1
0
mirror of https://github.com/kakwa/uts-server synced 2024-12-04 23:15:54 +01:00

improve documentation

add documentation explaining the requirement for the timestamp signer
certificate
This commit is contained in:
Pierre-Francois Carpentier 2019-04-12 15:12:59 +02:00
parent dd19915c91
commit 82766a0200

View File

@ -185,6 +185,31 @@ Configuration Parameters
""" """
foot = """ foot = """
.. warning::
The TSA signing certificate must have exactly one extended key usage assigned to it: **timeStamping**.
The extended key usage must also be **critical**, otherwise the certificate is going to be refused.
Here is a sample openssl.cfg configuration for creating such certificate:
.. sourcecode:: ini
[ tsa_cert ]
# TSA server cert is not a CA cert, disabling CA role
basicConstraints=CA:FALSE
# The following key usage flags are mandatory for TSA server certificates.
# This parameters set the main specificities of a TSA certificate
keyUsage = nonRepudiation, digitalSignature
extendedKeyUsage = critical,timeStamping
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
Full Configuration File Full Configuration File
======================= =======================