freeipa/install/share/ipaca_customize.ini
Christian Heimes dd47cfc75a Add pki.ini override option
Allow to specify a pki.ini overlay file on the command line. The override
file can be used to override pkispawn settings.

Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-10 13:43:23 +02:00

124 lines
3.9 KiB
INI

#
# Dogtag PKI configuration file
#
# Notes:
# - "%" must be quoted as "%%".
# - options in the [CA] and [KRA] section cannot be overriden from options
# in the [DEFAULT] section
# - pki_*_token options are hard-coded to pki_token_name
# - pki_sslserver_token is hard-coded to 'internal'
# - pki_backup_keys is automatically disabled when HSM support is enabled,
# as HSM backup is not possible with the default mechanism.
#
# Predefined variables
# - ipa_ca_subject
# - ipa_ds_base_dn
# - ipa_fqdn
# - ipa_subject_base
# - pki_admin_password
# - pki_dns_domainname
# - softhsm2_so
[DEFAULT]
# default algorithms for all certificates
ipa_key_algorithm=SHA256withRSA
ipa_key_size=2048
ipa_key_type=rsa
ipa_signing_algorithm=SHA256withRSA
# Used for IPA CA
# signing algorithm can be overriden on command line
ipa_ca_signing_algorithm=%(ipa_key_algorithm)s
ipa_ca_key_size=%(ipa_key_size)s
ipa_ca_key_type=%(ipa_key_type)s
# HSM support
pki_hsm_enable=False
pki_hsm_libfile=
pki_hsm_modulename=
pki_token_name=internal
# backup is automatically disabled when HSM support is enabled
pki_backup_keys=True
pki_backup_password=%(pki_admin_password)s
pki_admin_email=root@localhost
## auditSigningCert cert-pki-ca / auditSigningCert cert-pki-kra
pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s
pki_audit_signing_key_size=%(ipa_key_size)s
pki_audit_signing_key_type=%(ipa_key_type)s
pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s
pki_audit_signing_token=%(pki_token_name)s
# Configures the status request timeout, i.e. the connect/data
# timeout on the HTTP request to get the status of Dogtag.
#
# This configuration is needed in "multiple IP address" scenarios
# where this server's hostname has multiple IP addresses but the
# HTTP server is only listening on one of them. Without a timeout,
# if a "wrong" IP address is tried first, it will take a long time
# to timeout, exceeding the overall timeout hence the request will
# not be re-tried. Setting a shorter timeout allows the request
# to be re-tried.
#
# Note that HSMs cause different behaviour so this value might
# not be suitable for when we implement HSM support. It is
# known that a value of 5s is too short in HSM environment.
#
pki_status_request_timeout=15
# for supporting server cert SAN injection
pki_san_inject=False
pki_san_for_server_cert=
## Server-Cert cert-pki-ca
pki_sslserver_key_algorithm=%(ipa_key_algorithm)s
pki_sslserver_key_size=%(ipa_key_size)s
pki_sslserver_key_type=%(ipa_key_type)s
## subsystemCert cert-pki-ca
pki_subsystem_key_algorithm=%(ipa_key_algorithm)s
pki_subsystem_key_size=%(ipa_key_size)s
pki_subsystem_key_type=%(ipa_key_type)s
pki_subsystem_token=%(pki_token_name)s
[CA]
pki_random_serial_numbers_enable=False
## caSigningCert cert-pki-ca
pki_ca_signing_key_algorithm=%(ipa_ca_signing_algorithm)s
pki_ca_signing_key_size=%(ipa_ca_key_size)s
pki_ca_signing_key_type=%(ipa_ca_key_type)s
pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s
pki_ca_signing_token=%(pki_token_name)s
# MS subca request ext data
pki_req_ext_oid=1.3.6.1.4.1.311.20.2
pki_req_ext_critical=False
pki_req_ext_data=1E0A00530075006200430041
## ocspSigningCert cert-pki-ca
pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s
pki_ocsp_signing_key_size=%(ipa_key_size)s
pki_ocsp_signing_key_type=%(ipa_key_type)s
pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s
pki_ocsp_signing_token=%(pki_token_name)s
[KRA]
pki_kra_ephemeral_requests=True
## storageCert cert-pki-kra
pki_storage_key_algorithm=%(ipa_key_algorithm)s
pki_storage_key_size=%(ipa_key_size)s
pki_storage_key_type=%(ipa_key_type)s
pki_storage_signing_algorithm=%(ipa_signing_algorithm)s
pki_storage_token=%(pki_token_name)s
## transportCert cert-pki-kra
pki_transport_key_algorithm=%(ipa_key_algorithm)s
pki_transport_key_size=%(ipa_key_size)s
pki_transport_key_type=%(ipa_key_type)s
pki_transport_signing_algorithm=%(ipa_signing_algorithm)s
pki_transport_token=%(pki_token_name)s