mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 07:33:27 -06:00
beaa0562dc
Dogtag has implemented a new random serial number scheme they are calling RSNv3. https://github.com/dogtagpki/pki/wiki/Random-Certificate-Serial-Numbers-v3 Given the known issues reported this will be supported in IPA for new installations only. There is no mixing of random servers and non-random servers allowed. Instructions for installing a CA: https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing-CA-with-Random-Serial-Numbers-v3.adoc Instructions for installing a KRA: https://github.com/dogtagpki/pki/blob/master/docs/installation/kra/Installig-KRA-with-Random-Serial-Numbers-v3.adoc The version of random serial numbers is stored within the CA entry of the server. It is stored as a version to allow for future upgrades. If a CA has RSN enabled then any KRA installed will also have it enabled for its identifiers. A new attribute, ipaCaRandomSerialNumberVersion, is added to the IPA CA entry to track the version number in case PKI has future major revisions. This can also be used to determine if RSN is enabled or not. Fixes: https://pagure.io/freeipa/issue/2016 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
119 lines
3.8 KiB
INI
119 lines
3.8 KiB
INI
#
|
|
# Dogtag PKI configuration file
|
|
#
|
|
# Notes:
|
|
# - "%" must be quoted as "%%".
|
|
# - options in the [CA] and [KRA] section cannot be overriden from options
|
|
# in the [DEFAULT] section
|
|
# - pki_*_token options are hard-coded to pki_token_name
|
|
# - pki_sslserver_token is hard-coded to 'internal'
|
|
# - pki_backup_keys is automatically disabled when HSM support is enabled,
|
|
# as HSM backup is not possible with the default mechanism.
|
|
#
|
|
# Predefined variables
|
|
# - ipa_ca_subject
|
|
# - ipa_ajp_secret
|
|
# - ipa_fqdn
|
|
# - ipa_subject_base
|
|
# - pki_admin_password
|
|
# - pki_dns_domainname
|
|
# - softhsm2_so
|
|
|
|
|
|
[DEFAULT]
|
|
# default algorithms for all certificates
|
|
ipa_key_algorithm=SHA256withRSA
|
|
ipa_key_size=2048
|
|
ipa_key_type=rsa
|
|
ipa_signing_algorithm=SHA256withRSA
|
|
|
|
# Used for IPA CA
|
|
# signing algorithm can be overriden on command line
|
|
ipa_ca_key_algorithm=%(ipa_key_algorithm)s
|
|
ipa_ca_key_size=3072
|
|
ipa_ca_key_type=%(ipa_key_type)s
|
|
ipa_ca_signing_algorithm=%(ipa_signing_algorithm)s
|
|
|
|
# HSM support
|
|
pki_hsm_enable=False
|
|
pki_hsm_libfile=
|
|
pki_hsm_modulename=
|
|
pki_token_name=internal
|
|
# backup is automatically disabled when HSM support is enabled
|
|
pki_backup_keys=True
|
|
pki_backup_password=%(pki_admin_password)s
|
|
|
|
pki_admin_email=root@localhost
|
|
|
|
## auditSigningCert cert-pki-ca / auditSigningCert cert-pki-kra
|
|
pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_audit_signing_key_size=%(ipa_key_size)s
|
|
pki_audit_signing_key_type=%(ipa_key_type)s
|
|
pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s
|
|
pki_audit_signing_token=%(pki_token_name)s
|
|
|
|
# Configures the status request timeout, i.e. the connect/data
|
|
# timeout on the HTTP request to get the status of Dogtag.
|
|
#
|
|
# This configuration is needed in "multiple IP address" scenarios
|
|
# where this server's hostname has multiple IP addresses but the
|
|
# HTTP server is only listening on one of them. Without a timeout,
|
|
# if a "wrong" IP address is tried first, it will take a long time
|
|
# to timeout, exceeding the overall timeout hence the request will
|
|
# not be re-tried. Setting a shorter timeout allows the request
|
|
# to be re-tried.
|
|
#
|
|
# Note that HSMs cause different behaviour so this value might
|
|
# not be suitable for when we implement HSM support. It is
|
|
# known that a value of 5s is too short in HSM environment.
|
|
#
|
|
pki_status_request_timeout=15
|
|
|
|
# for supporting server cert SAN injection
|
|
pki_san_inject=False
|
|
pki_san_for_server_cert=
|
|
|
|
## Server-Cert cert-pki-ca
|
|
pki_sslserver_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_sslserver_key_size=%(ipa_key_size)s
|
|
pki_sslserver_key_type=%(ipa_key_type)s
|
|
|
|
## subsystemCert cert-pki-ca
|
|
pki_subsystem_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_subsystem_key_size=%(ipa_key_size)s
|
|
pki_subsystem_key_type=%(ipa_key_type)s
|
|
pki_subsystem_token=%(pki_token_name)s
|
|
|
|
[CA]
|
|
|
|
## caSigningCert cert-pki-ca
|
|
pki_ca_signing_key_algorithm=%(ipa_ca_key_algorithm)s
|
|
pki_ca_signing_key_size=%(ipa_ca_key_size)s
|
|
pki_ca_signing_key_type=%(ipa_ca_key_type)s
|
|
pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s
|
|
pki_ca_signing_token=%(pki_token_name)s
|
|
|
|
## ocspSigningCert cert-pki-ca
|
|
pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_ocsp_signing_key_size=%(ipa_key_size)s
|
|
pki_ocsp_signing_key_type=%(ipa_key_type)s
|
|
pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s
|
|
pki_ocsp_signing_token=%(pki_token_name)s
|
|
|
|
[KRA]
|
|
pki_kra_ephemeral_requests=True
|
|
|
|
## storageCert cert-pki-kra
|
|
pki_storage_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_storage_key_size=%(ipa_key_size)s
|
|
pki_storage_key_type=%(ipa_key_type)s
|
|
pki_storage_signing_algorithm=%(ipa_signing_algorithm)s
|
|
pki_storage_token=%(pki_token_name)s
|
|
|
|
## transportCert cert-pki-kra
|
|
pki_transport_key_algorithm=%(ipa_key_algorithm)s
|
|
pki_transport_key_size=%(ipa_key_size)s
|
|
pki_transport_key_type=%(ipa_key_type)s
|
|
pki_transport_signing_algorithm=%(ipa_signing_algorithm)s
|
|
pki_transport_token=%(pki_token_name)s
|