mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-12 09:11:55 -06:00
3ecea7800a
By default, PKI's AJP secret is generated as a 75-bit password. By generating it in IPA, we can guarantee the strength of the AJP secret. It makes sense to use a stronger AJP secret because it typically isn't rotated; access to AJP allows an attacker to impersonate an admin while talking to PKI. Fixes: https://pagure.io/freeipa/issue/8372 Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146 Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447 Related: https://github.com/dogtagpki/pki/pull/437 Signed-off-by: Alexander Scheel <ascheel@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
120 lines
3.8 KiB
INI
120 lines
3.8 KiB
INI
#
|
|
# Dogtag PKI configuration file
|
|
#
|
|
# Notes:
|
|
# - "%" must be quoted as "%%".
|
|
# - options in the [CA] and [KRA] section cannot be overriden from options
|
|
# in the [DEFAULT] section
|
|
# - pki_*_token options are hard-coded to pki_token_name
|
|
# - pki_sslserver_token is hard-coded to 'internal'
|
|
# - pki_backup_keys is automatically disabled when HSM support is enabled,
|
|
# as HSM backup is not possible with the default mechanism.
|
|
#
|
|
# Predefined variables
|
|
# - ipa_ca_subject
|
|
# - ipa_ajp_secret
|
|
# - ipa_fqdn
|
|
# - ipa_subject_base
|
|
# - pki_admin_password
|
|
# - pki_dns_domainname
|
|
# - softhsm2_so
|
|
|
|
|
|
[DEFAULT]
|
|
# default algorithms for all certificates
|
|
ipa_key_algorithm=SHA256withRSA
|
|
ipa_key_size=2048
|
|
ipa_key_type=rsa
|
|
ipa_signing_algorithm=SHA256withRSA
|
|
|
|
# Used for IPA CA
|
|
# signing algorithm can be overriden on command line
|
|
ipa_ca_key_algorithm=%(ipa_key_algorithm)s
|
|
ipa_ca_key_size=3072
|
|
ipa_ca_key_type=%(ipa_key_type)s
|
|
ipa_ca_signing_algorithm=%(ipa_signing_algorithm)s
|
|
|
|
# HSM support
|
|
pki_hsm_enable=False
|
|
pki_hsm_libfile=
|
|
pki_hsm_modulename=
|
|
pki_token_name=internal
|
|
# backup is automatically disabled when HSM support is enabled
|
|
pki_backup_keys=True
|
|
pki_backup_password=%(pki_admin_password)s
|
|
|
|
pki_admin_email=root@localhost
|
|
|
|
## auditSigningCert cert-pki-ca / auditSigningCert cert-pki-kra
|
|
pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_audit_signing_key_size=%(ipa_key_size)s
|
|
pki_audit_signing_key_type=%(ipa_key_type)s
|
|
pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s
|
|
pki_audit_signing_token=%(pki_token_name)s
|
|
|
|
# Configures the status request timeout, i.e. the connect/data
|
|
# timeout on the HTTP request to get the status of Dogtag.
|
|
#
|
|
# This configuration is needed in "multiple IP address" scenarios
|
|
# where this server's hostname has multiple IP addresses but the
|
|
# HTTP server is only listening on one of them. Without a timeout,
|
|
# if a "wrong" IP address is tried first, it will take a long time
|
|
# to timeout, exceeding the overall timeout hence the request will
|
|
# not be re-tried. Setting a shorter timeout allows the request
|
|
# to be re-tried.
|
|
#
|
|
# Note that HSMs cause different behaviour so this value might
|
|
# not be suitable for when we implement HSM support. It is
|
|
# known that a value of 5s is too short in HSM environment.
|
|
#
|
|
pki_status_request_timeout=15
|
|
|
|
# for supporting server cert SAN injection
|
|
pki_san_inject=False
|
|
pki_san_for_server_cert=
|
|
|
|
## Server-Cert cert-pki-ca
|
|
pki_sslserver_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_sslserver_key_size=%(ipa_key_size)s
|
|
pki_sslserver_key_type=%(ipa_key_type)s
|
|
|
|
## subsystemCert cert-pki-ca
|
|
pki_subsystem_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_subsystem_key_size=%(ipa_key_size)s
|
|
pki_subsystem_key_type=%(ipa_key_type)s
|
|
pki_subsystem_token=%(pki_token_name)s
|
|
|
|
[CA]
|
|
pki_random_serial_numbers_enable=False
|
|
|
|
## caSigningCert cert-pki-ca
|
|
pki_ca_signing_key_algorithm=%(ipa_ca_key_algorithm)s
|
|
pki_ca_signing_key_size=%(ipa_ca_key_size)s
|
|
pki_ca_signing_key_type=%(ipa_ca_key_type)s
|
|
pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s
|
|
pki_ca_signing_token=%(pki_token_name)s
|
|
|
|
## ocspSigningCert cert-pki-ca
|
|
pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_ocsp_signing_key_size=%(ipa_key_size)s
|
|
pki_ocsp_signing_key_type=%(ipa_key_type)s
|
|
pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s
|
|
pki_ocsp_signing_token=%(pki_token_name)s
|
|
|
|
[KRA]
|
|
pki_kra_ephemeral_requests=True
|
|
|
|
## storageCert cert-pki-kra
|
|
pki_storage_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_storage_key_size=%(ipa_key_size)s
|
|
pki_storage_key_type=%(ipa_key_type)s
|
|
pki_storage_signing_algorithm=%(ipa_signing_algorithm)s
|
|
pki_storage_token=%(pki_token_name)s
|
|
|
|
## transportCert cert-pki-kra
|
|
pki_transport_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_transport_key_size=%(ipa_key_size)s
|
|
pki_transport_key_type=%(ipa_key_type)s
|
|
pki_transport_signing_algorithm=%(ipa_signing_algorithm)s
|
|
pki_transport_token=%(pki_token_name)s
|