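#
# rootca.conf
#
# See Ristic OpenSSL Cookbook URL above.
#
# Time Stamping Authority (TSA) sections, in OpenSSL config syntax.
# One setting per line: "#" starts a comment that runs to the end of
# the line, so a copy with the line breaks lost parses as one comment.

oid_section = new_oids

# Policy OIDs named in the timestamp tokens.
# NOTE(review): 1.2.3.4.* look like sample placeholder arcs, not
# registered OIDs - replace them with OIDs under an arc you control
# before relying parties are expected to match on the policy.
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ tsa ]
default_tsa = tsa_config1

[ tsa_config1 ]
# NOTE(review): /run/user/<uid> is normally a per-user tmpfs that is
# removed when the user's last session ends. The signing key and the
# serial counter below would be lost with it, and a recreated counter
# can reissue serial numbers. Fine for a throwaway lab; otherwise use
# persistent storage, with the directory and private/ readable by the
# TSA user only.
dir = /run/user/1000/ca               # TSA root directory, same as root-ca
serial = $dir/tsa_serial              # current serial number (mandatory)
signer_cert = $dir/tsa.crt            # signing certificate (optional)
certs = $dir/tsa-chain.pem            # certification chain (optional)
signer_key = $dir/private/tsa.key     # tsa private key (optional)
default_policy = tsa_policy1
signer_digest = sha256                # digest to use for signing (optional)
other_policies = tsa_policy2,tsa_policy3 # other policies (optional)
# Requests whose message imprint uses a digest not listed here are
# refused; SHA-1 and MD5 are deliberately absent.
digests = sha256,sha384,sha512        # acceptable digests (mandatory)
accuracy = secs:1,millisecs:500,microsecs:100 # accuracy optional
ordering = yes                        # is ordering defined? (optional, default: no)
tsa_name = yes                        # must tsa name be included in reply? (opt., default: no)
ess_cert_id_chain = yes               # must ess cert id chain be incl? (opt., default: no)
# Set explicitly so the signer-certificate identifier is not computed
# with SHA-1 on OpenSSL versions where that is the default.
ess_cert_id_alg = sha256              # alg to compute cert. id (optional, default: sha1)
# added, was missing in the blog post
# builtin = no external engine, so the key above is a plain file on
# disk and its file permissions are the only protection.
crypto_device = builtin

# The tsa_ext extension is
# used to create the tsa cert tsa.crt
[ tsa_ext ]
authorityKeyIdentifier = keyid:always
# End-entity certificate: it must not be able to issue certificates.
basicConstraints = critical,CA:false
# RFC 3161 requires the TSA certificate to carry exactly one extended
# key usage, timeStamping, marked critical. Do not add further EKUs.
extendedKeyUsage = critical,timeStamping
keyUsage = critical,nonRepudiation
subjectKeyIdentifier = hash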