# # Dogtag PKI configuration file # # The ipaca_default.ini contains hard-coded defaults that cannot be modified # by a user without breaking FreeIPA internals. # # Note: "%" must be quoted as "%%". # [DEFAULT] ipa_ca_pem_file=/etc/ipa/ca.crt ## dynamic values # ipa_ca_subject= # ipa_subject_base= # ipa_fqdn= # ipa_ocsp_uri= # ipa_admin_cert_p12= # ipa_admin_user= # sensitive dynamic values # pki_admin_password= # pki_ds_password= # Dogtag defaults pki_instance_name=pki-tomcat pki_configuration_path=/etc/pki pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert pki_admin_cert_request_type=pkcs10 pki_admin_dualkey=False pki_admin_name=%(ipa_admin_user)s pki_admin_nickname=ipa-ca-agent pki_admin_subject_dn=cn=ipa-ca-agent,%(ipa_subject_base)s pki_admin_uid=%(ipa_admin_user)s pki_ca_hostname=%(pki_security_domain_hostname)s pki_ca_port=%(pki_security_domain_https_port)s # nickname and subject are hard-coded pki_ca_signing_nickname=caSigningCert cert-pki-ca pki_ca_signing_cert_path=%(pki_instance_configuration_path)s/external_ca.cert pki_client_admin_cert_p12=%(ipa_admin_cert_p12)s pki_client_database_password= pki_client_database_purge=True pki_client_dir=%(home_dir)s/.dogtag/%(pki_instance_name)s pki_client_pkcs12_password=%(pki_admin_password)s pki_ds_bind_dn=cn=Directory Manager pki_ds_ldap_port=389 pki_ds_ldaps_port=636 # CA: o=ipaca, KRA: o=kra,o=ipaca pki_ds_base_dn=o=ipaca pki_ds_database=ipaca pki_ds_hostname=%(ipa_fqdn)s pki_ds_remove_data=True pki_ds_secure_connection=False pki_ds_secure_connection_ca_nickname=Directory Server CA certificate pki_ds_secure_connection_ca_pem_file=%(ipa_ca_pem_file)s pki_issuing_ca_hostname=%(pki_security_domain_hostname)s pki_issuing_ca_https_port=%(pki_security_domain_https_port)s pki_issuing_ca_uri=https://%(ipa_fqdn)s:443 pki_issuing_ca=%(pki_issuing_ca_uri)s pki_replication_password= pki_enable_proxy=True pki_restart_configured_instance=False pki_security_domain_hostname=%(ipa_fqdn)s pki_security_domain_https_port=443 pki_security_domain_name=IPA pki_security_domain_password=%(pki_admin_password)s pki_security_domain_user=%(ipa_admin_user)s pki_self_signed_token=internal pki_skip_configuration=False pki_skip_ds_verify=False pki_skip_installation=False pki_skip_sd_verify=False pki_sslserver_token=internal pki_ssl_server_token=%(pki_sslserver_token)s pki_sslserver_nickname=Server-Cert cert-pki-ca pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s # nickname and subject are hard-coded pki_subsystem_nickname=subsystemCert cert-pki-ca pki_subsystem_subject_dn=cn=CA Subsystem,%(ipa_subject_base)s pki_theme_enable=True pki_theme_server_dir=/usr/share/pki/common-ui pki_audit_group=pkiaudit pki_group=pkiuser pki_user=pkiuser pki_existing=False pki_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert pki_cert_chain_nickname=caSigningCert External CA pki_pkcs12_path= pki_pkcs12_password= [CA] pki_ds_base_dn=o=ipaca pki_ca_signing_record_create=True pki_ca_signing_serial_number=1 pki_ca_signing_subject_dn=%(ipa_ca_subject)s pki_ca_signing_csr_path=/root/ipa.csr pki_ca_starting_crl_number=0 pki_external=False pki_external_step_two=False pki_external_pkcs12_path=%(pki_pkcs12_path)s pki_external_pkcs12_password=%(pki_pkcs12_password)s pki_import_admin_cert=False pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca pki_ocsp_signing_subject_dn=cn=OCSP Subsystem,%(ipa_subject_base)s pki_profiles_in_ldap=True pki_subordinate=False pki_subordinate_create_new_security_domain=False pki_audit_signing_nickname=auditSigningCert cert-pki-ca pki_audit_signing_subject_dn=cn=CA Audit,%(ipa_subject_base)s pki_share_db=False pki_master_crl_enable=True pki_default_ocsp_uri=%(ipa_ocsp_uri)s pki_serial_number_range_start=1 pki_serial_number_range_end=10000000 pki_request_number_range_start=1 pki_request_number_range_end=10000000 pki_replica_number_range_start=1 pki_replica_number_range_end=100 [KRA] pki_ds_base_dn=o=kra,o=ipaca pki_ds_create_new_db=False pki_ds_secure_connection=True pki_import_admin_cert=True pki_standalone=False pki_external_step_two=False pki_storage_nickname=storageCert cert-pki-kra pki_storage_subject_dn=cn=KRA Storage Certificate,%(ipa_subject_base)s pki_transport_nickname=transportCert cert-pki-kra pki_transport_subject_dn=cn=KRA Transport Certificate,%(ipa_subject_base)s pki_audit_signing_nickname=auditSigningCert cert-pki-kra pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s # Needed because CA and KRA share the same database # We will use the dbuser created for the CA. pki_share_db=True pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca