replaced HTTPTimeStamper with LocalOpensslTimestamp for TSA operations using a local OpenSSL CLI. Updated related configurations and dependencies to support this change, enhancing the timestamping process's reliability and security. 2024-10-11 13:07:21 +00:00			`dir = /home/julien/dev/chill/sign-pdf-worker/ts-authority # TSA root directory, same as root-ca`
write readme to generate timestamps 2024-10-11 10:43:25 +00:00			`serial = $dir/ca/tsa_serial # current serial number (mandatory)`
			`signer_cert = $dir/ca/tsa.crt # signing certificate (optional)`
			`certs = $dir/ca/tsa-chain.pem # certification chain (optional)`
			`signer_key = $dir/ca/private/tsa.key # tsa private key (optional)`
			`default_policy = tsa_policy1`
			`signer_digest = sha256 # digest to use for signing (optional)`
			`other_policies = tsa_policy2,tsa_policy3 # other policies (optional)`
			`digests = sha256,sha384,sha512 # acceptable digests (mandatory)`
			`accuracy = secs:1,millisecs:500,microsecs:100 # accuracy optional`
			`ordering = yes # is ordering defined? (optional, default: no)`
			`tsa_name = yes # must tsa name be included in reply? (opt., default: no)`
			`ess_cert_id_chain = yes # must ess cert id change be incl? (opt., default: no)`
			`ess_cert_id_alg = sha256 # alg to compute cert. id (optional, default: sha1)`

			`# added, was missing in the blog post`
			`crypto_device = builtin`

			`# The tsa_ext extension is`
			`# used to create the tsa cert tsa.crt`

			`[ tsa_ext ]`

			`authorityKeyIdentifier = keyid:always`
			`basicConstraints = critical,CA:false`
			`extendedKeyUsage = critical,timeStamping`
			`keyUsage = critical,nonRepudiation`
			`subjectKeyIdentifier = hash`