improve documentation

add documentation explaining the requirement for the timestamp signer certificate
2019-04-12 15:12:59 +02:00 · 2019-04-12 15:12:59 +02:00 · 82766a0200
parent dd19915c91
commit 82766a0200
1 changed files with 25 additions and 0 deletions
--- a/docs/conf.py
+++ b/docs/conf.py
@ -185,6 +185,31 @@ Configuration Parameters
 """

    foot = """
+.. warning::
+
+  The TSA signing certificate must have exactly one extended key usage assigned to it: **timeStamping**.
+
+  The extended key usage must also be **critical**, otherwise the certificate is going to be refused.
+
+  Here is a sample openssl.cfg configuration for creating such certificate:
+
+  .. sourcecode:: ini
+
+    [ tsa_cert ]
+
+    # TSA server cert is not a CA cert, disabling CA role
+    basicConstraints=CA:FALSE
+
+    # The following key usage flags are mandatory for TSA server certificates.
+    # This parameters set the main specificities of a TSA certificate
+    keyUsage = nonRepudiation, digitalSignature
+    extendedKeyUsage = critical,timeStamping
+
+    # PKIX recommendations harmless if included in all certificates.
+    subjectKeyIdentifier=hash
+    authorityKeyIdentifier=keyid,issuer:always
+
+
 Full Configuration File
 =======================