mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-11 08:41:55 -06:00
21a9a7107a
Commit dd47cfc75a
removed the ability
to set pki_req_ext_oid and pki_req_ext_data in the pkispawn config.
This results in the --external-ca-profile option never setting the
requested values in the CSR (the default V1 template type specifying
"SubCA" is always used).
Remove relevant fields from both ipaca_default.ini and
ipaca_customize.ini. This allows the IPA framework to set the
values (i.e. when --external-ca-type=ms-cs and
--external-ca-profile=... demand it). It also allows users to
override the pki_req_ext_* settings.
Part of: https://pagure.io/freeipa/issue/7548
Related: https://pagure.io/freeipa/issue/5608
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
119 lines
3.8 KiB
INI
119 lines
3.8 KiB
INI
#
|
|
# Dogtag PKI configuration file
|
|
#
|
|
# Notes:
|
|
# - "%" must be quoted as "%%".
|
|
# - options in the [CA] and [KRA] section cannot be overriden from options
|
|
# in the [DEFAULT] section
|
|
# - pki_*_token options are hard-coded to pki_token_name
|
|
# - pki_sslserver_token is hard-coded to 'internal'
|
|
# - pki_backup_keys is automatically disabled when HSM support is enabled,
|
|
# as HSM backup is not possible with the default mechanism.
|
|
#
|
|
# Predefined variables
|
|
# - ipa_ca_subject
|
|
# - ipa_fqdn
|
|
# - ipa_subject_base
|
|
# - pki_admin_password
|
|
# - pki_dns_domainname
|
|
# - softhsm2_so
|
|
|
|
|
|
[DEFAULT]
|
|
# default algorithms for all certificates
|
|
ipa_key_algorithm=SHA256withRSA
|
|
ipa_key_size=2048
|
|
ipa_key_type=rsa
|
|
ipa_signing_algorithm=SHA256withRSA
|
|
|
|
# Used for IPA CA
|
|
# signing algorithm can be overriden on command line
|
|
ipa_ca_key_algorithm=%(ipa_key_algorithm)s
|
|
ipa_ca_key_size=3072
|
|
ipa_ca_key_type=%(ipa_key_type)s
|
|
ipa_ca_signing_algorithm=%(ipa_signing_algorithm)s
|
|
|
|
# HSM support
|
|
pki_hsm_enable=False
|
|
pki_hsm_libfile=
|
|
pki_hsm_modulename=
|
|
pki_token_name=internal
|
|
# backup is automatically disabled when HSM support is enabled
|
|
pki_backup_keys=True
|
|
pki_backup_password=%(pki_admin_password)s
|
|
|
|
pki_admin_email=root@localhost
|
|
|
|
## auditSigningCert cert-pki-ca / auditSigningCert cert-pki-kra
|
|
pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_audit_signing_key_size=%(ipa_key_size)s
|
|
pki_audit_signing_key_type=%(ipa_key_type)s
|
|
pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s
|
|
pki_audit_signing_token=%(pki_token_name)s
|
|
|
|
# Configures the status request timeout, i.e. the connect/data
|
|
# timeout on the HTTP request to get the status of Dogtag.
|
|
#
|
|
# This configuration is needed in "multiple IP address" scenarios
|
|
# where this server's hostname has multiple IP addresses but the
|
|
# HTTP server is only listening on one of them. Without a timeout,
|
|
# if a "wrong" IP address is tried first, it will take a long time
|
|
# to timeout, exceeding the overall timeout hence the request will
|
|
# not be re-tried. Setting a shorter timeout allows the request
|
|
# to be re-tried.
|
|
#
|
|
# Note that HSMs cause different behaviour so this value might
|
|
# not be suitable for when we implement HSM support. It is
|
|
# known that a value of 5s is too short in HSM environment.
|
|
#
|
|
pki_status_request_timeout=15
|
|
|
|
# for supporting server cert SAN injection
|
|
pki_san_inject=False
|
|
pki_san_for_server_cert=
|
|
|
|
## Server-Cert cert-pki-ca
|
|
pki_sslserver_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_sslserver_key_size=%(ipa_key_size)s
|
|
pki_sslserver_key_type=%(ipa_key_type)s
|
|
|
|
## subsystemCert cert-pki-ca
|
|
pki_subsystem_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_subsystem_key_size=%(ipa_key_size)s
|
|
pki_subsystem_key_type=%(ipa_key_type)s
|
|
pki_subsystem_token=%(pki_token_name)s
|
|
|
|
[CA]
|
|
pki_random_serial_numbers_enable=False
|
|
|
|
## caSigningCert cert-pki-ca
|
|
pki_ca_signing_key_algorithm=%(ipa_ca_key_algorithm)s
|
|
pki_ca_signing_key_size=%(ipa_ca_key_size)s
|
|
pki_ca_signing_key_type=%(ipa_ca_key_type)s
|
|
pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s
|
|
pki_ca_signing_token=%(pki_token_name)s
|
|
|
|
## ocspSigningCert cert-pki-ca
|
|
pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_ocsp_signing_key_size=%(ipa_key_size)s
|
|
pki_ocsp_signing_key_type=%(ipa_key_type)s
|
|
pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s
|
|
pki_ocsp_signing_token=%(pki_token_name)s
|
|
|
|
[KRA]
|
|
pki_kra_ephemeral_requests=True
|
|
|
|
## storageCert cert-pki-kra
|
|
pki_storage_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_storage_key_size=%(ipa_key_size)s
|
|
pki_storage_key_type=%(ipa_key_type)s
|
|
pki_storage_signing_algorithm=%(ipa_signing_algorithm)s
|
|
pki_storage_token=%(pki_token_name)s
|
|
|
|
## transportCert cert-pki-kra
|
|
pki_transport_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_transport_key_size=%(ipa_key_size)s
|
|
pki_transport_key_type=%(ipa_key_type)s
|
|
pki_transport_signing_algorithm=%(ipa_signing_algorithm)s
|
|
pki_transport_token=%(pki_token_name)s
|