pki_default.cfg(5)          PKI Server Default Deployment Configuration          pki_default.cfg(5)

NAME
pki_default.cfg - PKI server default deployment configuration file.

LOCATION
/usr/share/pki/server/etc/default.cfg

DESCRIPTION
This file contains the default settings for a Certificate Server instance created using pkispawn. This file should not be edited, as it can be modified when the Certificate Server packages are updated. Instead, when setting up a Certificate Server instance, a user should provide pkispawn with a configuration file containing overrides to the defaults in /usr/share/pki/server/etc/default.cfg. See pkispawn(8) for details.

SECTIONS
default.cfg contains parameters that are grouped into sections. These sections are stacked, so that parameters defined in earlier sections can be overwritten by parameters defined in later sections. The sections are read in the following order: [DEFAULT], [Tomcat], and the subsystem section ([CA], [KRA], [OCSP], [TKS], or [TPS]). This allows parameters shared by all subsystems to be specified in [DEFAULT] or [Tomcat], and subsystem-specific customization to be placed in the subsystem section.

There are a small number of bootstrap parameters which are passed in the configuration file by pkispawn. Other parameters' values can be interpolated tokens rather than explicit values. For example:

    pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA

This substitutes the value of pki_instance_name into the parameter value. It is possible to interpolate any non-password parameter within a section or in [DEFAULT]. Any parameter used in interpolation can ONLY be overridden within the same section. So, for example, pki_instance_name should only be overridden in [DEFAULT]; otherwise, interpolations can fail.

Note: Any non-password related parameter value in the configuration file that needs to contain a % character must be properly escaped. For example, a value of foo%bar would be specified as foo%%bar in the configuration file.
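The stacking, interpolation and %-escaping rules above, modelled with Python's standard configparser module (the same module pkispawn is built on). This is an added example, not part of this manual page or of the pki project's code; the file contents, the pki-ca1 instance name and the security domain name are constructed for the demonstration.

```python
"""Model of how pkispawn stacks and interpolates default.cfg sections.

Added example, not pkispawn's own code: [DEFAULT], [Tomcat] and the
subsystem section are flattened in that order, later sections overriding
earlier ones, and %(name)s tokens resolve with each section's own view of
the values.  All file contents below are constructed, not the shipped file.
"""
import configparser

# Constructed stand-in for /usr/share/pki/server/etc/default.cfg.
DEFAULT_CFG = """
[DEFAULT]
pki_instance_name=pki-tomcat
pki_https_port=8443
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA

[Tomcat]
pki_ajp_host=localhost
pki_instance_configuration_path=/var/lib/pki/%(pki_instance_name)s/conf

[CA]
pki_admin_uid=caadmin
pki_admin_nickname=PKI Administrator for %(pki_instance_name)s
"""

# Constructed override file: pki_instance_name is overridden in [DEFAULT],
# where it is defined, and a literal % is escaped as %%.
GOOD_OVERRIDE = """
[DEFAULT]
pki_instance_name=pki-ca1
pki_security_domain_name=EXAMPLE 100%% Domain
"""

# Overrides pki_instance_name in [CA] only; [Tomcat] keeps the old value.
BAD_OVERRIDE = """
[CA]
pki_instance_name=pki-ca1
"""

# Unescaped % in a non-password value.
UNESCAPED_OVERRIDE = """
[DEFAULT]
pki_security_domain_name=EXAMPLE 100% Domain
"""


def load(*texts):
    """Read default.cfg followed by override files into one parser."""
    parser = configparser.ConfigParser()  # BasicInterpolation: %(name)s
    parser.optionxform = str  # keep pki_* key names case-sensitive
    for text in texts:
        parser.read_string(text)  # later files override earlier ones
    return parser


def flatten(parser, subsystem, raw=False):
    """Merge [DEFAULT] -> [Tomcat] -> [subsystem] into one dict; items()
    resolves tokens using only that section plus [DEFAULT]."""
    merged = {}
    for section in ("DEFAULT", "Tomcat", subsystem):
        merged.update(parser.items(section, raw=raw))
    return merged


def stale_interpolations(parser, subsystem):
    """{key: (value_used, value_expected)} for interpolated values that were
    resolved against a source parameter a later section then overrode."""
    merged = flatten(parser, subsystem)
    stale = {}
    for key, raw in flatten(parser, subsystem, raw=True).items():
        if "%(" in raw and raw % merged != merged[key]:
            stale[key] = (merged[key], raw % merged)
    return stale


def interpolation_error(*texts, subsystem="CA"):
    """Name of the configparser error raised while flattening, or None."""
    try:
        flatten(load(*texts), subsystem)
    except configparser.Error as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    good = flatten(load(DEFAULT_CFG, GOOD_OVERRIDE), "CA")
    print(good["pki_ca_signing_nickname"])   # caSigningCert cert-pki-ca1 CA
    print(good["pki_security_domain_name"])  # EXAMPLE 100% Domain
    print(stale_interpolations(load(DEFAULT_CFG, BAD_OVERRIDE), "CA"))
    print(interpolation_error(DEFAULT_CFG, UNESCAPED_OVERRIDE))
```

With BAD_OVERRIDE the merged pki_instance_name is pki-ca1 but pki_instance_configuration_path, interpolated from [Tomcat], still names pki-tomcat, which is the failure the SECTIONS text warns about.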

PRE-CHECK PARAMETERS
Once the configuration parameters have been constructed from the above sections and overrides, pkispawn will perform a series of basic tests to determine if the parameters being passed in are valid and consistent, before starting any installation. In pre-check mode, these tests are executed and then pkispawn exits.

It is possible to disable specific tests by setting the directives below. While all these tests should pass to ensure a successful installation, it may be reasonable to skip tests in pre-check mode.

pki_skip_ds_verify
Skip verification of the Directory Server credentials. In this test, pkispawn attempts to bind to the directory server instance for the internal database using the provided credentials. This could be skipped if the directory server instance does not yet exist or is inaccessible. Defaults to False.

pki_skip_sd_verify
Skip verification of the security domain user/password. In this test, pkispawn attempts to log onto the security domain using the provided credentials. This can be skipped if the security domain is unavailable. Defaults to False.

GENERAL INSTANCE PARAMETERS
The parameters described below, as well as the parameters located in the following sections, can be customized as part of a deployment. This list is not exhaustive.

pki_instance_name
Name of the instance. The instance is located at /var/lib/pki/instance_name. For Java subsystems, the default is specified as pki-tomcat.

pki_https_port, pki_http_port
Secure and unsecure ports. Defaults to the standard Tomcat ports 8443 and 8080, respectively.

pki_ajp_port, pki_tomcat_server_port
Ports for Tomcat subsystems. Defaults to the standard Tomcat ports of 8009 and 8005, respectively.

pki_ajp_host
Host on which to listen for AJP requests. Defaults to localhost to listen to local traffic only.

pki_proxy_http_port, pki_proxy_https_port, pki_enable_proxy
Ports for an Apache proxy server. Certificate Server instances can be run behind an Apache proxy server, which will communicate with the Tomcat instance through the AJP port. See the Red Hat Certificate System documentation ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩ for details.

pki_user, pki_group, pki_audit_group
Specifies the default administrative user, group, and auditor group identities for PKI instances. The default user and group are both specified as pkiuser, and the default audit group is specified as pkiaudit.

pki_token_name, pki_token_password
The token and password where this instance's system certificates and keys are stored. Defaults to the NSS internal software token.

pki_hsm_enable, pki_hsm_libfile, pki_hsm_modulename
If an optional hardware security module (HSM) is being utilized (rather than the default software security module included in NSS), then the pki_hsm_enable parameter must be set to True (by default this parameter is False), and values must be supplied for both the pki_hsm_libfile (e.g. /opt/nfast/toolkits/pkcs11/libcknfast.so) and pki_hsm_modulename (e.g. nethsm) parameters.

SYSTEM CERTIFICATE PARAMETERS
pkispawn sets up a number of system certificates for each subsystem. The system certificates which are required differ between subsystems. Each system certificate is denoted by a tag, as noted below. The different system certificates are:

· signing certificate ("ca_signing"). Used to sign other certificates. Required for CA.

· OCSP signing certificate ("ocsp_signing" in CA, "signing" in OCSP). Used to sign CRLs. Required for OCSP and CA.

· storage certificate ("storage"). Used to encrypt keys for storage in KRA. Required for KRA only.

· transport certificate ("transport"). Used to encrypt keys in transport to the KRA. Required for KRA only.

· subsystem certificate ("subsystem"). Used to communicate between subsystems within the security domain. Issued by the security domain CA. Required for all subsystems.

· server certificate ("sslserver"). Used for communication with the server. One server certificate is required for each Certificate Server instance.

· audit signing certificate ("audit_signing"). Used to sign audit logs. Required for all subsystems except the RA.

Each system certificate can be customized using the parameters below:

pki_<tag>_key_type, pki_<tag>_key_size, pki_<tag>_key_algorithm
Characteristics of the private key. See the Red Hat Certificate System documentation ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩ for possible options. The defaults are RSA for the type, 2048 bits for the key size, and SHA256withRSA for the algorithm.

pki_<tag>_signing_algorithm
For signing certificates, the algorithm used for signing. Defaults to SHA256withRSA.

pki_<tag>_token
Location where the certificate and private key are stored. Defaults to the internal software NSS token database.

pki_<tag>_nickname
Nickname for the certificate in the token database.

pki_<tag>_subject_dn
Subject DN for the certificate. The subject DN for the SSL Server certificate must include CN=hostname.

ADMIN USER PARAMETERS
pkispawn creates a bootstrap administrative user that is a member of all the necessary groups to administer the installed subsystem. On a security domain CA, the CA administrative user is also a member of the groups required to register a new subsystem on the security domain. The certificate and keys for this administrative user are stored in a PKCS #12 file in pki_client_dir, and can be imported into a browser to administer the system.

pki_admin_name, pki_admin_uid
Name and UID of this administrative user. Defaults to caadmin for CA, kraadmin for KRA, etc.

pki_admin_password
Password for the admin user. This password is used to log into the pki-console (unless client authentication is enabled), as well as to log into the security domain CA.

pki_admin_email
Email address for the admin user.

pki_admin_dualkey, pki_admin_key_size, pki_admin_key_type, pki_admin_key_algorithm
Settings for the administrator certificate and keys.

pki_admin_subject_dn
Subject DN for the administrator certificate. Defaults to cn=PKI Administrator, e=%(pki_admin_email)s, o=%(pki_security_domain_name)s.

pki_admin_nickname
Nickname for the administrator certificate.

pki_import_admin_cert
Set to True to import an existing admin certificate for the admin user, rather than generating a new one. A subsystem-specific administrator will still be created within the subsystem's LDAP tree. This is useful to allow multiple subsystems within the same instance to be more easily administered from the same browser by using a single certificate.

By default, this is set to False for CA subsystems and True for KRA, OCSP, TKS, and TPS subsystems. In the latter case, the admin certificate is read from the file ca_admin.cert in pki_client_dir.

Note that cloned subsystems do not create a new administrative user. The administrative user of the master subsystem is used instead, and the details of this master user are replicated during the install.

pki_client_admin_cert_p12
Location for the PKCS #12 file containing the administrative user's certificate and keys. For a CA, this defaults to ca_admin_cert.p12 in the pki_client_dir directory.

BACKUP PARAMETERS
pki_backup_keys, pki_backup_password
Set to True to back up the subsystem certificates and keys to a PKCS #12 file. This file will be located in /var/lib/pki/instance_name/alias. pki_backup_password is the password of the PKCS #12 file.

Important: Keys in an HSM may not be extractable, so they may not be able to be exported into a PKCS #12 file. Therefore, if pki_hsm_enable is set to True, pki_backup_keys should be set to False and pki_backup_password should be left unset (the default values in /usr/share/pki/server/etc/default.cfg). Failure to do so will result in pkispawn reporting this error and exiting.

CLIENT DIRECTORY PARAMETERS
pki_client_dir
This is the location where all client data used during the installation is stored. At the end of the invocation of pkispawn, the administrative user's certificate and keys are stored in a PKCS #12 file in this location.

Note: When using an HSM, it is currently recommended to NOT specify a value for pki_client_dir that is different from the default value.

pki_client_database_dir, pki_client_database_password
Location where an NSS token database is created in order to generate a key for the administrative user. Usually, the data in this location is removed at the end of the installation, as the keys and certificates are stored in a PKCS #12 file in pki_client_dir.

pki_client_database_purge
Set to True to remove pki_client_database_dir at the end of the installation. Defaults to True.

INTERNAL DATABASE PARAMETERS
pki_ds_hostname, pki_ds_ldap_port, pki_ds_ldaps_port
Hostname and ports for the internal database. Defaults to localhost, 389, and 636, respectively.

pki_ds_bind_dn, pki_ds_password
Credentials to connect to the database during installation. Directory Manager-level access is required during installation to set up the relevant schema and database. During the installation, a more restricted PKI user is set up for client-authenticated connections to the database. Some additional configuration is required, including setting up the directory server to use SSL. See the documentation for details.

pki_ds_secure_connection
Sets whether to require connections to the Directory Server using LDAPS. This requires SSL to be set up on the Directory Server first. Defaults to False.

pki_ds_secure_connection_ca_nickname
Once a Directory Server CA certificate has been imported into the PKI security databases (see pki_ds_secure_connection_ca_pem_file), pki_ds_secure_connection_ca_nickname will contain the nickname under which it is stored. The default.cfg file contains a default value for this nickname. This parameter is only utilized when pki_ds_secure_connection has been set to True.

pki_ds_secure_connection_ca_pem_file
The pki_ds_secure_connection_ca_pem_file parameter consists of the fully-qualified path, including the filename, of a file which contains an exported copy of a Directory Server's CA certificate. While this parameter is only utilized when pki_ds_secure_connection has been set to True, a valid value is required for this parameter whenever that condition holds.

pki_ds_remove_data
Sets whether to remove any data from the base DN before starting the installation. Defaults to True.

pki_ds_base_dn
The base DN for the internal database. It is advised that the Certificate Server have its own base DN for its internal database. If the base DN does not exist, it will be created during the running of pkispawn. For a cloned subsystem, the base DN for the clone subsystem MUST be the same as for the master subsystem.

pki_ds_database
Name of the back-end database. It is advised that the Certificate Server have its own base DN for its internal database. If the back-end does not exist, it will be created during the running of pkispawn.

ISSUING CA PARAMETERS
pki_issuing_ca_hostname, pki_issuing_ca_https_port, pki_issuing_ca_uri
Hostname and port, or URI, of the issuing CA. Required for installations of subordinate CA and non-CA subsystems. This should point to the CA that will issue the relevant system certificates for the subsystem. In a default install, this defaults to the CA subsystem within the same instance. The URI has the format https://ca_hostname:ca_https_port.

MISCELLANEOUS PARAMETERS
pki_restart_configured_instance
Sets whether to restart the instance after configuration is complete. Defaults to True.

pki_enable_access_log
Located in the [Tomcat] section, this variable determines whether the instance will enable (True) or disable (False) Tomcat access logging. Defaults to True.

pki_enable_java_debugger
Sets whether to attach a Java debugger such as Eclipse to the instance for troubleshooting. Defaults to False.

pki_enable_on_system_boot
Sets whether or not PKI instances should be started upon system boot.

Currently, if this PKI subsystem exists within a shared instance, and it has been configured to start upon system boot, then ALL other previously configured PKI subsystems within this shared instance will start upon system boot.

Similarly, if this PKI subsystem exists within a shared instance, and it has been configured to NOT start upon system boot, then ALL other previously configured PKI subsystems within this shared instance will NOT start upon system boot.

Additionally, if more than one PKI instance exists, no granularity exists which allows one PKI instance to be enabled while another PKI instance is disabled (i.e. PKI instances are either all enabled or all disabled). To provide this capability, the PKI instances must reside on separate machines.

Defaults to True (see the following note on why this was previously 'False').

Note: Since this parameter did not exist prior to Dogtag 10.2.3, the default behavior of PKI instances in Dogtag 10.2.2 and prior was False. To manually enable this behavior, obtain superuser privileges, and execute 'systemctl enable pki-tomcatd.target'; to manually disable this behavior, execute 'systemctl disable pki-tomcatd.target'.

pki_security_manager
Enables the Java security manager policies provided by the JDK to be used with the instance. Defaults to True.

SECURITY DOMAIN PARAMETERS
The security domain is a component that facilitates communication between subsystems. The first CA installed hosts this component and is used to register subsequent subsystems with the security domain. These subsystems can communicate with each other using their subsystem certificate, which is issued by the security domain CA. For more information about the security domain component, see the Red Hat Certificate System documentation ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩.

pki_security_domain_hostname, pki_security_domain_https_port
Location of the security domain. Required for KRA, OCSP, TKS, and TPS subsystems and for CA subsystems joining a security domain. Defaults to the location of the CA subsystem within the same instance.

pki_security_domain_user, pki_security_domain_password
Administrative user of the security domain. Required for KRA, OCSP, TKS, and TPS subsystems, and for CA subsystems joining a security domain. Defaults to the administrative user for the CA subsystem within the same instance (caadmin).

pki_security_domain_name
The name of the security domain. This is required for the security domain CA.

CLONE PARAMETERS
pki_clone
Installs a clone, rather than an original, subsystem.

pki_clone_pkcs12_password, pki_clone_pkcs12_path
Location and password of the PKCS #12 file containing the system certificates for the master subsystem being cloned. This file should be readable by the user that the Certificate Server is running as (default of pkiuser), and have the correct SELinux context (pki_tomcat_cert_t). This can be achieved by placing the file in /var/lib/pki/instance_name/alias.

Important: Keys in an HSM may not be extractable, so they may not be able to be exported into a PKCS #12 file. For the case of clones using an HSM, this means that the HSM keys must be shared between the master and its clones. Therefore, if pki_hsm_enable is set to True, both pki_clone_pkcs12_path and pki_clone_pkcs12_password should be left unset (the default values in /usr/share/pki/server/etc/default.cfg). Failure to do so will result in pkispawn reporting this error and exiting.
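The HSM caveats in this note and in BACKUP PARAMETERS, together with the LDAPS and sslserver subject DN requirements documented earlier, expressed as a consistency check over the flattened parameters of one subsystem. This is an added example, not pkispawn's own pre-check code; the message wording, the boolean spelling test, and the sample parameter values and file paths are constructed for the demonstration.

```python
"""Consistency checks modelled on the pre-check rules this page documents.

Added example, not pkispawn's own pre-check code.  Input is the flattened
parameter dict for one subsystem; output lists the documented conflicts:
HSM with PKCS #12 key backup, HSM with a clone PKCS #12 file, LDAPS without
a Directory Server CA PEM file, and an sslserver subject DN lacking
CN=hostname.  Message wording and the True/False spelling test are
assumptions of this example; sample values and paths are constructed.
"""


def is_true(params, key):
    return params.get(key, "False").strip().lower() == "true"


def is_set(params, key):
    return bool(params.get(key, "").strip())


def dn_components(dn):
    """Lower-cased attr=value parts of a DN (escaped commas not handled)."""
    return {part.strip().lower() for part in dn.split(",") if part.strip()}


def precheck(params, hostname):
    """Return the list of inconsistencies; an empty list means consistent."""
    problems = []
    if is_true(params, "pki_hsm_enable"):
        for key in ("pki_hsm_libfile", "pki_hsm_modulename"):
            if not is_set(params, key):
                problems.append(f"pki_hsm_enable=True requires {key}")
        # HSM keys may not be extractable, so neither a PKCS #12 backup
        # nor a PKCS #12 clone import can be relied on.
        if is_true(params, "pki_backup_keys"):
            problems.append("pki_hsm_enable=True requires pki_backup_keys=False")
        if is_set(params, "pki_backup_password"):
            problems.append("pki_hsm_enable=True requires pki_backup_password to be unset")
        if is_true(params, "pki_clone"):
            for key in ("pki_clone_pkcs12_path", "pki_clone_pkcs12_password"):
                if is_set(params, key):
                    problems.append(
                        f"pki_hsm_enable=True with pki_clone=True requires {key} to be unset")
    if is_true(params, "pki_ds_secure_connection") and not is_set(
            params, "pki_ds_secure_connection_ca_pem_file"):
        problems.append(
            "pki_ds_secure_connection=True requires pki_ds_secure_connection_ca_pem_file")
    dn = params.get("pki_sslserver_subject_dn", "")
    if dn and f"cn={hostname.lower()}" not in dn_components(dn):
        problems.append(f"pki_sslserver_subject_dn must include CN={hostname}")
    return problems


# Constructed flattened parameters for a CA on an HSM whose override file
# left the PKCS #12 backup and plain-LDAP defaults in place.
HSM_CA = {
    "pki_hsm_enable": "True",
    "pki_hsm_libfile": "/opt/nfast/toolkits/pkcs11/libcknfast.so",
    "pki_hsm_modulename": "nethsm",
    "pki_backup_keys": "True",
    "pki_backup_password": "REPLACE_ME",
    "pki_ds_secure_connection": "True",
    "pki_sslserver_subject_dn": "CN=ca.example.test,O=EXAMPLE",
}

# The same deployment with the documented corrections applied.
HSM_CA_FIXED = dict(
    HSM_CA,
    pki_backup_keys="False",
    pki_backup_password="",
    pki_ds_secure_connection_ca_pem_file="/etc/pki/ds-ca.pem",  # constructed
)

# A clone on the same HSM that wrongly points at a PKCS #12 export.
HSM_CLONE = dict(
    HSM_CA_FIXED,
    pki_clone="True",
    pki_clone_pkcs12_path="/var/lib/pki/pki-tomcat/alias/master.p12",  # constructed
    pki_clone_pkcs12_password="REPLACE_ME",
)

if __name__ == "__main__":
    for name, params in (("HSM CA", HSM_CA), ("fixed", HSM_CA_FIXED), ("clone", HSM_CLONE)):
        print(name, precheck(params, "ca.example.test") or ["consistent"])
```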

pki_clone_setup_replication
Defaults to True. If set to False, the installer does not set up replication agreements from the master to the clone as part of the subsystem configuration. In this case, it is expected that the top level suffix already exists, and that the data has already been replicated. This option is useful if you want to use other tools to create and manage your replication topology, or if the baseDN is already replicated as part of a top-level suffix.

pki_clone_reindex_data
Defaults to False. This parameter is only relevant when pki_clone_setup_replication is set to False. In this case, it is expected that the database has been prepared and replicated as noted above. Part of that preparation could involve adding indexes and indexing the data. If you would like the Dogtag installer to add the indexes and reindex the data instead, set pki_clone_reindex_data to True.

pki_clone_replication_master_port, pki_clone_replication_clone_port
Ports on which replication occurs. These are the ports on the master and clone databases respectively. Defaults to the internal database port.

pki_clone_replicate_schema
Replicate schema when the replication agreement is set up and the new instance (consumer) is initialized. Otherwise, the schema must be installed in the clone as a separate step beforehand. This does not usually have to be changed. Defaults to True.

pki_clone_replication_security
The type of security used for the replication data. This can be set to SSL (using LDAPS), TLS, or None. Defaults to None. For SSL and TLS, SSL must be set up for the database instances beforehand.

pki_master_hostname, pki_master_https_port, pki_clone_uri
Hostname and port, or URI, of the subsystem being cloned. The URI format is https://master_hostname:master_https_port, where the default master hostname and https port are set to be the security domain's hostname and https port.

CA SERIAL NUMBER PARAMETERS
pki_serial_number_range_start, pki_serial_number_range_end
Sets the range of serial numbers to be used when issuing certificates. Values here are hexadecimal (without the 0x prefix). It is useful to override these values when migrating data from another CA, so that serial number conflicts do not occur. Defaults to 1 and 10000000 respectively.

pki_request_number_range_start, pki_request_number_range_end
Sets the range of request numbers to be used by the CA. Values here are decimal. It is useful to override these values when migrating data from another CA, so that request number conflicts do not occur. Defaults to 1 and 10000000 respectively.

pki_replica_number_range_start, pki_replica_number_range_end
Sets the range of replica numbers to be used by the CA. These numbers are used to identify database replicas in a replication topology. Values here are decimal. Defaults to 1 and 100 respectively.

EXTERNAL CA CERTIFICATE PARAMETERS
pki_external
Sets whether the new CA will have a signing certificate that will be issued by an external CA. This is a two step process. In the first step, a CSR to be presented to the external CA is generated. In the second step, the issued signing certificate and certificate chain are provided to the pkispawn utility to complete the installation. Defaults to False.

pki_ca_signing_csr_path
Required in the first step of the external CA signing process. The CSR will be printed to the screen and stored in this location.

pki_req_ski
Include a Subject Key Identifier extension in the CSR. The value is either a hex-encoded byte string (without leading "0x"), or the string "DEFAULT", which will derive a value from the public key.

pki_external_step_two
Specifies that this is the second step of the external CA process. Defaults to False.

pki_ca_signing_cert_path, pki_cert_chain_path
Required for the second step of the external CA signing process. These are the locations of the CA signing cert (as issued by the external CA) and of the external CA's certificate chain.

SUBORDINATE CA CERTIFICATE PARAMETERS
pki_subordinate
Specifies whether the new CA will be a subordinate of another CA. The master CA is specified by the pki_issuing_ca parameters (see ISSUING CA PARAMETERS). Defaults to False.

pki_subordinate_create_new_security_domain
Set to True if the subordinate CA will host its own security domain. Defaults to False.

pki_subordinate_security_domain_name
Used when pki_subordinate_create_new_security_domain is set to True. Specifies the name of the security domain to be hosted on the subordinate CA.

STANDALONE PKI PARAMETERS
A stand-alone PKI subsystem is defined as a non-CA PKI subsystem that does not contain a CA as a part of its deployment, and functions as its own security domain. Currently, only stand-alone KRAs are supported.

pki_standalone
Sets whether or not the new PKI subsystem will be stand-alone. This is a two step process. In the first step, CSRs for each of this stand-alone PKI subsystem's certificates will be generated so that they may be presented to the external CA. In the second step, the issued certificates, external CA certificate, and external CA certificate chain are provided to the pkispawn utility to complete the installation. Defaults to False.

pki_external_admin_csr_path
Will be generated by the first step of a stand-alone PKI process. This is the location of the file containing the administrator's CSR (which will be presented to the external CA). Defaults to '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr'.

pki_external_audit_signing_csr_path
Will be generated by the first step of a stand-alone PKI process. This is the location of the file containing the audit signing CSR (which will be presented to the external CA). Defaults to '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr'.

pki_external_sslserver_csr_path
Will be generated by the first step of a stand-alone PKI process. This is the location of the file containing the SSL server CSR (which will be presented to the external CA). Defaults to '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr'.

pki_external_storage_csr_path
[KRA ONLY] Will be generated by the first step of a stand-alone KRA process. This is the location of the file containing the storage CSR (which will be presented to the external CA). Defaults to '%(pki_instance_configuration_path)s/kra_storage.csr'.

pki_external_subsystem_csr_path
Will be generated by the first step of a stand-alone PKI process. This is the location of the file containing the subsystem CSR (which will be presented to the external CA). Defaults to '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr'.

pki_external_transport_csr_path
[KRA ONLY] Will be generated by the first step of a stand-alone KRA process. This is the location of the file containing the transport CSR (which will be presented to the external CA). Defaults to '%(pki_instance_configuration_path)s/kra_transport.csr'.

pki_external_step_two
Specifies that this is the second step of a stand-alone PKI process. Defaults to False.

pki_cert_chain_path
Required for the second step of a stand-alone PKI process. This is the location of the file containing the external CA signing certificate (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/external_ca.cert'.

pki_ca_signing_cert_path
Required for the second step of a stand-alone PKI process. This is the location of the file containing the external CA's certificate chain (as issued by the external CA). Defaults to empty.

pki_external_admin_cert_path
Required for the second step of a stand-alone PKI process. This is the location of the file containing the administrator's certificate (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert'.

pki_external_audit_signing_cert_path
Required for the second step of a stand-alone PKI process. This is the location of the file containing the audit signing certificate (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert'.

pki_external_sslserver_cert_path
Required for the second step of a stand-alone PKI process. This is the location of the file containing the sslserver certificate (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert'.

pki_external_storage_cert_path
[KRA ONLY] Required for the second step of a stand-alone KRA process. This is the location of the file containing the storage certificate (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/kra_storage.cert'.

pki_external_subsystem_cert_path
Required for the second step of a stand-alone PKI process. This is the location of the file containing the subsystem certificate (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert'.

pki_external_transport_cert_path
[KRA ONLY] Required for the second step of a stand-alone KRA process. This is the location of the file containing the transport certificate (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/kra_transport.cert'.

KRA PARAMETERS
pki_kra_ephemeral_requests
Specifies to use ephemeral requests for archivals and retrievals. Defaults to False.

TPS PARAMETERS
pki_authdb_basedn
Specifies the base DN of the TPS authentication database.

pki_authdb_hostname
Specifies the hostname of the TPS authentication database. Defaults to localhost.

pki_authdb_port
Specifies the port number of the TPS authentication database. Defaults to 389.

pki_authdb_secure_conn
Specifies whether to use a secure connection to the TPS authentication database. Defaults to False.

pki_enable_server_side_keygen
Specifies whether to enable server-side key generation. Defaults to False. The location of the KRA instance should be specified in the pki_kra_uri parameter.

pki_ca_uri
Specifies the URI of the CA instance used by TPS to create and revoke user certificates. Defaults to the instance in which the TPS is running.

pki_kra_uri
Specifies the URI of the KRA instance used by TPS to archive and recover keys. Required if server-side key generation is enabled using the pki_enable_server_side_keygen parameter. Defaults to the instance in which the TPS is running.

pki_tks_uri
Specifies the URI of the TKS instance used by TPS to generate symmetric keys. Defaults to the instance in which the TPS is running.

SEE ALSO
pkispawn(8)

AUTHORS
Ade Lee <alee@redhat.com>.

COPYRIGHT
Copyright (c) 2012 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at ⟨http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt⟩.

PKI                                 December 13, 2012                                 pki_default.cfg(5)