Add IPA specific vars to ipaca_default.ini
Common settings like "pki_*_signing_key_algorithm" now use an IPA-specific template variable. This approach makes it easier to change all signing parameters to use a different algorithm. Fixes: https://pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
parent
0a2b02fc62
commit
70beccada2
@ -1,37 +1,88 @@
|
||||
#
|
||||
# Dogtag PKI configuration file
|
||||
#
|
||||
# Note: "%" must be quoted as "%%".
|
||||
#
|
||||
|
||||
[DEFAULT]
|
||||
ipa_admin_email=root@localhost
|
||||
# default algorithms for all certificates
|
||||
ipa_key_algorithm=SHA256withRSA
|
||||
ipa_key_size=2048
|
||||
ipa_key_type=rsa
|
||||
ipa_signing_algorithm=SHA256withRSA
|
||||
|
||||
# Used for IPA CA
|
||||
# signing algorithm can be overriden on command line
|
||||
ipa_ca_signing_algorithm=%(ipa_key_algorithm)s
|
||||
ipa_ca_key_size=%(ipa_key_size)s
|
||||
ipa_ca_key_type=%(ipa_key_type)s
|
||||
|
||||
# hard-coded IPA default settings
|
||||
ipa_security_domain_name=IPA
|
||||
ipa_ds_database=ipaca
|
||||
ipa_ds_base_dn=o=%(ipa_ds_database)s
|
||||
ipa_admin_user=admin
|
||||
ipa_admin_nickname=ipa-ca-agent
|
||||
ipa_ca_pem_file=/etc/ipa/ca.crt
|
||||
|
||||
# dynamic values
|
||||
ipa_ca_subject=
|
||||
ipa_subject_base=
|
||||
ipa_fqdn=
|
||||
ipa_ocsp_uri=
|
||||
ipa_admin_cert_p12=
|
||||
ipa_master_host=
|
||||
ipa_clone_uri=
|
||||
|
||||
# sensitive dynamic values
|
||||
pki_admin_password=
|
||||
pki_ds_password=
|
||||
pki_token_password=
|
||||
|
||||
# HSM support
|
||||
ipa_backup_keys=True
|
||||
ipa_hsm_enable=False
|
||||
ipa_hsm_libfile=
|
||||
ipa_hsm_modulename=
|
||||
ipa_token_name=internal
|
||||
|
||||
# Dogtag defaults
|
||||
pki_instance_name=pki-tomcat
|
||||
pki_configuration_path=/etc/pki
|
||||
pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s
|
||||
|
||||
pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
|
||||
pki_admin_cert_request_type=pkcs10
|
||||
pki_admin_dualkey=False
|
||||
pki_admin_key_algorithm=SHA256withRSA
|
||||
pki_admin_key_size=2048
|
||||
pki_admin_key_type=rsa
|
||||
pki_admin_password=
|
||||
pki_admin_key_algorithm=%(ipa_key_algorithm)s
|
||||
pki_admin_key_size=%(ipa_key_size)s
|
||||
pki_admin_key_type=%(ipa_key_type)s
|
||||
|
||||
pki_audit_group=pkiaudit
|
||||
pki_audit_signing_key_algorithm=SHA256withRSA
|
||||
pki_audit_signing_key_size=2048
|
||||
pki_audit_signing_key_type=rsa
|
||||
pki_audit_signing_signing_algorithm=SHA256withRSA
|
||||
pki_audit_signing_token=
|
||||
pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s
|
||||
pki_audit_signing_key_size=%(ipa_key_size)s
|
||||
pki_audit_signing_key_type=%(ipa_key_type)s
|
||||
pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s
|
||||
pki_audit_signing_token=%(ipa_token_name)s
|
||||
|
||||
pki_backup_keys=False
|
||||
pki_backup_password=
|
||||
pki_backup_keys=True
|
||||
pki_backup_password=%(pki_admin_password)s
|
||||
pki_ca_hostname=%(pki_security_domain_hostname)s
|
||||
pki_ca_port=%(pki_security_domain_https_port)s
|
||||
|
||||
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
|
||||
# nickname and subject are hard-coded
|
||||
pki_ca_signing_nickname=caSigningCert cert-pki-ca
|
||||
pki_ca_signing_cert_path=%(pki_instance_configuration_path)s/external_ca.cert
|
||||
|
||||
pki_client_admin_cert_p12=%(pki_client_dir)s/%(pki_subsystem_type)s_admin_cert.p12
|
||||
pki_client_admin_cert_p12=%(ipa_admin_cert_p12)s
|
||||
pki_client_database_password=
|
||||
pki_client_database_purge=True
|
||||
pki_client_dir=%(home_dir)s/.dogtag/%(pki_instance_name)s
|
||||
pki_client_pkcs12_password=
|
||||
pki_client_pkcs12_password=%(pki_admin_password)s
|
||||
pki_ds_bind_dn=cn=Directory Manager
|
||||
pki_ds_create_new_db=True
|
||||
pki_ds_ldap_port=389
|
||||
pki_ds_ldaps_port=636
|
||||
pki_ds_password=
|
||||
pki_ds_remove_data=True
|
||||
pki_ds_secure_connection=False
|
||||
pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
|
||||
@ -42,16 +93,34 @@ pki_hsm_libfile=
|
||||
pki_hsm_modulename=
|
||||
pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
|
||||
pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
|
||||
pki_issuing_ca_uri=https://%(pki_issuing_ca_hostname)s:%(pki_issuing_ca_https_port)s
|
||||
pki_issuing_ca_uri=https://%(ipa_fqdn)s:443
|
||||
pki_issuing_ca=%(pki_issuing_ca_uri)s
|
||||
pki_replication_password=
|
||||
pki_status_request_timeout=
|
||||
pki_restart_configured_instance=True
|
||||
pki_security_domain_hostname=%(pki_hostname)s
|
||||
pki_security_domain_https_port=8443
|
||||
pki_security_domain_name=%(pki_dns_domainname)s Security Domain
|
||||
pki_security_domain_password=
|
||||
pki_security_domain_user=caadmin
|
||||
|
||||
# Configures the status request timeout, i.e. the connect/data
|
||||
# timeout on the HTTP request to get the status of Dogtag.
|
||||
#
|
||||
# This configuration is needed in "multiple IP address" scenarios
|
||||
# where this server's hostname has multiple IP addresses but the
|
||||
# HTTP server is only listening on one of them. Without a timeout,
|
||||
# if a "wrong" IP address is tried first, it will take a long time
|
||||
# to timeout, exceeding the overall timeout hence the request will
|
||||
# not be re-tried. Setting a shorter timeout allows the request
|
||||
# to be re-tried.
|
||||
#
|
||||
# Note that HSMs cause different behaviour so this value might
|
||||
# not be suitable for when we implement HSM support. It is
|
||||
# known that a value of 5s is too short in HSM environment.
|
||||
#
|
||||
pki_status_request_timeout=15
|
||||
|
||||
pki_enable_proxy=True
|
||||
pki_restart_configured_instance=False
|
||||
pki_security_domain_hostname=%(ipa_fqdn)s
|
||||
pki_security_domain_https_port=443
|
||||
pki_security_domain_name=%(ipa_security_domain_name)s
|
||||
pki_security_domain_password=%(pki_admin_password)s
|
||||
pki_security_domain_user=%(ipa_admin_user)s
|
||||
pki_self_signed_token=internal
|
||||
|
||||
# for supporting server cert SAN injection
|
||||
@ -62,24 +131,26 @@ pki_skip_ds_verify=False
|
||||
pki_skip_installation=False
|
||||
pki_skip_sd_verify=False
|
||||
|
||||
pki_sslserver_key_algorithm=SHA256withRSA
|
||||
pki_sslserver_key_size=2048
|
||||
pki_sslserver_key_type=rsa
|
||||
pki_sslserver_nickname=Server-Cert cert-%(pki_instance_name)s
|
||||
pki_sslserver_subject_dn=cn=%(pki_hostname)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||||
pki_sslserver_token=
|
||||
pki_sslserver_key_algorithm=%(ipa_key_algorithm)s
|
||||
pki_sslserver_key_size=%(ipa_key_size)s
|
||||
pki_sslserver_key_type=%(ipa_key_type)s
|
||||
pki_sslserver_token=internal
|
||||
# nickname and subject are hard-coded
|
||||
pki_sslserver_nickname=Server-Cert cert-pki-ca
|
||||
pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s
|
||||
|
||||
pki_subsystem_key_algorithm=SHA256withRSA
|
||||
pki_subsystem_key_size=2048
|
||||
pki_subsystem_key_type=rsa
|
||||
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
|
||||
pki_subsystem_subject_dn=cn=Subsystem Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||||
pki_subsystem_token=
|
||||
pki_subsystem_key_algorithm=%(ipa_key_algorithm)s
|
||||
pki_subsystem_key_size=%(ipa_key_size)s
|
||||
pki_subsystem_key_type=%(ipa_key_type)s
|
||||
pki_subsystem_token=%(ipa_token_name)s
|
||||
# nickname and subject are hard-coded
|
||||
pki_subsystem_nickname=subsystemCert cert-pki-ca
|
||||
pki_subsystem_subject_dn=cn=CA Subsystem,%(ipa_subject_base)s
|
||||
|
||||
pki_theme_enable=True
|
||||
pki_theme_server_dir=/usr/share/pki/common-ui
|
||||
pki_token_name=internal
|
||||
pki_token_password=
|
||||
pki_token_name=%(ipa_token_name)s
|
||||
# pki_token_password
|
||||
pki_user=pkiuser
|
||||
pki_existing=False
|
||||
|
||||
@ -89,18 +160,21 @@ pki_cert_chain_nickname=caSigningCert External CA
|
||||
pki_pkcs12_path=
|
||||
pki_pkcs12_password=
|
||||
|
||||
pki_ds_base_dn=%(ipa_ds_base_dn)s
|
||||
pki_ds_database=%(ipa_ds_database)s
|
||||
pki_ds_hostname=%(ipa_fqdn)s
|
||||
|
||||
|
||||
[CA]
|
||||
pki_ca_signing_key_algorithm=SHA256withRSA
|
||||
pki_ca_signing_key_size=2048
|
||||
pki_ca_signing_key_type=rsa
|
||||
pki_ca_signing_key_algorithm=%(ipa_ca_signing_algorithm)s
|
||||
pki_ca_signing_key_size=%(ipa_ca_key_size)s
|
||||
pki_ca_signing_key_type=%(ipa_ca_key_type)s
|
||||
pki_ca_signing_record_create=True
|
||||
pki_ca_signing_serial_number=1
|
||||
pki_ca_signing_signing_algorithm=SHA256withRSA
|
||||
pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||||
pki_ca_signing_token=
|
||||
pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s
|
||||
pki_ca_signing_subject_dn=%(ipa_ca_subject)s
|
||||
pki_ca_signing_token=%(ipa_token_name)s
|
||||
|
||||
# DEPRECATED: Use 'pki_ca_signing_csr_path' instead.
|
||||
pki_ca_signing_csr_path=%(pki_instance_configuration_path)s/external_ca.csr
|
||||
|
||||
pki_ocsp_signing_csr_path=
|
||||
@ -126,37 +200,35 @@ pki_external_pkcs12_path=%(pki_pkcs12_path)s
|
||||
pki_external_pkcs12_password=%(pki_pkcs12_password)s
|
||||
pki_import_admin_cert=False
|
||||
|
||||
pki_ocsp_signing_key_algorithm=SHA256withRSA
|
||||
pki_ocsp_signing_key_size=2048
|
||||
pki_ocsp_signing_key_type=rsa
|
||||
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
|
||||
pki_ocsp_signing_signing_algorithm=SHA256withRSA
|
||||
pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||||
pki_ocsp_signing_token=
|
||||
pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s
|
||||
pki_ocsp_signing_key_size=%(ipa_key_size)s
|
||||
pki_ocsp_signing_key_type=%(ipa_key_type)s
|
||||
pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s
|
||||
pki_ocsp_signing_token=%(ipa_token_name)s
|
||||
# nickname and subject are hard-coded
|
||||
pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
|
||||
pki_ocsp_signing_subject_dn=cn=OCSP Subsystem,%(ipa_subject_base)s
|
||||
|
||||
pki_profiles_in_ldap=False
|
||||
pki_profiles_in_ldap=True
|
||||
pki_random_serial_numbers_enable=False
|
||||
pki_subordinate=False
|
||||
pki_subordinate_create_new_security_domain=False
|
||||
pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain
|
||||
|
||||
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
|
||||
pki_admin_name=%(pki_admin_uid)s
|
||||
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
|
||||
pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||||
pki_admin_uid=caadmin
|
||||
pki_admin_email=%(ipa_admin_email)s
|
||||
pki_admin_name=%(ipa_admin_user)s
|
||||
pki_admin_nickname=%(ipa_admin_nickname)s
|
||||
pki_admin_subject_dn=cn=%(ipa_admin_nickname)s,%(ipa_subject_base)s
|
||||
pki_admin_uid=%(ipa_admin_user)s
|
||||
|
||||
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA
|
||||
pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||||
# nickname and subject are hard-coded
|
||||
pki_audit_signing_nickname=auditSigningCert cert-pki-ca
|
||||
pki_audit_signing_subject_dn=cn=CA Audit,%(ipa_subject_base)s
|
||||
|
||||
pki_ds_base_dn=o=%(pki_instance_name)s-CA
|
||||
pki_ds_database=%(pki_instance_name)s-CA
|
||||
pki_ds_hostname=%(pki_hostname)s
|
||||
pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s
|
||||
pki_share_db=False
|
||||
pki_master_crl_enable=True
|
||||
|
||||
pki_default_ocsp_uri=
|
||||
pki_default_ocsp_uri=%(ipa_ocsp_uri)s
|
||||
|
||||
pki_serial_number_range_start=1
|
||||
pki_serial_number_range_end=10000000
|
||||
@ -169,52 +241,49 @@ pki_replica_number_range_end=100
|
||||
[KRA]
|
||||
pki_import_admin_cert=True
|
||||
pki_standalone=False
|
||||
pki_kra_ephemeral_requests=False
|
||||
pki_kra_ephemeral_requests=True
|
||||
pki_ds_create_new_db=True
|
||||
|
||||
pki_admin_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr
|
||||
pki_audit_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr
|
||||
pki_sslserver_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr
|
||||
pki_storage_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_storage.csr
|
||||
pki_subsystem_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr
|
||||
pki_transport_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_transport.csr
|
||||
# pki_admin_csr_path=
|
||||
# pki_audit_signing_csr_path=
|
||||
# pki_sslserver_csr_path=
|
||||
# pki_storage_csr_path=
|
||||
# pki_subsystem_csr_path=
|
||||
# pki_transport_csr_path=
|
||||
|
||||
pki_external_step_two=False
|
||||
|
||||
pki_admin_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert
|
||||
pki_audit_signing_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert
|
||||
pki_sslserver_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert
|
||||
pki_storage_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_storage.cert
|
||||
pki_subsystem_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert
|
||||
pki_transport_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_transport.cert
|
||||
# pki_admin_cert_path=
|
||||
# pki_audit_signing_cert_path=
|
||||
# pki_sslserver_cert_path=
|
||||
# pki_storage_cert_path=
|
||||
# pki_subsystem_cert_path=
|
||||
# pki_transport_cert_path=
|
||||
|
||||
pki_storage_key_algorithm=SHA256withRSA
|
||||
pki_storage_key_size=2048
|
||||
pki_storage_key_type=rsa
|
||||
pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
|
||||
pki_storage_key_algorithm=%(ipa_key_algorithm)s
|
||||
pki_storage_key_size=%(ipa_key_size)s
|
||||
pki_storage_key_type=%(ipa_key_type)s
|
||||
pki_storage_nickname=storageCert cert-pki-kra
|
||||
pki_storage_signing_algorithm=SHA256withRSA
|
||||
pki_storage_subject_dn=cn=DRM Storage Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||||
pki_storage_token=
|
||||
pki_storage_subject_dn=cn=KRA Storage Certificate,%(ipa_subject_base)s
|
||||
pki_storage_token=%(ipa_token_name)s
|
||||
|
||||
pki_transport_key_algorithm=SHA256withRSA
|
||||
pki_transport_key_size=2048
|
||||
pki_transport_key_type=rsa
|
||||
pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
|
||||
pki_transport_key_algorithm=%(ipa_key_algorithm)s
|
||||
pki_transport_key_size=%(ipa_key_size)s
|
||||
pki_transport_key_type=%(ipa_key_type)s
|
||||
pki_transport_nickname=transportCert cert-pki-kra
|
||||
pki_transport_signing_algorithm=SHA256withRSA
|
||||
pki_transport_subject_dn=cn=DRM Transport Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||||
pki_transport_token=
|
||||
pki_transport_subject_dn=cn=KRA Transport Certificate,%(ipa_subject_base)s
|
||||
pki_transport_token=%(ipa_token_name)s
|
||||
|
||||
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
|
||||
pki_admin_name=%(pki_admin_uid)s
|
||||
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
|
||||
pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||||
pki_admin_uid=kraadmin
|
||||
pki_admin_email=%(ipa_admin_email)s
|
||||
pki_admin_name=%(ipa_admin_user)s
|
||||
pki_admin_nickname=%(ipa_admin_nickname)s
|
||||
pki_admin_subject_dn=cn=%(ipa_admin_nickname)s,%(ipa_subject_base)s
|
||||
pki_admin_uid=%(ipa_admin_user)s
|
||||
|
||||
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA
|
||||
pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
|
||||
pki_audit_signing_nickname=auditSigningCert cert-pki-kra
|
||||
pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
|
||||
|
||||
pki_ds_base_dn=o=%(pki_instance_name)s-KRA
|
||||
pki_ds_database=%(pki_instance_name)s-KRA
|
||||
pki_ds_hostname=%(pki_hostname)s
|
||||
pki_subsystem_name=KRA %(pki_hostname)s %(pki_https_port)s
|
||||
pki_share_db=True
|
||||
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA
|
||||
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(ipa_ds_database)s
|
||||
|
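Review bot: `pki_backup_password=%(pki_admin_password)s`, `pki_client_pkcs12_password=%(pki_admin_password)s` and `pki_security_domain_password=%(pki_admin_password)s` in `[DEFAULT]` make the key-backup PKCS#12, the admin client PKCS#12 and the security-domain login share one secret, so a single disclosure of the admin password also exposes the CA/KRA key backup; if this reuse is intentional (and was merely moved into the template here), a comment above `pki_backup_password` should say so, e.g. `# backup and client PKCS#12 files are protected with the admin password; treat all three as one secret`. Separately, the new `ipa_backup_keys=True` variable is never referenced: `pki_backup_keys=True` stays a literal while every other new `ipa_*` knob is wired through `%(...)s`, so `pki_backup_keys=%(ipa_backup_keys)s` would keep the template consistent. The same applies to `pki_sslserver_token=internal` and `pki_self_signed_token=internal`, which bypass the `%(ipa_token_name)s` indirection the other `*_token` keys use; if that is deliberate for HSM deployments, a one-line comment would stop it being "fixed" later. Because the rendered page has lost its +/- markers, which of these lines are new versus unchanged context could not be confirmed from the hunk alone.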