pki_default.cfg(5)        PKI Default Instance Configuration        pki_default.cfg(5)

NAME
   pki_default.cfg - Certificate Server instance default config file.

LOCATION
   /etc/pki/default.cfg

DESCRIPTION
   This file contains the default settings for a Certificate Server
   instance created using pkispawn. This file should not be edited, as it
   can be modified when the Certificate Server packages are updated.
   Instead, when setting up a Certificate Server instance, a user should
   provide pkispawn with a configuration file containing overrides to the
   defaults in /etc/pki/default.cfg. See pkispawn(8) for details.

SECTIONS
   default.cfg contains parameters that are grouped into sections. These
   sections are stacked, so that parameters defined in earlier sections
   can be overwritten by parameters defined in later sections. The
   sections are read in the following order: [DEFAULT], [Tomcat], and the
   subsystem section ([CA], [KRA], [OCSP], [TKS], or [TPS]). This allows
   parameters shared by all subsystems to be specified in [DEFAULT] or
   [Tomcat], with subsystem-specific customization in the subsystem
   section.

   A small number of bootstrap parameters are passed into the
   configuration file by pkispawn itself. Other parameters' values can be
   interpolated tokens rather than explicit values. For example:

       pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA

   This substitutes the value of pki_instance_name into the parameter
   value. It is possible to interpolate any non-password parameter within
   a section or in [DEFAULT]. Any parameter used in interpolation can ONLY
   be overridden within the same section in which it is defined. So, for
   example, pki_instance_name should only be overridden in [DEFAULT];
   otherwise, interpolations can fail.

   Note: Any non-password parameter value in the configuration file that
   needs to contain a % character must be properly escaped. For example,
   a value of foo%bar would be specified as foo%%bar in the configuration
   file.

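   The stacking, interpolation and %% escaping rules above, as an added
   illustration written for this page (it is not pkispawn's own loader).
   It uses Python's configparser, the library pkispawn is built on; the
   two configuration texts are constructed stand-ins for default.cfg and
   an override file, and the parameter names are the ones documented
   here. It also adds the check a practitioner wants before running
   pkispawn: which overrides redefine, outside [DEFAULT], a parameter that
   [DEFAULT] values interpolate.

```python
"""Added illustration of the section stacking and interpolation rules,
written for this page rather than taken from pkispawn; built on Python's
configparser.  Configuration texts below are constructed stand-ins."""
import configparser
import re

# Constructed excerpt standing in for /etc/pki/default.cfg.
DEFAULT_CFG = """
[DEFAULT]
pki_instance_name=pki-tomcat
pki_https_port=8443
pki_ds_base_dn=o=%(pki_instance_name)s-%(pki_subsystem_type)s

[Tomcat]
pki_enable_access_log=True

[CA]
pki_subsystem_type=ca
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
"""

# Constructed override file as passed to pkispawn -f: pki_instance_name is
# overridden in [DEFAULT], the section that defines it, and the nickname
# shows %% escaping a literal percent sign.
OVERRIDE_CFG = """
[DEFAULT]
pki_instance_name=pki-prod
pki_https_port=443

[CA]
pki_ca_signing_nickname=caSigningCert 100%% cert-%(pki_instance_name)s CA
"""

# Constructed override that breaks the rule: an interpolated parameter is
# redefined in a subsystem section instead of [DEFAULT].
BAD_OVERRIDE_CFG = """
[CA]
pki_instance_name=pki-prod
"""

STACK_ORDER = ("DEFAULT", "Tomcat")      # then the subsystem section
_REF = re.compile(r"%\(([^)]+)\)s")


def _interpolate(value, scope, depth=0):
    """Expand %(name)s from `scope` and turn %% into %, as configparser's
    BasicInterpolation does: a bare % or an undefined name is an error."""
    if depth > 10:
        raise ValueError(f"interpolation too deep in {value!r}")
    out, i = [], 0
    while i < len(value):
        if value[i] != "%":
            out.append(value[i])
            i += 1
        elif value.startswith("%%", i):      # escaped literal percent sign
            out.append("%")
            i += 2
        else:
            m = _REF.match(value, i)
            if m is None:
                raise ValueError(f"bare '%' in {value!r}; write %% for a literal")
            if m.group(1) not in scope:
                raise KeyError(f"{value!r} references undefined {m.group(1)}")
            out.append(_interpolate(scope[m.group(1)], scope, depth + 1))
            i = m.end()
    return "".join(out)


def _parser(text, default_section="DEFAULT"):
    p = configparser.ConfigParser(interpolation=None,
                                  default_section=default_section)
    p.optionxform = str                  # parameter names are case-sensitive
    p.read_string(text)
    return p


def load_deployment_config(default_text, override_text, subsystem):
    """Effective parameters for `subsystem`: defaults read first, override
    file second (same key in the same section: override wins), then the
    sections flattened in the documented order [DEFAULT], [Tomcat],
    [<subsystem>], later sections overwriting earlier ones."""
    parser = _parser(default_text)
    parser.read_string(override_text)
    raw = {}
    for section in STACK_ORDER + (subsystem,):
        if section == "DEFAULT":
            raw.update(parser.defaults())
        elif parser.has_section(section):
            raw.update(parser.items(section, raw=True))
    return {name: _interpolate(value, raw) for name, value in raw.items()}


def overrides_in_wrong_section(default_text, override_text):
    """(section, name) pairs where the override file redefines, outside
    [DEFAULT], a parameter that [DEFAULT] values interpolate."""
    referenced = set()
    for value in _parser(default_text).defaults().values():
        referenced.update(_REF.findall(value))
    # An unused default-section name makes [DEFAULT] an ordinary section,
    # so options() lists only the keys written under each header.
    overrides = _parser(override_text, default_section="__none__")
    return [(section, name)
            for section in overrides.sections() if section != "DEFAULT"
            for name in overrides.options(section) if name in referenced]
```

   load_deployment_config(DEFAULT_CFG, OVERRIDE_CFG, "CA") yields the
   [CA] view with the overridden instance name substituted everywhere,
   and overrides_in_wrong_section() flags BAD_OVERRIDE_CFG, where
   pki_instance_name is redefined under [CA] even though [DEFAULT] values
   depend on it.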
PRE-CHECK PARAMETERS
   Once the configuration parameters have been constructed from the above
   sections and overrides, pkispawn performs a series of basic tests to
   determine whether the parameters being passed in are valid and
   consistent, before starting any installation. In pre-check mode, these
   tests are executed and then pkispawn exits.

   It is possible to disable specific tests by setting the directives
   below. All of these tests should pass to ensure a successful
   installation, but it may be reasonable to skip tests in pre-check mode.
   Skipping a test only suppresses the check; the credentials it would
   have verified are still needed when the installation proper runs.

   pki_skip_ds_verify
          Skip verification of the Directory Server credentials. In this
          test, pkispawn attempts to bind to the Directory Server instance
          for the internal database using the provided credentials. This
          could be skipped if the Directory Server instance does not yet
          exist or is inaccessible. Defaults to False.

   pki_skip_sd_verify
          Skip verification of the security domain user/password. In this
          test, pkispawn attempts to log onto the security domain using
          the provided credentials. This can be skipped if the security
          domain is unavailable. Defaults to False.

GENERAL INSTANCE PARAMETERS
   The parameters described below, as well as the parameters located in
   the following sections, can be customized as part of a deployment.
   This list is not exhaustive.

   pki_instance_name
          Name of the instance. The instance is located at
          /var/lib/pki/<instance_name>. For Java subsystems, the default
          is pki-tomcat.

   pki_https_port, pki_http_port
          Secure and non-secure ports. Default to the standard Tomcat
          ports 8443 and 8080, respectively, for Java subsystems.

   pki_ajp_port, pki_tomcat_server_port
          AJP connector port and Tomcat shutdown port for Tomcat
          subsystems. Default to the standard Tomcat ports 8009 and 8005,
          respectively.

   pki_ajp_host
          Host on which to listen for AJP requests. Defaults to localhost
          so that only local traffic (for example, from a proxy on the
          same machine) is accepted.

   pki_proxy_http_port, pki_proxy_https_port, pki_enable_proxy
          Ports for an Apache proxy server. Certificate Server instances
          can be run behind an Apache proxy server, which communicates
          with the Tomcat instance through the AJP port. See the Red Hat
          Certificate System documentation at
          https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/
          for details.

   pki_user, pki_group, pki_audit_group
          The user, group, and auditor group identities for PKI
          instances. The default user and group are both pkiuser, and the
          default audit group is pkiaudit.

   pki_token_name, pki_token_password
          The token, and its password, where this instance's system
          certificates and keys are stored. Defaults to the NSS internal
          software token.

   pki_hsm_enable, pki_hsm_libfile, pki_hsm_modulename
          If an optional hardware security module (HSM) is being used
          rather than the default software security module included in
          NSS, then pki_hsm_enable must be set to True (the default is
          False), and values must be supplied for both pki_hsm_libfile
          (e.g. pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so)
          and pki_hsm_modulename (e.g. pki_hsm_modulename=nethsm).

SYSTEM CERTIFICATE PARAMETERS
   pkispawn sets up a number of system certificates for each subsystem.
   The system certificates which are required differ between subsystems.
   Each system certificate is denoted by a tag, as noted below. The
   different system certificates are:

   * signing certificate ("ca_signing"). Used to sign other
     certificates. Required for CA.

   * OCSP signing certificate ("ocsp_signing" in CA, "signing" in OCSP).
     Used to sign OCSP responses. Required for OCSP and CA.

   * storage certificate ("storage"). Used to encrypt keys for storage
     in KRA. Required for KRA only.

   * transport certificate ("transport"). Used to encrypt keys in
     transport to the KRA. Required for KRA only.

   * subsystem certificate ("subsystem"). Used to communicate between
     subsystems within the security domain. Issued by the security
     domain CA. Required for all subsystems.

   * server certificate ("sslserver"). Used for TLS communication with
     the server. One server certificate is required for each Certificate
     Server instance.

   * audit signing certificate ("audit_signing"). Used to sign audit
     logs. Required for all subsystems except the RA.

   Each system certificate can be customized using the parameters below:

   pki_<tag>_key_type, pki_<tag>_key_size, pki_<tag>_key_algorithm
          Characteristics of the private key. See the Red Hat Certificate
          System documentation at
          https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/
          for possible options. The defaults are RSA for the type, 2048
          bits for the key size, and SHA256withRSA for the algorithm.

   pki_<tag>_signing_algorithm
          For signing certificates, the algorithm used for signing.
          Defaults to SHA256withRSA.

   pki_<tag>_token
          Location where the certificate and private key are stored.
          Defaults to the internal software NSS token database.

   pki_<tag>_nickname
          Nickname for the certificate in the token database.

   pki_<tag>_subject_dn
          Subject DN for the certificate. The subject DN for the SSL
          server certificate must include CN=<hostname>, where <hostname>
          is the name clients use to connect to the instance.

ADMIN USER PARAMETERS
   pkispawn creates a bootstrap administrative user that is a member of
   all the groups necessary to administer the installed subsystem. On a
   security domain CA, the CA administrative user is also a member of the
   groups required to register a new subsystem on the security domain.
   The certificate and keys for this administrative user are stored in a
   PKCS #12 file in pki_client_dir, and can be imported into a browser to
   administer the system.

   pki_admin_name, pki_admin_uid
          Name and UID of this administrative user. Defaults to caadmin
          for CA, kraadmin for KRA, etc.

   pki_admin_password
          Password for the admin user. This password is used to log into
          the pki-console (unless client authentication is enabled), as
          well as to log into the security domain CA.

   pki_admin_email
          Email address for the admin user.

   pki_admin_dualkey, pki_admin_key_size, pki_admin_key_type,
   pki_admin_key_algorithm
          Settings for the administrator certificate and keys.

   pki_admin_subject_dn
          Subject DN for the administrator certificate. Defaults to
          cn=PKI Administrator, e=%(pki_admin_email)s,
          o=%(pki_security_domain_name)s.

   pki_admin_nickname
          Nickname for the administrator certificate.

   pki_import_admin_cert
          Set to True to import an existing admin certificate for the
          admin user, rather than generating a new one. A
          subsystem-specific administrator will still be created within
          the subsystem's LDAP tree. This is useful to allow multiple
          subsystems within the same instance to be administered more
          easily from the same browser using a single certificate.

          By default, this is set to False for CA subsystems and True for
          KRA, OCSP, TKS, and TPS subsystems. In this case, the admin
          certificate is read from the file ca_admin.cert in
          pki_client_dir.

          Note that cloned subsystems do not create a new administrative
          user. The administrative user of the master subsystem is used
          instead, and the details of this master user are replicated
          during the install.

   pki_client_admin_cert_p12
          Location of the PKCS #12 file containing the administrative
          user's certificate and keys. For a CA, this defaults to
          ca_admin_cert.p12 in the pki_client_dir directory.

BACKUP PARAMETERS
   pki_backup_keys, pki_backup_password
          Set pki_backup_keys to True to back up the subsystem
          certificates and keys to a PKCS #12 file. This file will be
          located in /var/lib/pki/<instance_name>/alias.
          pki_backup_password is the password of the PKCS #12 file, and
          is the only protection on the private keys in that file, so it
          should be chosen and stored accordingly.

          Important: Since HSM keys are stored in the HSM (hardware),
          they cannot be backed up to a PKCS #12 file (software).
          Therefore, if pki_hsm_enable is set to True, pki_backup_keys
          should be set to False and pki_backup_password should be left
          unset (the default values in /etc/pki/default.cfg). Failure to
          do so will result in pkispawn reporting this error and exiting.

CLIENT DIRECTORY PARAMETERS
   pki_client_dir
          This is the location where all client data used during the
          installation is stored. At the end of the invocation of
          pkispawn, the administrative user's certificate and keys are
          stored in a PKCS #12 file in this location.

          Note: When using an HSM, it is currently recommended NOT to
          specify a value for pki_client_dir that differs from the
          default value.

   pki_client_database_dir, pki_client_database_password
          Location and password of an NSS token database created in
          order to generate a key for the administrative user. Usually,
          the data in this location is removed at the end of the
          installation, as the keys and certificates are stored in a
          PKCS #12 file in pki_client_dir.

   pki_client_database_purge
          Set to True to remove pki_client_database_dir at the end of the
          installation. Defaults to True.

INTERNAL DATABASE PARAMETERS
   pki_ds_hostname, pki_ds_ldap_port, pki_ds_ldaps_port
          Hostname and ports for the internal database. Default to
          localhost, 389, and 636, respectively.

   pki_ds_bind_dn, pki_ds_password
          Credentials to connect to the database during installation.
          Directory Manager-level access is required during installation
          to set up the relevant schema and database. During the
          installation, a more restricted Certificate Server user is set
          up for client-authenticated connections to the database. Some
          additional configuration is required for this, including
          setting up the Directory Server to use SSL. See the
          documentation for details.

   pki_ds_secure_connection
          Sets whether to require connections to the Directory Server
          using LDAPS. This requires SSL to be set up on the Directory
          Server first. Defaults to False.

   pki_ds_secure_connection_ca_nickname
          Once a Directory Server CA certificate has been imported into
          the PKI security databases (see
          pki_ds_secure_connection_ca_pem_file),
          pki_ds_secure_connection_ca_nickname will contain the nickname
          under which it is stored. The default.cfg file contains a
          default value for this nickname. This parameter is only used
          when pki_ds_secure_connection has been set to True.

   pki_ds_secure_connection_ca_pem_file
          The fully-qualified path, including the filename, of a file
          which contains an exported copy of the Directory Server's CA
          certificate. While this parameter is only used when
          pki_ds_secure_connection has been set to True, a valid value
          is required for it whenever that is the case, because it is
          the trust anchor against which the LDAPS server certificate is
          verified.

   pki_ds_remove_data
          Sets whether to remove any data from the base DN before
          starting the installation. Defaults to True, so point the
          installer at a base DN reserved for this subsystem.

   pki_ds_base_dn
          The base DN for the internal database. It is advised that the
          Certificate Server have its own base DN for its internal
          database. If the base DN does not exist, it will be created
          during the running of pkispawn. For a cloned subsystem, the
          base DN for the clone subsystem MUST be the same as for the
          master subsystem.

   pki_ds_database
          Name of the back-end database. It is advised that the
          Certificate Server have its own back-end database. If the
          back-end does not exist, it will be created during the running
          of pkispawn.

ISSUING CA PARAMETERS
   pki_issuing_ca_hostname, pki_issuing_ca_https_port, pki_issuing_ca_uri
          Hostname and port, or URI, of the issuing CA. Required for
          installations of subordinate CA and non-CA subsystems. This
          should point to the CA that will issue the relevant system
          certificates for the subsystem. In a default install, this
          defaults to the CA subsystem within the same instance. The URI
          has the format https://<ca_hostname>:<ca_https_port>.

MISCELLANEOUS PARAMETERS
   pki_restart_configured_instance
          Sets whether to restart the instance after configuration is
          complete. Defaults to True.

   pki_enable_access_log
          Located in the [Tomcat] section, this variable determines
          whether the instance will enable (True) or disable (False)
          Tomcat access logging. Defaults to True.

   pki_enable_java_debugger
          Sets whether to attach a Java debugger such as Eclipse to the
          instance for troubleshooting. Defaults to False. Leave this
          False outside of troubleshooting.

   pki_enable_on_system_boot
          Sets whether or not PKI instances should be started upon system
          boot.

          Currently, if this PKI subsystem exists within a shared
          instance, and it has been configured to start upon system boot,
          then ALL other previously configured PKI subsystems within this
          shared instance will start upon system boot.

          Similarly, if this PKI subsystem exists within a shared
          instance, and it has been configured to NOT start upon system
          boot, then ALL other previously configured PKI subsystems within
          this shared instance will NOT start upon system boot.

          Additionally, if more than one PKI instance exists, no
          granularity exists which allows one PKI instance to be enabled
          while another PKI instance is disabled (i.e. PKI instances are
          either all enabled or all disabled). To provide this
          capability, the PKI instances must reside on separate machines.

          Defaults to True (see the following note on why this was
          previously False).

          Note: Since this parameter did not exist prior to Dogtag 10.2.3,
          the default behavior of PKI instances in Dogtag 10.2.2 and prior
          was False. To manually enable this behavior, obtain superuser
          privileges and execute 'systemctl enable pki-tomcatd.target';
          to manually disable this behavior, execute 'systemctl disable
          pki-tomcatd.target'.

   pki_security_manager
          Enables the Java security manager policies provided by the JDK
          to be used with the instance. Defaults to True.

SECURITY DOMAIN PARAMETERS
   The security domain is a component that facilitates communication
   between subsystems. The first CA installed hosts this component and
   is used to register subsequent subsystems with the security domain.
   These subsystems can communicate with each other using their
   subsystem certificate, which is issued by the security domain CA. For
   more information about the security domain component, see the Red Hat
   Certificate System documentation at
   https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/.

   pki_security_domain_hostname, pki_security_domain_https_port
          Location of the security domain. Required for KRA, OCSP, TKS,
          and TPS subsystems and for CA subsystems joining a security
          domain. Default to the location of the CA subsystem within the
          same instance.

   pki_security_domain_user, pki_security_domain_password
          Administrative user of the security domain, and that user's
          password. Required for KRA, OCSP, TKS, and TPS subsystems, and
          for CA subsystems joining a security domain. Defaults to the
          administrative user for the CA subsystem within the same
          instance (caadmin).

   pki_security_domain_name
          The name of the security domain. This is required for the
          security domain CA.

CLONE PARAMETERS
   pki_clone
          Installs a clone, rather than an original, subsystem.

   pki_clone_pkcs12_password, pki_clone_pkcs12_path
          Password and location of the PKCS #12 file containing the
          system certificates and keys of the master subsystem being
          cloned. This file should be readable by the user that the
          Certificate Server is running as (default of pkiuser), and have
          the correct SELinux context (pki_tomcat_cert_t). This can be
          achieved by placing the file in
          /var/lib/pki/<instance_name>/alias.

          Important: Since HSM keys are stored in the HSM (hardware),
          they cannot be copied to a PKCS #12 file (software). For the
          case of clones using an HSM, this means that the HSM keys must
          be shared between the master and its clones. Therefore, if
          pki_hsm_enable is set to True, both pki_clone_pkcs12_path and
          pki_clone_pkcs12_password should be left unset (the default
          values in /etc/pki/default.cfg). Failure to do so will result
          in pkispawn reporting this error and exiting.

   pki_clone_setup_replication
          Defaults to True. If set to False, the installer does not set
          up replication agreements from the master to the clone as part
          of the subsystem configuration. In this case, it is expected
          that the top level suffix already exists, and that the data
          has already been replicated. This option is useful if you want
          to use other tools to create and manage your replication
          topology, or if the baseDN is already replicated as part of a
          top-level suffix.

   pki_clone_reindex_data
          Defaults to False. This parameter is only relevant when
          pki_clone_setup_replication is set to False. In this case, it
          is expected that the database has been prepared and replicated
          as noted above. Part of that preparation could involve adding
          indexes and indexing the data. If you would like the Dogtag
          installer to add the indexes and reindex the data instead, set
          pki_clone_reindex_data to True.

   pki_clone_replication_master_port, pki_clone_replication_clone_port
          Ports on which replication occurs. These are the ports on the
          master and clone databases respectively. Default to the
          internal database port.

   pki_clone_replicate_schema
          Replicate schema when the replication agreement is set up and
          the new instance (consumer) is initialized. Otherwise, the
          schema must be installed in the clone as a separate step
          beforehand. This does not usually have to be changed. Defaults
          to True.

   pki_clone_replication_security
          The type of security used for the replication data. This can
          be set to SSL (using LDAPS), TLS, or None. Defaults to None,
          which sends the replicated directory data unencrypted, so SSL
          or TLS should be chosen wherever the master and clone databases
          are not on the same host. For SSL and TLS, SSL must be set up
          for the database instances beforehand.

   pki_master_hostname, pki_master_https_port, pki_clone_uri
          Hostname and port, or URI, of the subsystem being cloned. The
          URI format is https://<master_hostname>:<master_https_port>,
          where the default master hostname and https port are set to be
          the security domain's hostname and https port.

CA SERIAL NUMBER PARAMETERS
   pki_serial_number_range_start, pki_serial_number_range_end
          Sets the range of serial numbers to be used when issuing
          certificates. Values here are hexadecimal (without the 0x
          prefix). It is useful to override these values when migrating
          data from another CA, so that serial number conflicts do not
          occur. Defaults to 1 and 10000000 respectively.

   pki_request_number_range_start, pki_request_number_range_end
          Sets the range of request numbers to be used by the CA. Values
          here are decimal. It is useful to override these values when
          migrating data from another CA, so that request number
          conflicts do not occur. Defaults to 1 and 10000000
          respectively.

   pki_replica_number_range_start, pki_replica_number_range_end
          Sets the range of replica numbers to be used by the CA. These
          numbers are used to identify database replicas in a
          replication topology. Values here are decimal. Defaults to 1
          and 100 respectively.

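   The consistency rules stated in the SYSTEM CERTIFICATE, BACKUP,
   INTERNAL DATABASE, CLONE and CA SERIAL NUMBER sections above, gathered
   into one pre-check that runs over a flattened parameter dictionary
   before any installation starts. This is an added example written for
   this page, not pkispawn's own pre-check implementation; the rule set
   is limited to what this page documents, and the sample dictionaries
   (including the /root/ds-ca.pem and .p12 paths) are constructed.

```python
"""Added example, written for this page and not pkispawn's pre-check
code: the consistency rules the page states, applied to a flattened
parameter dictionary (as pkispawn sees it after section stacking).
The sample dictionaries and paths below are constructed."""
from string import hexdigits


def _is_true(value):
    """Booleans in the config are strings; 'True' and 'true' both count."""
    return str(value).strip().lower() == "true"


def _dn_has_cn(subject_dn, hostname):
    """True if the DN carries CN=<hostname>, comparing the attribute type
    and the host name case-insensitively.  Uses the plain comma-separated
    form found in default.cfg; escaped commas are not handled here."""
    for rdn in subject_dn.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "CN" and value.strip().lower() == hostname.lower():
            return True
    return False


def _range_problems(cfg, prefix, base, defaults):
    """Serial ranges are hexadecimal with no 0x prefix; request and replica
    ranges are decimal (CA SERIAL NUMBER PARAMETERS).  `defaults` are the
    page's documented defaults, used when a key is absent."""
    digits = hexdigits if base == 16 else "0123456789"
    keys = (prefix + "_start", prefix + "_end")
    values = {k: cfg.get(k, d) for k, d in zip(keys, defaults)}
    out = [f"{k}={v!r} must be a base-{base} number with no prefix"
           for k, v in values.items() if not v or any(c not in digits for c in v)]
    if not out and int(values[keys[0]], base) > int(values[keys[1]], base):
        out.append(f"{keys[0]} must not exceed {keys[1]}")
    return out


def precheck(cfg, hostname):
    """Return human-readable problems; an empty list means the documented
    constraints hold.  `hostname` is the name the instance is reached by."""
    problems = []
    hsm = _is_true(cfg.get("pki_hsm_enable", "False"))

    # GENERAL, BACKUP and CLONE PARAMETERS: HSM keys cannot be exported to
    # a PKCS #12 file, so the software-only backup and clone inputs must be
    # off/unset; without an HSM a requested backup needs its password.
    if hsm:
        for name in ("pki_hsm_libfile", "pki_hsm_modulename"):
            if not cfg.get(name):
                problems.append(f"{name} is required when pki_hsm_enable=True")
        if _is_true(cfg.get("pki_backup_keys", "False")):
            problems.append("pki_backup_keys must be False when pki_hsm_enable=True")
        for name in ("pki_backup_password", "pki_clone_pkcs12_path",
                     "pki_clone_pkcs12_password"):
            if cfg.get(name):
                problems.append(f"{name} must be left unset when pki_hsm_enable=True")
    elif _is_true(cfg.get("pki_backup_keys", "False")) and not cfg.get("pki_backup_password"):
        problems.append("pki_backup_password is required when pki_backup_keys=True")

    # INTERNAL DATABASE PARAMETERS: LDAPS needs the DS CA certificate file.
    if (_is_true(cfg.get("pki_ds_secure_connection", "False"))
            and not cfg.get("pki_ds_secure_connection_ca_pem_file")):
        problems.append("pki_ds_secure_connection_ca_pem_file is required "
                        "when pki_ds_secure_connection=True")

    # SYSTEM CERTIFICATE PARAMETERS: the server certificate names the host.
    if not _dn_has_cn(cfg.get("pki_sslserver_subject_dn", ""), hostname):
        problems.append(f"pki_sslserver_subject_dn must include CN={hostname}")

    # CA SERIAL NUMBER PARAMETERS (CA only; pki_subsystem_type is lowercase
    # in default.cfg, as in the %(pki_subsystem_type)s paths on this page).
    if cfg.get("pki_subsystem_type") == "ca":
        problems += _range_problems(cfg, "pki_serial_number_range", 16, ("1", "10000000"))
        problems += _range_problems(cfg, "pki_request_number_range", 10, ("1", "10000000"))
        problems += _range_problems(cfg, "pki_replica_number_range", 10, ("1", "100"))
    return problems


# Constructed: a software-token CA, keys backed up, LDAPS to its database.
SOFTWARE_CA = {
    "pki_subsystem_type": "ca",
    "pki_hsm_enable": "False",
    "pki_backup_keys": "True",
    "pki_backup_password": "Secret.123",
    "pki_ds_secure_connection": "True",
    "pki_ds_secure_connection_ca_pem_file": "/root/ds-ca.pem",
    "pki_sslserver_subject_dn": "cn=ca.example.test,o=EXAMPLE",
}

# Constructed: the same CA moved to an HSM, with the software-only backup
# and clone parameters still set and a 0x-prefixed serial range.
HSM_CA_MISCONFIGURED = dict(
    SOFTWARE_CA,
    pki_hsm_enable="True",
    pki_hsm_libfile="/opt/nfast/toolkits/pkcs11/libcknfast.so",
    pki_hsm_modulename="nethsm",
    pki_clone_pkcs12_path="/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12",
    pki_serial_number_range_start="0x1",
)
```

   precheck(SOFTWARE_CA, "ca.example.test") returns no findings, while
   the HSM variant produces four: the backup flag, the backup password,
   the clone PKCS #12 path, and the 0x-prefixed serial number, each of
   which pkispawn would otherwise reject only after the run has begun.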
EXTERNAL CA CERTIFICATE PARAMETERS
   pki_external
          Sets whether the new CA will have a signing certificate that
          will be issued by an external CA. This is a two step process.
          In the first step, a CSR to be presented to the external CA is
          generated. In the second step, the issued signing certificate
          and certificate chain are provided to the pkispawn utility to
          complete the installation. Defaults to False.

   pki_ca_signing_csr_path
          Required in the first step of the external CA signing process.
          The CSR will be printed to the screen and stored in this
          location.

   pki_external_step_two
          Specifies that this is the second step of the external CA
          process. Defaults to False.

   pki_ca_signing_cert_path, pki_cert_chain_path
          Required for the second step of the external CA signing
          process. These are the locations of the CA signing certificate
          (as issued by the external CA) and of the external CA's
          certificate chain.

SUBORDINATE CA CERTIFICATE PARAMETERS
   pki_subordinate
          Specifies whether the new CA will be a subordinate of another
          CA. The issuing (master) CA is specified by pki_issuing_ca.
          Defaults to False.

   pki_subordinate_create_new_security_domain
          Set to True if the subordinate CA will host its own security
          domain. Defaults to False.

   pki_subordinate_security_domain_name
          Used when pki_subordinate_create_new_security_domain is set to
          True. Specifies the name of the security domain to be hosted
          on the subordinate CA.

STANDALONE PKI PARAMETERS
   A stand-alone PKI subsystem is defined as a non-CA PKI subsystem that
   does not contain a CA as a part of its deployment, and functions as
   its own security domain. Currently, only stand-alone KRAs are
   supported.

   pki_standalone
          Sets whether or not the new PKI subsystem will be stand-alone.
          This is a two step process. In the first step, CSRs for each
          of this stand-alone PKI subsystem's certificates will be
          generated so that they may be presented to the external CA. In
          the second step, the issued certificates, external CA
          certificate, and external CA certificate chain are provided to
          the pkispawn utility to complete the installation. Defaults to
          False.

   pki_external_admin_csr_path
          Will be generated by the first step of a stand-alone PKI
          process. This is the location of the file containing the
          administrator's CSR (which will be presented to the external
          CA). Defaults to
          '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr'.

   pki_external_audit_signing_csr_path
          Will be generated by the first step of a stand-alone PKI
          process. This is the location of the file containing the audit
          signing CSR (which will be presented to the external CA).
          Defaults to
          '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr'.

   pki_external_sslserver_csr_path
          Will be generated by the first step of a stand-alone PKI
          process. This is the location of the file containing the SSL
          server CSR (which will be presented to the external CA).
          Defaults to
          '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr'.

   pki_external_storage_csr_path
          [KRA ONLY] Will be generated by the first step of a stand-alone
          KRA process. This is the location of the file containing the
          storage CSR (which will be presented to the external CA).
          Defaults to '%(pki_instance_configuration_path)s/kra_storage.csr'.

   pki_external_subsystem_csr_path
          Will be generated by the first step of a stand-alone PKI
          process. This is the location of the file containing the
          subsystem CSR (which will be presented to the external CA).
          Defaults to
          '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr'.

   pki_external_transport_csr_path
          [KRA ONLY] Will be generated by the first step of a stand-alone
          KRA process. This is the location of the file containing the
          transport CSR (which will be presented to the external CA).
          Defaults to '%(pki_instance_configuration_path)s/kra_transport.csr'.

   pki_external_step_two
          Specifies that this is the second step of a stand-alone PKI
          process. Defaults to False.

   pki_cert_chain_path
          Required for the second step of a stand-alone PKI process.
          This is the location of the file containing the external CA
          signing certificate (as issued by the external CA). Defaults to
          '%(pki_instance_configuration_path)s/external_ca.cert'.

   pki_ca_signing_cert_path
          Required for the second step of a stand-alone PKI process.
          This is the location of the file containing the external CA's
          certificate chain (as issued by the external CA). Defaults to
          empty.

   pki_external_admin_cert_path
          Required for the second step of a stand-alone PKI process.
          This is the location of the file containing the
          administrator's certificate (as issued by the external CA).
          Defaults to
          '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert'.

   pki_external_audit_signing_cert_path
          Required for the second step of a stand-alone PKI process.
          This is the location of the file containing the audit signing
          certificate (as issued by the external CA). Defaults to
          '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert'.

   pki_external_sslserver_cert_path
          Required for the second step of a stand-alone PKI process.
          This is the location of the file containing the sslserver
          certificate (as issued by the external CA). Defaults to
          '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert'.

   pki_external_storage_cert_path
          [KRA ONLY] Required for the second step of a stand-alone KRA
          process. This is the location of the file containing the
          storage certificate (as issued by the external CA). Defaults to
          '%(pki_instance_configuration_path)s/kra_storage.cert'.

   pki_external_subsystem_cert_path
          Required for the second step of a stand-alone PKI process.
          This is the location of the file containing the subsystem
          certificate (as issued by the external CA). Defaults to
          '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert'.

   pki_external_transport_cert_path
          [KRA ONLY] Required for the second step of a stand-alone KRA
          process. This is the location of the file containing the
          transport certificate (as issued by the external CA). Defaults
          to '%(pki_instance_configuration_path)s/kra_transport.cert'.

KRA PARAMETERS
   pki_kra_ephemeral_requests
          Specifies whether to use ephemeral requests for archivals and
          retrievals. Defaults to False.

TPS PARAMETERS
   pki_authdb_basedn
          Specifies the base DN of the TPS authentication database.

   pki_authdb_hostname
          Specifies the hostname of the TPS authentication database.
          Defaults to localhost.

   pki_authdb_port
          Specifies the port number of the TPS authentication database.
          Defaults to 389.

   pki_authdb_secure_conn
          Specifies whether to use a secure connection to the TPS
          authentication database. Defaults to False.

   pki_enable_server_side_keygen
          Specifies whether to enable server-side key generation.
          Defaults to False. The location of the KRA instance should be
          specified in the pki_kra_uri parameter.

   pki_ca_uri
          Specifies the URI of the CA instance used by TPS to create and
          revoke user certificates. Defaults to the instance in which the
          TPS is running.

   pki_kra_uri
          Specifies the URI of the KRA instance used by TPS to archive
          and recover keys. Required if server-side key generation is
          enabled using the pki_enable_server_side_keygen parameter.
          Defaults to the instance in which the TPS is running.

   pki_tks_uri
          Specifies the URI of the TKS instance used by TPS to generate
          symmetric keys. Defaults to the instance in which the TPS is
          running.

AUTHORS
   Ade Lee <alee@redhat.com>. pkispawn was written by the Dogtag project.

COPYRIGHT
   Copyright (c) 2012 Red Hat, Inc. This is licensed under the GNU
   General Public License, version 2 (GPLv2). A copy of this license is
   available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

SEE ALSO
   pkispawn(8)

version 1.0                     December 13, 2012                pki_default.cfg(5)