# requests made: # openssl ts -query -data -cert -sha512 -out .tsq # your duty: stamping # openssl ts -reply -config tsa.conf -queryfile .tsq -out .tsr -inkey # then you deliver .tsq together with chain.pem (courtesy) to your requestor and then she (and others) can verify the result: # openssl ts -reply -config tsa.conf -in .tsr -text # and # openssl ts -verify -config tsa.conf -queryfile .tsq -in .tsr -CAfile chain.pem name_opt = multiline,-esc_msb,utf8 # Display UTF-8 characters #openssl_conf = openssl_init # Library config section oid_section = new_oids [ new_oids ] # Add a simple OID literal like this: # someoid1=1.2.3.4 # config file substitution is also available like this: # someoid2=${someoid1}.5.6 # Baseline policy - compare: https://www.ietf.org/rfc/rfc3628.txt. baseline_ts_policy = 0.4.0.2023.1.1 [ tsa ] default_tsa = tsa_config [ tsa_config ] # These are used by the TSA reply generation only. dir = . # TSA root directory serial = $dir/tsaserial # The current serial number (mandatory) crypto_device = builtin # OpenSSL engine to use for signing signer_cert = $dir/Dama 11 TSA.crt # The TSA signing certificate certs = $dir/chain.pem # Certificate chain to include in reply #signer_key = $dir/##key## # The TSA private key (optional) signer_digest = sha512 # The TSA private key (optional) default_policy = baseline_ts_policy #other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) digests = md5, sha1, sha256, sha512 # Acceptable message digests (mandatory) accuracy = secs:1, millisecs:0, microsecs:0 # (optional) clock_precision_digits = 0 # number of digits after dot. (optional) ordering = yes # default: no tsa_name = yes # default: no ess_cert_id_chain = yes # Must the ESS cert id chain be included?