#
# rootca.conf
#
# See Ristic OpenSSL Cookbook URL above.

oid_section                     = new_oids

[ new_oids ]
tsa_policy1                     = 1.2.3.4.1
tsa_policy2                     = 1.2.3.4.5.6
tsa_policy3                     = 1.2.3.4.5.7


[ tsa ]

default_tsa             = tsa_config1

[ tsa_config1 ]
dir                     = /run/user/1000/ca                     # TSA root directory, same as root-ca
serial                  = $dir/tsa_serial       # current serial number (mandatory)
signer_cert             = $dir/tsa.crt     # signing certificate (optional)
certs                   = $dir/tsa-chain.pem # certification chain (optional)
signer_key              = $dir/private/tsa.key # tsa private key (optional)
default_policy          = tsa_policy1
signer_digest           = sha256                # digest to use for signing (optional)
other_policies          = tsa_policy2,tsa_policy3 # other policies (optional)
digests                 = sha256,sha384,sha512    # acceptable digests (mandatory)
accuracy                = secs:1,millisecs:500,microsecs:100 # accuracy optional
ordering                = yes                   # is ordering defined? (optional, default: no)
tsa_name                = yes                   # must tsa name be included in reply? (opt., default: no)
ess_cert_id_chain       = yes                   # must ess cert id change be incl? (opt., default: no)
ess_cert_id_alg         = sha256                # alg to compute cert. id (optional, default: sha1)

# added, was missing in the blog post
crypto_device           = builtin

# The tsa_ext extension is
# used to create the tsa cert tsa.crt

[ tsa_ext ]

authorityKeyIdentifier  = keyid:always
basicConstraints        = critical,CA:false
extendedKeyUsage        = critical,timeStamping
keyUsage                = critical,nonRepudiation
subjectKeyIdentifier    = hash