freeipa/install/share/ipaca_customize.ini

#
# Dogtag PKI configuration file
#
# Notes:
#  - "%" must be quoted as "%%".
#  - options in the [CA] and [KRA] section cannot be overriden from options
#    in the [DEFAULT] section
#  - pki_*_token options are hard-coded to pki_token_name
#  - pki_sslserver_token is hard-coded to 'internal'
#  - pki_backup_keys is automatically disabled when HSM support is enabled,
#    as HSM backup is not possible with the default mechanism.
#
# Predefined variables
#  - ipa_ca_subject
#  - ipa_fqdn
#  - ipa_subject_base
#  - pki_admin_password
#  - pki_dns_domainname
#  - softhsm2_so


[DEFAULT]
# default algorithms for all certificates
ipa_key_algorithm=SHA256withRSA
ipa_key_size=2048
ipa_key_type=rsa
ipa_signing_algorithm=SHA256withRSA

# Used for IPA CA
# signing algorithm can be overriden on command line
ipa_ca_key_algorithm=%(ipa_key_algorithm)s
ipa_ca_key_size=3072
ipa_ca_key_type=%(ipa_key_type)s
ipa_ca_signing_algorithm=%(ipa_signing_algorithm)s

# HSM support
pki_hsm_enable=False
pki_hsm_libfile=
pki_hsm_modulename=
pki_token_name=internal
# backup is automatically disabled when HSM support is enabled
pki_backup_keys=True
pki_backup_password=%(pki_admin_password)s

pki_admin_email=root@localhost

## auditSigningCert cert-pki-ca / auditSigningCert cert-pki-kra
pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s
pki_audit_signing_key_size=%(ipa_key_size)s
pki_audit_signing_key_type=%(ipa_key_type)s
pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s
pki_audit_signing_token=%(pki_token_name)s

# Configures the status request timeout, i.e. the connect/data
# timeout on the HTTP request to get the status of Dogtag.
#
# This configuration is needed in "multiple IP address" scenarios
# where this server's hostname has multiple IP addresses but the
# HTTP server is only listening on one of them.  Without a timeout,
# if a "wrong" IP address is tried first, it will take a long time
# to timeout, exceeding the overall timeout hence the request will
# not be re-tried.  Setting a shorter timeout allows the request
# to be re-tried.
#
# Note that HSMs cause different behaviour so this value might
# not be suitable for when we implement HSM support.  It is
# known that a value of 5s is too short in HSM environment.
#
pki_status_request_timeout=15

# for supporting server cert SAN injection
pki_san_inject=False
pki_san_for_server_cert=

## Server-Cert cert-pki-ca
pki_sslserver_key_algorithm=%(ipa_key_algorithm)s
pki_sslserver_key_size=%(ipa_key_size)s
pki_sslserver_key_type=%(ipa_key_type)s

## subsystemCert cert-pki-ca
pki_subsystem_key_algorithm=%(ipa_key_algorithm)s
pki_subsystem_key_size=%(ipa_key_size)s
pki_subsystem_key_type=%(ipa_key_type)s
pki_subsystem_token=%(pki_token_name)s

[CA]
pki_random_serial_numbers_enable=False

## caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm=%(ipa_ca_key_algorithm)s
pki_ca_signing_key_size=%(ipa_ca_key_size)s
pki_ca_signing_key_type=%(ipa_ca_key_type)s
pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s
pki_ca_signing_token=%(pki_token_name)s

## ocspSigningCert cert-pki-ca
pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s
pki_ocsp_signing_key_size=%(ipa_key_size)s
pki_ocsp_signing_key_type=%(ipa_key_type)s
pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s
pki_ocsp_signing_token=%(pki_token_name)s

[KRA]
pki_kra_ephemeral_requests=True

## storageCert cert-pki-kra
pki_storage_key_algorithm=%(ipa_key_algorithm)s
pki_storage_key_size=%(ipa_key_size)s
pki_storage_key_type=%(ipa_key_type)s
pki_storage_signing_algorithm=%(ipa_signing_algorithm)s
pki_storage_token=%(pki_token_name)s

## transportCert cert-pki-kra
pki_transport_key_algorithm=%(ipa_key_algorithm)s
pki_transport_key_size=%(ipa_key_size)s
pki_transport_key_type=%(ipa_key_type)s
pki_transport_signing_algorithm=%(ipa_signing_algorithm)s
pki_transport_token=%(pki_token_name)s
Add pki.ini override option Allow to specify a pki.ini overlay file on the command line. The override file can be used to override pkispawn settings. Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2018-09-03 05:45:30 -05:00			`#`
			`# Dogtag PKI configuration file`
			`#`
			`# Notes:`
			`# - "%" must be quoted as "%%".`
			`# - options in the [CA] and [KRA] section cannot be overriden from options`
			`# in the [DEFAULT] section`
			`# - pki_*_token options are hard-coded to pki_token_name`
			`# - pki_sslserver_token is hard-coded to 'internal'`
			`# - pki_backup_keys is automatically disabled when HSM support is enabled,`
			`# as HSM backup is not possible with the default mechanism.`
			`#`
			`# Predefined variables`
			`# - ipa_ca_subject`
			`# - ipa_fqdn`
			`# - ipa_subject_base`
			`# - pki_admin_password`
			`# - pki_dns_domainname`
			`# - softhsm2_so`


			`[DEFAULT]`
			`# default algorithms for all certificates`
			`ipa_key_algorithm=SHA256withRSA`
			`ipa_key_size=2048`
			`ipa_key_type=rsa`
			`ipa_signing_algorithm=SHA256withRSA`

			`# Used for IPA CA`
			`# signing algorithm can be overriden on command line`
Fix and extend pki config override test * override ipa_ca_key_size * test with SHA512withRSA Related: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2019-04-24 01:06:58 -05:00			`ipa_ca_key_algorithm=%(ipa_key_algorithm)s`
Increase default key size for CA to 3072 bits The signing key for IPA's CA certificate now uses a 3072 bit RSA key by default. According to https://www.keylength.com/, NIST 800-57 Part 1 Rev. 4 recommends 3072 bit RSA keys for keys that are used beyond 2030 for 128 bit strength. Fixes: https://pagure.io/freeipa/issue/6790 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2019-04-15 07:37:25 -05:00			`ipa_ca_key_size=3072`
Add pki.ini override option Allow to specify a pki.ini overlay file on the command line. The override file can be used to override pkispawn settings. Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2018-09-03 05:45:30 -05:00			`ipa_ca_key_type=%(ipa_key_type)s`
Fix and extend pki config override test * override ipa_ca_key_size * test with SHA512withRSA Related: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2019-04-24 01:06:58 -05:00			`ipa_ca_signing_algorithm=%(ipa_signing_algorithm)s`
Add pki.ini override option Allow to specify a pki.ini overlay file on the command line. The override file can be used to override pkispawn settings. Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2018-09-03 05:45:30 -05:00
			`# HSM support`
			`pki_hsm_enable=False`
			`pki_hsm_libfile=`
			`pki_hsm_modulename=`
			`pki_token_name=internal`
			`# backup is automatically disabled when HSM support is enabled`
			`pki_backup_keys=True`
			`pki_backup_password=%(pki_admin_password)s`

			`pki_admin_email=root@localhost`

			`## auditSigningCert cert-pki-ca / auditSigningCert cert-pki-kra`
			`pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s`
			`pki_audit_signing_key_size=%(ipa_key_size)s`
			`pki_audit_signing_key_type=%(ipa_key_type)s`
			`pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s`
			`pki_audit_signing_token=%(pki_token_name)s`

			`# Configures the status request timeout, i.e. the connect/data`
			`# timeout on the HTTP request to get the status of Dogtag.`
			`#`
			`# This configuration is needed in "multiple IP address" scenarios`
			`# where this server's hostname has multiple IP addresses but the`
			`# HTTP server is only listening on one of them. Without a timeout,`
			`# if a "wrong" IP address is tried first, it will take a long time`
			`# to timeout, exceeding the overall timeout hence the request will`
			`# not be re-tried. Setting a shorter timeout allows the request`
			`# to be re-tried.`
			`#`
			`# Note that HSMs cause different behaviour so this value might`
			`# not be suitable for when we implement HSM support. It is`
			`# known that a value of 5s is too short in HSM environment.`
			`#`
			`pki_status_request_timeout=15`

			`# for supporting server cert SAN injection`
			`pki_san_inject=False`
			`pki_san_for_server_cert=`

			`## Server-Cert cert-pki-ca`
			`pki_sslserver_key_algorithm=%(ipa_key_algorithm)s`
			`pki_sslserver_key_size=%(ipa_key_size)s`
			`pki_sslserver_key_type=%(ipa_key_type)s`

			`## subsystemCert cert-pki-ca`
			`pki_subsystem_key_algorithm=%(ipa_key_algorithm)s`
			`pki_subsystem_key_size=%(ipa_key_size)s`
			`pki_subsystem_key_type=%(ipa_key_type)s`
			`pki_subsystem_token=%(pki_token_name)s`

			`[CA]`
			`pki_random_serial_numbers_enable=False`

			`## caSigningCert cert-pki-ca`
Fix and extend pki config override test * override ipa_ca_key_size * test with SHA512withRSA Related: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2019-04-24 01:06:58 -05:00			`pki_ca_signing_key_algorithm=%(ipa_ca_key_algorithm)s`
Add pki.ini override option Allow to specify a pki.ini overlay file on the command line. The override file can be used to override pkispawn settings. Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2018-09-03 05:45:30 -05:00			`pki_ca_signing_key_size=%(ipa_ca_key_size)s`
			`pki_ca_signing_key_type=%(ipa_ca_key_type)s`
			`pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s`
			`pki_ca_signing_token=%(pki_token_name)s`

			`## ocspSigningCert cert-pki-ca`
			`pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s`
			`pki_ocsp_signing_key_size=%(ipa_key_size)s`
			`pki_ocsp_signing_key_type=%(ipa_key_type)s`
			`pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s`
			`pki_ocsp_signing_token=%(pki_token_name)s`

			`[KRA]`
			`pki_kra_ephemeral_requests=True`

			`## storageCert cert-pki-kra`
			`pki_storage_key_algorithm=%(ipa_key_algorithm)s`
			`pki_storage_key_size=%(ipa_key_size)s`
			`pki_storage_key_type=%(ipa_key_type)s`
			`pki_storage_signing_algorithm=%(ipa_signing_algorithm)s`
			`pki_storage_token=%(pki_token_name)s`

			`## transportCert cert-pki-kra`
			`pki_transport_key_algorithm=%(ipa_key_algorithm)s`
			`pki_transport_key_size=%(ipa_key_size)s`
			`pki_transport_key_type=%(ipa_key_type)s`
			`pki_transport_signing_algorithm=%(ipa_signing_algorithm)s`
			`pki_transport_token=%(pki_token_name)s`