sign-pdf-worker/ts-authority/vendee-tsa.conf

#
# rootca.conf
#
# See Ristic OpenSSL Cookbook URL above.

oid_section                     = new_oids

[ new_oids ]
tsa_policy1                     = 1.2.3.4.1
tsa_policy2                     = 1.2.3.4.5.6
tsa_policy3                     = 1.2.3.4.5.7


[ tsa ]

default_tsa             = tsa_config1

[ tsa_config1 ]
dir                     = /run/user/1000/ca                     # TSA root directory, same as root-ca
serial                  = $dir/tsa_serial       # current serial number (mandatory)
signer_cert             = $dir/tsa.crt     # signing certificate (optional)
certs                   = $dir/tsa-chain.pem # certification chain (optional)
signer_key              = $dir/private/tsa.key # tsa private key (optional)
default_policy          = tsa_policy1
signer_digest           = sha256                # digest to use for signing (optional)
other_policies          = tsa_policy2,tsa_policy3 # other policies (optional)
digests                 = sha256,sha384,sha512    # acceptable digests (mandatory)
accuracy                = secs:1,millisecs:500,microsecs:100 # accuracy optional
ordering                = yes                   # is ordering defined? (optional, default: no)
tsa_name                = yes                   # must tsa name be included in reply? (opt., default: no)
ess_cert_id_chain       = yes                   # must ess cert id change be incl? (opt., default: no)
ess_cert_id_alg         = sha256                # alg to compute cert. id (optional, default: sha1)

# added, was missing in the blog post
crypto_device           = builtin

# The tsa_ext extension is
# used to create the tsa cert tsa.crt

[ tsa_ext ]

authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
extendedKeyUsage        = critical,timeStamping
keyUsage                = critical,nonRepudiation
subjectKeyIdentifier    = hash
create a new script dedicated for signing for vendee certificates 2024-10-11 14:12:33 +00:00			`#`
			`# rootca.conf`
			`#`
			`# See Ristic OpenSSL Cookbook URL above.`

			`oid_section = new_oids`

			`[ new_oids ]`
			`tsa_policy1 = 1.2.3.4.1`
			`tsa_policy2 = 1.2.3.4.5.6`
			`tsa_policy3 = 1.2.3.4.5.7`


			`[ tsa ]`

			`default_tsa = tsa_config1`

			`[ tsa_config1 ]`
			`dir = /run/user/1000/ca # TSA root directory, same as root-ca`
			`serial = $dir/tsa_serial # current serial number (mandatory)`
			`signer_cert = $dir/tsa.crt # signing certificate (optional)`
			`certs = $dir/tsa-chain.pem # certification chain (optional)`
			`signer_key = $dir/private/tsa.key # tsa private key (optional)`
			`default_policy = tsa_policy1`
			`signer_digest = sha256 # digest to use for signing (optional)`
			`other_policies = tsa_policy2,tsa_policy3 # other policies (optional)`
			`digests = sha256,sha384,sha512 # acceptable digests (mandatory)`
			`accuracy = secs:1,millisecs:500,microsecs:100 # accuracy optional`
			`ordering = yes # is ordering defined? (optional, default: no)`
			`tsa_name = yes # must tsa name be included in reply? (opt., default: no)`
			`ess_cert_id_chain = yes # must ess cert id change be incl? (opt., default: no)`
			`ess_cert_id_alg = sha256 # alg to compute cert. id (optional, default: sha1)`

			`# added, was missing in the blog post`
			`crypto_device = builtin`

			`# The tsa_ext extension is`
			`# used to create the tsa cert tsa.crt`

			`[ tsa_ext ]`

			`authorityKeyIdentifier = keyid:always`
			`basicConstraints = critical,CA:false`
			`extendedKeyUsage = critical,timeStamping`
			`keyUsage = critical,nonRepudiation`
			`subjectKeyIdentifier = hash`