mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 16:31:08 -06:00
06183a061a
The pki_restart_configured_instance param is no longer used by pkispawn so it has been removed. https://github.com/dogtagpki/pki/blob/master/docs/changes/v11.3.0/Server-Changes.adoc Signed-off-by: Endi S. Dewata <edewata@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
168 lines
4.5 KiB
INI
168 lines
4.5 KiB
INI
#
|
|
# Dogtag PKI configuration file
|
|
#
|
|
# The ipaca_default.ini contains hard-coded defaults that cannot be modified
|
|
# by a user without breaking IPA internals.
|
|
#
|
|
# Note: "%" must be quoted as "%%".
|
|
#
|
|
|
|
[DEFAULT]
|
|
ipa_ca_pem_file=/etc/ipa/ca.crt
|
|
|
|
## dynamic values
|
|
# ipa_ca_subject=
|
|
# ipa_ajp_secret=
|
|
# ipa_subject_base=
|
|
# ipa_fqdn=
|
|
# ipa_ocsp_uri=
|
|
# ipa_admin_cert_p12=
|
|
# ipa_admin_user=
|
|
|
|
# sensitive dynamic values
|
|
# pki_admin_password=
|
|
# pki_ds_password=
|
|
|
|
# Dogtag defaults
|
|
pki_instance_name=pki-tomcat
|
|
pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s
|
|
|
|
pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
|
|
pki_admin_cert_request_type=pkcs10
|
|
pki_admin_dualkey=False
|
|
pki_admin_name=%(ipa_admin_user)s
|
|
pki_admin_nickname=ipa-ca-agent
|
|
pki_admin_subject_dn=cn=ipa-ca-agent,%(ipa_subject_base)s
|
|
pki_admin_uid=%(ipa_admin_user)s
|
|
|
|
pki_ca_hostname=%(pki_security_domain_hostname)s
|
|
pki_ca_port=%(pki_security_domain_https_port)s
|
|
|
|
# nickname and subject are hard-coded
|
|
pki_ca_signing_nickname=caSigningCert cert-pki-ca
|
|
pki_ca_signing_cert_path=%(pki_instance_configuration_path)s/external_ca.cert
|
|
|
|
pki_client_admin_cert_p12=%(ipa_admin_cert_p12)s
|
|
pki_client_database_password=
|
|
pki_client_database_purge=True
|
|
pki_client_dir=%(home_dir)s/.dogtag/%(pki_instance_name)s
|
|
pki_client_pkcs12_password=%(pki_admin_password)s
|
|
pki_ds_bind_dn=cn=Directory Manager
|
|
pki_ds_ldap_port=389
|
|
pki_ds_ldaps_port=636
|
|
# CA: o=ipaca, KRA: o=kra,o=ipaca
|
|
pki_ds_base_dn=o=ipaca
|
|
pki_ds_database=ipaca
|
|
pki_ds_hostname=%(ipa_fqdn)s
|
|
pki_ds_remove_data=True
|
|
pki_ds_secure_connection=False
|
|
pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
|
|
pki_ds_secure_connection_ca_pem_file=%(ipa_ca_pem_file)s
|
|
|
|
pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
|
|
pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
|
|
pki_issuing_ca_uri=https://%(ipa_fqdn)s:443
|
|
pki_issuing_ca=%(pki_issuing_ca_uri)s
|
|
pki_replication_password=
|
|
|
|
pki_enable_proxy=True
|
|
pki_ajp_secret=%(ipa_ajp_secret)s
|
|
pki_security_domain_hostname=%(ipa_fqdn)s
|
|
pki_security_domain_https_port=443
|
|
pki_security_domain_name=IPA
|
|
pki_security_domain_password=%(pki_admin_password)s
|
|
pki_security_domain_user=%(ipa_admin_user)s
|
|
pki_self_signed_token=internal
|
|
|
|
pki_skip_configuration=False
|
|
pki_skip_ds_verify=False
|
|
pki_skip_installation=False
|
|
pki_skip_sd_verify=False
|
|
|
|
pki_sslserver_token=internal
|
|
pki_sslserver_nickname=Server-Cert cert-pki-ca
|
|
pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s
|
|
|
|
# nickname and subject are hard-coded
|
|
pki_subsystem_nickname=subsystemCert cert-pki-ca
|
|
pki_subsystem_subject_dn=cn=CA Subsystem,%(ipa_subject_base)s
|
|
|
|
pki_theme_enable=True
|
|
pki_theme_server_dir=/usr/share/pki/common-ui
|
|
pki_audit_group=pkiaudit
|
|
pki_group=pkiuser
|
|
pki_user=pkiuser
|
|
pki_existing=False
|
|
|
|
pki_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert
|
|
pki_cert_chain_nickname=caSigningCert External CA
|
|
|
|
pki_pkcs12_path=
|
|
pki_pkcs12_password=
|
|
|
|
|
|
[CA]
|
|
pki_ds_base_dn=o=ipaca
|
|
|
|
pki_ca_signing_record_create=True
|
|
pki_ca_signing_serial_number=1
|
|
pki_ca_signing_subject_dn=%(ipa_ca_subject)s
|
|
|
|
pki_ca_signing_csr_path=/root/ipa.csr
|
|
|
|
pki_ca_starting_crl_number=0
|
|
|
|
pki_external=False
|
|
pki_external_step_two=False
|
|
|
|
pki_external_pkcs12_path=%(pki_pkcs12_path)s
|
|
pki_external_pkcs12_password=%(pki_pkcs12_password)s
|
|
pki_import_admin_cert=False
|
|
|
|
pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
|
|
pki_ocsp_signing_subject_dn=cn=OCSP Subsystem,%(ipa_subject_base)s
|
|
|
|
pki_profiles_in_ldap=True
|
|
pki_subordinate=False
|
|
pki_subordinate_create_new_security_domain=False
|
|
|
|
pki_audit_signing_nickname=auditSigningCert cert-pki-ca
|
|
pki_audit_signing_subject_dn=cn=CA Audit,%(ipa_subject_base)s
|
|
|
|
pki_share_db=False
|
|
pki_master_crl_enable=True
|
|
|
|
pki_default_ocsp_uri=%(ipa_ocsp_uri)s
|
|
|
|
pki_serial_number_range_start=1
|
|
pki_serial_number_range_end=10000000
|
|
pki_request_number_range_start=1
|
|
pki_request_number_range_end=10000000
|
|
pki_replica_number_range_start=1
|
|
pki_replica_number_range_end=100
|
|
|
|
|
|
[KRA]
|
|
pki_ds_base_dn=o=kra,o=ipaca
|
|
pki_ds_create_new_db=False
|
|
pki_ds_secure_connection=True
|
|
|
|
pki_import_admin_cert=True
|
|
pki_standalone=False
|
|
|
|
pki_external_step_two=False
|
|
|
|
pki_storage_nickname=storageCert cert-pki-kra
|
|
pki_storage_subject_dn=cn=KRA Storage Certificate,%(ipa_subject_base)s
|
|
|
|
pki_transport_nickname=transportCert cert-pki-kra
|
|
pki_transport_subject_dn=cn=KRA Transport Certificate,%(ipa_subject_base)s
|
|
|
|
pki_audit_signing_nickname=auditSigningCert cert-pki-kra
|
|
pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
|
|
|
|
# Needed because CA and KRA share the same database
|
|
# We will use the dbuser created for the CA.
|
|
pki_share_db=True
|
|
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca
|