pki_default.cfg(5)    PKI Default Instance Configuration    pki_default.cfg(5)

NAME
       pki_default.cfg - Certificate Server instance default config file.

LOCATION
       /etc/pki/default.cfg

DESCRIPTION
       This file contains the default settings for a Certificate Server
       instance created using pkispawn.  This file should not be edited, as it
       can be modified when the Certificate Server packages are updated.
       Instead, when setting up a Certificate Server instance, a user should
       provide pkispawn with a configuration file containing overrides to the
       defaults in /etc/pki/default.cfg.  See pkispawn(8) for details.

SECTIONS
       default.cfg contains parameters that are grouped into sections.  These
       sections are stacked, so that parameters defined in earlier sections
       can be overwritten by parameters defined in later sections.  The
       sections are read in the following order: [DEFAULT], [Tomcat], and the
       subsystem section ([CA], [KRA], [OCSP], [TKS], or [TPS]).  This makes it
       possible to specify parameters shared by all subsystems in [DEFAULT] or
       [Tomcat], and subsystem-specific customizations in the subsystem
       section.

       There are a small number of bootstrap parameters which are passed in
       the configuration file by pkispawn.  Other parameters' values can be
       interpolated tokens rather than explicit values.  For example:

       pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA

       This substitutes the value of pki_instance_name into the parameter
       value.  It is possible to interpolate any non-password parameter within
       a section or in [DEFAULT].  Any parameter used in interpolation can ONLY
       be overridden within the same section.  So, for example,
       pki_instance_name should only be overridden in [DEFAULT]; otherwise,
       interpolations can fail.

       Note:  Any non-password related parameter value in the configuration
              file that needs to contain a % character must be properly
              escaped.  For example, a value of foo%bar would be specified as
              foo%%bar in the configuration file.

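       The stacking, interpolation and escaping rules above, as an added
       example that is not pkispawn's own code: a small Python resolver that
       layers [DEFAULT], [Tomcat] and the subsystem section in the documented
       order, expands %(name)s tokens in non-password values, unescapes %%,
       and reports a reference to an undefined parameter as a failure.  The
       two configuration texts are constructed for the example (they are not
       the real /etc/pki/default.cfg), the exact way pkispawn flattens the
       sections is an assumption modelled on this page, and
       check_override_sections implements the manual's "same section" rule by
       flagging an override placed in a section other than the one whose
       values interpolate it.

```python
"""Resolve pkispawn-style stacked sections and %(name)s interpolation.
Added example, not pkispawn's own implementation: the section order and the
'passwords are not interpolated' rule come from pki_default.cfg(5); how
pkispawn itself flattens the sections is an assumption here."""
import configparser
import re

TOKEN = re.compile(r"%\(([^)]+)\)s")   # configparser-style %(name)s reference
STACK = ("DEFAULT", "Tomcat")           # read before the subsystem section

# Constructed, abridged stand-in for /etc/pki/default.cfg (not the real file).
DEFAULT_CFG = """
[DEFAULT]
pki_instance_name=pki-tomcat
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
pki_admin_password=

[Tomcat]
pki_enable_access_log=True

[CA]
pki_admin_name=caadmin
pki_security_domain_name=EXAMPLE
pki_admin_subject_dn=cn=PKI Administrator,o=%(pki_security_domain_name)s

[KRA]
pki_admin_name=kraadmin
"""

# Constructed override file of the kind handed to pkispawn.  The literal % in
# the (non-password) domain name is escaped as %%; the password is not,
# because password values are never interpolated.
OVERRIDES = """
[DEFAULT]
pki_instance_name=pki-prod
pki_admin_password=Secret%1

[CA]
pki_security_domain_name=EXAMPLE 100%% internal
"""


def raw_sections(text):
    """Parse ini text into {section: {key: raw value}}; interpolation is
    switched off so %(...)s and %% reach our own expander untouched."""
    parser = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def merge(*texts):
    """Later files override earlier ones, key by key within each section."""
    merged = {}
    for text in texts:
        for section, params in raw_sections(text).items():
            merged.setdefault(section, {}).update(params)
    return merged


def _substitute(value, env, depth):
    if depth > 10:
        raise ValueError("interpolation loop while expanding %r" % value)

    def replace(match):
        name = match.group(1)
        if name not in env:
            raise ValueError("interpolation of %%(%s)s failed: parameter not defined" % name)
        return _substitute(env[name], env, depth + 1)

    return TOKEN.sub(replace, value)


def expand(value, env):
    """Expand %(name)s references recursively, then unescape %% to %."""
    return _substitute(value, env, 0).replace("%%", "%")


def resolve(merged, subsystem):
    """Flatten [DEFAULT] -> [Tomcat] -> [subsystem] and interpolate every
    non-password value; password values are used verbatim."""
    env = {}
    for section in STACK + (subsystem,):
        env.update(merged.get(section, {}))
    return {key: (val if "password" in key else expand(val, env))
            for key, val in env.items()}


def check_override_sections(defaults, overrides):
    """The manual's rule: a parameter consumed by an interpolation may only be
    overridden in the section where that interpolation lives.  Return a sorted
    list of violations found in an override file."""
    consumers = {}   # parameter name -> sections whose values reference it
    for section, params in defaults.items():
        for value in params.values():
            for name in TOKEN.findall(value):
                consumers.setdefault(name, set()).add(section)
    violations = []
    for section, params in overrides.items():
        for name in params:
            for consumer in consumers.get(name, ()):
                if consumer != section:
                    violations.append("%s overridden in [%s] but interpolated in [%s]"
                                      % (name, section, consumer))
    return sorted(violations)


if __name__ == "__main__":
    for key, val in sorted(resolve(merge(DEFAULT_CFG, OVERRIDES), "CA").items()):
        print("%s=%s" % (key, val))
    print(check_override_sections(raw_sections(DEFAULT_CFG),
                                  raw_sections("[CA]\npki_instance_name=pki-ca\n")))
```

       Run as a script it prints the effective [CA] parameters (the nickname
       becomes "caSigningCert cert-pki-prod CA", the domain name carries a
       single %, the password is untouched) and then one violation for an
       override file that sets pki_instance_name under [CA] instead of
       [DEFAULT].
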

PRE-CHECK PARAMETERS
       Once the configuration parameters have been constructed from the above
       sections and overrides, pkispawn will perform a series of basic tests
       to determine if the parameters being passed in are valid and
       consistent, before starting any installation.  In pre-check mode, these
       tests are executed and then pkispawn exits.

       It is possible to disable specific tests by setting the directives
       below.  While all these tests should pass to ensure a successful
       installation, it may be reasonable to skip tests in pre-check mode.

       pki_skip_ds_verify

              Skip verification of the Directory Server credentials.  In this
              test, pkispawn attempts to bind to the directory server instance
              for the internal database using the provided credentials.  This
              could be skipped if the directory server instance does not yet
              exist or is inaccessible.  Defaults to False.

       pki_skip_sd_verify

              Skip verification of the security domain user/password.  In this
              test, pkispawn attempts to log onto the security domain using
              the provided credentials.  This can be skipped if the security
              domain is unavailable.  Defaults to False.

GENERAL INSTANCE PARAMETERS
       The parameters described below, as well as the parameters located in
       the following sections, can be customized as part of a deployment.
       This list is not exhaustive.

       pki_instance_name

              Name of the instance.  The instance is located at
              /var/lib/pki/<instance_name>.  For Java subsystems, the default
              is specified as pki-tomcat.

       pki_https_port, pki_http_port

              Secure and unsecure ports.  Defaults to standard Tomcat ports
              8443 and 8080, respectively, for Java subsystems.

       pki_ajp_port, pki_tomcat_server_port

              Ports for Tomcat subsystems.  Defaults to standard Tomcat ports
              of 8009 and 8005, respectively.

       pki_ajp_host

              Host on which to listen for AJP requests.  Defaults to localhost
              to listen to local traffic only.

       pki_proxy_http_port, pki_proxy_https_port, pki_enable_proxy

              Ports for an Apache proxy server.  Certificate Server instances
              can be run behind an Apache proxy server, which will communicate
              with the Tomcat instance through the AJP port.  See the Red Hat
              Certificate System documentation at
              https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/
              for details.

       pki_user, pki_group, pki_audit_group

              Specifies the default administrative user, group, and auditor
              group identities for PKI instances.  The default user and group
              are both specified as pkiuser, and the default audit group is
              specified as pkiaudit.

       pki_token_name, pki_token_password

              The token and password where this instance's system certificate
              and keys are stored.  Defaults to the NSS internal software
              token.

       pki_hsm_enable, pki_hsm_libfile, pki_hsm_modulename

              If an optional hardware security module (HSM) is being utilized
              (rather than the default software security module included in
              NSS), then the pki_hsm_enable parameter must be set to 'True'
              (by default this parameter is 'False'), and values must be
              supplied for both the pki_hsm_libfile (e.g.
              pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so) and
              pki_hsm_modulename (e.g. pki_hsm_modulename=nethsm) parameters.

   SYSTEM CERTIFICATE PARAMETERS
       pkispawn sets up a number of system certificates for each subsystem.
       The system certificates which are required differ between subsystems.
       Each system certificate is denoted by a tag, as noted below.  The
       different system certificates are:

              * signing certificate ("ca_signing").  Used to sign other
                certificates.  Required for CA.

              * OCSP signing certificate ("ocsp_signing" in CA, "signing" in
                OCSP).  Used to sign CRLs.  Required for OCSP and CA.

              * storage certificate ("storage").  Used to encrypt keys for
                storage in KRA.  Required for KRA only.

              * transport certificate ("transport").  Used to encrypt keys in
                transport to the KRA.  Required for KRA only.

              * subsystem certificate ("subsystem").  Used to communicate
                between subsystems within the security domain.  Issued by the
                security domain CA.  Required for all subsystems.

              * server certificate ("sslserver").  Used for communication with
                the server.  One server certificate is required for each
                Certificate Server instance.

              * audit signing certificate ("audit_signing").  Used to sign
                audit logs.  Required for all subsystems except the RA.

       Each system certificate can be customized using the parameters below:

       pki_<tag>_key_type, pki_<tag>_key_size, pki_<tag>_key_algorithm

              Characteristics of the private key.  See the Red Hat Certificate
              System documentation at
              https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/
              for possible options.  The defaults are RSA for the type, 2048
              bits for the key size, and SHA256withRSA for the algorithm.

       pki_<tag>_signing_algorithm

              For signing certificates, the algorithm used for signing.
              Defaults to SHA256withRSA.

       pki_<tag>_token

              Location where the certificate and private key are stored.
              Defaults to the internal software NSS token database.

       pki_<tag>_nickname

              Nickname for the certificate in the token database.

       pki_<tag>_subject_dn

              Subject DN for the certificate.  The subject DN for the SSL
              Server certificate must include CN=<hostname>.

   ADMIN USER PARAMETERS
       pkispawn creates a bootstrap administrative user that is a member of
       all the necessary groups to administer the installed subsystem.  On a
       security domain CA, the CA administrative user is also a member of the
       groups required to register a new subsystem on the security domain.
       The certificate and keys for this administrative user are stored in a
       PKCS #12 file in pki_client_dir, and can be imported into a browser to
       administer the system.

       pki_admin_name, pki_admin_uid

              Name and UID of this administrative user.  Defaults to caadmin
              for CA, kraadmin for KRA, etc.

       pki_admin_password

              Password for the admin user.  This password is used to log into
              the pki-console (unless client authentication is enabled), as
              well as to log into the security domain CA.

       pki_admin_email

              Email address for the admin user.

       pki_admin_dualkey, pki_admin_key_size, pki_admin_key_type,
       pki_admin_key_algorithm

              Settings for the administrator certificate and keys.

       pki_admin_subject_dn

              Subject DN for the administrator certificate.  Defaults to
              cn=PKI Administrator, e=%(pki_admin_email)s,
              o=%(pki_security_domain_name)s.

       pki_admin_nickname

              Nickname for the administrator certificate.

       pki_import_admin_cert

              Set to True to import an existing admin certificate for the
              admin user, rather than generating a new one.  A subsystem-
              specific administrator will still be created within the
              subsystem's LDAP tree.  This is useful to allow multiple
              subsystems within the same instance to be more easily
              administered from the same browser by using a single
              certificate.

              By default, this is set to False for CA subsystems and True for
              KRA, OCSP, TKS, and TPS subsystems.  In this case, the admin
              certificate is read from the file ca_admin.cert in
              pki_client_dir.

              Note that cloned subsystems do not create a new administrative
              user.  The administrative user of the master subsystem is used
              instead, and the details of this master user are replicated
              during the install.

       pki_client_admin_cert_p12

              Location for the PKCS #12 file containing the administrative
              user's certificate and keys.  For a CA, this defaults to
              ca_admin_cert.p12 in the pki_client_dir directory.

   BACKUP PARAMETERS
       pki_backup_keys, pki_backup_password

              Set to True to back up the subsystem certificates and keys to a
              PKCS #12 file.  This file will be located in
              /var/lib/pki/<instance_name>/alias.  pki_backup_password is the
              password of the PKCS #12 file.

       Important:
              Since HSM keys are stored in the HSM (hardware), they cannot be
              backed up to a PKCS #12 file (software).  Therefore, if
              pki_hsm_enable is set to True, pki_backup_keys should be set to
              False and pki_backup_password should be left unset (the default
              values in /etc/pki/default.cfg).  Failure to do so will result
              in pkispawn reporting this error and exiting.

   CLIENT DIRECTORY PARAMETERS
       pki_client_dir

              This is the location where all client data used during the
              installation is stored.  At the end of the invocation of
              pkispawn, the administrative user's certificate and keys are
              stored in a PKCS #12 file in this location.

              Note: When using an HSM, it is currently recommended to NOT
              specify a value for pki_client_dir that is different from the
              default value.

       pki_client_database_dir, pki_client_database_password

              Location where an NSS token database is created in order to
              generate a key for the administrative user.  Usually, the data
              in this location is removed at the end of the installation, as
              the keys and certificates are stored in a PKCS #12 file in
              pki_client_dir.

       pki_client_database_purge

              Set to True to remove pki_client_database_dir at the end of the
              installation.  Defaults to True.

   INTERNAL DATABASE PARAMETERS
       pki_ds_hostname, pki_ds_ldap_port, pki_ds_ldaps_port

              Hostname and ports for the internal database.  Defaults to
              localhost, 389, and 636, respectively.

       pki_ds_bind_dn, pki_ds_password

              Credentials to connect to the database during installation.
              Directory Manager-level access is required during installation
              to set up the relevant schema and database.  During the
              installation, a more restricted Certificate Server user is set
              up for client-authenticated connections to the database.  Some
              additional configuration is required, including setting up the
              directory server to use SSL.  See the documentation for details.

       pki_ds_secure_connection

              Sets whether to require connections to the Directory Server
              using LDAPS.  This requires SSL to be set up on the Directory
              Server first.  Defaults to false.

       pki_ds_secure_connection_ca_nickname

              Once a Directory Server CA certificate has been imported into
              the PKI security databases (see
              pki_ds_secure_connection_ca_pem_file),
              pki_ds_secure_connection_ca_nickname will contain the nickname
              under which it is stored.  The default.cfg file contains a
              default value for this nickname.  This parameter is only
              utilized when pki_ds_secure_connection has been set to true.

       pki_ds_secure_connection_ca_pem_file

              The pki_ds_secure_connection_ca_pem_file parameter will consist
              of the fully-qualified path, including the filename, of a file
              which contains an exported copy of a Directory Server's CA
              certificate.  While this parameter is only utilized when
              pki_ds_secure_connection has been set to true, a valid value is
              required for this parameter whenever this condition exists.

       pki_ds_remove_data

              Sets whether to remove any data from the base DN before starting
              the installation.  Defaults to True.

       pki_ds_base_dn

              The base DN for the internal database.  It is advised that the
              Certificate Server have its own base DN for its internal
              database.  If the base DN does not exist, it will be created
              during the running of pkispawn.  For a cloned subsystem, the
              base DN for the clone subsystem MUST be the same as for the
              master subsystem.

       pki_ds_database

              Name of the back-end database.  It is advised that the
              Certificate Server have its own base DN for its internal
              database.  If the back-end does not exist, it will be created
              during the running of pkispawn.

   ISSUING CA PARAMETERS
       pki_issuing_ca_hostname, pki_issuing_ca_https_port, pki_issuing_ca_uri

              Hostname and port, or URI of the issuing CA.  Required for
              installations of subordinate CA and non-CA subsystems.  This
              should point to the CA that will issue the relevant system
              certificates for the subsystem.  In a default install, this
              defaults to the CA subsystem within the same instance.  The URI
              has the format https://<ca_hostname>:<ca_https_port>.

   MISCELLANEOUS PARAMETERS
       pki_restart_configured_instance

              Sets whether to restart the instance after configuration is
              complete.  Defaults to True.

       pki_enable_access_log

              Located in the [Tomcat] section, this variable determines
              whether the instance will enable (True) or disable (False)
              Tomcat access logging.  Defaults to True.

       pki_enable_java_debugger

              Sets whether to attach a Java debugger such as Eclipse to the
              instance for troubleshooting.  Defaults to False.

       pki_enable_on_system_boot

              Sets whether or not PKI instances should be started upon system
              boot.

              Currently, if this PKI subsystem exists within a shared
              instance, and it has been configured to start upon system boot,
              then ALL other previously configured PKI subsystems within this
              shared instance will start upon system boot.

              Similarly, if this PKI subsystem exists within a shared
              instance, and it has been configured to NOT start upon system
              boot, then ALL other previously configured PKI subsystems within
              this shared instance will NOT start upon system boot.

              Additionally, if more than one PKI instance exists, no
              granularity exists which allows one PKI instance to be enabled
              while another PKI instance is disabled (i.e., PKI instances are
              either all enabled or all disabled).  To provide this
              capability, the PKI instances must reside on separate machines.

              Defaults to True (see the following note on why this was
              previously 'False').

       Note:  Since this parameter did not exist prior to Dogtag 10.2.3, the
              default behavior of PKI instances in Dogtag 10.2.2 and prior was
              False.  To manually enable this behavior, obtain superuser
              privileges, and execute 'systemctl enable pki-tomcatd.target';
              to manually disable this behavior, execute 'systemctl disable
              pki-tomcatd.target'.

       pki_security_manager

              Enables the Java security manager policies provided by the JDK
              to be used with the instance.  Defaults to True.

   SECURITY DOMAIN PARAMETERS
       The security domain is a component that facilitates communication
       between subsystems.  The first CA installed hosts this component and is
       used to register subsequent subsystems with the security domain.  These
       subsystems can communicate with each other using their subsystem
       certificate, which is issued by the security domain CA.  For more
       information about the security domain component, see the Red Hat
       Certificate System documentation at
       https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/.

       pki_security_domain_hostname, pki_security_domain_https_port

              Location of the security domain.  Required for KRA, OCSP, TKS,
              and TPS subsystems and for CA subsystems joining a security
              domain.  Defaults to the location of the CA subsystem within the
              same instance.

       pki_security_domain_user, pki_security_domain_password

              Administrative user of the security domain.  Required for KRA,
              OCSP, TKS, and TPS subsystems, and for CA subsystems joining a
              security domain.  Defaults to the administrative user for the CA
              subsystem within the same instance (caadmin).

       pki_security_domain_name

              The name of the security domain.  This is required for the
              security domain CA.

   CLONE PARAMETERS
       pki_clone

              Installs a clone, rather than an original, subsystem.

       pki_clone_pkcs12_password, pki_clone_pkcs12_path

              Location and password of the PKCS #12 file containing the system
              certificates for the master subsystem being cloned.  This file
              should be readable by the user that the Certificate Server is
              running as (default of pkiuser), and have the correct SELinux
              context (pki_tomcat_cert_t).  This can be achieved by placing
              the file in /var/lib/pki/<instance_name>/alias.

       Important:
              Since HSM keys are stored in the HSM (hardware), they cannot be
              copied to a PKCS #12 file (software).  For the case of clones
              using an HSM, this means that the HSM keys must be shared
              between the master and its clones.  Therefore, if pki_hsm_enable
              is set to True, both pki_clone_pkcs12_path and
              pki_clone_pkcs12_password should be left unset (the default
              values in /etc/pki/default.cfg).  Failure to do so will result
              in pkispawn reporting this error and exiting.

       pki_clone_setup_replication

              Defaults to True.  If set to False, the installer does not set
              up replication agreements from the master to the clone as part
              of the subsystem configuration.  In this case, it is expected
              that the top level suffix already exists, and that the data has
              already been replicated.  This option is useful if you want to
              use other tools to create and manage your replication topology,
              or if the baseDN is already replicated as part of a top-level
              suffix.

       pki_clone_reindex_data

              Defaults to False.  This parameter is only relevant when
              pki_clone_setup_replication is set to False.  In this case, it
              is expected that the database has been prepared and replicated
              as noted above.  Part of that preparation could involve adding
              indexes and indexing the data.  If you would like the Dogtag
              installer to add the indexes and reindex the data instead, set
              pki_clone_reindex_data to True.

       pki_clone_replication_master_port, pki_clone_replication_clone_port

              Ports on which replication occurs.  These are the ports on the
              master and clone databases respectively.  Defaults to the
              internal database port.

       pki_clone_replicate_schema

              Replicate schema when the replication agreement is set up and
              the new instance (consumer) is initialized.  Otherwise, the
              schema must be installed in the clone as a separate step
              beforehand.  This does not usually have to be changed.  Defaults
              to True.

       pki_clone_replication_security

              The type of security used for the replication data.  This can be
              set to SSL (using LDAPS), TLS, or None.  Defaults to None.  For
              SSL and TLS, SSL must be set up for the database instances
              beforehand.

       pki_master_hostname, pki_master_https_port, pki_clone_uri

              Hostname and port, or URI of the subsystem being cloned.  The
              URI format is https://<master_hostname>:<master_https_port>
              where the default master hostname and https port are set to be
              the security domain's hostname and https port.

   CA SERIAL NUMBER PARAMETERS
       pki_serial_number_range_start, pki_serial_number_range_end

              Sets the range of serial numbers to be used when issuing
              certificates.  Values here are hexadecimal (without the 0x
              prefix).  It is useful to override these values when migrating
              data from another CA, so that serial number conflicts do not
              occur.  Defaults to 1 and 10000000 respectively.

       pki_request_number_range_start, pki_request_number_range_end

              Sets the range of request numbers to be used by the CA.  Values
              here are decimal.  It is useful to override these values when
              migrating data from another CA, so that request number conflicts
              do not occur.  Defaults to 1 and 10000000 respectively.

       pki_replica_number_range_start, pki_replica_number_range_end

              Sets the range of replica numbers to be used by the CA.  These
              numbers are used to identify database replicas in a replication
              topology.  Values here are decimal.  Defaults to 1 and 100
              respectively.

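       Several constraints stated in the sections above are exactly what a
       pre-check should catch before anything is installed: HSM keys cannot be
       exported to a PKCS #12 backup or clone file, pki_ds_secure_connection
       requires pki_ds_secure_connection_ca_pem_file, the sslserver subject
       DN must carry CN=<hostname>, and serial number ranges are plain
       hexadecimal without a 0x prefix.  As an added example that is not
       pkispawn's own pre-check code, the following Python function checks
       those documented rules offline against a flattened parameter set.  The
       function names, the hostname argument and the optional comparison
       against a migrated CA's serial range are assumptions, and the sample
       parameter set is constructed for the example.

```python
"""Offline consistency checks for a pkispawn parameter set (added example,
not pkispawn's own pre-check code; the rules are modelled on the constraints
stated in pki_default.cfg(5), the function names are assumptions)."""
import re

TRUE_VALUES = {"true", "yes", "1"}


def as_bool(params, name):
    """default.cfg values are strings and the manual spells booleans both
    'True' and 'true', so compare case-insensitively."""
    return params.get(name, "False").strip().lower() in TRUE_VALUES


def is_set(params, name):
    """A parameter is 'left unset' when it is absent or empty."""
    return bool(params.get(name, "").strip())


def parse_serial_range(start, end):
    """Serial number ranges are hexadecimal WITHOUT a 0x prefix; reject the
    prefix explicitly instead of letting int(x, 16) silently accept it."""
    for value in (start, end):
        if not re.fullmatch(r"[0-9A-Fa-f]+", value):
            raise ValueError("serial range value %r is not plain hex (no 0x prefix)" % value)
    low, high = int(start, 16), int(end, 16)
    if low >= high:
        raise ValueError("pki_serial_number_range_start must be below range_end")
    return low, high


def ranges_overlap(a, b):
    """Closed integer ranges (low, high) intersect."""
    return a[0] <= b[1] and b[0] <= a[1]


def cn_values(subject_dn):
    """All CN attribute values of a comma-separated DN string (assumes simple
    RDNs without escaped commas)."""
    return [rdn.split("=", 1)[1].strip()
            for rdn in subject_dn.split(",")
            if rdn.strip().lower().startswith("cn=")]


def precheck(params, hostname, migrated_serial_range=None):
    """Return a list of problems; an empty list means every documented
    constraint holds.  `params` is the flattened, interpolated parameter set,
    `hostname` the server's FQDN (assumed argument) and `migrated_serial_range`
    an optional (low, high) range already used by a CA being migrated."""
    problems = []
    if as_bool(params, "pki_hsm_enable"):
        for name in ("pki_hsm_libfile", "pki_hsm_modulename"):
            if not is_set(params, name):
                problems.append("%s must be set when pki_hsm_enable is True" % name)
        # HSM keys cannot leave the hardware: no software PKCS #12 backup ...
        if as_bool(params, "pki_backup_keys") or is_set(params, "pki_backup_password"):
            problems.append("HSM keys cannot be backed up: set pki_backup_keys=False "
                            "and leave pki_backup_password unset")
        # ... and no PKCS #12 file for a clone either; clones share the HSM keys.
        if as_bool(params, "pki_clone") and (is_set(params, "pki_clone_pkcs12_path")
                                             or is_set(params, "pki_clone_pkcs12_password")):
            problems.append("HSM clones share the master's keys: leave "
                            "pki_clone_pkcs12_path and pki_clone_pkcs12_password unset")
    if as_bool(params, "pki_ds_secure_connection") and not is_set(
            params, "pki_ds_secure_connection_ca_pem_file"):
        problems.append("pki_ds_secure_connection=True requires "
                        "pki_ds_secure_connection_ca_pem_file")
    if hostname not in cn_values(params.get("pki_sslserver_subject_dn", "")):
        problems.append("pki_sslserver_subject_dn must include CN=%s" % hostname)
    try:
        new_range = parse_serial_range(params.get("pki_serial_number_range_start", "1"),
                                       params.get("pki_serial_number_range_end", "10000000"))
        if migrated_serial_range and ranges_overlap(new_range, migrated_serial_range):
            problems.append("serial number range overlaps the migrated CA's range")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed sample: an HSM-backed CA whose operator kept the software
# defaults for key backup, required LDAPS without naming the DS CA file, and
# pasted a 0x-prefixed serial range.
SAMPLE = {
    "pki_hsm_enable": "True",
    "pki_hsm_libfile": "/opt/nfast/toolkits/pkcs11/libcknfast.so",
    "pki_hsm_modulename": "nethsm",
    "pki_backup_keys": "True",
    "pki_backup_password": "Secret123",
    "pki_ds_secure_connection": "true",
    "pki_ds_secure_connection_ca_pem_file": "",
    "pki_sslserver_subject_dn": "cn=ca.example.test,ou=PKI,o=EXAMPLE",
    "pki_serial_number_range_start": "0x1",
    "pki_serial_number_range_end": "10000000",
}

# The same deployment with the three mistakes corrected (placeholder PEM path).
FIXED = dict(SAMPLE, pki_backup_keys="False", pki_backup_password="",
             pki_ds_secure_connection_ca_pem_file="/root/ds-ca.pem",
             pki_serial_number_range_start="1")

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE), ("fixed", FIXED)):
        print(label, precheck(cfg, "ca.example.test") or "OK")
```

       Against SAMPLE the function reports three problems (the HSM backup
       settings, the missing DS CA PEM file and the 0x-prefixed serial
       range); against FIXED it reports none, and it reports an overlap when
       the default serial range is compared with a migrated range that
       intersects it.
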
   EXTERNAL CA CERTIFICATE PARAMETERS
       pki_external

              Sets whether the new CA will have a signing certificate that
              will be issued by an external CA.  This is a two step process.
              In the first step, a CSR to be presented to the external CA is
              generated.  In the second step, the issued signing certificate
              and certificate chain are provided to the pkispawn utility to
              complete the installation.  Defaults to False.

       pki_ca_signing_csr_path

              Required in the first step of the external CA signing process.
              The CSR will be printed to the screen and stored in this
              location.

       pki_external_step_two

              Specifies that this is the second step of the external CA
              process.  Defaults to False.

       pki_ca_signing_cert_path, pki_cert_chain_path

              Required for the second step of the external CA signing process.
              These are the locations of the CA signing cert (as issued by the
              external CA) and the external CA's certificate chain.

   SUBORDINATE CA CERTIFICATE PARAMETERS
       pki_subordinate

              Specifies whether the new CA will be a subordinate of another
              CA.  The master CA is specified by pki_issuing_ca.  Defaults to
              False.

       pki_subordinate_create_new_security_domain

              Set to True if the subordinate CA will host its own security
              domain.  Defaults to False.

       pki_subordinate_security_domain_name

              Used when pki_subordinate_create_new_security_domain is set to
              True.  Specifies the name of the security domain to be hosted on
              the subordinate CA.

   STANDALONE PKI PARAMETERS
       A stand-alone PKI subsystem is defined as a non-CA PKI subsystem that
       does not contain a CA as a part of its deployment, and functions as its
       own security domain.  Currently, only stand-alone KRAs are supported.

       pki_standalone

              Sets whether or not the new PKI subsystem will be stand-alone.
              This is a two step process.  In the first step, CSRs for each of
              this stand-alone PKI subsystem's certificates will be generated
              so that they may be presented to the external CA.  In the second
              step, the issued certificates, external CA certificate, and
              external CA certificate chain are provided to the pkispawn
              utility to complete the installation.  Defaults to False.

       pki_external_admin_csr_path

              Will be generated by the first step of a stand-alone PKI
              process.  This is the location of the file containing the
              administrator's CSR (which will be presented to the external
              CA).  Defaults to
              '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr'.

       pki_external_audit_signing_csr_path

              Will be generated by the first step of a stand-alone PKI
              process.  This is the location of the file containing the audit
              signing CSR (which will be presented to the external CA).
              Defaults to
              '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr'.

       pki_external_sslserver_csr_path

              Will be generated by the first step of a stand-alone PKI
              process.  This is the location of the file containing the SSL
              server CSR (which will be presented to the external CA).
              Defaults to
              '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr'.

       pki_external_storage_csr_path

              [KRA ONLY] Will be generated by the first step of a stand-alone
              KRA process.  This is the location of the file containing the
              storage CSR (which will be presented to the external CA).
              Defaults to '%(pki_instance_configuration_path)s/kra_storage.csr'.

       pki_external_subsystem_csr_path

              Will be generated by the first step of a stand-alone PKI
              process.  This is the location of the file containing the
              subsystem CSR (which will be presented to the external CA).
              Defaults to
              '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr'.

       pki_external_transport_csr_path

              [KRA ONLY] Will be generated by the first step of a stand-alone
              KRA process.  This is the location of the file containing the
              transport CSR (which will be presented to the external CA).
              Defaults to '%(pki_instance_configuration_path)s/kra_transport.csr'.

       pki_external_step_two

              Specifies that this is the second step of a stand-alone PKI
              process.  Defaults to False.

       pki_cert_chain_path

              Required for the second step of a stand-alone PKI process.  This
              is the location of the file containing the external CA signing
              certificate (as issued by the external CA).  Defaults to
              '%(pki_instance_configuration_path)s/external_ca.cert'.

       pki_ca_signing_cert_path

              Required for the second step of a stand-alone PKI process.  This
              is the location of the file containing the external CA's
              certificate chain (as issued by the external CA).  Defaults to
              empty.

       pki_external_admin_cert_path

              Required for the second step of a stand-alone PKI process.  This
              is the location of the file containing the administrator's
              certificate (as issued by the external CA).  Defaults to
              '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert'.

       pki_external_audit_signing_cert_path

              Required for the second step of a stand-alone PKI process.  This
              is the location of the file containing the audit signing cer‐
697              tificate  (as  issued  by  the  external   CA).    Defaults   to
698              '%(pki_instance_configuration_path)s/%(pki_subsys‐
699              tem_type)s_audit_signing.cert'.
700
701       pki_external_sslserver_cert_path
702
703              Required for the second step of a stand-alone PKI process.  This
704              is the location of the file containing the sslserver certificate
705              (as   issued    by    the    external    CA).     Defaults    to
706              '%(pki_instance_configuration_path)s/%(pki_subsys‐
707              tem_type)s_sslserver.cert'.
708
709       pki_external_storage_cert_path
710
711              [KRA ONLY] Required for the second step  of  a  stand-alone  KRA
712              process.   This is the location of the file containing the stor‐
713              age certificate (as issued by the  external  CA).   Defaults  to
714              '%(pki_instance_configuration_path)s/kra_storage.cert'.
715
716       pki_external_subsystem_cert_path
717
718              Required for the second step of a stand-alone PKI process.  This
719              is the location of the file containing the subsystem certificate
720              (as    issued    by    the    external    CA).     Defaults   to
721              '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sub‐
722              system.cert'.
723
724       pki_external_transport_cert_path
725
726              [KRA  ONLY]  Required  for  the second step of a stand-alone KRA
727              process.  This is the location of the file containing the trans‐
728              port  certificate  (as  issued by the external CA).  Defaults to
729              '%(pki_instance_configuration_path)s/kra_transport.cert'.
730


   KRA PARAMETERS


       pki_kra_ephemeral_requests

              Specifies whether to use ephemeral requests for archivals and
              retrievals.  Defaults to False.


   TPS PARAMETERS


       pki_authdb_basedn

              Specifies the base DN of the TPS authentication database.

       pki_authdb_hostname

              Specifies the hostname of the TPS authentication database.
              Defaults to localhost.

       pki_authdb_port

              Specifies the port number of the TPS authentication database.
              Defaults to 389.

       pki_authdb_secure_conn

              Specifies whether to use a secure connection to the TPS
              authentication database.  Defaults to False.

       pki_enable_server_side_keygen

              Specifies whether to enable server-side key generation.
              Defaults to False.  The location of the KRA instance should be
              specified in the pki_kra_uri parameter.

       pki_ca_uri

              Specifies the URI of the CA instance used by TPS to create and
              revoke user certificates.  Defaults to the instance in which the
              TPS is running.

       pki_kra_uri

              Specifies the URI of the KRA instance used by TPS to archive and
              recover keys.  Required if server-side key generation is enabled
              using the pki_enable_server_side_keygen parameter.  Defaults to
              the instance in which the TPS is running.

       pki_tks_uri

              Specifies the URI of the TKS instance used by TPS to generate
              symmetric keys.  Defaults to the instance in which the TPS is
              running.

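       An added example, not taken from this man page or from the Dogtag
       project, showing a [TPS] override that sets the authentication
       database and peer subsystem parameters together.  The hostnames, the
       base DN, the URI form and the use of port 636 for the secure
       connection are assumptions; the URIs only need overriding when the
       CA, KRA or TKS run in a different instance, since they default to the
       TPS's own instance.

```ini
[DEFAULT]
# Assumed instance name for this example.
pki_instance_name=pki-tps

[TPS]
# Authentication database: TPS binds here with the credentials that token
# users present. Hostname and base DN are constructed for this example.
pki_authdb_hostname=ldap.example.com
pki_authdb_basedn=ou=People,dc=example,dc=com
# With the defaults (port 389, pki_authdb_secure_conn=False) those
# credentials travel over an unencrypted LDAP connection. Enabling the secure
# connection is assumed here to mean LDAPS on port 636; confirm the port with
# the directory server's configuration.
pki_authdb_port=636
pki_authdb_secure_conn=True

# Server-side key generation needs a reachable KRA: pki_kra_uri must be set
# whenever pki_enable_server_side_keygen is True and the KRA is not running
# in this instance.
pki_enable_server_side_keygen=True
# URIs of the peer subsystems. Hostnames are constructed; the https scheme and
# port 8443 are assumptions based on the usual Tomcat HTTPS port.
pki_ca_uri=https://ca.example.com:8443
pki_kra_uri=https://kra.example.com:8443
pki_tks_uri=https://tks.example.com:8443
```

       Because these parameters live in the [TPS] section, they are read
       after [DEFAULT] and [Tomcat] and override anything set there; putting
       pki_authdb_* keys in [DEFAULT] instead would have no effect on other
       subsystems but would still be picked up by the TPS.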

AUTHORS

       Ade Lee <alee@redhat.com>.  pkispawn was written by the Dogtag project.


COPYRIGHT

       Copyright (c) 2012 Red Hat, Inc. This is licensed under the GNU General
       Public License, version 2 (GPLv2). A copy of this license is available
       at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.



SEE ALSO

       pkispawn(8)



version 1.0                    December 13, 2012            pki_default.cfg(5)