};
/* Debug information:
# dpkg list:
-ii linux-image-4.6.0-1-amd64 4.6.2-2 amd64 Linux 4.6 for 64-bit PCs
+rc linux-image-4.6.0-1-amd64 4.6.2-2 amd64 Linux 4.6 for 64-bit PCs
ii linux-image-4.7.0-1-amd64 4.7.8-1 amd64 Linux 4.7 for 64-bit PCs (signed)
-iF linux-image-4.8.0-1-amd64 4.8.5-1 amd64 Linux 4.8 for 64-bit PCs (signed)
-iU linux-image-amd64 4.8+76 amd64 Linux for 64-bit PCs (meta-package)
+iF linux-image-4.8.0-1-amd64 4.8.7-1 amd64 Linux 4.8 for 64-bit PCs (signed)
+ii linux-image-amd64 4.8+76 amd64 Linux for 64-bit PCs (meta-package)
# list of installed kernel packages:
-4.6.0-1-amd64 4.6.2-2
4.7.0-1-amd64 4.7.8-1
-4.8.0-1-amd64 4.8.5-1
+4.8.0-1-amd64 4.8.7-1
# list of different kernel versions:
-4.8.5-1
+4.8.7-1
4.7.8-1
-4.6.2-2
-# Installing kernel: 4.8.5-1 (4.8.0-1-amd64)
-# Running kernel: 4.7.8-1 (4.7.0-1-amd64)
-# Last kernel: 4.8.5-1
+# Installing kernel: 4.8.7-1 (4.8.0-1-amd64)
+# Running kernel: 4.8.7-1 (4.8.0-1-amd64)
+# Last kernel: 4.8.7-1
# Previous kernel: 4.7.8-1
# Kernel versions list to keep:
4.7.8-1
-4.8.5-1
+4.8.7-1
# Kernel packages (version part) to protect:
4\.7\.0-1-amd64
4\.8\.0-1-amd64
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
- # several ctificates with same subject.
+ # several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
-x509_extensions = usr_cert # The extentions to add to the cert
+x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
-x509_extensions = v3_ca # The extentions to add to the self signed cert
+x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
authorityKeyIdentifier=keyid:always,issuer
-# This is what PKIX recommends but some broken software chokes on critical
-# extensions.
-#basicConstraints = critical,CA:true
-# So we do this instead.
-basicConstraints = CA:true
+basicConstraints = critical,CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
-
+signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
-digests = md5, sha1 # Acceptable message digests (mandatory)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?