freeipa/install/share/ipaca_default.ini
Rob Crittenden 6518a600b4 Change FreeIPA references to IPA and Identity Management
In order to simplify the build process between upstream FreeIPA
and downstream builds (such as CentOS Stream) we are changing
some file references from FreeIPA to IPA (and Identity Management).

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-21 13:51:45 +01:00

170 lines
4.6 KiB
INI

#
# Dogtag PKI configuration file
#
# The ipaca_default.ini contains hard-coded defaults that cannot be modified
# by a user without breaking IPA internals.
#
# Note: "%" must be quoted as "%%".
#
[DEFAULT]
ipa_ca_pem_file=/etc/ipa/ca.crt
## dynamic values
# ipa_ca_subject=
# ipa_ajp_secret=
# ipa_subject_base=
# ipa_fqdn=
# ipa_ocsp_uri=
# ipa_admin_cert_p12=
# ipa_admin_user=
# sensitive dynamic values
# pki_admin_password=
# pki_ds_password=
# Dogtag defaults
pki_instance_name=pki-tomcat
pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s
pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
pki_admin_cert_request_type=pkcs10
pki_admin_dualkey=False
pki_admin_name=%(ipa_admin_user)s
pki_admin_nickname=ipa-ca-agent
pki_admin_subject_dn=cn=ipa-ca-agent,%(ipa_subject_base)s
pki_admin_uid=%(ipa_admin_user)s
pki_ca_hostname=%(pki_security_domain_hostname)s
pki_ca_port=%(pki_security_domain_https_port)s
# nickname and subject are hard-coded
pki_ca_signing_nickname=caSigningCert cert-pki-ca
pki_ca_signing_cert_path=%(pki_instance_configuration_path)s/external_ca.cert
pki_client_admin_cert_p12=%(ipa_admin_cert_p12)s
pki_client_database_password=
pki_client_database_purge=True
pki_client_dir=%(home_dir)s/.dogtag/%(pki_instance_name)s
pki_client_pkcs12_password=%(pki_admin_password)s
pki_ds_bind_dn=cn=Directory Manager
pki_ds_ldap_port=389
pki_ds_ldaps_port=636
# CA: o=ipaca, KRA: o=kra,o=ipaca
pki_ds_base_dn=o=ipaca
pki_ds_database=ipaca
pki_ds_hostname=%(ipa_fqdn)s
pki_ds_remove_data=True
pki_ds_secure_connection=False
pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
pki_ds_secure_connection_ca_pem_file=%(ipa_ca_pem_file)s
pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
pki_issuing_ca_uri=https://%(ipa_fqdn)s:443
pki_issuing_ca=%(pki_issuing_ca_uri)s
pki_replication_password=
pki_enable_proxy=True
pki_ajp_secret=%(ipa_ajp_secret)s
pki_restart_configured_instance=False
pki_security_domain_hostname=%(ipa_fqdn)s
pki_security_domain_https_port=443
pki_security_domain_name=IPA
pki_security_domain_password=%(pki_admin_password)s
pki_security_domain_user=%(ipa_admin_user)s
pki_self_signed_token=internal
pki_skip_configuration=False
pki_skip_ds_verify=False
pki_skip_installation=False
pki_skip_sd_verify=False
pki_sslserver_token=internal
pki_ssl_server_token=%(pki_sslserver_token)s
pki_sslserver_nickname=Server-Cert cert-pki-ca
pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s
# nickname and subject are hard-coded
pki_subsystem_nickname=subsystemCert cert-pki-ca
pki_subsystem_subject_dn=cn=CA Subsystem,%(ipa_subject_base)s
pki_theme_enable=True
pki_theme_server_dir=/usr/share/pki/common-ui
pki_audit_group=pkiaudit
pki_group=pkiuser
pki_user=pkiuser
pki_existing=False
pki_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert
pki_cert_chain_nickname=caSigningCert External CA
pki_pkcs12_path=
pki_pkcs12_password=
[CA]
pki_ds_base_dn=o=ipaca
pki_ca_signing_record_create=True
pki_ca_signing_serial_number=1
pki_ca_signing_subject_dn=%(ipa_ca_subject)s
pki_ca_signing_csr_path=/root/ipa.csr
pki_ca_starting_crl_number=0
pki_external=False
pki_external_step_two=False
pki_external_pkcs12_path=%(pki_pkcs12_path)s
pki_external_pkcs12_password=%(pki_pkcs12_password)s
pki_import_admin_cert=False
pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
pki_ocsp_signing_subject_dn=cn=OCSP Subsystem,%(ipa_subject_base)s
pki_profiles_in_ldap=True
pki_subordinate=False
pki_subordinate_create_new_security_domain=False
pki_audit_signing_nickname=auditSigningCert cert-pki-ca
pki_audit_signing_subject_dn=cn=CA Audit,%(ipa_subject_base)s
pki_share_db=False
pki_master_crl_enable=True
pki_default_ocsp_uri=%(ipa_ocsp_uri)s
pki_serial_number_range_start=1
pki_serial_number_range_end=10000000
pki_request_number_range_start=1
pki_request_number_range_end=10000000
pki_replica_number_range_start=1
pki_replica_number_range_end=100
[KRA]
pki_ds_base_dn=o=kra,o=ipaca
pki_ds_create_new_db=False
pki_ds_secure_connection=True
pki_import_admin_cert=True
pki_standalone=False
pki_external_step_two=False
pki_storage_nickname=storageCert cert-pki-kra
pki_storage_subject_dn=cn=KRA Storage Certificate,%(ipa_subject_base)s
pki_transport_nickname=transportCert cert-pki-kra
pki_transport_subject_dn=cn=KRA Transport Certificate,%(ipa_subject_base)s
pki_audit_signing_nickname=auditSigningCert cert-pki-kra
pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
# Needed because CA and KRA share the same database
# We will use the dbuser created for the CA.
pki_share_db=True
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca