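#
# rootca.conf
#
# OpenSSL configuration for a root CA, plus the extension sections used when
# this root issues subordinate CA, OCSP responder and TSA certificates.
# Consumed by `openssl req` ([req]), `openssl ca` ([ca_default], selected via
# default_ca), `openssl ts` ([tsa]) and by whichever section is named with
# -extensions on the command line.
# See the Ristic OpenSSL Cookbook URL referenced in the accompanying post.
#
# Editing notes:
#   - $var references are expanded as each line is read. A variable is looked
#     up in the current section first, then in [default], so key order within
#     a section matters.
#   - Comments start with # and run to end of line; the OpenSSL config parser
#     also accepts them after a value (used in [tsa_config1] below).

oid_section = new_oids

# Private OIDs used as TSA policy identifiers in [tsa_config1]. The 1.2.3.4
# arc is a placeholder inherited from OpenSSL's CAtsa.cnf test config; use an
# arc you control before deploying.
[new_oids]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

###### First Part ########

# Variables shared by every section. $name and $domain_suffix drive the CA
# file names and the URLs embedded into issued certificates.
[default]
name = root-ca
domain_suffix = example.com
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9080
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align

# Subject of the root certificate. [req] sets prompt = no, so these values
# are used verbatim.
[ca_dn]
countryName = "US"
organizationName = "Example Inc."
commonName = "Root CA"

###### Second Part #######

# `openssl ca` settings (selected through default_ca in [default]).
[ca_default]
home = .
database = $home/ca/db/index
serial = $home/ca/db/serial
crlnumber = $home/ca/db/crlnumber
certificate = $home/ca/$name.crt
private_key = $home/ca/private/$name.key
# NOTE(review): RANDFILE is deprecated in newer OpenSSL releases and may be
# ignored there; harmless either way, confirm against the version in use.
RANDFILE = $home/ca/private/random
new_certs_dir = $home/ca/certs
# Allow more than one valid certificate with the same subject (renewals).
unique_subject = no
# Never copy extensions from the CSR: issued certificates receive only the
# extensions of the section passed with -extensions. Keep this at "none" for
# a CA that signs externally generated requests.
copy_extensions = none
# Default validity (days) for certificates issued by this CA when -days is
# not given. 3650 is long for OCSP/TSA signer certificates; consider passing
# -days for those.
default_days = 3650
default_crl_days = 30
default_md = sha256
policy = policy_c_o_match
# Disabled: `name` is not an `openssl ca` option, so this line had no effect
# where it stood. Because $var lookup checks the current section before
# [default], a `name` key here would silently redirect $home/ca/$name.crt and
# $home/ca/private/$name.key to foo@example.com.* for any line placed after
# it. The [default] value (root-ca) is the intended one.
# name = foo@example.com

# Which CSR subject fields must match the CA's own subject, must be present,
# or are optional.
[policy_c_o_match]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

##### Third Part #######

# `openssl req` settings for generating the root key and request.
[req]
default_bits = 4096
# Write the private key encrypted (passphrase requested at creation).
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext

# Extensions for the root certificate. No pathlen, so the root may issue
# further CA certificates.
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

####### Fourth Part - Extensions ########
#
# Value             Meaning - see x509v3.cnf(5)
# --------          ------------------------------
# serverAuth        SSL/TLS web server authentication
# clientAuth        SSL/TLS web client authentication
# codeSigning       code signing
# emailProtection   email protection (S/MIME)
# timeStamping      trusted doc hash timestamping
# OCSPSigning       OCSP Signing
# ipsecIKE          IPsec internet key exchange
# msCodeInd         Microsoft individual code signing (authenticode)
# msCodeCom         Microsoft commercial code signing (authenticode)
# msCTLSign         Microsoft trust list signing
# msEFS             Microsoft encrypted file system (EFS)

# Extensions for subordinate CA certificates issued by this root
# (openssl ca -extensions sub_ca_ext).
[sub_ca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
# pathlen:0 — the sub-CA may issue end-entity certificates only.
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
keyUsage = critical,keyCertSign,cRLSign
# Validators that apply EKU along the chain will limit this sub-CA to TLS
# client/server certificates.
extendedKeyUsage = clientAuth,serverAuth
nameConstraints = @name_constraints
subjectKeyIdentifier = hash

[crl_info]
URI.0 = $crl_url

[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url

# Name constraints for sub-CAs: only the listed DNS domains are permitted,
# and the whole IPv4 (0.0.0.0/0.0.0.0) and IPv6 (::/::) address spaces are
# excluded, so the sub-CA cannot issue certificates for IP addresses.
[name_constraints]
permitted;DNS.0 = example.com
permitted;DNS.1 = example.org
excluded;IP.0 = 0.0.0.0/0.0.0.0
excluded;IP.1 = 0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

####### Fifth Part ##########

# Extensions for the OCSP responder certificate
# (openssl ca -extensions ocsp_ext).
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash

########### TSA extension ##############
#
# Copied from the OpenSSL CAtsa.cnf test configuration and modified for use
# as a TSA extension.
#

# `openssl ts` settings.
[tsa]
default_tsa = tsa_config1

[tsa_config1]
dir = .                                        # TSA root directory, same as root-ca
serial = $dir/ca/tsa_serial                    # current serial number (mandatory)
signer_cert = $dir/ca/tsa.crt                  # signing certificate (optional)
certs = $dir/ca/tsa-chain.pem                  # certification chain (optional)
signer_key = $dir/ca/private/tsa.key           # tsa private key (optional)
default_policy = tsa_policy1
signer_digest = sha256                         # digest to use for signing (optional)
other_policies = tsa_policy2,tsa_policy3       # other policies (optional)
digests = sha256,sha384,sha512                 # acceptable digests (mandatory)
accuracy = secs:1,millisecs:500,microsecs:100  # accuracy (optional)
ordering = yes                                 # is ordering defined? (optional, default: no)
tsa_name = yes                                 # must tsa name be included in reply? (opt., default: no)
ess_cert_id_chain = yes                        # must ess cert id chain be incl? (opt., default: no)
ess_cert_id_alg = sha256                       # alg to compute cert. id (optional, default: sha1)
# added, was missing in the blog post
crypto_device = builtin

# The tsa_ext extension is used to create the tsa cert tsa.crt
# (openssl ca -extensions tsa_ext).
[tsa_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
# RFC 3161 requires timeStamping as the only EKU and marked critical.
extendedKeyUsage = critical,timeStamping
keyUsage = critical,nonRepudiation
subjectKeyIdentifier = hash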