From 82766a0200d11973d6363ab679affcb5d50106f3 Mon Sep 17 00:00:00 2001
From: Pierre-Francois Carpentier
Date: Fri, 12 Apr 2019 15:12:59 +0200
Subject: [PATCH] improve documentation

add documentation explaining the requirement for the timestamp signer certificate
---
 docs/conf.py | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/docs/conf.py b/docs/conf.py
index c82a762..6d1c225 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -185,6 +185,31 @@ Configuration Parameters
 """
 foot = """
+.. warning::
+
+ The TSA signing certificate must have exactly one extended key usage assigned to it: **timeStamping**.
+
+ The extended key usage must also be **critical**, otherwise the certificate is going to be refused.
+
+ Here is a sample openssl.cfg configuration for creating such certificate:
+
+ .. sourcecode:: ini
+
+ [ tsa_cert ]
+
+ # TSA server cert is not a CA cert, disabling CA role
+ basicConstraints=CA:FALSE
+
+ # The following key usage flags are mandatory for TSA server certificates.
+ # This parameters set the main specificities of a TSA certificate
+ keyUsage = nonRepudiation, digitalSignature
+ extendedKeyUsage = critical,timeStamping
+
+ # PKIX recommendations harmless if included in all certificates.
+ subjectKeyIdentifier=hash
+ authorityKeyIdentifier=keyid,issuer:always
+
+
 Full Configuration File
 =======================