# # rootca.conf # # See Ristic OpenSSL Cookbook URL above. oid_section = new_oids [ new_oids ] tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 ###### First Part ######## [default] name = root-ca domain_suffix = example.com aia_url = http://$name.$domain_suffix/$name.crt crl_url = http://$name.$domain_suffix/$name.crl ocsp_url = http://ocsp.$name.$domain_suffix:9080 default_ca = ca_default name_opt = utf8,esc_ctrl,multiline,lname,align [ca_dn] countryName = "US" organizationName = "Example Inc." commonName = "Root CA" ###### Second Part ####### [ca_default] home = . database = $home/ca/db/index serial = $home/ca/db/serial crlnumber = $home/ca/db/crlnumber certificate = $home/ca/$name.crt private_key = $home/ca/private/$name.key RANDFILE = $home/ca/private/random new_certs_dir = $home/ca/certs unique_subject = no copy_extensions = none default_days = 3650 default_crl_days = 30 default_md = sha256 policy = policy_c_o_match name = foo@example.com [policy_c_o_match] countryName = match stateOrProvinceName = optional organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional ##### Third Part ####### [req] default_bits = 4096 encrypt_key = yes default_md = sha256 utf8 = yes string_mask = utf8only prompt = no distinguished_name = ca_dn req_extensions = ca_ext [ca_ext] basicConstraints = critical,CA:true keyUsage = critical,keyCertSign,cRLSign subjectKeyIdentifier = hash ####### Fourth Part - Extensions ######## # # Value Meaning - see x509v3.cnf(5) # -------- ------------------------------ # serverAuth SSL/TLS web server authentication # clientAuth SSL/TLS web client authentication # codeSigning code signing # emailProtection email protection (S/MIME) # timeStamping trusted doc hash timestamping # OCSPSigning OCSP Signing # ipsecIKE IPsec internet key exchange # msCodeInd Microsoft individual code signing (authenticode) # msCodeCom Microsoft commercial code signing (authenticode) # msCTLSign Microsoft trust list signing # msEFS Microsoft encrypted file system (EFS) [sub_ca_ext] authorityInfoAccess = @issuer_info authorityKeyIdentifier = keyid:always basicConstraints = critical,CA:true,pathlen:0 crlDistributionPoints = @crl_info keyUsage = critical,keyCertSign,cRLSign extendedKeyUsage = clientAuth,serverAuth nameConstraints = @name_constraints subjectKeyIdentifier = hash [crl_info] URI.0 = $crl_url [issuer_info] caIssuers;URI.0 = $aia_url OCSP;URI.0 = $ocsp_url [name_constraints] permitted;DNS.0=example.com permitted;DNS.1=example.org excluded;IP.0=0.0.0.0/0.0.0.0 excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0 ####### Fifth Part ========== [ocsp_ext] authorityKeyIdentifier = keyid:always basicConstraints = critical,CA:false extendedKeyUsage = OCSPSigning keyUsage = critical,digitalSignature subjectKeyIdentifier = hash ########### TSA extension ############## # # Copied from the OpenSSL CAtsa.cnf test configuration and modified for use as a TSA extension. # # [ tsa ] default_tsa = tsa_config1 [ tsa_config1 ] dir = /home/julien/dev/chill/sign-pdf-worker/ts-authority # TSA root directory, same as root-ca serial = $dir/ca/tsa_serial # current serial number (mandatory) signer_cert = $dir/ca/tsa.crt # signing certificate (optional) certs = $dir/ca/tsa-chain.pem # certification chain (optional) signer_key = $dir/ca/private/tsa.key # tsa private key (optional) default_policy = tsa_policy1 signer_digest = sha256 # digest to use for signing (optional) other_policies = tsa_policy2,tsa_policy3 # other policies (optional) digests = sha256,sha384,sha512 # acceptable digests (mandatory) accuracy = secs:1,millisecs:500,microsecs:100 # accuracy optional ordering = yes # is ordering defined? (optional, default: no) tsa_name = yes # must tsa name be included in reply? (opt., default: no) ess_cert_id_chain = yes # must ess cert id change be incl? (opt., default: no) ess_cert_id_alg = sha256 # alg to compute cert. id (optional, default: sha1) # added, was missing in the blog post crypto_device = builtin # The tsa_ext extension is # used to create the tsa cert tsa.crt [ tsa_ext ] authorityKeyIdentifier = keyid:always basicConstraints = critical,CA:false extendedKeyUsage = critical,timeStamping keyUsage = critical,nonRepudiation subjectKeyIdentifier = hash