mirror of
https://github.com/kakwa/uts-server
synced 2024-12-04 23:15:54 +01:00
improve documentation
add documentation explaining the requirement for the timestamp signer certificate
This commit is contained in:
parent
dd19915c91
commit
82766a0200
25
docs/conf.py
25
docs/conf.py
@ -185,6 +185,31 @@ Configuration Parameters
|
|||||||
"""
|
"""
|
||||||
|
|
||||||
foot = """
|
foot = """
|
||||||
|
.. warning::
|
||||||
|
|
||||||
|
The TSA signing certificate must have exactly one extended key usage assigned to it: **timeStamping**.
|
||||||
|
|
||||||
|
The extended key usage must also be **critical**, otherwise the certificate is going to be refused.
|
||||||
|
|
||||||
|
Here is a sample openssl.cfg configuration for creating such certificate:
|
||||||
|
|
||||||
|
.. sourcecode:: ini
|
||||||
|
|
||||||
|
[ tsa_cert ]
|
||||||
|
|
||||||
|
# TSA server cert is not a CA cert, disabling CA role
|
||||||
|
basicConstraints=CA:FALSE
|
||||||
|
|
||||||
|
# The following key usage flags are mandatory for TSA server certificates.
|
||||||
|
# This parameters set the main specificities of a TSA certificate
|
||||||
|
keyUsage = nonRepudiation, digitalSignature
|
||||||
|
extendedKeyUsage = critical,timeStamping
|
||||||
|
|
||||||
|
# PKIX recommendations harmless if included in all certificates.
|
||||||
|
subjectKeyIdentifier=hash
|
||||||
|
authorityKeyIdentifier=keyid,issuer:always
|
||||||
|
|
||||||
|
|
||||||
Full Configuration File
|
Full Configuration File
|
||||||
=======================
|
=======================
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user