jlanza

Reputation: 1258

Configure TSA with openssl

I'm getting the following error when trying to generate the TSA reply.

$ openssl ts -reply -queryfile test.tsq -out test.tsr -inkey private/tsakey.pem -signer tsa.crt.pem
140234774902432:error:2F083075:time stamp routines:TS_RESP_CTX_set_signer_cert:invalid signer certificate purpose:ts_rsp_sign.c:206:

Find below the procedure followed...

$ openssl req -new -newkey rsa:2048 -keyout private/tsakey.pem -out tsareq.pem -nodes
$ openssl ca -in tsareq.pem -out tsa.crt.pem -extensions mytsa -extfile tsa.x509config
$ openssl ts -query -data test.txt -no_nonce -out test.tsq
$ openssl ts -reply -queryfile test.tsq -out test.tsr -inkey private/tsakey.pem -signer tsa.crt.pem

And the extensions file is:

[mytsa]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage=timeStamping

Upvotes: 2

Views: 4850

Answers (2)

Steven Madwin

Reputation: 21

You need to mark the Extended Key Usage as critical (extendedKeyUsage=critical,timeStamping) as per RFC 3161, Section 2.3.

Upvotes: 2

jlanza

Reputation: 1258

After looking and testing a bit more I think I found the answer. For timestamping you have to include keyUsage only for nonRepudiation and digitalSignature.

So now my file is like shown below and it worked!!!

[mytsa]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
keyUsage = nonRepudiation, digitalSignature
extendedKeyUsage=timeStamping

I just leave it here as maybe others have the same problem.

Upvotes: 0
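Added here as a worked example that is not part of the question or of either answer: a self-contained shell script that reproduces the whole procedure from the question against a throwaway CA, using openssl x509 -req instead of openssl ca so that no demoCA directory is needed. It issues two TSA certificates, one with the two answers combined (extendedKeyUsage marked critical as in Steven Madwin's answer, keyUsage limited to nonRepudiation and digitalSignature as in jlanza's answer), which is what OpenSSL's timeStamping signer-certificate purpose check requires, and one with the question's original section, and runs query, reply and verify with each. The CA and TSA names, the policy OID 1.2.3.4.1, the [tsa] section values and the file layout are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not code from the question or answers above. It builds a
# throwaway CA and two TSA certificates in a scratch directory: one with the
# profile the two answers add up to (critical timeStamping EKU, keyUsage
# limited to digitalSignature/nonRepudiation) and one with the question's
# original profile (non-critical EKU, no keyUsage), then shows `openssl ts
# -reply` accepting the first and rejecting the second. The names, the policy
# OID 1.2.3.4.1 and the file layout are assumptions made for this demo.
set -u

# tsa_lab_setup DIR: write the config, create the lab CA and the TSA key/CSR.
tsa_lab_setup() {
    dir=$1
    cat > "$dir/tsa.cnf" <<EOF
[ req ]
distinguished_name = dn

[ dn ]
commonName = unused, -subj is passed on the command line

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Both answers combined: RFC 3161 2.3 wants a critical EKU, and OpenSSL's
# timeStamping purpose check rejects keyUsage bits beyond these two.
[ tsa_good ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
keyUsage = critical, nonRepudiation, digitalSignature
extendedKeyUsage = critical, timeStamping

# The question's original section, kept to reproduce the error.
[ tsa_broken ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
extendedKeyUsage = timeStamping

# Read by 'openssl ts -reply'; the serial file is created on first use.
[ tsa ]
default_tsa = tsa_config1

[ tsa_config1 ]
serial = $dir/tsaserial
signer_digest = sha256
default_policy = 1.2.3.4.1
digests = sha256, sha384, sha512
accuracy = secs:1, millisecs:500, microsecs:100
EOF
    openssl req -x509 -config "$dir/tsa.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -subj "/CN=Example Lab CA" -days 30 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -new -config "$dir/tsa.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Lab TSA" -keyout "$dir/tsa.key" -out "$dir/tsa.csr" 2>/dev/null
}

# tsa_issue_cert DIR SECTION OUT: sign the TSA CSR with the lab CA, applying
# the named extension section (tsa_good or tsa_broken).
tsa_issue_cert() {
    dir=$1; section=$2; out=$3
    openssl x509 -req -in "$dir/tsa.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/tsa.cnf" -extensions "$section" \
        -out "$out" 2>/dev/null
}

# tsa_roundtrip DIR CERT DATA: query (asking the TSA to include its cert),
# reply signed with CERT, then verify against the lab CA. A bad signer
# certificate fails at 'ts -reply', which is where the question's error came from.
tsa_roundtrip() {
    dir=$1; cert=$2; data=$3
    openssl ts -query -data "$data" -sha256 -cert -no_nonce -out "$dir/req.tsq" 2>/dev/null &&
    openssl ts -reply -config "$dir/tsa.cnf" -queryfile "$dir/req.tsq" \
        -inkey "$dir/tsa.key" -signer "$cert" -out "$dir/resp.tsr" &&
    openssl ts -verify -data "$data" -in "$dir/resp.tsr" -CAfile "$dir/ca.crt"
}

# Stand-alone demo: run the cycle once per profile and report the outcome.
tsa_demo() {
    d=$(mktemp -d)
    printf 'document to be timestamped\n' > "$d/data.txt"
    tsa_lab_setup "$d" || return 1
    for profile in tsa_good tsa_broken; do
        tsa_issue_cert "$d" "$profile" "$d/$profile.crt" || return 1
        if tsa_roundtrip "$d" "$d/$profile.crt" "$d/data.txt"; then
            echo "$profile: reply produced and verified"
        else
            echo "$profile: signer certificate rejected"
        fi
    done
    rm -rf "$d"
}

tsa_demo
```

Running it prints "Verification: OK" for the tsa_good profile and, for tsa_broken, the same "invalid signer certificate purpose" error from ts -reply that the question shows, so the extension section is the only variable between the two runs.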
