[ oids ]

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ main ]

# Comma-separated list of ips:ports to listen on.
# If the port is SSL, a letter s must be appended.
listening_ports = 127.0.0.1:2020s
#listening_ports = 80,443s

# Allows clients to reuse TCP connection for subsequent HTTP requests, which improves performance.
enable_keep_alive = no

# Number of worker threads
num_threads = 10

# Switch to given user credentials after startup.
# Required to run on privileged ports and not be run as root.
#run_as_user = uts-server

# Limit download speed for clients. throttle is a comma-separated list of key=value pairs:
# *                   limit speed for all connections
# x.x.x.x/mask        limit speed for specified subnet
# The value is a floating-point number of bytes per second, optionally followed by a k or m character
# meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate
throttle = *=0
#throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0

# Timeout for network read and network write operations, in milliseconds.
request_timeout_ms = 30000

# Path to the SSL certificate file. (PEM format containing private key and certificate)
ssl_certificate = ./pki/ssl_keycerts1.pem

# Enable client's certificate verification by the server.
ssl_verify_peer = no

# Name of a directory containing trusted CA certificates
#ssl_ca_path = /etc/ssl/ca/

# Path to a .pem file containing trusted certificates. The file may contain more than one certificate.
ssl_ca_file = ./pki/tsaca.pem

# Sets maximum depth of certificate chain.
# If client's certificate chain is longer than the depth set here connection is refused.
#ssl_verify_depth = 9

# Loads default trusted certificates locations set at openssl compile time.
#ssl_default_verify_paths = yes

# see https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed
ssl_cipher_list = ALL:!eNULL

# Sets the minimal accepted version of SSL/TLS protocol according to the table:
# SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2  0
# SSL3+TLS1.0+TLS1.1+TLS1.2       1
# TLS1.0+TLS1.1+TLS1.2            2
# TLS1.1+TLS1.2                   3
# TLS1.2                          4

ssl_protocol_version = 3

# Enables the use of short lived certificates
#ssl_short_trust = no

# comma separated list of IP subnets to accept/deny
# deny all accesses, only allow 192.168/16 subnet
#access_control_allow_origin = -0.0.0.0/0,+192.168/16

# Enable TCP_NODELAY socket option on client connections.
tcp_nodelay = 0

# loglevel
# debug, info, notice, warn, err, emerg, crit
log_level = info

####################################################################
[ tsa ]

# TSA root directory
dir		= ./pki

# OpenSSL engine to use for signing
crypto_device	= builtin

# The TSA signing certificat
# (optional)
signer_cert	= $dir/tsa_cert1.pem

# Certificate chain to include in reply
# (optional)
certs		= $dir/tsaca.pem

# The TSA private key
# (optional)
signer_key	= $dir/tsa_key1.pem

# Policy if request did not specify it
# (optional)
default_policy	= tsa_policy1

# Acceptable policies
# (optional)
other_policies	= tsa_policy2, tsa_policy3

# Acceptable message digests
# (mandatory)
digests		= md5, sha1

# (optional)
accuracy	= secs:1, millisecs:500, microsecs:100

# Number of digits after dot.
# (optional)
clock_precision_digits  = 0

# Is ordering defined for timestamps?
# (optional, default: no)
ordering		= yes

# Must the TSA name be included in the reply?
## (optional, default: no)
tsa_name		= yes

# Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_chain	= no