pki_default.cfg(5)        PKI Server Default Deployment Configuration        pki_default.cfg(5)


NAME

       pki_default.cfg - PKI server default deployment configuration file.


LOCATION

       /usr/share/pki/server/etc/default.cfg


DESCRIPTION

       This file contains the default settings for a Certificate Server
       instance created using pkispawn.  This file should not be edited, as
       it can be modified when the Certificate Server packages are updated.
       Instead, when setting up a Certificate Server instance, a user should
       provide pkispawn with a configuration file containing overrides to
       the defaults in /usr/share/pki/server/etc/default.cfg.  See
       pkispawn(8) for details.


SECTIONS

       default.cfg contains parameters that are grouped into sections.
       These sections are stacked, so that parameters defined in earlier
       sections can be overwritten by parameters defined in later sections.
       The sections are read in the following order: [DEFAULT], [Tomcat],
       and the subsystem section ([CA], [KRA], [OCSP], [TKS], or [TPS]).
       This allows parameters shared by all subsystems to be specified in
       [DEFAULT] or [Tomcat], and subsystem-specific customization to be
       placed in the subsystem section.

       There are a small number of bootstrap parameters which are passed in
       the configuration file by pkispawn.  Other parameters' values can be
       interpolated tokens rather than explicit values.  For example:

              pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA

       This substitutes the value of pki_instance_name into the parameter
       value.  It is possible to interpolate any non-password parameter
       within a section or in [DEFAULT].  Any parameter used in
       interpolation can ONLY be overridden within the same section.  So,
       for example, pki_instance_name should only be overridden in
       [DEFAULT]; otherwise, interpolations can fail.

       Note: Any non-password parameter value in the configuration file
       that needs to contain a % character must be properly escaped.  For
       example, a value of foo%bar would be specified as foo%%bar in the
       configuration file.

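       The stacking, interpolation and %% escaping rules described above,
       worked through with Python's standard configparser module, which
       uses the same %(name)s token syntax.  This is an added example, not
       code from pkispawn or the pki project: the abbreviated default.cfg
       and the override file are constructed stand-ins, the section list
       and the flattening order follow the description above, and treating
       *_password options as raw, uninterpolated values is an assumption
       made here to mirror the non-password rule.

```python
import configparser

# Constructed, abbreviated stand-in for /usr/share/pki/server/etc/default.cfg.
# Only a handful of parameters are shown; the values mirror defaults named
# in the man page.
DEFAULT_CFG = """\
[DEFAULT]
pki_instance_name=pki-tomcat
pki_https_port=8443
pki_http_port=8080
pki_hsm_enable=False

[Tomcat]
pki_ajp_host=localhost
pki_ajp_port=8009
pki_tomcat_server_port=8005

[CA]
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
pki_admin_uid=caadmin
"""

# Constructed override file of the kind a user hands to pkispawn.
# pki_instance_name is overridden in [DEFAULT], the section where default.cfg
# defines it, so the %(pki_instance_name)s reference in [CA] picks it up.
# The subject DN needs a literal %, so it is written as %%.
OVERRIDE_CFG = """\
[DEFAULT]
pki_instance_name=pki-prod

[CA]
pki_admin_password=pa55%word
pki_ca_signing_subject_dn=CN=CA Signing Certificate,O=100%% Example
"""

# Sections read between [DEFAULT] and the subsystem section, in order.
INTERMEDIATE_SECTIONS = ["Tomcat"]


def load_stacked(*sources):
    """Read default.cfg first, then each override, into one parser.

    Later sources overwrite earlier values of the same option; %(name)s
    references are resolved lazily by configparser's BasicInterpolation.
    """
    parser = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for text in sources:
        parser.read_string(text)
    return parser


def is_password(key):
    # Assumption: password parameters are taken verbatim (no interpolation,
    # no %% unescaping), as the man page's non-password rule implies.
    return key.endswith("password")


def get_value(parser, section, key):
    return parser.get(section, key, raw=is_password(key))


def effective_params(parser, subsystem):
    """Flatten [DEFAULT] -> [Tomcat] -> [<subsystem>] so later sections win."""
    params = {}
    for section in INTERMEDIATE_SECTIONS + [subsystem]:
        for key in parser.options(section):      # includes [DEFAULT] options
            params[key] = get_value(parser, section, key)
    return params


def interpolation_errors(parser, subsystem):
    """Map option -> error text for each non-password value that fails to interpolate.

    A bare % (neither %% nor %(name)s) and a reference to an option the section
    cannot see both surface here, before any value is acted on.
    """
    errors = {}
    for section in INTERMEDIATE_SECTIONS + [subsystem]:
        for key in parser.options(section):
            if is_password(key):
                continue
            try:
                parser.get(section, key)
            except configparser.InterpolationError as exc:
                errors[key] = str(exc)
    return errors


if __name__ == "__main__":
    cfg = load_stacked(DEFAULT_CFG, OVERRIDE_CFG)
    for key, value in sorted(effective_params(cfg, "CA").items()):
        print(f"{key}={value}")
    broken = load_stacked(DEFAULT_CFG, "[CA]\npki_ca_signing_subject_dn=CN=50%Off\n")
    print(interpolation_errors(broken, "CA"))
```

       Running the script prints the flattened [CA] view, with the nickname
       already carrying the overridden instance name and the password left
       exactly as written, and then reports the unescaped % in the second,
       deliberately broken override as an interpolation error.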

PRE-CHECK PARAMETERS

       Once the configuration parameters have been constructed from the
       above sections and overrides, pkispawn will perform a series of basic
       tests to determine if the parameters being passed in are valid and
       consistent, before starting any installation.  In pre-check mode,
       these tests are executed and then pkispawn exits.

       It is possible to disable specific tests by setting the directives
       below.  While all these tests should pass to ensure a successful
       installation, it may be reasonable to skip tests in pre-check mode.

       pki_skip_ds_verify
       Skip verification of the Directory Server credentials.  In this test,
       pkispawn attempts to bind to the directory server instance for the
       internal database using the provided credentials.  This could be
       skipped if the directory server instance does not yet exist or is
       inaccessible.  Defaults to False.

       pki_skip_sd_verify
       Skip verification of the security domain user/password.  In this
       test, pkispawn attempts to log onto the security domain using the
       provided credentials.  This can be skipped if the security domain is
       unavailable.  Defaults to False.


GENERAL INSTANCE PARAMETERS

       The parameters described below, as well as the parameters located in
       the following sections, can be customized as part of a deployment.
       This list is not exhaustive.

       pki_instance_name
       Name of the instance.  The instance is located at
       /var/lib/pki/instance_name.  For Java subsystems, the default is
       specified as pki-tomcat.

       pki_https_port, pki_http_port
       Secure and unsecure ports.  Defaults to standard Tomcat ports 8443
       and 8080, respectively.

       pki_ajp_port, pki_tomcat_server_port
       Ports for Tomcat subsystems.  Defaults to standard Tomcat ports of
       8009 and 8005, respectively.

       pki_ajp_host
       Host on which to listen for AJP requests.  Defaults to localhost to
       listen to local traffic only.

       pki_proxy_http_port, pki_proxy_https_port, pki_enable_proxy
       Ports for an Apache proxy server.  Certificate Server instances can
       be run behind an Apache proxy server, which will communicate with the
       Tomcat instance through the AJP port.  See the Red Hat Certificate
       System documentation
       ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩
       for details.

       pki_user, pki_group, pki_audit_group
       Specifies the default administrative user, group, and auditor group
       identities for PKI instances.  The default user and group are both
       specified as pkiuser, and the default audit group is specified as
       pkiaudit.

       pki_token_name, pki_token_password
       The token and password where this instance's system certificate and
       keys are stored.  Defaults to the NSS internal software token.

       pki_hsm_enable, pki_hsm_libfile, pki_hsm_modulename
       If an optional hardware security module (HSM) is being utilized
       (rather than the default software security module included in NSS),
       then the pki_hsm_enable parameter must be set to True (by default
       this parameter is False), and values must be supplied for both the
       pki_hsm_libfile (e.g. /opt/nfast/toolkits/pkcs11/libcknfast.so) and
       pki_hsm_modulename parameters (e.g. nethsm).

   SYSTEM CERTIFICATE PARAMETERS
       pkispawn sets up a number of system certificates for each subsystem.
       The system certificates which are required differ between
       subsystems.  Each system certificate is denoted by a tag, as noted
       below.  The different system certificates are:

              · signing certificate ("ca_signing").  Used to sign other
                certificates.  Required for CA.

              · OCSP signing certificate ("ocsp_signing" in CA, "signing" in
                OCSP).  Used to sign CRLs.  Required for OCSP and CA.

              · storage certificate ("storage").  Used to encrypt keys for
                storage in KRA.  Required for KRA only.

              · transport certificate ("transport").  Used to encrypt keys
                in transport to the KRA.  Required for KRA only.

              · subsystem certificate ("subsystem").  Used to communicate
                between subsystems within the security domain.  Issued by
                the security domain CA.  Required for all subsystems.

              · server certificate ("sslserver").  Used for communication
                with the server.  One server certificate is required for
                each Certificate Server instance.

              · audit signing certificate ("audit_signing").  Used to sign
                audit logs.  Required for all subsystems except the RA.

       Each system certificate can be customized using the parameters
       below:

       pki_<tag>_key_type, pki_<tag>_key_size, pki_<tag>_key_algorithm
       Characteristics of the private key.  See the Red Hat Certificate
       System documentation
       ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩
       for possible options.  The defaults are RSA for the type, 2048 bits
       for the key size, and SHA256withRSA for the algorithm.

       pki_<tag>_signing_algorithm
       For signing certificates, the algorithm used for signing.  Defaults
       to SHA256withRSA.

       pki_<tag>_token
       Location where the certificate and private key are stored.  Defaults
       to the internal software NSS token database.

       pki_<tag>_nickname
       Nickname for the certificate in the token database.

       pki_<tag>_subject_dn
       Subject DN for the certificate.  The subject DN for the SSL server
       certificate must include CN=hostname.

   ADMIN USER PARAMETERS
       pkispawn creates a bootstrap administrative user that is a member of
       all the necessary groups to administer the installed subsystem.  On
       a security domain CA, the CA administrative user is also a member of
       the groups required to register a new subsystem on the security
       domain.  The certificate and keys for this administrative user are
       stored in a PKCS #12 file in pki_client_dir, and can be imported
       into a browser to administer the system.

       pki_admin_name, pki_admin_uid
       Name and UID of this administrative user.  Defaults to caadmin for
       CA, kraadmin for KRA, etc.

       pki_admin_password
       Password for the admin user.  This password is used to log into the
       pki-console (unless client authentication is enabled), as well as to
       log into the security domain CA.

       pki_admin_email
       Email address for the admin user.

       pki_admin_dualkey, pki_admin_key_size, pki_admin_key_type,
       pki_admin_key_algorithm
       Settings for the administrator certificate and keys.

       pki_admin_subject_dn
       Subject DN for the administrator certificate.  Defaults to cn=PKI
       Administrator, e=%(pki_admin_email)s, o=%(pki_security_domain_name)s.

       pki_admin_nickname
       Nickname for the administrator certificate.

       pki_import_admin_cert
       Set to True to import an existing admin certificate for the admin
       user, rather than generating a new one.  A subsystem-specific
       administrator will still be created within the subsystem's LDAP
       tree.  This is useful to allow multiple subsystems within the same
       instance to be more easily administered from the same browser by
       using a single certificate.

       By default, this is set to False for CA subsystems and True for KRA,
       OCSP, TKS, and TPS subsystems.  In this case, the admin certificate
       is read from the file ca_admin.cert in pki_client_dir.

       Note that cloned subsystems do not create a new administrative user.
       The administrative user of the master subsystem is used instead, and
       the details of this master user are replicated during the install.

       pki_client_admin_cert_p12
       Location for the PKCS #12 file containing the administrative user's
       certificate and keys.  For a CA, this defaults to ca_admin_cert.p12
       in the pki_client_dir directory.

   BACKUP PARAMETERS
       pki_backup_keys, pki_backup_password
       Set to True to back up the subsystem certificates and keys to a PKCS
       #12 file.  This file will be located in
       /var/lib/pki/instance_name/alias.  pki_backup_password is the
       password of the PKCS #12 file.

       Important: Keys in an HSM may not be extractable, so they may not be
       able to be exported into a PKCS #12 file.  Therefore, if
       pki_hsm_enable is set to True, pki_backup_keys should be set to
       False and pki_backup_password should be left unset (the default
       values in /usr/share/pki/server/etc/default.cfg).  Failure to do so
       will result in pkispawn reporting this error and exiting.

   CLIENT DIRECTORY PARAMETERS
       pki_client_dir
       This is the location where all client data used during the
       installation is stored.  At the end of the invocation of pkispawn,
       the administrative user's certificate and keys are stored in a PKCS
       #12 file in this location.

       Note: When using an HSM, it is currently recommended NOT to specify
       a value for pki_client_dir that is different from the default value.

       pki_client_database_dir, pki_client_database_password
       Location where an NSS token database is created in order to generate
       a key for the administrative user.  Usually, the data in this
       location is removed at the end of the installation, as the keys and
       certificates are stored in a PKCS #12 file in pki_client_dir.

       pki_client_database_purge
       Set to True to remove pki_client_database_dir at the end of the
       installation.  Defaults to True.

   INTERNAL DATABASE PARAMETERS
       pki_ds_hostname, pki_ds_ldap_port, pki_ds_ldaps_port
       Hostname and ports for the internal database.  Defaults to
       localhost, 389, and 636, respectively.

       pki_ds_bind_dn, pki_ds_password
       Credentials to connect to the database during installation.
       Directory Manager-level access is required during installation to
       set up the relevant schema and database.  During the installation, a
       more restricted PKI user is set up for client-authenticated
       connections to the database.  Some additional configuration is
       required, including setting up the directory server to use SSL.  See
       the documentation for details.

       pki_ds_secure_connection
       Sets whether to require connections to the Directory Server using
       LDAPS.  This requires SSL to be set up on the Directory Server
       first.  Defaults to false.

       pki_ds_secure_connection_ca_nickname
       Once a Directory Server CA certificate has been imported into the
       PKI security databases (see pki_ds_secure_connection_ca_pem_file),
       pki_ds_secure_connection_ca_nickname will contain the nickname under
       which it is stored.  The default.cfg file contains a default value
       for this nickname.  This parameter is only utilized when
       pki_ds_secure_connection has been set to true.

       pki_ds_secure_connection_ca_pem_file
       The pki_ds_secure_connection_ca_pem_file parameter will consist of
       the fully-qualified path including the filename of a file which
       contains an exported copy of a Directory Server's CA certificate.
       While this parameter is only utilized when pki_ds_secure_connection
       has been set to true, a valid value is required for this parameter
       whenever this condition exists.

       pki_ds_remove_data
       Sets whether to remove any data from the base DN before starting the
       installation.  Defaults to True.

       pki_ds_base_dn
       The base DN for the internal database.  It is advised that the
       Certificate Server have its own base DN for its internal database.
       If the base DN does not exist, it will be created during the running
       of pkispawn.  For a cloned subsystem, the base DN for the clone
       subsystem MUST be the same as for the master subsystem.

       pki_ds_database
       Name of the back-end database.  It is advised that the Certificate
       Server have its own base DN for its internal database.  If the
       back-end does not exist, it will be created during the running of
       pkispawn.

   ISSUING CA PARAMETERS
       pki_issuing_ca_hostname, pki_issuing_ca_https_port, pki_issuing_ca_uri
       Hostname and port, or URI of the issuing CA.  Required for
       installations of subordinate CA and non-CA subsystems.  This should
       point to the CA that will issue the relevant system certificates for
       the subsystem.  In a default install, this defaults to the CA
       subsystem within the same instance.  The URI has the format
       https://ca_hostname:ca_https_port.

   MISCELLANEOUS PARAMETERS
       pki_restart_configured_instance
       Sets whether to restart the instance after configuration is
       complete.  Defaults to True.

       pki_enable_access_log
       Located in the [Tomcat] section, this variable determines whether
       the instance will enable (True) or disable (False) Tomcat access
       logging.  Defaults to True.

       pki_enable_java_debugger
       Sets whether to attach a Java debugger such as Eclipse to the
       instance for troubleshooting.  Defaults to False.

       pki_enable_on_system_boot
       Sets whether or not PKI instances should be started upon system
       boot.

       Currently, if this PKI subsystem exists within a shared instance,
       and it has been configured to start upon system boot, then ALL other
       previously configured PKI subsystems within this shared instance
       will start upon system boot.

       Similarly, if this PKI subsystem exists within a shared instance,
       and it has been configured to NOT start upon system boot, then ALL
       other previously configured PKI subsystems within this shared
       instance will NOT start upon system boot.

       Additionally, if more than one PKI instance exists, no granularity
       exists which allows one PKI instance to be enabled while another PKI
       instance is disabled (i.e. PKI instances are either all enabled or
       all disabled).  To provide this capability, the PKI instances must
       reside on separate machines.

       Defaults to True (see the following note on why this was previously
       'False').

       Note: Since this parameter did not exist prior to Dogtag 10.2.3, the
       default behavior of PKI instances in Dogtag 10.2.2 and prior was
       False.  To manually enable this behavior, obtain superuser
       privileges, and execute 'systemctl enable pki-tomcatd.target'; to
       manually disable this behavior, execute 'systemctl disable
       pki-tomcatd.target'.

       pki_security_manager
       Enables the Java security manager policies provided by the JDK to be
       used with the instance.  Defaults to True.

   SECURITY DOMAIN PARAMETERS
       The security domain is a component that facilitates communication
       between subsystems.  The first CA installed hosts this component and
       is used to register subsequent subsystems with the security domain.
       These subsystems can communicate with each other using their
       subsystem certificate, which is issued by the security domain CA.
       For more information about the security domain component, see the
       Red Hat Certificate System documentation
       ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩.

       pki_security_domain_hostname, pki_security_domain_https_port
       Location of the security domain.  Required for KRA, OCSP, TKS, and
       TPS subsystems and for CA subsystems joining a security domain.
       Defaults to the location of the CA subsystem within the same
       instance.

       pki_security_domain_user, pki_security_domain_password
       Administrative user of the security domain.  Required for KRA, OCSP,
       TKS, and TPS subsystems, and for CA subsystems joining a security
       domain.  Defaults to the administrative user for the CA subsystem
       within the same instance (caadmin).

       pki_security_domain_name
       The name of the security domain.  This is required for the security
       domain CA.

   CLONE PARAMETERS
       pki_clone
       Installs a clone, rather than an original, subsystem.

       pki_clone_pkcs12_password, pki_clone_pkcs12_path
       Location and password of the PKCS #12 file containing the system
       certificates for the master subsystem being cloned.  This file
       should be readable by the user that the Certificate Server is
       running as (default of pkiuser), and have the correct SELinux
       context (pki_tomcat_cert_t).  This can be achieved by placing the
       file in /var/lib/pki/instance_name/alias.

       Important: Keys in an HSM may not be extractable, so they may not be
       able to be exported into a PKCS #12 file.  For the case of clones
       using an HSM, this means that the HSM keys must be shared between
       the master and its clones.  Therefore, if pki_hsm_enable is set to
       True, both pki_clone_pkcs12_path and pki_clone_pkcs12_password
       should be left unset (the default values in
       /usr/share/pki/server/etc/default.cfg).  Failure to do so will
       result in pkispawn reporting this error and exiting.

       pki_clone_setup_replication
       Defaults to True.  If set to False, the installer does not set up
       replication agreements from the master to the clone as part of the
       subsystem configuration.  In this case, it is expected that the top
       level suffix already exists, and that the data has already been
       replicated.  This option is useful if you want to use other tools to
       create and manage your replication topology, or if the baseDN is
       already replicated as part of a top-level suffix.

       pki_clone_reindex_data
       Defaults to False.  This parameter is only relevant when
       pki_clone_setup_replication is set to False.  In this case, it is
       expected that the database has been prepared and replicated as
       noted above.  Part of that preparation could involve adding indexes
       and indexing the data.  If you would like the Dogtag installer to
       add the indexes and reindex the data instead, set
       pki_clone_reindex_data to True.

       pki_clone_replication_master_port, pki_clone_replication_clone_port
       Ports on which replication occurs.  These are the ports on the
       master and clone databases respectively.  Defaults to the internal
       database port.

       pki_clone_replicate_schema
       Replicate schema when the replication agreement is set up and the
       new instance (consumer) is initialized.  Otherwise, the schema must
       be installed in the clone as a separate step beforehand.  This does
       not usually have to be changed.  Defaults to True.

       pki_clone_replication_security
       The type of security used for the replication data.  This can be
       set to SSL (using LDAPS), TLS, or None.  Defaults to None.  For SSL
       and TLS, SSL must be set up for the database instances beforehand.

       pki_master_hostname, pki_master_https_port, pki_clone_uri
       Hostname and port, or URI of the subsystem being cloned.  The URI
       format is https://master_hostname:master_https_port where the
       default master hostname and https port are set to be the security
       domain's hostname and https port.

   CA SERIAL NUMBER PARAMETERS
       pki_serial_number_range_start, pki_serial_number_range_end
       Sets the range of serial numbers to be used when issuing
       certificates.  Values here are hexadecimal (without the 0x prefix).
       It is useful to override these values when migrating data from
       another CA, so that serial number conflicts do not occur.  Defaults
       to 1 and 10000000 respectively.

       pki_request_number_range_start, pki_request_number_range_end
       Sets the range of request numbers to be used by the CA.  Values here
       are decimal.  It is useful to override these values when migrating
       data from another CA, so that request number conflicts do not occur.
       Defaults to 1 and 10000000 respectively.

       pki_replica_number_range_start, pki_replica_number_range_end
       Sets the range of replica numbers to be used by the CA.  These
       numbers are used to identify database replicas in a replication
       topology.  Values here are decimal.  Defaults to 1 and 100
       respectively.

   EXTERNAL CA CERTIFICATE PARAMETERS
       pki_external
       Sets whether the new CA will have a signing certificate that will be
       issued by an external CA.  This is a two-step process.  In the first
       step, a CSR to be presented to the external CA is generated.  In the
       second step, the issued signing certificate and certificate chain
       are provided to the pkispawn utility to complete the installation.
       Defaults to False.

       pki_ca_signing_csr_path
       Required in the first step of the external CA signing process.  The
       CSR will be printed to the screen and stored in this location.

       pki_req_ski
       Include a Subject Key Identifier extension in the CSR.  The value is
       either a hex-encoded byte string (without leading "0x"), or the
       string "DEFAULT" which will derive a value from the public key.

       pki_external_step_two
       Specifies that this is the second step of the external CA process.
       Defaults to False.

       pki_ca_signing_cert_path, pki_cert_chain_path
       Required for the second step of the external CA signing process.
       This is the location of the CA signing cert (as issued by the
       external CA) and the external CA's certificate chain.

   SUBORDINATE CA CERTIFICATE PARAMETERS
       pki_subordinate
       Specifies whether the new CA will be a subordinate of another CA.
       The master CA is specified by pki_issuing_ca.  Defaults to False.

       pki_subordinate_create_new_security_domain
       Set to True if the subordinate CA will host its own security domain.
       Defaults to False.

       pki_subordinate_security_domain_name
       Used when pki_subordinate_create_new_security_domain is set to True.
       Specifies the name of the security domain to be hosted on the
       subordinate CA.

   STANDALONE PKI PARAMETERS
       A stand-alone PKI subsystem is defined as a non-CA PKI subsystem
       that does not contain a CA as a part of its deployment, and
       functions as its own security domain.  Currently, only stand-alone
       KRAs are supported.

       pki_standalone
       Sets whether or not the new PKI subsystem will be stand-alone.  This
       is a two-step process.  In the first step, CSRs for each of this
       stand-alone PKI subsystem's certificates will be generated so that
       they may be presented to the external CA.  In the second step, the
       issued certificates, external CA certificate, and external CA
       certificate chain are provided to the pkispawn utility to complete
       the installation.  Defaults to False.

       pki_external_admin_csr_path
       Will be generated by the first step of a stand-alone PKI process.
       This is the location of the file containing the administrator's CSR
       (which will be presented to the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr'.

       pki_external_audit_signing_csr_path
       Will be generated by the first step of a stand-alone PKI process.
       This is the location of the file containing the audit signing CSR
       (which will be presented to the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr'.

       pki_external_sslserver_csr_path
       Will be generated by the first step of a stand-alone PKI process.
       This is the location of the file containing the SSL server CSR
       (which will be presented to the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr'.

       pki_external_storage_csr_path
       [KRA ONLY] Will be generated by the first step of a stand-alone KRA
       process.  This is the location of the file containing the storage
       CSR (which will be presented to the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/kra_storage.csr'.

       pki_external_subsystem_csr_path
       Will be generated by the first step of a stand-alone PKI process.
       This is the location of the file containing the subsystem CSR (which
       will be presented to the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr'.

       pki_external_transport_csr_path
       [KRA ONLY] Will be generated by the first step of a stand-alone KRA
       process.  This is the location of the file containing the transport
       CSR (which will be presented to the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/kra_transport.csr'.

       pki_external_step_two
       Specifies that this is the second step of a stand-alone PKI
       process.  Defaults to False.

       pki_cert_chain_path
       Required for the second step of a stand-alone PKI process.  This is
       the location of the file containing the external CA signing
       certificate (as issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/external_ca.cert'.

       pki_ca_signing_cert_path
       Required for the second step of a stand-alone PKI process.  This is
       the location of the file containing the external CA's certificate
       chain (as issued by the external CA).  Defaults to empty.

       pki_external_admin_cert_path
       Required for the second step of a stand-alone PKI process.  This is
       the location of the file containing the administrator's certificate
       (as issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert'.

       pki_external_audit_signing_cert_path
       Required for the second step of a stand-alone PKI process.  This is
       the location of the file containing the audit signing certificate
       (as issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert'.

       pki_external_sslserver_cert_path
       Required for the second step of a stand-alone PKI process.  This is
       the location of the file containing the sslserver certificate (as
       issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert'.

       pki_external_storage_cert_path
       [KRA ONLY] Required for the second step of a stand-alone KRA
       process.  This is the location of the file containing the storage
       certificate (as issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/kra_storage.cert'.

       pki_external_subsystem_cert_path
       Required for the second step of a stand-alone PKI process.  This is
       the location of the file containing the subsystem certificate (as
       issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert'.

       pki_external_transport_cert_path
       [KRA ONLY] Required for the second step of a stand-alone KRA
       process.  This is the location of the file containing the transport
       certificate (as issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/kra_transport.cert'.

   KRA PARAMETERS
       pki_kra_ephemeral_requests
       Specifies to use ephemeral requests for archivals and retrievals.
       Defaults to False.

   TPS PARAMETERS
       pki_authdb_basedn
       Specifies the base DN of the TPS authentication database.

       pki_authdb_hostname
       Specifies the hostname of the TPS authentication database.  Defaults
       to localhost.

       pki_authdb_port
       Specifies the port number of the TPS authentication database.
       Defaults to 389.

       pki_authdb_secure_conn
       Specifies whether to use a secure connection to the TPS
       authentication database.  Defaults to False.

       pki_enable_server_side_keygen
       Specifies whether to enable server-side key generation.  Defaults to
       False.  The location of the KRA instance should be specified in the
       pki_kra_uri parameter.

       pki_ca_uri
       Specifies the URI of the CA instance used by TPS to create and
       revoke user certificates.  Defaults to the instance in which the TPS
       is running.

       pki_kra_uri
       Specifies the URI of the KRA instance used by TPS to archive and
       recover keys.  Required if server-side key generation is enabled
       using the pki_enable_server_side_keygen parameter.  Defaults to the
       instance in which the TPS is running.

       pki_tks_uri
       Specifies the URI of the TKS instance used by TPS to generate
       symmetric keys.  Defaults to the instance in which the TPS is
       running.


SEE ALSO

       pkispawn(8)


AUTHORS

       Ade Lee <alee@redhat.com>.


COPYRIGHT

       Copyright (c) 2012 Red Hat, Inc.  This is licensed under the GNU
       General Public License, version 2 (GPLv2).  A copy of this license
       is available at ⟨http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt⟩.



PKI                            December 13, 2012            pki_default.cfg(5)