mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 08:00:02 -06:00
123 lines
3.9 KiB
INI
123 lines
3.9 KiB
INI
|
#
|
||
|
# Dogtag PKI configuration file
|
||
|
#
|
||
|
# Notes:
|
||
|
# - "%" must be quoted as "%%".
|
||
|
# - options in the [CA] and [KRA] section cannot be overriden from options
|
||
|
# in the [DEFAULT] section
|
||
|
# - pki_*_token options are hard-coded to pki_token_name
|
||
|
# - pki_sslserver_token is hard-coded to 'internal'
|
||
|
# - pki_backup_keys is automatically disabled when HSM support is enabled,
|
||
|
# as HSM backup is not possible with the default mechanism.
|
||
|
#
|
||
|
# Predefined variables
|
||
|
# - ipa_ca_subject
|
||
|
# - ipa_fqdn
|
||
|
# - ipa_subject_base
|
||
|
# - pki_admin_password
|
||
|
# - pki_dns_domainname
|
||
|
# - softhsm2_so
|
||
|
|
||
|
|
||
|
[DEFAULT]
|
||
|
# default algorithms for all certificates
|
||
|
ipa_key_algorithm=SHA256withRSA
|
||
|
ipa_key_size=2048
|
||
|
ipa_key_type=rsa
|
||
|
ipa_signing_algorithm=SHA256withRSA
|
||
|
|
||
|
# Used for IPA CA
|
||
|
# signing algorithm can be overriden on command line
|
||
|
ipa_ca_signing_algorithm=%(ipa_key_algorithm)s
|
||
|
ipa_ca_key_size=%(ipa_key_size)s
|
||
|
ipa_ca_key_type=%(ipa_key_type)s
|
||
|
|
||
|
# HSM support
|
||
|
pki_hsm_enable=False
|
||
|
pki_hsm_libfile=
|
||
|
pki_hsm_modulename=
|
||
|
pki_token_name=internal
|
||
|
# backup is automatically disabled when HSM support is enabled
|
||
|
pki_backup_keys=True
|
||
|
pki_backup_password=%(pki_admin_password)s
|
||
|
|
||
|
pki_admin_email=root@localhost
|
||
|
|
||
|
## auditSigningCert cert-pki-ca / auditSigningCert cert-pki-kra
|
||
|
pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s
|
||
|
pki_audit_signing_key_size=%(ipa_key_size)s
|
||
|
pki_audit_signing_key_type=%(ipa_key_type)s
|
||
|
pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s
|
||
|
pki_audit_signing_token=%(pki_token_name)s
|
||
|
|
||
|
# Configures the status request timeout, i.e. the connect/data
|
||
|
# timeout on the HTTP request to get the status of Dogtag.
|
||
|
#
|
||
|
# This configuration is needed in "multiple IP address" scenarios
|
||
|
# where this server's hostname has multiple IP addresses but the
|
||
|
# HTTP server is only listening on one of them. Without a timeout,
|
||
|
# if a "wrong" IP address is tried first, it will take a long time
|
||
|
# to timeout, exceeding the overall timeout hence the request will
|
||
|
# not be re-tried. Setting a shorter timeout allows the request
|
||
|
# to be re-tried.
|
||
|
#
|
||
|
# Note that HSMs cause different behaviour so this value might
|
||
|
# not be suitable for when we implement HSM support. It is
|
||
|
# known that a value of 5s is too short in HSM environment.
|
||
|
#
|
||
|
pki_status_request_timeout=15
|
||
|
|
||
|
# for supporting server cert SAN injection
|
||
|
pki_san_inject=False
|
||
|
pki_san_for_server_cert=
|
||
|
|
||
|
## Server-Cert cert-pki-ca
|
||
|
pki_sslserver_key_algorithm=%(ipa_key_algorithm)s
|
||
|
pki_sslserver_key_size=%(ipa_key_size)s
|
||
|
pki_sslserver_key_type=%(ipa_key_type)s
|
||
|
|
||
|
## subsystemCert cert-pki-ca
|
||
|
pki_subsystem_key_algorithm=%(ipa_key_algorithm)s
|
||
|
pki_subsystem_key_size=%(ipa_key_size)s
|
||
|
pki_subsystem_key_type=%(ipa_key_type)s
|
||
|
pki_subsystem_token=%(pki_token_name)s
|
||
|
|
||
|
[CA]
|
||
|
pki_random_serial_numbers_enable=False
|
||
|
|
||
|
## caSigningCert cert-pki-ca
|
||
|
pki_ca_signing_key_algorithm=%(ipa_ca_signing_algorithm)s
|
||
|
pki_ca_signing_key_size=%(ipa_ca_key_size)s
|
||
|
pki_ca_signing_key_type=%(ipa_ca_key_type)s
|
||
|
pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s
|
||
|
pki_ca_signing_token=%(pki_token_name)s
|
||
|
|
||
|
# MS subca request ext data
|
||
|
pki_req_ext_oid=1.3.6.1.4.1.311.20.2
|
||
|
pki_req_ext_critical=False
|
||
|
pki_req_ext_data=1E0A00530075006200430041
|
||
|
|
||
|
## ocspSigningCert cert-pki-ca
|
||
|
pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s
|
||
|
pki_ocsp_signing_key_size=%(ipa_key_size)s
|
||
|
pki_ocsp_signing_key_type=%(ipa_key_type)s
|
||
|
pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s
|
||
|
pki_ocsp_signing_token=%(pki_token_name)s
|
||
|
|
||
|
[KRA]
|
||
|
pki_kra_ephemeral_requests=True
|
||
|
|
||
|
## storageCert cert-pki-kra
|
||
|
pki_storage_key_algorithm=%(ipa_key_algorithm)s
|
||
|
pki_storage_key_size=%(ipa_key_size)s
|
||
|
pki_storage_key_type=%(ipa_key_type)s
|
||
|
pki_storage_signing_algorithm=%(ipa_signing_algorithm)s
|
||
|
pki_storage_token=%(pki_token_name)s
|
||
|
|
||
|
## transportCert cert-pki-kra
|
||
|
pki_transport_key_algorithm=%(ipa_key_algorithm)s
|
||
|
pki_transport_key_size=%(ipa_key_size)s
|
||
|
pki_transport_key_type=%(ipa_key_type)s
|
||
|
pki_transport_signing_algorithm=%(ipa_signing_algorithm)s
|
||
|
pki_transport_token=%(pki_token_name)s
|