2024-10-11 10:43:25 +00:00
|
|
|
#
|
|
|
|
# rootca.conf
|
|
|
|
#
|
|
|
|
# See Ristic OpenSSL Cookbook URL above.
|
|
|
|
|
|
|
|
oid_section = new_oids
|
|
|
|
|
|
|
|
[ new_oids ]
|
|
|
|
tsa_policy1 = 1.2.3.4.1
|
|
|
|
tsa_policy2 = 1.2.3.4.5.6
|
|
|
|
tsa_policy3 = 1.2.3.4.5.7
|
|
|
|
|
|
|
|
###### First Part ########
|
|
|
|
|
|
|
|
[default]
|
|
|
|
name = root-ca
|
|
|
|
domain_suffix = example.com
|
|
|
|
aia_url = http://$name.$domain_suffix/$name.crt
|
|
|
|
crl_url = http://$name.$domain_suffix/$name.crl
|
|
|
|
ocsp_url = http://ocsp.$name.$domain_suffix:9080
|
|
|
|
default_ca = ca_default
|
|
|
|
name_opt = utf8,esc_ctrl,multiline,lname,align
|
|
|
|
|
|
|
|
[ca_dn]
|
|
|
|
countryName = "US"
|
|
|
|
organizationName = "Example Inc."
|
|
|
|
commonName = "Root CA"
|
|
|
|
|
|
|
|
###### Second Part #######
|
|
|
|
|
|
|
|
[ca_default]
|
|
|
|
home = .
|
|
|
|
database = $home/ca/db/index
|
|
|
|
serial = $home/ca/db/serial
|
|
|
|
crlnumber = $home/ca/db/crlnumber
|
|
|
|
certificate = $home/ca/$name.crt
|
|
|
|
private_key = $home/ca/private/$name.key
|
|
|
|
RANDFILE = $home/ca/private/random
|
|
|
|
new_certs_dir = $home/ca/certs
|
|
|
|
unique_subject = no
|
|
|
|
copy_extensions = none
|
|
|
|
default_days = 3650
|
|
|
|
default_crl_days = 30
|
|
|
|
default_md = sha256
|
|
|
|
policy = policy_c_o_match
|
|
|
|
name = foo@example.com
|
|
|
|
|
|
|
|
|
|
|
|
[policy_c_o_match]
|
|
|
|
countryName = match
|
|
|
|
stateOrProvinceName = optional
|
|
|
|
organizationName = match
|
|
|
|
organizationalUnitName = optional
|
|
|
|
commonName = supplied
|
|
|
|
emailAddress = optional
|
|
|
|
|
|
|
|
|
|
|
|
##### Third Part #######
|
|
|
|
|
|
|
|
[req]
|
|
|
|
default_bits = 4096
|
|
|
|
encrypt_key = yes
|
|
|
|
default_md = sha256
|
|
|
|
utf8 = yes
|
|
|
|
string_mask = utf8only
|
|
|
|
prompt = no
|
|
|
|
distinguished_name = ca_dn
|
|
|
|
req_extensions = ca_ext
|
|
|
|
|
|
|
|
|
|
|
|
[ca_ext]
|
|
|
|
basicConstraints = critical,CA:true
|
|
|
|
keyUsage = critical,keyCertSign,cRLSign
|
|
|
|
subjectKeyIdentifier = hash
|
|
|
|
|
|
|
|
|
|
|
|
####### Fourth Part - Extensions ########
|
|
|
|
#
|
|
|
|
# Value Meaning - see x509v3.cnf(5)
|
|
|
|
# -------- ------------------------------
|
|
|
|
# serverAuth SSL/TLS web server authentication
|
|
|
|
# clientAuth SSL/TLS web client authentication
|
|
|
|
# codeSigning code signing
|
|
|
|
# emailProtection email protection (S/MIME)
|
|
|
|
# timeStamping trusted doc hash timestamping
|
|
|
|
# OCSPSigning OCSP Signing
|
|
|
|
# ipsecIKE IPsec internet key exchange
|
|
|
|
# msCodeInd Microsoft individual code signing (authenticode)
|
|
|
|
# msCodeCom Microsoft commercial code signing (authenticode)
|
|
|
|
# msCTLSign Microsoft trust list signing
|
|
|
|
# msEFS Microsoft encrypted file system (EFS)
|
|
|
|
|
|
|
|
|
|
|
|
[sub_ca_ext]
|
|
|
|
authorityInfoAccess = @issuer_info
|
|
|
|
authorityKeyIdentifier = keyid:always
|
|
|
|
basicConstraints = critical,CA:true,pathlen:0
|
|
|
|
crlDistributionPoints = @crl_info
|
|
|
|
keyUsage = critical,keyCertSign,cRLSign
|
|
|
|
extendedKeyUsage = clientAuth,serverAuth
|
|
|
|
nameConstraints = @name_constraints
|
|
|
|
subjectKeyIdentifier = hash
|
|
|
|
|
|
|
|
|
|
|
|
[crl_info]
|
|
|
|
URI.0 = $crl_url
|
|
|
|
|
|
|
|
[issuer_info]
|
|
|
|
caIssuers;URI.0 = $aia_url
|
|
|
|
OCSP;URI.0 = $ocsp_url
|
|
|
|
|
|
|
|
[name_constraints]
|
|
|
|
permitted;DNS.0=example.com
|
|
|
|
permitted;DNS.1=example.org
|
|
|
|
excluded;IP.0=0.0.0.0/0.0.0.0
|
|
|
|
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
|
|
|
|
|
|
|
|
|
|
|
|
####### Fifth Part ==========
|
|
|
|
|
|
|
|
|
|
|
|
[ocsp_ext]
|
|
|
|
authorityKeyIdentifier = keyid:always
|
|
|
|
basicConstraints = critical,CA:false
|
|
|
|
extendedKeyUsage = OCSPSigning
|
|
|
|
keyUsage = critical,digitalSignature
|
|
|
|
subjectKeyIdentifier = hash
|
|
|
|
|
|
|
|
|
|
|
|
########### TSA extension ##############
|
|
|
|
#
|
|
|
|
# Copied from the OpenSSL CAtsa.cnf test configuration and modified for use as a TSA extension.
|
|
|
|
#
|
|
|
|
#
|
|
|
|
|
|
|
|
[ tsa ]
|
|
|
|
|
|
|
|
default_tsa = tsa_config1
|
|
|
|
|
|
|
|
[ tsa_config1 ]
|
2024-10-11 13:07:21 +00:00
|
|
|
dir = /home/julien/dev/chill/sign-pdf-worker/ts-authority # TSA root directory, same as root-ca
|
2024-10-11 10:43:25 +00:00
|
|
|
serial = $dir/ca/tsa_serial # current serial number (mandatory)
|
|
|
|
signer_cert = $dir/ca/tsa.crt # signing certificate (optional)
|
|
|
|
certs = $dir/ca/tsa-chain.pem # certification chain (optional)
|
|
|
|
signer_key = $dir/ca/private/tsa.key # tsa private key (optional)
|
|
|
|
default_policy = tsa_policy1
|
|
|
|
signer_digest = sha256 # digest to use for signing (optional)
|
|
|
|
other_policies = tsa_policy2,tsa_policy3 # other policies (optional)
|
|
|
|
digests = sha256,sha384,sha512 # acceptable digests (mandatory)
|
|
|
|
accuracy = secs:1,millisecs:500,microsecs:100 # accuracy optional
|
|
|
|
ordering = yes # is ordering defined? (optional, default: no)
|
|
|
|
tsa_name = yes # must tsa name be included in reply? (opt., default: no)
|
|
|
|
ess_cert_id_chain = yes # must ess cert id change be incl? (opt., default: no)
|
|
|
|
ess_cert_id_alg = sha256 # alg to compute cert. id (optional, default: sha1)
|
|
|
|
|
|
|
|
# added, was missing in the blog post
|
|
|
|
crypto_device = builtin
|
|
|
|
|
|
|
|
# The tsa_ext extension is
|
|
|
|
# used to create the tsa cert tsa.crt
|
|
|
|
|
|
|
|
[ tsa_ext ]
|
|
|
|
|
|
|
|
authorityKeyIdentifier = keyid:always
|
|
|
|
basicConstraints = critical,CA:false
|
|
|
|
extendedKeyUsage = critical,timeStamping
|
|
|
|
keyUsage = critical,nonRepudiation
|
|
|
|
subjectKeyIdentifier = hash
|