mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
645 lines
29 KiB
INI
645 lines
29 KiB
INI
|
###############################################################################
|
||
|
## Default Configuration: ##
|
||
|
## ##
|
||
|
## Values in this section are common to more than one PKI subsystem, and ##
|
||
|
## contain required information which MAY be overridden by users as ##
|
||
|
## necessary. ##
|
||
|
## ##
|
||
|
## There are also some meta-parameters that determine how the PKI ##
|
||
|
## configuratiion should work. ##
|
||
|
## ##
|
||
|
###############################################################################
|
||
|
[DEFAULT]
|
||
|
|
||
|
JAVA_HOME=%(java_home)s
|
||
|
|
||
|
# The sensitive_parameters contains a list of parameters which may contain
|
||
|
# sensitive information which must not be displayed to the console nor stored
|
||
|
# in log files for security reasons.
|
||
|
sensitive_parameters=
|
||
|
pki_admin_password
|
||
|
pki_backup_password
|
||
|
pki_client_database_password
|
||
|
pki_client_pin
|
||
|
pki_client_pkcs12_password
|
||
|
pki_clone_pkcs12_password
|
||
|
pki_ds_password
|
||
|
pki_external_pkcs12_password
|
||
|
pki_pkcs12_password
|
||
|
pki_one_time_pin
|
||
|
pki_pin
|
||
|
pki_replication_password
|
||
|
pki_security_domain_password
|
||
|
pki_server_pkcs12_password
|
||
|
pki_token_password
|
||
|
|
||
|
# The spawn_scriplets contains a list of scriplets to be executed by pkispawn.
|
||
|
spawn_scriplets=
|
||
|
initialization
|
||
|
infrastructure_layout
|
||
|
instance_layout
|
||
|
subsystem_layout
|
||
|
webapp_deployment
|
||
|
slot_substitution
|
||
|
security_databases
|
||
|
selinux_setup
|
||
|
configuration
|
||
|
finalization
|
||
|
|
||
|
# The destroy_scriplets contains a list of scriplets to be executed by pkidestroy.
|
||
|
destroy_scriplets=
|
||
|
initialization
|
||
|
configuration
|
||
|
webapp_deployment
|
||
|
subsystem_layout
|
||
|
security_databases
|
||
|
instance_layout
|
||
|
selinux_setup
|
||
|
infrastructure_layout
|
||
|
finalization
|
||
|
|
||
|
# By default, the following parameters will be set for Tomcat instances.
|
||
|
# There is no reason to uncomment these. They are provided for reference in
|
||
|
# case someone wants to override them in their config file.
|
||
|
#
|
||
|
# Tomcat instances:
|
||
|
# pki_instance_name=pki-tomcat
|
||
|
# pki_https_port=8443
|
||
|
# pki_http_port=8080
|
||
|
|
||
|
pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
|
||
|
pki_admin_cert_request_type=pkcs10
|
||
|
pki_admin_dualkey=False
|
||
|
pki_admin_key_algorithm=SHA256withRSA
|
||
|
# DEPRECATED: Use 'pki_admin_key_size' instead.
|
||
|
pki_admin_keysize=2048
|
||
|
pki_admin_key_size=%(pki_admin_keysize)s
|
||
|
pki_admin_key_type=rsa
|
||
|
pki_admin_password=
|
||
|
|
||
|
pki_audit_group=pkiaudit
|
||
|
|
||
|
pki_audit_signing_key_algorithm=SHA256withRSA
|
||
|
pki_audit_signing_key_size=2048
|
||
|
pki_audit_signing_key_type=rsa
|
||
|
pki_audit_signing_signing_algorithm=SHA256withRSA
|
||
|
pki_audit_signing_token=
|
||
|
|
||
|
pki_backup_keys=False
|
||
|
pki_backup_password=
|
||
|
pki_ca_hostname=%(pki_security_domain_hostname)s
|
||
|
pki_ca_port=%(pki_security_domain_https_port)s
|
||
|
|
||
|
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
|
||
|
|
||
|
# DEPRECATED: Use 'pki_ca_signing_cert_path' instead.
|
||
|
pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert
|
||
|
pki_ca_signing_cert_path=%(pki_external_ca_cert_path)s
|
||
|
|
||
|
pki_client_admin_cert_p12=%(pki_client_dir)s/%(pki_subsystem_type)s_admin_cert.p12
|
||
|
pki_client_database_password=
|
||
|
pki_client_database_purge=True
|
||
|
pki_client_dir=%(home_dir)s/.dogtag/%(pki_instance_name)s
|
||
|
pki_client_pkcs12_password=
|
||
|
pki_ds_bind_dn=cn=Directory Manager
|
||
|
pki_ds_create_new_db=True
|
||
|
pki_ds_ldap_port=389
|
||
|
pki_ds_ldaps_port=636
|
||
|
pki_ds_password=
|
||
|
pki_ds_remove_data=True
|
||
|
pki_ds_secure_connection=False
|
||
|
pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
|
||
|
pki_ds_secure_connection_ca_pem_file=
|
||
|
pki_group=pkiuser
|
||
|
pki_hsm_enable=False
|
||
|
pki_hsm_libfile=
|
||
|
pki_hsm_modulename=
|
||
|
pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
|
||
|
pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
|
||
|
pki_issuing_ca_uri=https://%(pki_issuing_ca_hostname)s:%(pki_issuing_ca_https_port)s
|
||
|
pki_issuing_ca=%(pki_issuing_ca_uri)s
|
||
|
pki_replication_password=
|
||
|
pki_status_request_timeout=
|
||
|
pki_restart_configured_instance=True
|
||
|
pki_security_domain_hostname=%(pki_hostname)s
|
||
|
pki_security_domain_https_port=8443
|
||
|
pki_security_domain_name=%(pki_dns_domainname)s Security Domain
|
||
|
pki_security_domain_password=
|
||
|
pki_security_domain_user=caadmin
|
||
|
pki_self_signed_token=internal
|
||
|
#for supporting server cert SAN injection
|
||
|
pki_san_inject=False
|
||
|
pki_san_for_server_cert=
|
||
|
pki_skip_configuration=False
|
||
|
pki_skip_ds_verify=False
|
||
|
pki_skip_installation=False
|
||
|
pki_skip_sd_verify=False
|
||
|
|
||
|
# DEPRECATED
|
||
|
# Use 'pki_sslserver_*' instead.
|
||
|
pki_ssl_server_key_algorithm=SHA256withRSA
|
||
|
pki_ssl_server_key_size=2048
|
||
|
pki_ssl_server_key_type=rsa
|
||
|
pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
|
||
|
pki_ssl_server_subject_dn=cn=%(pki_hostname)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
pki_ssl_server_token=
|
||
|
|
||
|
pki_sslserver_key_algorithm=%(pki_ssl_server_key_algorithm)s
|
||
|
pki_sslserver_key_size=%(pki_ssl_server_key_size)s
|
||
|
pki_sslserver_key_type=%(pki_ssl_server_key_type)s
|
||
|
pki_sslserver_nickname=%(pki_ssl_server_nickname)s
|
||
|
pki_sslserver_subject_dn=%(pki_ssl_server_subject_dn)s
|
||
|
pki_sslserver_token=%(pki_ssl_server_token)s
|
||
|
|
||
|
pki_subsystem_key_algorithm=SHA256withRSA
|
||
|
pki_subsystem_key_size=2048
|
||
|
pki_subsystem_key_type=rsa
|
||
|
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
|
||
|
pki_subsystem_subject_dn=cn=Subsystem Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
pki_subsystem_token=
|
||
|
|
||
|
pki_theme_enable=True
|
||
|
pki_theme_server_dir=/usr/share/pki/common-ui
|
||
|
pki_token_name=internal
|
||
|
pki_token_password=
|
||
|
pki_user=pkiuser
|
||
|
pki_existing=False
|
||
|
|
||
|
# DEPRECATED: Use 'pki_cert_chain_path' instead.
|
||
|
pki_external_ca_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert
|
||
|
pki_cert_chain_path=%(pki_external_ca_cert_chain_path)s
|
||
|
|
||
|
# DEPRECATED: Use 'pki_cert_chain_nickname' instead.
|
||
|
pki_external_ca_cert_chain_nickname=caSigningCert External CA
|
||
|
pki_cert_chain_nickname=%(pki_external_ca_cert_chain_nickname)s
|
||
|
|
||
|
pki_pkcs12_path=
|
||
|
pki_pkcs12_password=
|
||
|
|
||
|
# Paths:
|
||
|
# These are used in the processing of pkispawn and are not supposed
|
||
|
# to be overwritten by user configuration files.
|
||
|
#
|
||
|
pki_client_database_dir=%(pki_client_subsystem_dir)s/alias
|
||
|
pki_client_subsystem_dir=%(pki_client_dir)s/%(pki_subsystem_type)s
|
||
|
pki_client_password_conf=%(pki_client_subsystem_dir)s/password.conf
|
||
|
pki_client_pkcs12_password_conf=%(pki_client_subsystem_dir)s/pkcs12_password.conf
|
||
|
pki_client_admin_cert=%(pki_client_dir)s/%(pki_subsystem_type)s_admin.cert
|
||
|
pki_source_conf_path=/usr/share/pki/%(pki_subsystem_type)s/conf
|
||
|
pki_source_setup_path=/usr/share/pki/setup
|
||
|
pki_source_server_path=/usr/share/pki/server/conf
|
||
|
pki_source_cs_cfg=/usr/share/pki/%(pki_subsystem_type)s/conf/CS.cfg
|
||
|
pki_source_registry=/usr/share/pki/setup/pkidaemon_registry
|
||
|
pki_source_subsystem_path=/usr/share/pki/%(pki_subsystem_type)s
|
||
|
pki_path=/var/lib/pki
|
||
|
pki_log_path=/var/log/pki
|
||
|
pki_configuration_path=/etc/pki
|
||
|
pki_registry_path=/etc/sysconfig/pki
|
||
|
pki_instance_path=%(pki_path)s/%(pki_instance_name)s
|
||
|
pki_instance_log_path=%(pki_log_path)s/%(pki_instance_name)s
|
||
|
pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s
|
||
|
pki_database_path=%(pki_instance_configuration_path)s/alias
|
||
|
pki_instance_database_link=%(pki_instance_path)s/alias
|
||
|
pki_instance_conf_link=%(pki_instance_path)s/conf
|
||
|
pki_instance_logs_link=%(pki_instance_path)s/logs
|
||
|
pki_subsystem_path=%(pki_instance_path)s/%(pki_subsystem_type)s
|
||
|
pki_subsystem_log_path=%(pki_instance_log_path)s/%(pki_subsystem_type)s
|
||
|
pki_subsystem_archive_log_path=%(pki_subsystem_log_path)s/archive
|
||
|
pki_subsystem_configuration_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s
|
||
|
pki_subsystem_database_link=%(pki_subsystem_path)s/alias
|
||
|
pki_subsystem_conf_link=%(pki_subsystem_path)s/conf
|
||
|
pki_subsystem_logs_link=%(pki_subsystem_path)s/logs
|
||
|
pki_subsystem_registry_link=%(pki_subsystem_path)s/registry
|
||
|
|
||
|
|
||
|
###############################################################################
|
||
|
## Tomcat Configuration: ##
|
||
|
## ##
|
||
|
## Values in this section are common to PKI subsystems that run ##
|
||
|
## as an instance of 'Tomcat' (CA, KRA, OCSP, TKS, and TPS subsystems ##
|
||
|
## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ##
|
||
|
## required information which MAY be overridden by users as necessary. ##
|
||
|
## ##
|
||
|
## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ##
|
||
|
## a 'TKS Clone', or a 'TPS Clone', change the value of ##
|
||
|
## 'pki_clone' from 'False' to 'True'. ##
|
||
|
## ##
|
||
|
## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
|
||
|
## are MUTUALLY EXCLUSIVE entities!!! ##
|
||
|
###############################################################################
|
||
|
[Tomcat]
|
||
|
pki_ajp_host=localhost
|
||
|
pki_ajp_port=8009
|
||
|
pki_server_pkcs12_path=
|
||
|
pki_server_pkcs12_password=
|
||
|
pki_server_external_certs_path=
|
||
|
pki_clone=False
|
||
|
pki_clone_pkcs12_password=
|
||
|
pki_clone_pkcs12_path=
|
||
|
pki_clone_replicate_schema=True
|
||
|
pki_clone_replication_master_port=
|
||
|
pki_clone_replication_clone_port=
|
||
|
pki_clone_replication_security=None
|
||
|
pki_clone_setup_replication=True
|
||
|
pki_clone_reindex_data=False
|
||
|
pki_master_hostname=%(pki_security_domain_hostname)s
|
||
|
pki_master_https_port=%(pki_security_domain_https_port)s
|
||
|
pki_clone_uri=https://%(pki_master_hostname)s:%(pki_master_https_port)s
|
||
|
pki_enable_access_log=True
|
||
|
pki_enable_java_debugger=False
|
||
|
pki_enable_on_system_boot=True
|
||
|
pki_enable_proxy=False
|
||
|
pki_proxy_http_port=80
|
||
|
pki_proxy_https_port=443
|
||
|
pki_security_manager=true
|
||
|
pki_tomcat_server_port=8005
|
||
|
|
||
|
# Paths
|
||
|
# These are used in the processing of pkispawn and are not supposed
|
||
|
# to be overwritten by user configuration files.
|
||
|
#
|
||
|
pki_systemd_service=/lib/systemd/system/pki-tomcatd@.service
|
||
|
pki_systemd_target=/lib/systemd/system/pki-tomcatd.target
|
||
|
pki_systemd_target_wants=/etc/systemd/system/pki-tomcatd.target.wants
|
||
|
pki_systemd_service_link=%(pki_systemd_target_wants)s/pki-tomcatd@%(pki_instance_name)s.service
|
||
|
pki_cgroup_systemd_service_path=/sys/fs/cgroup/systemd/system/%(pki_systemd_service)s
|
||
|
pki_cgroup_systemd_service=%(pki_cgroup_systemd_service_path)s/%(pki_instance_name)s
|
||
|
pki_cgroup_cpu_systemd_service_path=/sys/fs/cgroup/cpu\,cpuacct/system/%(pki_systemd_service)s
|
||
|
pki_cgroup_cpu_systemd_service=%(pki_cgroup_cpu_systemd_service_path)s/%(pki_systemd_service)s
|
||
|
|
||
|
CATALINA_HOME=/usr/share/tomcat
|
||
|
pki_tomcat_bin_path=%(CATALINA_HOME)s/bin
|
||
|
pki_tomcat_lib_path=%(CATALINA_HOME)s/lib
|
||
|
|
||
|
pki_tomcat_systemd=/usr/sbin/tomcat
|
||
|
pki_source_server_xml=%(pki_source_server_path)s/server.xml
|
||
|
pki_source_context_xml=%(pki_source_server_path)s/context.xml
|
||
|
pki_source_tomcat_conf=%(pki_source_server_path)s/tomcat.conf
|
||
|
pki_instance_type=Tomcat
|
||
|
pki_tomcat_common_path=%(pki_instance_path)s/common
|
||
|
pki_tomcat_common_lib_path=%(pki_tomcat_common_path)s/lib
|
||
|
pki_tomcat_tmpdir_path=%(pki_instance_path)s/temp
|
||
|
pki_tomcat_webapps_path=%(pki_instance_path)s/webapps
|
||
|
pki_tomcat_common_webapps_path=%(pki_instance_path)s/common/webapps
|
||
|
pki_tomcat_work_path=%(pki_instance_path)s/work
|
||
|
pki_tomcat_work_catalina_path=%(pki_tomcat_work_path)s/Catalina
|
||
|
pki_tomcat_work_catalina_host_path=%(pki_tomcat_work_catalina_path)s/localhost
|
||
|
pki_tomcat_work_catalina_host_run_path=%(pki_tomcat_work_catalina_host_path)s/_
|
||
|
pki_tomcat_work_catalina_host_subsystem_path=%(pki_tomcat_work_catalina_host_path)s/%(pki_subsystem_type)s
|
||
|
pki_instance_conf_log4j_properties=%(pki_instance_configuration_path)s/log4j.properties
|
||
|
pki_instance_type_registry_path=%(pki_registry_path)s/tomcat
|
||
|
pki_instance_registry_path=%(pki_instance_type_registry_path)s/%(pki_instance_name)s
|
||
|
pki_subsystem_registry_path=%(pki_instance_registry_path)s/%(pki_subsystem_type)s
|
||
|
pki_tomcat_bin_link=%(pki_instance_path)s/bin
|
||
|
pki_instance_lib=%(pki_instance_path)s/lib
|
||
|
pki_instance_lib_log4j_properties=%(pki_instance_lib)s/log4j.properties
|
||
|
pki_instance_systemd_link=%(pki_instance_path)s/%(pki_instance_name)s
|
||
|
pki_subsystem_signed_audit_log_path=%(pki_subsystem_log_path)s/signedAudit
|
||
|
pki_tomcat_subsystem_webapps_path=%(pki_subsystem_path)s/webapps
|
||
|
pki_tomcat_webapps_subsystem_path=%(pki_tomcat_subsystem_webapps_path)s/%(pki_subsystem_type)s
|
||
|
pki_tomcat_webapps_subsystem_webinf_classes_path=%(pki_tomcat_webapps_subsystem_path)s/WEB-INF/classes
|
||
|
pki_tomcat_webapps_subsystem_webinf_lib_path=%(pki_tomcat_webapps_subsystem_path)s/WEB-INF/lib
|
||
|
|
||
|
|
||
|
###############################################################################
|
||
|
## CA Configuration: ##
|
||
|
## ##
|
||
|
## Values in this section are common to CA subsystems including 'PKI CAs', ##
|
||
|
## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ##
|
||
|
## required information which MAY be overridden by users as necessary. ##
|
||
|
## ##
|
||
|
## EXTERNAL CAs: To specify an 'External CA', change the value ##
|
||
|
## of 'pki_external' from 'False' to 'True'. ##
|
||
|
## ##
|
||
|
## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ##
|
||
|
## of 'pki_subordinate' from 'False' to 'True'. ##
|
||
|
## ##
|
||
|
## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
|
||
|
## are MUTUALLY EXCLUSIVE entities!!! ##
|
||
|
###############################################################################
|
||
|
[CA]
|
||
|
pki_ca_signing_key_algorithm=SHA256withRSA
|
||
|
pki_ca_signing_key_size=2048
|
||
|
pki_ca_signing_key_type=rsa
|
||
|
pki_ca_signing_record_create=True
|
||
|
pki_ca_signing_serial_number=1
|
||
|
pki_ca_signing_signing_algorithm=SHA256withRSA
|
||
|
pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
pki_ca_signing_token=
|
||
|
|
||
|
# DEPRECATED: Use 'pki_ca_signing_csr_path' instead.
|
||
|
pki_external_csr_path=
|
||
|
pki_ca_signing_csr_path=%(pki_external_csr_path)s
|
||
|
|
||
|
pki_ocsp_signing_csr_path=
|
||
|
pki_audit_signing_csr_path=
|
||
|
pki_sslserver_csr_path=
|
||
|
pki_subsystem_csr_path=
|
||
|
|
||
|
pki_ocsp_signing_cert_path=
|
||
|
pki_audit_signing_cert_path=
|
||
|
pki_sslserver_cert_path=
|
||
|
pki_subsystem_cert_path=
|
||
|
|
||
|
pki_ca_starting_crl_number=0
|
||
|
pki_external=False
|
||
|
pki_req_ext_add=False
|
||
|
# MS subca request ext data
|
||
|
pki_req_ext_oid=1.3.6.1.4.1.311.20.2
|
||
|
pki_req_ext_critical=False
|
||
|
pki_req_ext_data=1E0A00530075006200430041
|
||
|
pki_external_step_two=False
|
||
|
|
||
|
pki_external_pkcs12_path=%(pki_pkcs12_path)s
|
||
|
pki_external_pkcs12_password=%(pki_pkcs12_password)s
|
||
|
pki_import_admin_cert=False
|
||
|
|
||
|
pki_ocsp_signing_key_algorithm=SHA256withRSA
|
||
|
pki_ocsp_signing_key_size=2048
|
||
|
pki_ocsp_signing_key_type=rsa
|
||
|
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
|
||
|
pki_ocsp_signing_signing_algorithm=SHA256withRSA
|
||
|
pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
pki_ocsp_signing_token=
|
||
|
|
||
|
pki_profiles_in_ldap=False
|
||
|
pki_random_serial_numbers_enable=False
|
||
|
pki_subordinate=False
|
||
|
pki_subordinate_create_new_security_domain=False
|
||
|
pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain
|
||
|
|
||
|
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
|
||
|
pki_admin_name=%(pki_admin_uid)s
|
||
|
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
|
||
|
pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
pki_admin_uid=caadmin
|
||
|
|
||
|
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA
|
||
|
pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
|
||
|
pki_ds_base_dn=o=%(pki_instance_name)s-CA
|
||
|
pki_ds_database=%(pki_instance_name)s-CA
|
||
|
pki_ds_hostname=%(pki_hostname)s
|
||
|
pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
|
||
|
pki_share_db=False
|
||
|
pki_master_crl_enable=True
|
||
|
|
||
|
# Default OCSP URI added by AuthInfoAccessExtDefault if the profile
|
||
|
# config is blank. If both are blank, the value is constructed
|
||
|
# based on the CMS hostname and port.
|
||
|
pki_default_ocsp_uri=
|
||
|
|
||
|
# Paths
|
||
|
# These are used in the processing of pkispawn and are not supposed
|
||
|
# to be overwritten by user configuration files.
|
||
|
#
|
||
|
pki_source_emails=/usr/share/pki/ca/emails
|
||
|
pki_source_flatfile_txt=%(pki_source_conf_path)s/flatfile.txt
|
||
|
pki_source_profiles=/usr/share/pki/ca/profiles
|
||
|
pki_source_proxy_conf=%(pki_source_conf_path)s/proxy.conf
|
||
|
pki_source_registry_cfg=%(pki_source_conf_path)s/registry.cfg
|
||
|
pki_source_admincert_profile=%(pki_source_conf_path)s/%(pki_admin_key_type)sAdminCert.profile
|
||
|
pki_source_caauditsigningcert_profile=%(pki_source_conf_path)s/caAuditSigningCert.profile
|
||
|
pki_source_cacert_profile=%(pki_source_conf_path)s/caCert.profile
|
||
|
pki_source_caocspcert_profile=%(pki_source_conf_path)s/caOCSPCert.profile
|
||
|
pki_source_servercert_profile=%(pki_source_conf_path)s/%(pki_sslserver_key_type)sServerCert.profile
|
||
|
pki_source_subsystemcert_profile=%(pki_source_conf_path)s/%(pki_subsystem_key_type)sSubsystemCert.profile
|
||
|
pki_subsystem_emails_path=%(pki_subsystem_path)s/emails
|
||
|
pki_subsystem_profiles_path=%(pki_subsystem_path)s/profiles
|
||
|
|
||
|
pki_serial_number_range_start=1
|
||
|
pki_serial_number_range_end=10000000
|
||
|
pki_request_number_range_start=1
|
||
|
pki_request_number_range_end=10000000
|
||
|
pki_replica_number_range_start=1
|
||
|
pki_replica_number_range_end=100
|
||
|
|
||
|
|
||
|
###############################################################################
|
||
|
## KRA Configuration: ##
|
||
|
## ##
|
||
|
## Values in this section are common to KRA subsystems ##
|
||
|
## including 'PKI KRAs', 'Cloned KRAs', and 'Stand-alone KRAs' and contain ##
|
||
|
## required information which MAY be overridden by users as necessary. ##
|
||
|
## ##
|
||
|
## STAND-ALONE KRAs: To specify a 'Stand-alone KRA', change the value ##
|
||
|
## of 'pki_standalone' from 'False' to 'True', and ##
|
||
|
## specify the various 'pki_external' parameters ##
|
||
|
## as appropriate. ##
|
||
|
## ##
|
||
|
###############################################################################
|
||
|
[KRA]
|
||
|
pki_import_admin_cert=True
|
||
|
pki_standalone=False
|
||
|
pki_kra_ephemeral_requests=False
|
||
|
|
||
|
# DEPRECATED
|
||
|
# Use 'pki_*_csr_path' instead.
|
||
|
pki_external_admin_csr_path=
|
||
|
pki_external_audit_signing_csr_path=
|
||
|
pki_external_sslserver_csr_path=
|
||
|
pki_external_storage_csr_path=
|
||
|
pki_external_subsystem_csr_path=
|
||
|
pki_external_transport_csr_path=
|
||
|
|
||
|
pki_admin_csr_path=%(pki_external_admin_csr_path)s
|
||
|
pki_audit_signing_csr_path=%(pki_external_audit_signing_csr_path)s
|
||
|
pki_sslserver_csr_path=%(pki_external_sslserver_csr_path)s
|
||
|
pki_storage_csr_path=%(pki_external_storage_csr_path)s
|
||
|
pki_subsystem_csr_path=%(pki_external_subsystem_csr_path)s
|
||
|
pki_transport_csr_path=%(pki_external_transport_csr_path)s
|
||
|
|
||
|
pki_external_step_two=False
|
||
|
|
||
|
# DEPRECATED
|
||
|
# Use 'pki_*_cert_path' instead.
|
||
|
pki_external_admin_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert
|
||
|
pki_external_audit_signing_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert
|
||
|
pki_external_sslserver_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert
|
||
|
pki_external_storage_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_storage.cert
|
||
|
pki_external_subsystem_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert
|
||
|
pki_external_transport_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_transport.cert
|
||
|
|
||
|
pki_admin_cert_path=%(pki_external_admin_cert_path)s
|
||
|
pki_audit_signing_cert_path=%(pki_external_audit_signing_cert_path)s
|
||
|
pki_sslserver_cert_path=%(pki_external_sslserver_cert_path)s
|
||
|
pki_storage_cert_path=%(pki_external_storage_cert_path)s
|
||
|
pki_subsystem_cert_path=%(pki_external_subsystem_cert_path)s
|
||
|
pki_transport_cert_path=%(pki_external_transport_cert_path)s
|
||
|
|
||
|
pki_storage_key_algorithm=SHA256withRSA
|
||
|
pki_storage_key_size=2048
|
||
|
pki_storage_key_type=rsa
|
||
|
pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
|
||
|
pki_storage_signing_algorithm=SHA256withRSA
|
||
|
pki_storage_subject_dn=cn=DRM Storage Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
pki_storage_token=
|
||
|
|
||
|
pki_transport_key_algorithm=SHA256withRSA
|
||
|
pki_transport_key_size=2048
|
||
|
pki_transport_key_type=rsa
|
||
|
pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
|
||
|
pki_transport_signing_algorithm=SHA256withRSA
|
||
|
pki_transport_subject_dn=cn=DRM Transport Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
pki_transport_token=
|
||
|
|
||
|
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
|
||
|
pki_admin_name=%(pki_admin_uid)s
|
||
|
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
|
||
|
pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
pki_admin_uid=kraadmin
|
||
|
|
||
|
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA
|
||
|
pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
|
||
|
pki_ds_base_dn=o=%(pki_instance_name)s-KRA
|
||
|
pki_ds_database=%(pki_instance_name)s-KRA
|
||
|
pki_ds_hostname=%(pki_hostname)s
|
||
|
pki_subsystem_name=KRA %(pki_hostname)s %(pki_https_port)s
|
||
|
pki_share_db=True
|
||
|
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
|
||
|
|
||
|
###############################################################################
|
||
|
## OCSP Configuration: ##
|
||
|
## ##
|
||
|
## Values in this section are common to OCSP subsystems ##
|
||
|
## including 'PKI OCSPs', 'Cloned OCSPs', and 'Stand-alone OCSPs' and ##
|
||
|
## contain required information which MAY be overridden by users as ##
|
||
|
## necessary. ##
|
||
|
## ##
|
||
|
## STAND-ALONE OCSPs: To specify a 'Stand-alone OCSP', change the ##
|
||
|
## value of 'pki_standalone' from 'False' to ##
|
||
|
## 'True', and specify the various 'pki_external' ##
|
||
|
## parameters as appropriate. ##
|
||
|
## (NOTE: Stand-alone OCSP is not yet supported!) ##
|
||
|
## ##
|
||
|
###############################################################################
|
||
|
[OCSP]
|
||
|
pki_import_admin_cert=True
|
||
|
pki_standalone=False
|
||
|
|
||
|
# DEPRECATED
|
||
|
# Use 'pki_*_csr_path' instead.
|
||
|
pki_external_admin_csr_path=
|
||
|
pki_external_audit_signing_csr_path=
|
||
|
pki_external_signing_csr_path=
|
||
|
pki_external_sslserver_csr_path=
|
||
|
pki_external_subsystem_csr_path=
|
||
|
|
||
|
pki_admin_csr_path=%(pki_external_admin_csr_path)s
|
||
|
pki_audit_signing_csr_path=%(pki_external_audit_signing_csr_path)s
|
||
|
pki_ocsp_signing_csr_path =%(pki_external_signing_csr_path)s
|
||
|
pki_sslserver_csr_path=%(pki_external_sslserver_csr_path)s
|
||
|
pki_subsystem_csr_path=%(pki_external_subsystem_csr_path)s
|
||
|
|
||
|
pki_external_step_two=False
|
||
|
|
||
|
# DEPRECATED
|
||
|
# Use 'pki_*_cert_path' instead.
|
||
|
pki_external_admin_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert
|
||
|
pki_external_audit_signing_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert
|
||
|
pki_external_signing_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_signing.cert
|
||
|
pki_external_sslserver_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert
|
||
|
pki_external_subsystem_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert
|
||
|
|
||
|
pki_admin_cert_path=%(pki_external_admin_cert_path)s
|
||
|
pki_audit_signing_cert_path=%(pki_external_audit_signing_cert_path)s
|
||
|
pki_ocsp_signing_cert_path=%(pki_external_signing_cert_path)s
|
||
|
pki_sslserver_cert_path=%(pki_external_sslserver_cert_path)s
|
||
|
pki_subsystem_cert_path=%(pki_external_subsystem_cert_path)s
|
||
|
|
||
|
pki_ocsp_signing_key_algorithm=SHA256withRSA
|
||
|
pki_ocsp_signing_key_size=2048
|
||
|
pki_ocsp_signing_key_type=rsa
|
||
|
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
|
||
|
pki_ocsp_signing_signing_algorithm=SHA256withRSA
|
||
|
pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
pki_ocsp_signing_token=
|
||
|
|
||
|
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
|
||
|
pki_admin_name=%(pki_admin_uid)s
|
||
|
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
|
||
|
pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
pki_admin_uid=ocspadmin
|
||
|
|
||
|
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP
|
||
|
pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
|
||
|
pki_ds_base_dn=o=%(pki_instance_name)s-OCSP
|
||
|
pki_ds_database=%(pki_instance_name)s-OCSP
|
||
|
pki_ds_hostname=%(pki_hostname)s
|
||
|
pki_subsystem_name=OCSP %(pki_hostname)s %(pki_https_port)s
|
||
|
pki_share_db=True
|
||
|
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
|
||
|
|
||
|
|
||
|
###############################################################################
|
||
|
## RA Configuration: ##
|
||
|
## ##
|
||
|
## Values in this section are common to PKI RA subsystems, and contain ##
|
||
|
## required information which MAY be overridden by users as necessary. ##
|
||
|
###############################################################################
|
||
|
[RA]
|
||
|
|
||
|
###############################################################################
|
||
|
## TKS Configuration: ##
|
||
|
## ##
|
||
|
## Values in this section are common to TKS subsystems ##
|
||
|
## including 'PKI TKSs' and 'Cloned TKSs', and contain ##
|
||
|
## required information which MAY be overridden by users as necessary. ##
|
||
|
###############################################################################
|
||
|
[TKS]
|
||
|
pki_import_admin_cert=True
|
||
|
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
|
||
|
pki_admin_name=%(pki_admin_uid)s
|
||
|
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
|
||
|
pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
pki_admin_uid=tksadmin
|
||
|
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS
|
||
|
pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
pki_ds_base_dn=o=%(pki_instance_name)s-TKS
|
||
|
pki_ds_database=%(pki_instance_name)s-TKS
|
||
|
pki_ds_hostname=%(pki_hostname)s
|
||
|
pki_subsystem_name=TKS %(pki_hostname)s %(pki_https_port)s
|
||
|
pki_share_db=True
|
||
|
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
|
||
|
|
||
|
###############################################################################
|
||
|
## TPS Configuration: ##
|
||
|
## ##
|
||
|
## Values in this section are common to PKI TPS subsystems, and contain ##
|
||
|
## required information which MAY be overridden by users as necessary. ##
|
||
|
###############################################################################
|
||
|
[TPS]
|
||
|
pki_import_admin_cert=True
|
||
|
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
|
||
|
pki_admin_name=%(pki_admin_uid)s
|
||
|
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
|
||
|
pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
pki_admin_uid=tpsadmin
|
||
|
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TPS
|
||
|
pki_audit_signing_subject_dn=cn=TPS Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||
|
pki_ds_base_dn=o=%(pki_instance_name)s-TPS
|
||
|
pki_ds_database=%(pki_instance_name)s-TPS
|
||
|
pki_ds_hostname=%(pki_hostname)s
|
||
|
pki_subsystem_name=TPS %(pki_hostname)s %(pki_https_port)s
|
||
|
pki_authdb_hostname=%(pki_hostname)s
|
||
|
pki_authdb_port=389
|
||
|
pki_authdb_secure_conn=False
|
||
|
pki_ca_uri=https://%(pki_hostname)s:%(pki_https_port)s
|
||
|
pki_kra_uri=https://%(pki_hostname)s:%(pki_https_port)s
|
||
|
pki_tks_uri=https://%(pki_hostname)s:%(pki_https_port)s
|
||
|
pki_enable_server_side_keygen=False
|
||
|
pki_import_shared_secret=False
|
||
|
pki_share_db=True
|
||
|
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
|
||
|
pki_source_phone_home_xml=/usr/share/pki/%(pki_subsystem_type)s/conf/phoneHome.xml
|
||
|
pki_source_registry_cfg=%(pki_source_conf_path)s/registry.cfg
|
||
|
|
||
|
# Paths
|
||
|
# These are used in the processing of pkispawn and are not supposed
|
||
|
# to be overwritten by user configuration files.
|
||
|
#
|
||
|
pki_subsystem_signed_audit_log_path=%(pki_subsystem_log_path)s/signedAudit
|
||
|
|