# # Dogtag PKI configuration file # # Notes: # - "%" must be quoted as "%%". # - options in the [CA] and [KRA] section cannot be overriden from options # in the [DEFAULT] section # - pki_*_token options are hard-coded to pki_token_name # - pki_sslserver_token is hard-coded to 'internal' # - pki_backup_keys is automatically disabled when HSM support is enabled, # as HSM backup is not possible with the default mechanism. # # Predefined variables # - ipa_ca_subject # - ipa_fqdn # - ipa_subject_base # - pki_admin_password # - pki_dns_domainname # - softhsm2_so [DEFAULT] # default algorithms for all certificates ipa_key_algorithm=SHA256withRSA ipa_key_size=2048 ipa_key_type=rsa ipa_signing_algorithm=SHA256withRSA # Used for IPA CA # signing algorithm can be overriden on command line ipa_ca_key_algorithm=%(ipa_key_algorithm)s ipa_ca_key_size=3072 ipa_ca_key_type=%(ipa_key_type)s ipa_ca_signing_algorithm=%(ipa_signing_algorithm)s # HSM support pki_hsm_enable=False pki_hsm_libfile= pki_hsm_modulename= pki_token_name=internal # backup is automatically disabled when HSM support is enabled pki_backup_keys=True pki_backup_password=%(pki_admin_password)s pki_admin_email=root@localhost ## auditSigningCert cert-pki-ca / auditSigningCert cert-pki-kra pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s pki_audit_signing_key_size=%(ipa_key_size)s pki_audit_signing_key_type=%(ipa_key_type)s pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s pki_audit_signing_token=%(pki_token_name)s # Configures the status request timeout, i.e. the connect/data # timeout on the HTTP request to get the status of Dogtag. # # This configuration is needed in "multiple IP address" scenarios # where this server's hostname has multiple IP addresses but the # HTTP server is only listening on one of them. Without a timeout, # if a "wrong" IP address is tried first, it will take a long time # to timeout, exceeding the overall timeout hence the request will # not be re-tried. Setting a shorter timeout allows the request # to be re-tried. # # Note that HSMs cause different behaviour so this value might # not be suitable for when we implement HSM support. It is # known that a value of 5s is too short in HSM environment. # pki_status_request_timeout=15 # for supporting server cert SAN injection pki_san_inject=False pki_san_for_server_cert= ## Server-Cert cert-pki-ca pki_sslserver_key_algorithm=%(ipa_key_algorithm)s pki_sslserver_key_size=%(ipa_key_size)s pki_sslserver_key_type=%(ipa_key_type)s ## subsystemCert cert-pki-ca pki_subsystem_key_algorithm=%(ipa_key_algorithm)s pki_subsystem_key_size=%(ipa_key_size)s pki_subsystem_key_type=%(ipa_key_type)s pki_subsystem_token=%(pki_token_name)s [CA] pki_random_serial_numbers_enable=False ## caSigningCert cert-pki-ca pki_ca_signing_key_algorithm=%(ipa_ca_key_algorithm)s pki_ca_signing_key_size=%(ipa_ca_key_size)s pki_ca_signing_key_type=%(ipa_ca_key_type)s pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s pki_ca_signing_token=%(pki_token_name)s # MS subca request ext data pki_req_ext_oid=1.3.6.1.4.1.311.20.2 pki_req_ext_critical=False pki_req_ext_data=1E0A00530075006200430041 ## ocspSigningCert cert-pki-ca pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s pki_ocsp_signing_key_size=%(ipa_key_size)s pki_ocsp_signing_key_type=%(ipa_key_type)s pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s pki_ocsp_signing_token=%(pki_token_name)s [KRA] pki_kra_ephemeral_requests=True ## storageCert cert-pki-kra pki_storage_key_algorithm=%(ipa_key_algorithm)s pki_storage_key_size=%(ipa_key_size)s pki_storage_key_type=%(ipa_key_type)s pki_storage_signing_algorithm=%(ipa_signing_algorithm)s pki_storage_token=%(pki_token_name)s ## transportCert cert-pki-kra pki_transport_key_algorithm=%(ipa_key_algorithm)s pki_transport_key_size=%(ipa_key_size)s pki_transport_key_type=%(ipa_key_type)s pki_transport_signing_algorithm=%(ipa_signing_algorithm)s pki_transport_token=%(pki_token_name)s