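#----------------------------------------------------------------------
#
# OpenSSL configuration for a test PKI: a self-signed CA plus the
# extensions for a Time-Stamp Authority (TSA) certificate.
#
# Line structure restored: with the whole file on one line, everything
# after the leading '#' is read as a single comment and no section or
# key is defined.
#
#----------------------------------------------------------------------
#
# Properties needed for a Time-Stamp Authority (TSA) certificate
#
#----------------------------------------------------------------------

# Extensions required for a TSA certificate
[ tsa_cert ]

# The TSA server cert is not a CA cert, so the CA role is disabled.
basicConstraints = CA:FALSE

# The following key usage flags are mandatory for TSA server certificates.
# These parameters set the main specificities of a TSA certificate.
# keyUsage is marked critical, as RFC 5280 recommends whenever the
# extension is present, so that verifiers must enforce it.
keyUsage = critical, nonRepudiation, digitalSignature

# RFC 3161 requires timeStamping to be the only extended key usage and the
# extension to be critical. Do not add other purposes to this list.
extendedKeyUsage = critical, timeStamping

# PKIX recommendations, harmless if included in all certificates.
subjectKeyIdentifier = hash
# NOTE(review): issuer:always copies the issuer name and serial number into
# the certificate. If the CA certificate is later re-issued with the same
# key, that copy no longer matches; confirm this is wanted, keyid alone is
# usually enough.
authorityKeyIdentifier = keyid, issuer:always

#----------------------------------------------------------------------
#
# Other properties for the CA and non-TSA certificates
#
#----------------------------------------------------------------------

# Common properties of all the certificates/CA (CN, OU, etc.)
[ dn_section ]
countryName = FR
stateOrProvinceName = Paris
localityName = Paris
organizationName = UTS-SERVER test
# CN is passed through the environment variable "CN".
# OpenSSL fails to load this file when CN is not set in the environment.
commonName = $ENV::CN

# OpenSSL parameters for certificate request generation
[ req ]
default_bits = 4096
default_md = sha512
distinguished_name = dn_section
# The private key is written to disk unencrypted. That suits unattended
# test fixtures only: restrict the key file's permissions, and never reuse
# a key generated with this setting outside a test environment.
encrypt_rsa_key = no
# Take the subject from dn_section without prompting.
prompt = no
# The extensions to add to the self-signed cert
x509_extensions = v3_ca

# Extensions for a typical CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
basicConstraints = critical, CA:true
# Limit the CA key to signing certificates and CRLs. Marked critical so
# that verifiers must enforce the restriction (RFC 5280 recommendation).
keyUsage = critical, cRLSign, keyCertSign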