create a new script dedicated for signing for vendee certificates

2024-10-11 16:12:33 +02:00
parent c8042a6f84
commit 3716c3ce78
3 changed files with 89 additions and 0 deletions
--- a/ts-authority/README.md
+++ b/ts-authority/README.md
@@ -151,3 +151,17 @@ The OK response ensures that the original signed timestamp is correctly authoriz
 openssl ts -verify -data /etc/hosts -in /tmp/response.tsr -CAfile ca/root-ca.pem -untrusted ca/tsa.pem
 ```

+
+# Préparation pour Vendée
+
+## Extraire les infos
+
+```bash
+openssl pkcs12 -info -in horodatage.p12 -legacy
+```
+
+Ca demandera un mot de passe pour déchiffrer, et un autre mot de passe pour chiffrer la clé qui apparaitra.
+
+- on recopie la clé et on fait un copier-coller dans /run/user/1000/ca/private/tsa.key
+- on recopie tous les certificats, on supprime les interligne, et on colle ça dans /run/user/1000/ca/tsa-chain.pem
+- on recopie le premier certificat, pour céer /run/user/1000/ca/tsa.crt
--- a/ts-authority/vendee-tsa.conf
+++ b/ts-authority/vendee-tsa.conf
@@ -0,0 +1,46 @@
+#
+# rootca.conf
+#
+# See Ristic OpenSSL Cookbook URL above.
+
+oid_section                     = new_oids
+
+[ new_oids ]
+tsa_policy1                     = 1.2.3.4.1
+tsa_policy2                     = 1.2.3.4.5.6
+tsa_policy3                     = 1.2.3.4.5.7
+
+
+[ tsa ]
+
+default_tsa             = tsa_config1
+
+[ tsa_config1 ]
+dir                     = /run/user/1000/ca                     # TSA root directory, same as root-ca
+serial                  = $dir/tsa_serial       # current serial number (mandatory)
+signer_cert             = $dir/tsa.crt     # signing certificate (optional)
+certs                   = $dir/tsa-chain.pem # certification chain (optional)
+signer_key              = $dir/private/tsa.key # tsa private key (optional)
+default_policy          = tsa_policy1
+signer_digest           = sha256                # digest to use for signing (optional)
+other_policies          = tsa_policy2,tsa_policy3 # other policies (optional)
+digests                 = sha256,sha384,sha512    # acceptable digests (mandatory)
+accuracy                = secs:1,millisecs:500,microsecs:100 # accuracy optional
+ordering                = yes                   # is ordering defined? (optional, default: no)
+tsa_name                = yes                   # must tsa name be included in reply? (opt., default: no)
+ess_cert_id_chain       = yes                   # must ess cert id change be incl? (opt., default: no)
+ess_cert_id_alg         = sha256                # alg to compute cert. id (optional, default: sha1)
+
+# added, was missing in the blog post
+crypto_device           = builtin
+
+# The tsa_ext extension is
+# used to create the tsa cert tsa.crt
+
+[ tsa_ext ]
+
+authorityKeyIdentifier  = keyid:always
+basicConstraints        = critical,CA:false
+extendedKeyUsage        = critical,timeStamping
+keyUsage                = critical,nonRepudiation
+subjectKeyIdentifier    = hash