mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
6518a600b4
In order to simplify the build process between upstream FreeIPA and downstream builds (such as CentOS Stream) we are changing some file references from FreeIPA to IPA (and Identity Management). https://pagure.io/freeipa/issue/8669 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
170 lines
4.6 KiB
INI
170 lines
4.6 KiB
INI
#
|
|
# Dogtag PKI configuration file
|
|
#
|
|
# The ipaca_default.ini contains hard-coded defaults that cannot be modified
|
|
# by a user without breaking IPA internals.
|
|
#
|
|
# Note: "%" must be quoted as "%%".
|
|
#
|
|
|
|
[DEFAULT]
|
|
ipa_ca_pem_file=/etc/ipa/ca.crt
|
|
|
|
## dynamic values
|
|
# ipa_ca_subject=
|
|
# ipa_ajp_secret=
|
|
# ipa_subject_base=
|
|
# ipa_fqdn=
|
|
# ipa_ocsp_uri=
|
|
# ipa_admin_cert_p12=
|
|
# ipa_admin_user=
|
|
|
|
# sensitive dynamic values
|
|
# pki_admin_password=
|
|
# pki_ds_password=
|
|
|
|
# Dogtag defaults
|
|
pki_instance_name=pki-tomcat
|
|
pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s
|
|
|
|
pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
|
|
pki_admin_cert_request_type=pkcs10
|
|
pki_admin_dualkey=False
|
|
pki_admin_name=%(ipa_admin_user)s
|
|
pki_admin_nickname=ipa-ca-agent
|
|
pki_admin_subject_dn=cn=ipa-ca-agent,%(ipa_subject_base)s
|
|
pki_admin_uid=%(ipa_admin_user)s
|
|
|
|
pki_ca_hostname=%(pki_security_domain_hostname)s
|
|
pki_ca_port=%(pki_security_domain_https_port)s
|
|
|
|
# nickname and subject are hard-coded
|
|
pki_ca_signing_nickname=caSigningCert cert-pki-ca
|
|
pki_ca_signing_cert_path=%(pki_instance_configuration_path)s/external_ca.cert
|
|
|
|
pki_client_admin_cert_p12=%(ipa_admin_cert_p12)s
|
|
pki_client_database_password=
|
|
pki_client_database_purge=True
|
|
pki_client_dir=%(home_dir)s/.dogtag/%(pki_instance_name)s
|
|
pki_client_pkcs12_password=%(pki_admin_password)s
|
|
pki_ds_bind_dn=cn=Directory Manager
|
|
pki_ds_ldap_port=389
|
|
pki_ds_ldaps_port=636
|
|
# CA: o=ipaca, KRA: o=kra,o=ipaca
|
|
pki_ds_base_dn=o=ipaca
|
|
pki_ds_database=ipaca
|
|
pki_ds_hostname=%(ipa_fqdn)s
|
|
pki_ds_remove_data=True
|
|
pki_ds_secure_connection=False
|
|
pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
|
|
pki_ds_secure_connection_ca_pem_file=%(ipa_ca_pem_file)s
|
|
|
|
pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
|
|
pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
|
|
pki_issuing_ca_uri=https://%(ipa_fqdn)s:443
|
|
pki_issuing_ca=%(pki_issuing_ca_uri)s
|
|
pki_replication_password=
|
|
|
|
pki_enable_proxy=True
|
|
pki_ajp_secret=%(ipa_ajp_secret)s
|
|
pki_restart_configured_instance=False
|
|
pki_security_domain_hostname=%(ipa_fqdn)s
|
|
pki_security_domain_https_port=443
|
|
pki_security_domain_name=IPA
|
|
pki_security_domain_password=%(pki_admin_password)s
|
|
pki_security_domain_user=%(ipa_admin_user)s
|
|
pki_self_signed_token=internal
|
|
|
|
pki_skip_configuration=False
|
|
pki_skip_ds_verify=False
|
|
pki_skip_installation=False
|
|
pki_skip_sd_verify=False
|
|
|
|
pki_sslserver_token=internal
|
|
pki_ssl_server_token=%(pki_sslserver_token)s
|
|
pki_sslserver_nickname=Server-Cert cert-pki-ca
|
|
pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s
|
|
|
|
# nickname and subject are hard-coded
|
|
pki_subsystem_nickname=subsystemCert cert-pki-ca
|
|
pki_subsystem_subject_dn=cn=CA Subsystem,%(ipa_subject_base)s
|
|
|
|
pki_theme_enable=True
|
|
pki_theme_server_dir=/usr/share/pki/common-ui
|
|
pki_audit_group=pkiaudit
|
|
pki_group=pkiuser
|
|
pki_user=pkiuser
|
|
pki_existing=False
|
|
|
|
pki_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert
|
|
pki_cert_chain_nickname=caSigningCert External CA
|
|
|
|
pki_pkcs12_path=
|
|
pki_pkcs12_password=
|
|
|
|
|
|
[CA]
|
|
pki_ds_base_dn=o=ipaca
|
|
|
|
pki_ca_signing_record_create=True
|
|
pki_ca_signing_serial_number=1
|
|
pki_ca_signing_subject_dn=%(ipa_ca_subject)s
|
|
|
|
pki_ca_signing_csr_path=/root/ipa.csr
|
|
|
|
pki_ca_starting_crl_number=0
|
|
|
|
pki_external=False
|
|
pki_external_step_two=False
|
|
|
|
pki_external_pkcs12_path=%(pki_pkcs12_path)s
|
|
pki_external_pkcs12_password=%(pki_pkcs12_password)s
|
|
pki_import_admin_cert=False
|
|
|
|
pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
|
|
pki_ocsp_signing_subject_dn=cn=OCSP Subsystem,%(ipa_subject_base)s
|
|
|
|
pki_profiles_in_ldap=True
|
|
pki_subordinate=False
|
|
pki_subordinate_create_new_security_domain=False
|
|
|
|
pki_audit_signing_nickname=auditSigningCert cert-pki-ca
|
|
pki_audit_signing_subject_dn=cn=CA Audit,%(ipa_subject_base)s
|
|
|
|
pki_share_db=False
|
|
pki_master_crl_enable=True
|
|
|
|
pki_default_ocsp_uri=%(ipa_ocsp_uri)s
|
|
|
|
pki_serial_number_range_start=1
|
|
pki_serial_number_range_end=10000000
|
|
pki_request_number_range_start=1
|
|
pki_request_number_range_end=10000000
|
|
pki_replica_number_range_start=1
|
|
pki_replica_number_range_end=100
|
|
|
|
|
|
[KRA]
|
|
pki_ds_base_dn=o=kra,o=ipaca
|
|
pki_ds_create_new_db=False
|
|
pki_ds_secure_connection=True
|
|
|
|
pki_import_admin_cert=True
|
|
pki_standalone=False
|
|
|
|
pki_external_step_two=False
|
|
|
|
pki_storage_nickname=storageCert cert-pki-kra
|
|
pki_storage_subject_dn=cn=KRA Storage Certificate,%(ipa_subject_base)s
|
|
|
|
pki_transport_nickname=transportCert cert-pki-kra
|
|
pki_transport_subject_dn=cn=KRA Transport Certificate,%(ipa_subject_base)s
|
|
|
|
pki_audit_signing_nickname=auditSigningCert cert-pki-kra
|
|
pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
|
|
|
|
# Needed because CA and KRA share the same database
|
|
# We will use the dbuser created for the CA.
|
|
pki_share_db=True
|
|
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca
|