pki_default.cfg(5)          PKI Server Default Deployment Configuration          pki_default.cfg(5)

NAME

       pki_default.cfg - PKI server default deployment configuration file.

LOCATION

       /usr/share/pki/server/etc/default.cfg

DESCRIPTION

       This file contains the default settings for a Certificate Server instance created using pkispawn.  This file should not be edited, as it can be overwritten when the Certificate Server packages are updated.  Instead, when setting up a Certificate Server instance, a user should provide pkispawn with a configuration file containing overrides to the defaults in /usr/share/pki/server/etc/default.cfg.  See pkispawn(8) for details.


SECTIONS

       default.cfg contains parameters that are grouped into sections.  These sections are stacked, so that parameters defined in earlier sections can be overwritten by parameters defined in later sections.  The sections are read in the following order: [DEFAULT], [Tomcat], and the subsystem section ([CA], [KRA], [OCSP], [TKS], or [TPS]).  This allows parameters shared by all subsystems to be specified in [DEFAULT] or [Tomcat], with subsystem-specific customization in the subsystem section.

       A small number of bootstrap parameters are passed into the configuration file by pkispawn.  Other parameters' values can be interpolated tokens rather than explicit values.  For example:

              pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA

       This substitutes the value of pki_instance_name into the parameter value.  Any non-password parameter within a section or in [DEFAULT] can be interpolated.  A parameter used in interpolation can ONLY be overridden within the same section as the value that references it.  So, for example, pki_instance_name should only be overridden in [DEFAULT]; if it is overridden in a subsystem section instead, the values in [DEFAULT] that interpolate it (such as the nickname above) do not see the override, and interpolations can fail.

       Note: Any non-password parameter value in the configuration file that needs to contain a % character must be properly escaped.  For example, a value of foo%bar would be specified as foo%%bar in the configuration file.  Password parameters are not interpolated and do not need this escaping.

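       The stacking and interpolation rules above, as an added example that is not part of this manual page or of pkispawn: a small Python model (pkispawn itself is a Python program, but this is not its code) that layers a constructed excerpt of default.cfg under a constructed override file, interpolates each value in the scope of the section that defines it, treats %% as an escaped percent, rejects a bare %, leaves password parameters uninterpolated, and flags a pki_instance_name override placed in [CA] instead of [DEFAULT].  All file contents and parameter values are constructed for illustration.

```python
import configparser
import re

# Constructed stand-in for an excerpt of /usr/share/pki/server/etc/default.cfg
# (illustrative values only, not a copy of the shipped file).
DEFAULT_CFG = """\
[DEFAULT]
pki_instance_name=pki-tomcat
pki_https_port=8443
pki_hsm_enable=False
pki_backup_keys=False
pki_admin_email=caadmin@example.com
pki_security_domain_name=EXAMPLE
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s

[Tomcat]
pki_enable_access_log=True

[CA]
pki_admin_uid=caadmin
pki_ca_signing_key_algorithm=SHA256withRSA
"""

# Constructed override file, as a deployer would pass to pkispawn.  The
# instance name is overridden in [DEFAULT], where the values that interpolate
# it live; a literal % is escaped as %%; the password is taken as-is.
GOOD_OVERRIDE = """\
[DEFAULT]
pki_instance_name=issuing-ca
pki_security_domain_name=100%% Internal PKI
pki_admin_password=Pa%ss%w0rd

[CA]
pki_ca_signing_key_algorithm=SHA512withRSA/PSS
"""

# The same override with pki_instance_name moved into [CA]: the page warns
# that this does not reach the [DEFAULT] values that interpolate it.
BAD_OVERRIDE = GOOD_OVERRIDE.replace(
    "[DEFAULT]\npki_instance_name=issuing-ca\n", "[DEFAULT]\n"
).replace("[CA]\n", "[CA]\npki_instance_name=issuing-ca\n")

# An interpolation token, an escaped percent, or a stray (unescaped) percent.
TOKEN = re.compile(r"%\((\w+)\)s|%%|%")

SECTION_ORDER = ("DEFAULT", "Tomcat")  # followed by the subsystem section


def merged_parser(*texts):
    """Read default.cfg and then each override into one raw parser; a later
    file's value replaces an earlier one for the same (section, key).  The
    default_section is renamed so [DEFAULT] stays an ordinary section and the
    stacking order can be applied explicitly in effective_params()."""
    cp = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    for text in texts:
        cp.read_string(text)
    return cp


def interpolate(value, scope, depth=0):
    """Expand %(name)s from scope and %% to a literal %; a bare % is an error,
    as the page requires it to be escaped.  Recursion handles referenced values
    that themselves contain tokens; the depth bound stops reference cycles."""
    if depth > 10:
        raise ValueError("interpolation nested too deeply (reference cycle?)")

    def expand(match):
        token = match.group(0)
        if token == "%%":
            return "%"
        if token == "%":
            raise ValueError(f"unescaped % in {value!r}; write %% for a literal %")
        name = match.group(1)
        if name not in scope:
            raise KeyError(f"cannot interpolate %({name})s: not defined in scope")
        return interpolate(scope[name], scope, depth + 1)

    return TOKEN.sub(expand, value)


def effective_params(cp, subsystem):
    """Stack [DEFAULT], [Tomcat] and the subsystem section, later sections
    overriding earlier ones.  Each value is interpolated in the scope of the
    section that defines it (layered over [DEFAULT]); password parameters are
    taken literally.  This models the rule that a parameter used in
    interpolation must be overridden in the same section as the value that
    references it."""
    base = dict(cp.items("DEFAULT"))
    effective = {}
    for section in SECTION_ORDER + (subsystem,):
        if not cp.has_section(section):
            continue
        scope = dict(base)
        scope.update(cp.items(section))
        for key, raw in cp.items(section):
            effective[key] = raw if "password" in key else interpolate(raw, scope)
    return effective


def misplaced_overrides(cp, subsystem):
    """Parameters that [DEFAULT] values interpolate but that are overridden in
    [Tomcat] or the subsystem section, where the override cannot reach them."""
    referenced = set()
    for _key, raw in cp.items("DEFAULT"):
        referenced.update(m.group(1) for m in TOKEN.finditer(raw) if m.group(1))
    misplaced = []
    for section in SECTION_ORDER[1:] + (subsystem,):
        if cp.has_section(section):
            misplaced += [key for key, _ in cp.items(section) if key in referenced]
    return sorted(misplaced)


if __name__ == "__main__":
    good = effective_params(merged_parser(DEFAULT_CFG, GOOD_OVERRIDE), "CA")
    print(good["pki_ca_signing_nickname"])  # caSigningCert cert-issuing-ca CA
    print(good["pki_admin_subject_dn"])     # ...,o=100% Internal PKI
    print(misplaced_overrides(merged_parser(DEFAULT_CFG, BAD_OVERRIDE), "CA"))  # ['pki_instance_name']
```

       With the override placed in [CA], effective_params() still reports pki_instance_name as issuing-ca but leaves the nickname at cert-pki-tomcat, which is exactly the silent mismatch the rule above exists to prevent; misplaced_overrides() is the check to run on an override file before handing it to pkispawn.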

PRE-CHECK PARAMETERS

       Once the configuration parameters have been constructed from the above sections and overrides, pkispawn performs a series of basic tests to determine whether the parameters being passed in are valid and consistent, before starting any installation.  In pre-check mode, these tests are executed and then pkispawn exits.

       It is possible to disable specific tests by setting the directives below.  While all these tests should pass to ensure a successful installation, it may be reasonable to skip tests in pre-check mode.

       pki_skip_ds_verify
       Skip verification of the Directory Server credentials.  In this test, pkispawn attempts to bind to the directory server instance for the internal database using the provided credentials.  This could be skipped if the directory server instance does not yet exist or is inaccessible.  Defaults to False.

       pki_skip_sd_verify
       Skip verification of the security domain user/password.  In this test, pkispawn attempts to log onto the security domain using the provided credentials.  This can be skipped if the security domain is unavailable.  Defaults to False.


GENERAL INSTANCE PARAMETERS

       The parameters described below, as well as the parameters located in the following sections, can be customized as part of a deployment.  This list is not exhaustive.

       pki_instance_name
       Name of the instance.  The instance is located at /var/lib/pki/instance_name.  For Java subsystems, the default is pki-tomcat.

       pki_https_port, pki_http_port
       Secure (HTTPS) and insecure (plain HTTP) ports.  Default to the standard Tomcat ports 8443 and 8080, respectively.

       pki_ajp_port, pki_tomcat_server_port
       AJP connector port and Tomcat server (shutdown command) port.  Default to the standard Tomcat ports 8009 and 8005, respectively.

       pki_ajp_host
       Host on which to listen for AJP requests.  Defaults to localhost4, to listen for local traffic only on the IPv4 stack.  NOTE: deprecated in favor of pki_ajp_host_ipv4.

       pki_ajp_host_ipv4
       Host on which to listen for AJP requests.  Defaults to localhost4, to listen for local traffic only on the IPv4 stack.

       pki_ajp_host_ipv6
       Host on which to listen for AJP requests.  Defaults to localhost6, to listen for local traffic only on the IPv6 stack.

       AJP carries no authentication of its own, so keep these listeners on loopback addresses unless the proxy runs on another host and the network path between the two is trusted.

       pki_proxy_http_port, pki_proxy_https_port, pki_enable_proxy
       Ports for an Apache proxy server.  Certificate Server instances can be run behind an Apache proxy server, which communicates with the Tomcat instance through the AJP port.  See the Red Hat Certificate System documentation ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩ for details.

       pki_user, pki_group, pki_audit_group
       Specifies the default administrative user, group, and auditor group identities for PKI instances.  The default user and group are both pkiuser, and the default audit group is pkiaudit.

       pki_token_name, pki_token_password
       The token and password where this instance's system certificates and keys are stored.  Defaults to the NSS internal software token.

       pki_hsm_enable, pki_hsm_libfile, pki_hsm_modulename
       If an optional hardware security module (HSM) is being utilized (rather than the default software security module included in NSS), then the pki_hsm_enable parameter must be set to True (by default this parameter is False), and values must be supplied for both the pki_hsm_libfile (e.g. /opt/nfast/toolkits/pkcs11/libcknfast.so) and pki_hsm_modulename (e.g. nethsm) parameters.

   SYSTEM CERTIFICATE PARAMETERS
       pkispawn sets up a number of system certificates for each subsystem.  The system certificates which are required differ between subsystems.  Each system certificate is denoted by a tag, as noted below.  The different system certificates are:

              • signing certificate ("ca_signing").  Used to sign other certificates.  Required for CA.

              • OCSP signing certificate ("ocsp_signing" in CA, "signing" in OCSP).  Used to sign OCSP responses.  Required for OCSP and CA.

              • storage certificate ("storage").  Used to encrypt keys for storage in KRA.  Required for KRA only.

              • transport certificate ("transport").  Used to encrypt keys in transport to the KRA.  Required for KRA only.

              • subsystem certificate ("subsystem").  Used to communicate between subsystems within the security domain.  Issued by the security domain CA.  Required for all subsystems.

              • server certificate ("sslserver").  Used for communication with the server.  One server certificate is required for each Certificate Server instance.

              • audit signing certificate ("audit_signing").  Used to sign audit logs.  Required for all subsystems except the RA.

       Each system certificate can be customized using the parameters below:

       pki_<tag>_key_type, pki_<tag>_key_size, pki_<tag>_key_algorithm
       Characteristics of the private key.  See the Red Hat Certificate System documentation ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩ for possible options.  The defaults are RSA for the type, 2048 bits for the key size, and SHA256withRSA for the algorithm.

       pki_<tag>_signing_algorithm
       For signing certificates, the algorithm used for signing.  Defaults to SHA256withRSA.

       pki_<tag>_token
       Location where the certificate and private key are stored.  Defaults to the internal software NSS token database.

       pki_<tag>_nickname
       Nickname for the certificate in the token database.

       pki_<tag>_subject_dn
       Subject DN for the certificate.  The subject DN for the SSL server certificate must include CN=hostname.

       All system certificates can be configured to request the PSS variant of the RSA signing algorithms (where applicable).

       pki_use_pss_rsa_signing_algorithm
       Set this to True if PSS algorithms such as SHA256withRSA/PSS are desired for each subsystem signing algorithm.  The default is False.  When this setting alone is set, every other signing algorithm value is promoted to its /PSS variant; for example, SHA256withRSA becomes SHA256withRSA/PSS.

       If this setting is not set, the standard default algorithms continue to be used, without PSS support.  If a hash stronger than SHA-256 is desired, each algorithm must be set explicitly, for example:

              pki_ca_signing_key_algorithm=SHA512withRSA/PSS

   ADMIN USER PARAMETERS
       pkispawn creates a bootstrap administrative user that is a member of all the necessary groups to administer the installed subsystem.  On a security domain CA, the CA administrative user is also a member of the groups required to register a new subsystem on the security domain.  The certificate and keys for this administrative user are stored in a PKCS #12 file in pki_client_dir, and can be imported into a browser to administer the system.

       pki_admin_name, pki_admin_uid
       Name and UID of this administrative user.  Defaults to caadmin for CA, kraadmin for KRA, etc.

       pki_admin_password
       Password for the admin user.  This password is used to log into the pki-console (unless client authentication is enabled), as well as to log into the security domain CA.  Like the other passwords in the override file given to pkispawn, it is stored there in clear text, so the override file should be protected accordingly.

       pki_admin_email
       Email address for the admin user.

       pki_admin_dualkey, pki_admin_key_size, pki_admin_key_type, pki_admin_key_algorithm
       Settings for the administrator certificate and keys.

       pki_admin_subject_dn
       Subject DN for the administrator certificate.  Defaults to cn=PKI Administrator, e=%(pki_admin_email)s, o=%(pki_security_domain_name)s.

       pki_admin_nickname
       Nickname for the administrator certificate.

       pki_import_admin_cert
       Set to True to import an existing admin certificate for the admin user, rather than generating a new one.  A subsystem-specific administrator will still be created within the subsystem's LDAP tree.  This is useful to allow multiple subsystems within the same instance to be more easily administered from the same browser by using a single certificate.

       By default, this is set to False for CA subsystems and True for KRA, OCSP, TKS, and TPS subsystems.  In this case, the admin certificate is read from the file ca_admin.cert in pki_client_dir.

       Note that cloned subsystems do not create a new administrative user.  The administrative user of the master subsystem is used instead, and the details of this master user are replicated during the install.

       pki_client_admin_cert_p12
       Location of the PKCS #12 file containing the administrative user's certificate and keys.  For a CA, this defaults to ca_admin_cert.p12 in the pki_client_dir directory.  Because this file holds the administrator's private key, access to pki_client_dir should be restricted.

   BACKUP PARAMETERS
       pki_backup_keys, pki_backup_file, pki_backup_password
       Set pki_backup_keys to True to back up the subsystem certificates and keys to a PKCS #12 file specified in pki_backup_file (default is /etc/pki/instance_name/alias/subsystem_backup_keys.p12).  pki_backup_password is the password of the PKCS #12 file.  That password is the only protection on the subsystem's private keys in the backup (on a CA, the CA signing key among them), so choose it accordingly and keep the file with restrictive permissions.

       Important: Keys in an HSM may not be extractable, so they may not be exportable into a PKCS #12 file.  Therefore, if pki_hsm_enable is set to True, pki_backup_keys should be set to False and pki_backup_password should be left unset (the default values in /usr/share/pki/server/etc/default.cfg).  Failure to do so will result in pkispawn reporting this error and exiting.

   CLIENT DIRECTORY PARAMETERS
       pki_client_dir
       This is the location where all client data used during the installation is stored.  At the end of the invocation of pkispawn, the administrative user's certificate and keys are stored in a PKCS #12 file in this location.

       Note: When using an HSM, it is currently recommended to NOT specify a value for pki_client_dir that is different from the default value.

       pki_client_database_dir, pki_client_database_password
       Location where an NSS token database is created in order to generate a key for the administrative user.  Usually, the data in this location is removed at the end of the installation, as the keys and certificates are stored in a PKCS #12 file in pki_client_dir.

       pki_client_database_purge
       Set to True to remove pki_client_database_dir at the end of the installation.  Defaults to True.

   INTERNAL DATABASE PARAMETERS
       pki_ds_hostname, pki_ds_ldap_port, pki_ds_ldaps_port
       Hostname and ports for the internal database.  Default to localhost, 389, and 636, respectively.

       pki_ds_bind_dn, pki_ds_password
       Credentials to connect to the database during installation.  Directory Manager-level access is required during installation to set up the relevant schema and database.  During the installation, a more restricted PKI user is set up for client-authenticated (certificate-based) connections to the database.  Some additional configuration is required, including setting up the directory server to use SSL.  See the documentation for details.

       pki_ds_secure_connection
       Sets whether to require connections to the Directory Server using LDAPS.  This requires SSL to be set up on the Directory Server first.  Defaults to False, in which case the bind credentials above and all subsequent traffic to the internal database are sent in clear text over the LDAP port.

       pki_ds_secure_connection_ca_nickname
       Once a Directory Server CA certificate has been imported into the PKI security databases (see pki_ds_secure_connection_ca_pem_file), pki_ds_secure_connection_ca_nickname will contain the nickname under which it is stored.  The default.cfg file contains a default value for this nickname.  This parameter is only utilized when pki_ds_secure_connection has been set to True.

       pki_ds_secure_connection_ca_pem_file
       The fully-qualified path, including the filename, of a file which contains an exported copy of the Directory Server's CA certificate.  This parameter is only utilized when pki_ds_secure_connection has been set to True, but a valid value is required whenever that is the case.

       pki_ds_remove_data
       Sets whether to remove any data from the base DN before starting the installation.  Defaults to True, so pointing pki_ds_base_dn at a base DN that already holds data will delete that data.

       pki_ds_base_dn
       The base DN for the internal database.  It is advised that the Certificate Server have its own base DN for its internal database.  If the base DN does not exist, it will be created during the running of pkispawn.  For a cloned subsystem, the base DN for the clone subsystem MUST be the same as for the master subsystem.

       pki_ds_database
       Name of the back-end database.  It is advised that the Certificate Server have its own back-end database for its internal data.  If the back-end does not exist, it will be created during the running of pkispawn.

   ISSUING CA PARAMETERS
       pki_issuing_ca_hostname, pki_issuing_ca_https_port, pki_issuing_ca_uri
       Hostname and port, or URI, of the issuing CA.  Required for installations of subordinate CA and non-CA subsystems.  This should point to the CA that will issue the relevant system certificates for the subsystem.  In a default install, this defaults to the CA subsystem within the same instance.  The URI has the format https://ca_hostname:ca_https_port.

   MISCELLANEOUS PARAMETERS
       pki_enable_access_log
       Located in the [Tomcat] section, this variable determines whether the instance will enable (True) or disable (False) Tomcat access logging.  Defaults to True.

       pki_enable_java_debugger
       Sets whether to attach a Java debugger such as Eclipse to the instance for troubleshooting.  Defaults to False.  Leave it disabled on production instances: a remote debugging interface gives anyone who can reach it control of the JVM.

       pki_enable_on_system_boot
       Sets whether or not PKI instances should be started upon system boot.

       Currently, if this PKI subsystem exists within a shared instance, and it has been configured to start upon system boot, then ALL other previously configured PKI subsystems within this shared instance will start upon system boot.

       Similarly, if this PKI subsystem exists within a shared instance, and it has been configured to NOT start upon system boot, then ALL other previously configured PKI subsystems within this shared instance will NOT start upon system boot.

       Additionally, if more than one PKI instance exists, no granularity exists which allows one PKI instance to be enabled while another PKI instance is disabled (i.e. PKI instances are either all enabled or all disabled).  To provide this capability, the PKI instances must reside on separate machines.

       Defaults to True (see the following note on why this was previously 'False').

       Note: Since this parameter did not exist prior to Dogtag 10.2.3, the default behavior of PKI instances in Dogtag 10.2.2 and prior was False.  To manually enable this behavior, obtain superuser privileges and execute 'systemctl enable pki-tomcatd.target'; to manually disable this behavior, execute 'systemctl disable pki-tomcatd.target'.

       pki_security_manager
       Enables the Java security manager policies provided by the JDK to be used with the instance.  Defaults to True.

   SECURITY DOMAIN PARAMETERS
       The security domain is a component that facilitates communication between subsystems.  The first CA installed hosts this component and is used to register subsequent subsystems with the security domain.  These subsystems can communicate with each other using their subsystem certificate, which is issued by the security domain CA.  For more information about the security domain component, see the Red Hat Certificate System documentation ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩.

       pki_security_domain_hostname, pki_security_domain_https_port
       Location of the security domain.  Required for KRA, OCSP, TKS, and TPS subsystems and for CA subsystems joining a security domain.  Defaults to the location of the CA subsystem within the same instance.

       pki_security_domain_user, pki_security_domain_password
       Administrative user of the security domain.  Required for KRA, OCSP, TKS, and TPS subsystems, and for CA subsystems joining a security domain.  Defaults to the administrative user for the CA subsystem within the same instance (caadmin).

       pki_security_domain_name
       The name of the security domain.  This is required for the security domain CA.

   CLONE PARAMETERS
       pki_clone
       Installs a clone, rather than an original, subsystem.

       pki_clone_pkcs12_password, pki_clone_pkcs12_path
       Location and password of the PKCS #12 file containing the system certificates for the master subsystem being cloned.  This file should be readable by the user that the Certificate Server is running as (default of pkiuser), and have the correct SELinux context (pki_tomcat_cert_t).  This can be achieved by placing the file in /var/lib/pki/instance_name/alias.  Since the file carries the master's private keys, it should be transferred to the clone host over a protected channel and removed once the clone is installed.

       Important: Keys in an HSM may not be extractable, so they may not be exportable into a PKCS #12 file.  For clones using an HSM, this means that the HSM keys must be shared between the master and its clones.  Therefore, if pki_hsm_enable is set to True, both pki_clone_pkcs12_path and pki_clone_pkcs12_password should be left unset (the default values in /usr/share/pki/server/etc/default.cfg).  Failure to do so will result in pkispawn reporting this error and exiting.

       pki_clone_setup_replication
       Defaults to True.  If set to False, the installer does not set up replication agreements from the master to the clone as part of the subsystem configuration.  In this case, it is expected that the top level suffix already exists, and that the data has already been replicated.  This option is useful if you want to use other tools to create and manage your replication topology, or if the base DN is already replicated as part of a top-level suffix.

       pki_clone_reindex_data
       Defaults to False.  This parameter is only relevant when pki_clone_setup_replication is set to False.  In this case, it is expected that the database has been prepared and replicated as noted above.  Part of that preparation could involve adding indexes and indexing the data.  If you would like the Dogtag installer to add the indexes and reindex the data instead, set pki_clone_reindex_data to True.

       pki_clone_replication_master_port, pki_clone_replication_clone_port
       Ports on which replication occurs.  These are the ports on the master and clone databases respectively.  Default to the internal database port.

       pki_clone_replicate_schema
       Replicate schema when the replication agreement is set up and the new instance (consumer) is initialized.  Otherwise, the schema must be installed in the clone as a separate step beforehand.  This does not usually have to be changed.  Defaults to True.

       pki_clone_replication_security
       The type of security used for the replication data.  This can be set to SSL (using LDAPS), TLS, or None.  Defaults to None, in which case replication traffic between the master and clone databases is sent unencrypted.  For SSL and TLS, SSL must be set up for the database instances beforehand.

       pki_master_hostname, pki_master_https_port, pki_clone_uri
       Hostname and port, or URI, of the subsystem being cloned.  The URI format is https://master_hostname:master_https_port, where the default master hostname and HTTPS port are the security domain's hostname and HTTPS port.

   CA SERIAL NUMBER PARAMETERS
       pki_serial_number_range_start, pki_serial_number_range_end
       Sets the range of serial numbers to be used when issuing certificates.  Values here are hexadecimal (without the 0x prefix).  It is useful to override these values when migrating data from another CA, so that serial number conflicts do not occur.  Defaults to 1 and 10000000 respectively.

       pki_request_number_range_start, pki_request_number_range_end
       Sets the range of request numbers to be used by the CA.  Values here are decimal.  It is useful to override these values when migrating data from another CA, so that request number conflicts do not occur.  Defaults to 1 and 10000000 respectively.

       pki_replica_number_range_start, pki_replica_number_range_end
       Sets the range of replica numbers to be used by the CA.  These numbers are used to identify database replicas in a replication topology.  Values here are decimal.  Defaults to 1 and 100 respectively.

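       The consistency rules stated on this page (HSM versus key backup in BACKUP PARAMETERS, HSM versus a PKCS #12 import in CLONE PARAMETERS, the CA file for LDAPS in INTERNAL DATABASE PARAMETERS, CN=hostname in the sslserver subject DN, and the number formats of the serial, request and replica ranges above) collected into one pre-check, as an added example in the spirit of the pre-check mode described under PRE-CHECK PARAMETERS.  It is not pkispawn's own code and does not claim to match its messages or coverage; the two parameter sets are constructed, and the hostname is passed in as an argument because this page does not name the parameter pkispawn takes it from.

```python
# Constructed parameter sets of the kind pkispawn has after applying the
# override file (flattened key/value strings); values are illustrative.
SOFTWARE_TOKEN_CA = {
    "pki_hsm_enable": "False",
    "pki_backup_keys": "True",
    "pki_backup_password": "backup-p12-passphrase",
    "pki_ds_secure_connection": "True",
    "pki_ds_secure_connection_ca_pem_file": "/root/ds-ca.pem",
    "pki_sslserver_subject_dn": "CN=ca1.example.com,OU=pki-tomcat,O=EXAMPLE",
    "pki_serial_number_range_start": "1",
    "pki_serial_number_range_end": "10000000",
    "pki_request_number_range_start": "1",
    "pki_request_number_range_end": "10000000",
    "pki_replica_number_range_start": "1",
    "pki_replica_number_range_end": "100",
}

# The same deployment moved to an HSM and cloned, with four mistakes the page
# warns about: key backup left on, a PKCS #12 import for an HSM clone, an
# sslserver DN naming the master host, and a serial number with a 0x prefix.
HSM_CLONE_MISCONFIGURED = dict(SOFTWARE_TOKEN_CA, **{
    "pki_hsm_enable": "True",
    "pki_hsm_libfile": "/opt/nfast/toolkits/pkcs11/libcknfast.so",
    "pki_hsm_modulename": "nethsm",
    "pki_clone": "True",
    "pki_clone_pkcs12_path": "/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12",
    "pki_serial_number_range_start": "0x10000",
})


def as_bool(params, key):
    """pkispawn booleans are strings; accept the True/true spellings the page uses."""
    return params.get(key, "").strip().lower() in ("true", "yes", "1")


def is_set(params, key):
    return bool(params.get(key, "").strip())


def check_range(params, prefix, base, problems):
    """Range endpoints must parse in the stated base (16 for serial numbers,
    given without a 0x prefix; 10 for request and replica numbers), with
    start < end.  int() would silently accept 0x in base 16, so reject it."""
    start_key, end_key = f"{prefix}_range_start", f"{prefix}_range_end"
    bounds = []
    for key in (start_key, end_key):
        raw = params.get(key, "").strip()
        if base == 16 and raw.lower().startswith("0x"):
            problems.append(f"{key}: hexadecimal without the 0x prefix")
        try:
            bounds.append(int(raw, base))
        except ValueError:
            problems.append(f"{key}: not a base-{base} integer: {raw!r}")
    if len(bounds) == 2 and bounds[0] >= bounds[1]:
        problems.append(f"{start_key} must be less than {end_key}")


def precheck(params, hostname):
    """Return the list of consistency problems (empty when the parameters pass)."""
    problems = []
    if as_bool(params, "pki_hsm_enable"):
        for key in ("pki_hsm_libfile", "pki_hsm_modulename"):
            if not is_set(params, key):
                problems.append(f"pki_hsm_enable=True requires {key}")
        if as_bool(params, "pki_backup_keys") or is_set(params, "pki_backup_password"):
            problems.append("pki_hsm_enable=True: set pki_backup_keys=False and leave "
                            "pki_backup_password unset (HSM keys may not be extractable)")
        if as_bool(params, "pki_clone") and (is_set(params, "pki_clone_pkcs12_path")
                                             or is_set(params, "pki_clone_pkcs12_password")):
            problems.append("pki_hsm_enable=True with pki_clone=True: leave pki_clone_pkcs12_path "
                            "and pki_clone_pkcs12_password unset (keys are shared through the HSM)")
    elif as_bool(params, "pki_backup_keys") and not is_set(params, "pki_backup_password"):
        problems.append("pki_backup_keys=True requires pki_backup_password")
    if as_bool(params, "pki_ds_secure_connection") and not is_set(params, "pki_ds_secure_connection_ca_pem_file"):
        problems.append("pki_ds_secure_connection=True requires pki_ds_secure_connection_ca_pem_file")
    # Naive RDN split (no escaped commas); sufficient for the CN=hostname rule.
    rdns = {rdn.strip().lower() for rdn in params.get("pki_sslserver_subject_dn", "").split(",")}
    if f"cn={hostname.lower()}" not in rdns:
        problems.append(f"pki_sslserver_subject_dn must include CN={hostname}")
    check_range(params, "pki_serial_number", 16, problems)
    check_range(params, "pki_request_number", 10, problems)
    check_range(params, "pki_replica_number", 10, problems)
    return problems


if __name__ == "__main__":
    print(precheck(SOFTWARE_TOKEN_CA, "ca1.example.com"))        # []
    for problem in precheck(HSM_CLONE_MISCONFIGURED, "ca2.example.com"):
        print("-", problem)                                       # four findings
```

       Running such a check on the assembled parameters before invoking pkispawn catches the combinations the page says make pkispawn abort, without needing the Directory Server or security domain to be reachable (those are the two tests pki_skip_ds_verify and pki_skip_sd_verify exist to skip).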
   EXTERNAL CA CERTIFICATE PARAMETERS
       pki_external
       Sets whether the new CA will have a signing certificate that will be issued by an external CA.  This is a two step process.  In the first step, a CSR to be presented to the external CA is generated.  In the second step, the issued signing certificate and certificate chain are provided to the pkispawn utility to complete the installation.  Defaults to False.

       pki_ca_signing_csr_path
       Required in the first step of the external CA signing process.  The CSR will be printed to the screen and stored in this location.

       pki_req_ski
       Include a Subject Key Identifier extension in the CSR.  The value is either a hex-encoded byte string (without leading "0x"), or the string "DEFAULT", which will derive a value from the public key.

       pki_external_step_two
       Specifies that this is the second step of the external CA process.  Defaults to False.

       pki_ca_signing_cert_path, pki_cert_chain_path
       Required for the second step of the external CA signing process.  This is the location of the CA signing cert (as issued by the external CA) and the external CA's certificate chain.

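       What pki_req_ski=DEFAULT derives, as an added example that is not part of pkispawn: the page does not say which derivation is used, so this code assumes RFC 5280 section 4.2.1.2 method (1), the SHA-1 hash of the subjectPublicKey BIT STRING value, which is the usual choice.  It builds a SubjectPublicKeyInfo for a constructed (not real) RSA key with a minimal DER encoder, parses it back to exactly the bytes that are hashed, and accepts an explicit value in the format the parameter requires (even-length hex, no leading 0x).

```python
import hashlib

# Constructed toy RSA public key (not a real key): a 1024-bit modulus made from
# a repeated pattern, with the usual public exponent.
TOY_N = int("deadbeef" * 32, 16)
TOY_E = 65537

OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
DER_NULL = b"\x05\x00"
HEX_DIGITS = set("0123456789abcdefABCDEF")


def der_length(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear when needed."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def rsa_spki(n, e):
    """SubjectPublicKeyInfo for an RSA key (RFC 3279): AlgorithmIdentifier
    {rsaEncryption, NULL} plus RSAPublicKey wrapped in a BIT STRING."""
    rsa_public_key = der(0x30, der_integer(n) + der_integer(e))
    subject_public_key = der(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    return der(0x30, der(0x30, OID_RSA_ENCRYPTION + DER_NULL) + subject_public_key)


def der_read(buf, pos):
    """Decode one TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def subject_public_key_bits(spki):
    """The subjectPublicKey BIT STRING value without tag, length or the
    unused-bits byte: exactly the bytes RFC 5280 method (1) hashes."""
    tag, seq, _ = der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _tag, _alg, pos = der_read(seq, 0)  # AlgorithmIdentifier, not needed here
    tag, bits, _ = der_read(seq, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("subjectPublicKey must be a BIT STRING with 0 unused bits")
    return bits[1:]


def default_ski(spki):
    """Assumed meaning of pki_req_ski=DEFAULT: SHA-1 of the subjectPublicKey
    bits, rendered as lowercase hex with no 0x prefix."""
    return hashlib.sha1(subject_public_key_bits(spki)).hexdigest()


def resolve_req_ski(setting, spki):
    """Turn a pki_req_ski value into the hex string for the CSR's SKI extension."""
    value = setting.strip()
    if value.upper() == "DEFAULT":
        return default_ski(spki)
    if not value or value.lower().startswith("0x") or len(value) % 2 or not set(value) <= HEX_DIGITS:
        raise ValueError("pki_req_ski must be an even-length hex string without 0x, or DEFAULT")
    return value.lower()


if __name__ == "__main__":
    print(resolve_req_ski("DEFAULT", rsa_spki(TOY_N, TOY_E)))
```

       An explicit value is worth setting when the external CA is expected to copy the CSR's SKI into the issued certificate and existing relying parties already chain through an Authority Key Identifier with that value; otherwise DEFAULT keeps the identifier tied to the key.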
   SUBORDINATE CA CERTIFICATE PARAMETERS
       pki_subordinate
       Specifies whether the new CA will be a subordinate of another CA.  The issuing CA is specified by pki_issuing_ca_uri (or pki_issuing_ca_hostname and pki_issuing_ca_https_port).  Defaults to False.

       pki_subordinate_create_new_security_domain
       Set to True if the subordinate CA will host its own security domain.  Defaults to False.

       pki_subordinate_security_domain_name
       Used when pki_subordinate_create_new_security_domain is set to True.  Specifies the name of the security domain to be hosted on the subordinate CA.

   STANDALONE PKI PARAMETERS
       A stand-alone PKI subsystem is defined as a non-CA PKI subsystem that does not contain a CA as a part of its deployment, and functions as its own security domain.  Currently, only stand-alone KRAs are supported.

       pki_standalone
       Sets whether or not the new PKI subsystem will be stand-alone.  This is a two step process.  In the first step, CSRs for each of this stand-alone PKI subsystem's certificates will be generated so that they may be presented to the external CA.  In the second step, the issued certificates, external CA certificate, and external CA certificate chain are provided to the pkispawn utility to complete the installation.  Defaults to False.

       pki_admin_csr_path
       Generated by the first step of a stand-alone PKI process.  This is the location of the file containing the administrator's CSR (which will be presented to the external CA).  Defaults to empty.

       pki_audit_signing_csr_path
       Generated by the first step of a stand-alone PKI process.  This is the location of the file containing the audit signing CSR (which will be presented to the external CA).  Defaults to empty.

       pki_sslserver_csr_path
       Generated by the first step of a stand-alone PKI process.  This is the location of the file containing the SSL server CSR (which will be presented to the external CA).  Defaults to empty.

       pki_storage_csr_path
       [KRA ONLY] Generated by the first step of a stand-alone KRA process.  This is the location of the file containing the storage CSR (which will be presented to the external CA).  Defaults to empty.

       pki_subsystem_csr_path
       Generated by the first step of a stand-alone PKI process.  This is the location of the file containing the subsystem CSR (which will be presented to the external CA).  Defaults to empty.

       pki_transport_csr_path
       [KRA ONLY] Generated by the first step of a stand-alone KRA process.  This is the location of the file containing the transport CSR (which will be presented to the external CA).  Defaults to empty.

       pki_external_step_two
       Specifies that this is the second step of a stand-alone PKI process.  Defaults to False.

       pki_cert_chain_path
       Required for the second step of a stand-alone PKI process.  This is the location of the file containing the external CA signing certificate (as issued by the external CA).  Defaults to '%(pki_instance_configuration_path)s/external_ca.cert'.

       pki_ca_signing_cert_path
       Required for the second step of a stand-alone PKI process.  This is the location of the file containing the external CA's certificate chain (as issued by the external CA).  Defaults to empty.

       pki_admin_cert_path
       Required for the second step of a stand-alone PKI process.  This is the location of the file containing the administrator's certificate (as issued by the external CA).  Defaults to empty.

       pki_audit_signing_cert_path
       Required for the second step of a stand-alone PKI process.  This is the location of the file containing the audit signing certificate (as issued by the external CA).  Defaults to empty.

       pki_sslserver_cert_path
       Required for the second step of a stand-alone PKI process.  This is the location of the file containing the sslserver certificate (as issued by the external CA).  Defaults to empty.

       pki_storage_cert_path
       [KRA ONLY] Required for the second step of a stand-alone KRA process.  This is the location of the file containing the storage certificate (as issued by the external CA).  Defaults to empty.

       pki_subsystem_cert_path
       Required for the second step of a stand-alone PKI process.  This is the location of the file containing the subsystem certificate (as issued by the external CA).  Defaults to empty.

       pki_transport_cert_path
       [KRA ONLY] Required for the second step of a stand-alone KRA process.  This is the location of the file containing the transport certificate (as issued by the external CA).  Defaults to empty.

   KRA PARAMETERS
       pki_kra_ephemeral_requests
       Specifies to use ephemeral requests for archivals and retrievals.  Defaults to False.

   TPS PARAMETERS
       pki_authdb_basedn
       Specifies the base DN of the TPS authentication database.

       pki_authdb_hostname
       Specifies the hostname of the TPS authentication database.  Defaults to localhost.

       pki_authdb_port
       Specifies the port number of the TPS authentication database.  Defaults to 389.

       pki_authdb_secure_conn
       Specifies whether to use a secure connection to the TPS authentication database.  Defaults to False, in which case traffic to the authentication database, including any bind credentials, is unencrypted.

       pki_enable_server_side_keygen
       Specifies whether to enable server-side key generation.  Defaults to False.  The location of the KRA instance should be specified in the pki_kra_uri parameter.

       pki_ca_uri
       Specifies the URI of the CA instance used by TPS to create and revoke user certificates.  Defaults to the instance in which the TPS is running.

       pki_kra_uri
       Specifies the URI of the KRA instance used by TPS to archive and recover keys.  Required if server-side key generation is enabled using the pki_enable_server_side_keygen parameter.  Defaults to the instance in which the TPS is running.

       pki_tks_uri
       Specifies the URI of the TKS instance used by TPS to generate symmetric keys.  Defaults to the instance in which the TPS is running.


SEE ALSO

       pkispawn(8)


AUTHORS

       Ade Lee <alee@redhat.com>.

       Copyright (c) 2012 Red Hat, Inc.  This is licensed under the GNU General Public License, version 2 (GPLv2).  A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.


PKI                            December 13, 2012            pki_default.cfg(5)