mirror of
https://github.com/kakwa/uts-server
synced 2024-12-04 15:05:54 +01:00
improve documentation
add documentation explaining the requirement for the timestamp signer certificate
This commit is contained in:
parent
dd19915c91
commit
82766a0200
25
docs/conf.py
25
docs/conf.py
@ -185,6 +185,31 @@ Configuration Parameters
|
||||
"""
|
||||
|
||||
foot = """
|
||||
.. warning::
|
||||
|
||||
The TSA signing certificate must have exactly one extended key usage assigned to it: **timeStamping**.
|
||||
|
||||
The extended key usage must also be **critical**, otherwise the certificate is going to be refused.
|
||||
|
||||
Here is a sample openssl.cfg configuration for creating such certificate:
|
||||
|
||||
.. sourcecode:: ini
|
||||
|
||||
[ tsa_cert ]
|
||||
|
||||
# TSA server cert is not a CA cert, disabling CA role
|
||||
basicConstraints=CA:FALSE
|
||||
|
||||
# The following key usage flags are mandatory for TSA server certificates.
|
||||
# This parameters set the main specificities of a TSA certificate
|
||||
keyUsage = nonRepudiation, digitalSignature
|
||||
extendedKeyUsage = critical,timeStamping
|
||||
|
||||
# PKIX recommendations harmless if included in all certificates.
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer:always
|
||||
|
||||
|
||||
Full Configuration File
|
||||
=======================
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user