pki_default.cfg(5)      PKI Server Default Deployment Configuration      pki_default.cfg(5)

NAME

       pki_default.cfg - PKI server default deployment configuration file.

LOCATION

       /usr/share/pki/server/etc/default.cfg

DESCRIPTION

       This file contains the default settings for a Certificate Server
       instance created using pkispawn.  This file should not be edited, as it
       can be modified when the Certificate Server packages are updated.
       Instead, when setting up a Certificate Server instance, a user should
       provide pkispawn with a configuration file containing overrides to the
       defaults in /usr/share/pki/server/etc/default.cfg.  See pkispawn(8) for
       details.

SECTIONS

       default.cfg contains parameters that are grouped into sections.  These
       sections are stacked, so that parameters defined in earlier sections
       can be overwritten by parameters defined in later sections.  The
       sections are read in the following order: [DEFAULT], [Tomcat], and the
       subsystem section ([CA], [KRA], [OCSP], [TKS], or [TPS]).  This makes
       it possible to place parameters shared by all subsystems in [DEFAULT]
       or [Tomcat], and subsystem-specific customization in the subsystem
       section.

       There are a small number of bootstrap parameters which are passed in
       the configuration file by pkispawn.  Other parameters' values can be
       interpolated tokens rather than explicit values.  For example:

              pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA

       This substitutes the value of pki_instance_name into the parameter
       value.  It is possible to interpolate any non-password parameter within
       a section or in [DEFAULT].  Interpolation is resolved within the
       section being read, so any parameter used in interpolation can ONLY be
       overridden within the same section.  For example, pki_instance_name
       should only be overridden in [DEFAULT]; otherwise, interpolations can
       fail or resolve to inconsistent values in different sections.

       Note: Any non-password parameter value in the configuration file that
       needs to contain a % character must be properly escaped.  For example,
       a value of foo%bar would be specified as foo%%bar in the configuration
       file.  Password parameters are not interpolated and are therefore not
       escaped.


PRE-CHECK PARAMETERS

       Once the configuration parameters have been constructed from the above
       sections and overrides, pkispawn performs a series of basic tests to
       determine whether the parameters being passed in are valid and
       consistent, before starting any installation.  In pre-check mode, these
       tests are executed and then pkispawn exits without installing anything.

       It is possible to disable specific tests by setting the directives
       below.  While all these tests should pass to ensure a successful
       installation, it may be reasonable to skip tests in pre-check mode, for
       example when validating a configuration before the Directory Server or
       the security domain CA has been deployed.

       pki_skip_ds_verify
       Skip verification of the Directory Server credentials.  In this test,
       pkispawn attempts to bind to the directory server instance for the
       internal database using the provided credentials.  This could be
       skipped if the directory server instance does not yet exist or is
       inaccessible.  Defaults to False.

       pki_skip_sd_verify
       Skip verification of the security domain user/password.  In this test,
       pkispawn attempts to log onto the security domain using the provided
       credentials.  This can be skipped if the security domain is
       unavailable.  Defaults to False.


GENERAL INSTANCE PARAMETERS

       The parameters described below, as well as the parameters located in
       the following sections, can be customized as part of a deployment.
       This list is not exhaustive.

       pki_instance_name
       Name of the instance.  The instance is located at
       /var/lib/pki/instance_name.  For Java subsystems, the default is
       pki-tomcat.

       pki_https_port, pki_http_port
       Secure (HTTPS) and unsecured (plain HTTP) ports.  Defaults to the
       standard Tomcat ports 8443 and 8080, respectively.

       pki_ajp_port, pki_tomcat_server_port
       AJP connector port and Tomcat shutdown port.  Defaults to the standard
       Tomcat ports of 8009 and 8005, respectively.

       pki_ajp_host
       Host on which to listen for AJP requests.  Defaults to localhost so
       that only local traffic (for example, from a proxy on the same host)
       is accepted.

       pki_proxy_http_port, pki_proxy_https_port, pki_enable_proxy
       Ports for an Apache proxy server.  Certificate Server instances can be
       run behind an Apache proxy server, which will communicate with the
       Tomcat instance through the AJP port.  See the Red Hat Certificate
       System documentation
       ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩
       for details.

       pki_user, pki_group, pki_audit_group
       Specifies the default user, group, and audit group identities for PKI
       instances.  The default user and group are both pkiuser, and the
       default audit group is pkiaudit.

       pki_token_name, pki_token_password
       The token where this instance's system certificates and keys are
       stored, and its password.  Defaults to the NSS internal software token.

       pki_hsm_enable, pki_hsm_libfile, pki_hsm_modulename
       If an optional hardware security module (HSM) is being utilized (rather
       than the default software security module included in NSS), then the
       pki_hsm_enable parameter must be set to True (by default this parameter
       is False), and values must be supplied for both the pki_hsm_libfile
       (e.g. /opt/nfast/toolkits/pkcs11/libcknfast.so) and pki_hsm_modulename
       parameters (e.g. nethsm).

   SYSTEM CERTIFICATE PARAMETERS
       pkispawn sets up a number of system certificates for each subsystem.
       The system certificates which are required differ between subsystems.
       Each system certificate is denoted by a tag, as noted below.  The
       different system certificates are:

              · signing certificate ("ca_signing").  Used to sign other
                certificates.  Required for CA.

              · OCSP signing certificate ("ocsp_signing" in CA, "signing" in
                OCSP).  Used to sign OCSP responses.  Required for OCSP and
                CA.

              · storage certificate ("storage").  Used to encrypt keys for
                storage in KRA.  Required for KRA only.

              · transport certificate ("transport").  Used to encrypt keys in
                transport to the KRA.  Required for KRA only.

              · subsystem certificate ("subsystem").  Used to communicate
                between subsystems within the security domain.  Issued by the
                security domain CA.  Required for all subsystems.

              · server certificate ("sslserver").  Used for TLS connections to
                the server.  One server certificate is required for each
                Certificate Server instance.

              · audit signing certificate ("audit_signing").  Used to sign
                audit logs.  Required for all subsystems except the RA.

       Each system certificate can be customized using the parameters below:

       pki_<tag>_key_type, pki_<tag>_key_size, pki_<tag>_key_algorithm
       Characteristics of the private key.  See the Red Hat Certificate System
       documentation
       ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩
       for possible options.  The defaults are RSA for the type, 2048 bits
       for the key size, and SHA256withRSA for the algorithm.

       pki_<tag>_signing_algorithm
       For signing certificates, the algorithm used for signing.  Defaults to
       SHA256withRSA.

       pki_<tag>_token
       Location where the certificate and private key are stored.  Defaults to
       the internal software NSS token database.

       pki_<tag>_nickname
       Nickname for the certificate in the token database.

       pki_<tag>_subject_dn
       Subject DN for the certificate.  The subject DN for the SSL Server
       certificate must include CN=hostname.

   ADMIN USER PARAMETERS
       pkispawn creates a bootstrap administrative user that is a member of
       all the necessary groups to administer the installed subsystem.  On a
       security domain CA, the CA administrative user is also a member of the
       groups required to register a new subsystem on the security domain.
       The certificate and keys for this administrative user are stored in a
       PKCS #12 file in pki_client_dir, and can be imported into a browser to
       administer the system.

       pki_admin_name, pki_admin_uid
       Name and UID of this administrative user.  Defaults to caadmin for CA,
       kraadmin for KRA, etc.

       pki_admin_password
       Password for the admin user.  This password is used to log into the
       pki-console (unless client authentication is enabled), as well as to
       log into the security domain CA.

       pki_admin_email
       Email address for the admin user.

       pki_admin_dualkey, pki_admin_key_size, pki_admin_key_type,
       pki_admin_key_algorithm
       Settings for the administrator certificate and keys.

       pki_admin_subject_dn
       Subject DN for the administrator certificate.  Defaults to cn=PKI
       Administrator, e=%(pki_admin_email)s, o=%(pki_security_domain_name)s.

       pki_admin_nickname
       Nickname for the administrator certificate.

       pki_import_admin_cert
       Set to True to import an existing admin certificate for the admin user,
       rather than generating a new one.  A subsystem-specific administrator
       will still be created within the subsystem's LDAP tree.  This is useful
       to allow multiple subsystems within the same instance to be more easily
       administered from the same browser by using a single certificate.

       By default, this is set to False for CA subsystems and True for KRA,
       OCSP, TKS, and TPS subsystems.  In this case, the admin certificate is
       read from the file ca_admin.cert in pki_client_dir.

       Note that cloned subsystems do not create a new administrative user.
       The administrative user of the master subsystem is used instead, and
       the details of this master user are replicated during the install.

       pki_client_admin_cert_p12
       Location for the PKCS #12 file containing the administrative user's
       certificate and keys.  For a CA, this defaults to ca_admin_cert.p12 in
       the pki_client_dir directory.

   BACKUP PARAMETERS
       pki_backup_keys, pki_backup_file, pki_backup_password
       Set pki_backup_keys to True to back up the subsystem certificates and
       keys to a PKCS #12 file specified in pki_backup_file (default is
       /etc/pki/instance_name/alias/subsystem_backup_keys.p12).
       pki_backup_password is the password of the PKCS #12 file.

       Important: Keys in an HSM may not be extractable, so they may not be
       able to be exported into a PKCS #12 file.  Therefore, if pki_hsm_enable
       is set to True, pki_backup_keys should be set to False and
       pki_backup_password should be left unset (the default values in
       /usr/share/pki/server/etc/default.cfg).  Failure to do so will result
       in pkispawn reporting this error and exiting.

   CLIENT DIRECTORY PARAMETERS
       pki_client_dir
       This is the location where all client data used during the installation
       is stored.  At the end of the invocation of pkispawn, the
       administrative user's certificate and keys are stored in a PKCS #12
       file in this location.

       Note: When using an HSM, it is currently recommended to NOT specify a
       value for pki_client_dir that is different from the default value.

       pki_client_database_dir, pki_client_database_password
       Location where an NSS token database is created in order to generate a
       key for the administrative user.  Usually, the data in this location is
       removed at the end of the installation, as the keys and certificates
       are stored in a PKCS #12 file in pki_client_dir.

       pki_client_database_purge
       Set to True to remove pki_client_database_dir at the end of the
       installation.  Defaults to True.

   INTERNAL DATABASE PARAMETERS
       pki_ds_hostname, pki_ds_ldap_port, pki_ds_ldaps_port
       Hostname and ports for the internal database.  Defaults to localhost,
       389, and 636, respectively.

       pki_ds_bind_dn, pki_ds_password
       Credentials to connect to the database during installation.  Directory
       Manager-level access is required during installation to set up the
       relevant schema and database.  During the installation, a more
       restricted PKI user is set up for the subsystem's own connections to
       the database, which use client certificate authentication.  Some
       additional configuration is required for this, including setting up
       the directory server to use SSL.  See the documentation for details.

       pki_ds_secure_connection
       Sets whether to require connections to the Directory Server using
       LDAPS.  This requires SSL to be set up on the Directory Server first.
       Defaults to False.  With the default, the bind credentials and all
       database traffic travel over plain LDAP, so this should be set to True
       whenever the Directory Server is not on the same host as the instance.

       pki_ds_secure_connection_ca_nickname
       Once a Directory Server CA certificate has been imported into the PKI
       security databases (see pki_ds_secure_connection_ca_pem_file),
       pki_ds_secure_connection_ca_nickname will contain the nickname under
       which it is stored.  The default.cfg file contains a default value for
       this nickname.  This parameter is only utilized when
       pki_ds_secure_connection has been set to True.

       pki_ds_secure_connection_ca_pem_file
       The fully-qualified path, including the filename, of a file which
       contains an exported copy of the Directory Server's CA certificate.
       This parameter is only utilized when pki_ds_secure_connection has been
       set to True, but whenever that is the case a valid value is required,
       as it is what allows the instance to verify the Directory Server's
       certificate.

       pki_ds_remove_data
       Sets whether to remove any data from the base DN before starting the
       installation.  Defaults to True.

       pki_ds_base_dn
       The base DN for the internal database.  It is advised that the
       Certificate Server have its own base DN for its internal database.  If
       the base DN does not exist, it will be created during the running of
       pkispawn.  For a cloned subsystem, the base DN for the clone subsystem
       MUST be the same as for the master subsystem.

       pki_ds_database
       Name of the back-end database.  It is advised that the Certificate
       Server have its own back-end database.  If the back-end does not
       exist, it will be created during the running of pkispawn.

   ISSUING CA PARAMETERS
       pki_issuing_ca_hostname, pki_issuing_ca_https_port, pki_issuing_ca_uri
       Hostname and port, or URI of the issuing CA.  Required for
       installations of subordinate CA and non-CA subsystems.  This should
       point to the CA that will issue the relevant system certificates for
       the subsystem.  In a default install, this defaults to the CA subsystem
       within the same instance.  The URI has the format
       https://ca_hostname:ca_https_port.

   MISCELLANEOUS PARAMETERS
       pki_restart_configured_instance
       Sets whether to restart the instance after configuration is complete.
       Defaults to True.

       pki_enable_access_log
       Located in the [Tomcat] section, this variable determines whether the
       instance will enable (True) or disable (False) Tomcat access logging.
       Defaults to True.

       pki_enable_java_debugger
       Sets whether to attach a Java debugger such as Eclipse to the instance
       for troubleshooting.  Defaults to False.  A debugger listener gives
       anyone who can reach it control of the JVM, so this should not be
       enabled on a production instance.

       pki_enable_on_system_boot
       Sets whether or not PKI instances should be started upon system boot.

       Currently, if this PKI subsystem exists within a shared instance, and
       it has been configured to start upon system boot, then ALL other
       previously configured PKI subsystems within this shared instance will
       start upon system boot.

       Similarly, if this PKI subsystem exists within a shared instance, and
       it has been configured to NOT start upon system boot, then ALL other
       previously configured PKI subsystems within this shared instance will
       NOT start upon system boot.

       Additionally, if more than one PKI instance exists, no granularity
       exists which allows one PKI instance to be enabled while another PKI
       instance is disabled (i.e. PKI instances are either all enabled or all
       disabled).  To provide this capability, the PKI instances must reside
       on separate machines.

       Defaults to True (see the following note on why this was previously
       'False').

       Note: Since this parameter did not exist prior to Dogtag 10.2.3, the
       default behavior of PKI instances in Dogtag 10.2.2 and prior was False.
       To manually enable this behavior, obtain superuser privileges, and
       execute 'systemctl enable pki-tomcatd.target'; to manually disable this
       behavior, execute 'systemctl disable pki-tomcatd.target'.

       pki_security_manager
       Enables the Java security manager policies provided by the JDK to be
       used with the instance.  Defaults to True.

   SECURITY DOMAIN PARAMETERS
       The security domain is a component that facilitates communication
       between subsystems.  The first CA installed hosts this component and is
       used to register subsequent subsystems with the security domain.  These
       subsystems can communicate with each other using their subsystem
       certificate, which is issued by the security domain CA.  For more
       information about the security domain component, see the Red Hat
       Certificate System documentation
       ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩.

       pki_security_domain_hostname, pki_security_domain_https_port
       Location of the security domain.  Required for KRA, OCSP, TKS, and TPS
       subsystems and for CA subsystems joining a security domain.  Defaults
       to the location of the CA subsystem within the same instance.

       pki_security_domain_user, pki_security_domain_password
       Administrative user of the security domain.  Required for KRA, OCSP,
       TKS, and TPS subsystems, and for CA subsystems joining a security
       domain.  Defaults to the administrative user for the CA subsystem
       within the same instance (caadmin).

       pki_security_domain_name
       The name of the security domain.  This is required for the security
       domain CA.

   CLONE PARAMETERS
       pki_clone
       Installs a clone of an existing (master) subsystem, rather than an
       original subsystem.

       pki_clone_pkcs12_password, pki_clone_pkcs12_path
       Location and password of the PKCS #12 file containing the system
       certificates for the master subsystem being cloned.  This file should
       be readable by the user that the Certificate Server is running as
       (default of pkiuser), and have the correct SELinux context
       (pki_tomcat_cert_t).  This can be achieved by placing the file in
       /var/lib/pki/instance_name/alias.

       Important: Keys in an HSM may not be extractable, so they may not be
       able to be exported into a PKCS #12 file.  For the case of clones
       using an HSM, this means that the HSM keys must be shared between the
       master and its clones.  Therefore, if pki_hsm_enable is set to True,
       both pki_clone_pkcs12_path and pki_clone_pkcs12_password should be
       left unset (the default values in
       /usr/share/pki/server/etc/default.cfg).  Failure to do so will result
       in pkispawn reporting this error and exiting.

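       The section stacking and %-interpolation rules from SECTIONS, together
       with the HSM/backup, HSM/clone, LDAPS CA file and sslserver subject DN
       conditions stated in the BACKUP, CLONE, INTERNAL DATABASE and SYSTEM
       CERTIFICATE sections, modelled in Python.  This is an added example,
       not code from pkispawn: the default.cfg excerpt, the two override
       files, the hostname, the pki_instance_log_path parameter and the check
       messages are constructed for illustration, and the checks are a model
       of what this page describes rather than pkispawn's own pre-check
       implementation.  The first override file puts pki_instance_name in
       [CA], so a path interpolated in [Tomcat] scope still carries the
       default name, and it asks for a key backup while an HSM is in use; the
       second corrects both and escapes a literal % as %%.

```python
"""Model of pkispawn's stacked-section configuration and a few of the
consistency checks pki_default.cfg(5) describes.  Added illustration only:
the default.cfg excerpt, override files and check rules are constructed."""
import configparser

# Constructed excerpt standing in for /usr/share/pki/server/etc/default.cfg.
# pki_instance_log_path is an assumed [Tomcat]-level parameter used to show
# per-section interpolation; the others mirror values the man page states.
DEFAULT_CFG = """
[DEFAULT]
pki_instance_name=pki-tomcat
pki_instance_path=/var/lib/pki/%(pki_instance_name)s
pki_hostname=pki.example.test
pki_security_domain_name=EXAMPLE
pki_hsm_enable=False
pki_backup_keys=False
pki_backup_password=
pki_clone_pkcs12_path=
pki_clone_pkcs12_password=
pki_ds_secure_connection=False
pki_ds_secure_connection_ca_pem_file=
pki_sslserver_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s

[Tomcat]
pki_instance_log_path=/var/log/pki/%(pki_instance_name)s

[CA]
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
"""

# Deliberately wrong override file: pki_instance_name is overridden in [CA]
# rather than [DEFAULT], key backup is requested although an HSM is in use,
# and LDAPS is required without naming the Directory Server CA file.
BAD_OVERRIDES = """
[DEFAULT]
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nethsm
pki_backup_keys=True
pki_backup_password=backup-passphrase
pki_ds_secure_connection=True

[CA]
pki_instance_name=pki-hsm
"""

# Corrected override file: instance name in [DEFAULT], backup left at its
# defaults, CA PEM file supplied, and a literal '%' written as '%%'.
GOOD_OVERRIDES = """
[DEFAULT]
pki_instance_name=pki-hsm
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nethsm
pki_ds_secure_connection=True
pki_ds_secure_connection_ca_pem_file=/etc/pki/ds-ca.pem
pki_security_domain_name=EXAMPLE (100%% internal)
"""


def load_stacked(default_text, override_text, subsystem):
    """Stack [DEFAULT] -> [Tomcat] -> [subsystem] into one flat dict.

    configparser interpolates each section in its own scope (that section
    plus [DEFAULT]), so a token overridden in [CA] is invisible while the
    [Tomcat] values are resolved.  Later reads replace earlier values.
    """
    cfg = configparser.ConfigParser()   # BasicInterpolation: %(name)s, %% -> %
    cfg.read_string(default_text)
    cfg.read_string(override_text)
    params = {}
    for section in ("DEFAULT", "Tomcat", subsystem):
        params.update(cfg.items(section))
    return params


def _is_true(params, name):
    return params.get(name, "").strip().lower() == "true"


def precheck(params):
    """Return the problems a pre-check modelled on the man page would report."""
    problems = []
    if _is_true(params, "pki_hsm_enable"):
        if _is_true(params, "pki_backup_keys") or params.get("pki_backup_password"):
            problems.append("HSM keys may not be extractable: leave "
                            "pki_backup_keys=False and pki_backup_password unset")
        if params.get("pki_clone_pkcs12_path") or params.get("pki_clone_pkcs12_password"):
            problems.append("HSM clones share the master's keys: leave "
                            "pki_clone_pkcs12_path/pki_clone_pkcs12_password unset")
    if _is_true(params, "pki_ds_secure_connection") and \
            not params.get("pki_ds_secure_connection_ca_pem_file"):
        problems.append("pki_ds_secure_connection=True needs "
                        "pki_ds_secure_connection_ca_pem_file")
    hostname = params.get("pki_hostname", "")
    if ("cn=" + hostname).lower() not in params.get("pki_sslserver_subject_dn", "").lower():
        problems.append("pki_sslserver_subject_dn must include CN=" + hostname)
    # Paths derived in different sections must agree on the instance name;
    # they diverge when pki_instance_name was overridden outside [DEFAULT].
    if not params["pki_instance_log_path"].endswith("/" + params["pki_instance_name"]):
        problems.append("pki_instance_name overridden outside [DEFAULT]: "
                        + params["pki_instance_log_path"] + " vs "
                        + params["pki_instance_path"])
    return problems


if __name__ == "__main__":
    for label, text in (("bad", BAD_OVERRIDES), ("good", GOOD_OVERRIDES)):
        p = load_stacked(DEFAULT_CFG, text, "CA")
        print(label, p["pki_ca_signing_nickname"], p["pki_instance_log_path"])
        for problem in precheck(p):
            print("  -", problem)
```

       With the first override file the [CA]-scoped pki_instance_path becomes
       /var/lib/pki/pki-hsm while the [Tomcat]-scoped log path stays under
       pki-tomcat, which is the kind of silent inconsistency the SECTIONS
       note warns about; with the second, every derived value agrees and no
       problem is reported.
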
       pki_clone_setup_replication
       Defaults to True.  If set to False, the installer does not set up
       replication agreements from the master to the clone as part of the
       subsystem configuration.  In this case, it is expected that the top
       level suffix already exists, and that the data has already been
       replicated.  This option is useful if you want to use other tools to
       create and manage your replication topology, or if the baseDN is
       already replicated as part of a top-level suffix.

       pki_clone_reindex_data
       Defaults to False.  This parameter is only relevant when
       pki_clone_setup_replication is set to False.  In this case, it is
       expected that the database has been prepared and replicated as noted
       above.  Part of that preparation could involve adding indexes and
       indexing the data.  If you would like the Dogtag installer to add the
       indexes and reindex the data instead, set pki_clone_reindex_data to
       True.

       pki_clone_replication_master_port, pki_clone_replication_clone_port
       Ports on which replication occurs.  These are the ports on the master
       and clone databases respectively.  Defaults to the internal database
       port.

       pki_clone_replicate_schema
       Replicate schema when the replication agreement is set up and the new
       instance (consumer) is initialized.  Otherwise, the schema must be
       installed in the clone as a separate step beforehand.  This does not
       usually have to be changed.  Defaults to True.

       pki_clone_replication_security
       The type of security used for the replication data.  This can be set to
       SSL (using LDAPS), TLS (StartTLS on the LDAP port), or None.  Defaults
       to None, which sends replicated data, including private key material
       held in the database, in cleartext.  For SSL and TLS, SSL must be set
       up for the database instances beforehand.

       pki_master_hostname, pki_master_https_port, pki_clone_uri
       Hostname and port, or URI of the subsystem being cloned.  The URI
       format is https://master_hostname:master_https_port where the default
       master hostname and https port are set to be the security domain's
       hostname and https port.

   CA SERIAL NUMBER PARAMETERS
       pki_serial_number_range_start, pki_serial_number_range_end
       Sets the range of serial numbers to be used when issuing certificates.
       Values here are hexadecimal (without the 0x prefix).  It is useful to
       override these values when migrating data from another CA, so that
       serial number conflicts do not occur.  Defaults to 1 and 10000000
       respectively.

       pki_request_number_range_start, pki_request_number_range_end
       Sets the range of request numbers to be used by the CA.  Values here
       are decimal.  It is useful to override these values when migrating data
       from another CA, so that request number conflicts do not occur.
       Defaults to 1 and 10000000 respectively.

       pki_replica_number_range_start, pki_replica_number_range_end
       Sets the range of replica numbers to be used by the CA.  These numbers
       are used to identify database replicas in a replication topology.
       Values here are decimal.  Defaults to 1 and 100 respectively.

   EXTERNAL CA CERTIFICATE PARAMETERS
       pki_external
       Sets whether the new CA will have a signing certificate that will be
       issued by an external CA.  This is a two step process.  In the first
       step, a CSR to be presented to the external CA is generated.  In the
       second step, the issued signing certificate and certificate chain are
       provided to the pkispawn utility to complete the installation.
       Defaults to False.

       pki_ca_signing_csr_path
       Required in the first step of the external CA signing process.  The CSR
       will be printed to the screen and stored in this location.

       pki_req_ski
       Include a Subject Key Identifier extension in the CSR.  The value is
       either a hex-encoded byte string (without leading "0x"), or the string
       "DEFAULT" which will derive a value from the public key.

       pki_external_step_two
       Specifies that this is the second step of the external CA process.
       Defaults to False.

       pki_ca_signing_cert_path, pki_cert_chain_path
       Required for the second step of the external CA signing process.  This
       is the location of the CA signing cert (as issued by the external CA)
       and the external CA's certificate chain.

   SUBORDINATE CA CERTIFICATE PARAMETERS
       pki_subordinate
       Specifies whether the new CA will be a subordinate of another CA.  The
       issuing (master) CA is specified by pki_issuing_ca (see ISSUING CA
       PARAMETERS).  Defaults to False.

       pki_subordinate_create_new_security_domain
       Set to True if the subordinate CA will host its own security domain.
       Defaults to False.

       pki_subordinate_security_domain_name
       Used when pki_subordinate_create_new_security_domain is set to True.
       Specifies the name of the security domain to be hosted on the
       subordinate CA.

   STANDALONE PKI PARAMETERS
       A stand-alone PKI subsystem is defined as a non-CA PKI subsystem that
       does not contain a CA as a part of its deployment, and functions as its
       own security domain.  Currently, only stand-alone KRAs are supported.

       pki_standalone
       Sets whether or not the new PKI subsystem will be stand-alone.  This is
       a two step process.  In the first step, CSRs for each of this
       stand-alone PKI subsystem's certificates will be generated so that they
       may be presented to the external CA.  In the second step, the issued
       certificates, external CA certificate, and external CA certificate
       chain are provided to the pkispawn utility to complete the
       installation.  Defaults to False.

       pki_external_admin_csr_path
       Will be generated by the first step of a stand-alone PKI process.  This
       is the location of the file containing the administrator's CSR (which
       will be presented to the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr'.

       pki_external_audit_signing_csr_path
       Will be generated by the first step of a stand-alone PKI process.  This
       is the location of the file containing the audit signing CSR (which
       will be presented to the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr'.

       pki_external_sslserver_csr_path
       Will be generated by the first step of a stand-alone PKI process.  This
       is the location of the file containing the SSL server CSR (which will
       be presented to the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr'.

       pki_external_storage_csr_path
       [KRA ONLY] Will be generated by the first step of a stand-alone KRA
       process.  This is the location of the file containing the storage CSR
       (which will be presented to the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/kra_storage.csr'.

       pki_external_subsystem_csr_path
       Will be generated by the first step of a stand-alone PKI process.  This
       is the location of the file containing the subsystem CSR (which will be
       presented to the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr'.

       pki_external_transport_csr_path
       [KRA ONLY] Will be generated by the first step of a stand-alone KRA
       process.  This is the location of the file containing the transport CSR
       (which will be presented to the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/kra_transport.csr'.

       pki_external_step_two
       Specifies that this is the second step of a stand-alone PKI process.
       Defaults to False.

       pki_cert_chain_path
       Required for the second step of a stand-alone PKI process.  This is the
       location of the file containing the external CA signing certificate (as
       issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/external_ca.cert'.

       pki_ca_signing_cert_path
       Required for the second step of a stand-alone PKI process.  This is the
       location of the file containing the external CA's certificate chain (as
       issued by the external CA).  Defaults to empty.

       pki_external_admin_cert_path
       Required for the second step of a stand-alone PKI process.  This is the
       location of the file containing the administrator's certificate (as
       issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert'.

       pki_external_audit_signing_cert_path
       Required for the second step of a stand-alone PKI process.  This is the
       location of the file containing the audit signing certificate (as
       issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert'.

       pki_external_sslserver_cert_path
       Required for the second step of a stand-alone PKI process.  This is the
       location of the file containing the sslserver certificate (as issued by
       the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert'.

       pki_external_storage_cert_path
       [KRA ONLY] Required for the second step of a stand-alone KRA process.
       This is the location of the file containing the storage certificate (as
       issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/kra_storage.cert'.

       pki_external_subsystem_cert_path
       Required for the second step of a stand-alone PKI process.  This is the
       location of the file containing the subsystem certificate (as issued by
       the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert'.

       pki_external_transport_cert_path
       [KRA ONLY] Required for the second step of a stand-alone KRA process.
       This is the location of the file containing the transport certificate
       (as issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/kra_transport.cert'.

   KRA PARAMETERS
       pki_kra_ephemeral_requests
       Specifies to use ephemeral requests for archivals and retrievals.
       Defaults to False.

   TPS PARAMETERS
       pki_authdb_basedn
       Specifies the base DN of the TPS authentication database.

       pki_authdb_hostname
       Specifies the hostname of the TPS authentication database.  Defaults
       to localhost.

       pki_authdb_port
       Specifies the port number of the TPS authentication database.  Defaults
       to 389.

       pki_authdb_secure_conn
       Specifies whether to use a secure connection to the TPS authentication
       database.  Defaults to False.

       pki_enable_server_side_keygen
       Specifies whether to enable server-side key generation.  Defaults to
       False.  The location of the KRA instance should be specified in the
       pki_kra_uri parameter.

       pki_ca_uri
       Specifies the URI of the CA instance used by TPS to create and revoke
       user certificates.  Defaults to the instance in which the TPS is
       running.

       pki_kra_uri
       Specifies the URI of the KRA instance used by TPS to archive and
       recover keys.  Required if server-side key generation is enabled using
       the pki_enable_server_side_keygen parameter.  Defaults to the instance
       in which the TPS is running.

       pki_tks_uri
       Specifies the URI of the TKS instance used by TPS to generate symmetric
       keys.  Defaults to the instance in which the TPS is running.


SEE ALSO

       pkispawn(8)

AUTHORS

       Ade Lee <alee@redhat.com>.

COPYRIGHT

       Copyright (c) 2012 Red Hat, Inc.  This is licensed under the GNU
       General Public License, version 2 (GPLv2).  A copy of this license is
       available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

PKI                            December 13, 2012            pki_default.cfg(5)