pki_default.cfg(5)      PKI Server Default Deployment Configuration      pki_default.cfg(5)

NAME
       pki_default.cfg - PKI server default deployment configuration file.

LOCATION
       /usr/share/pki/server/etc/default.cfg

DESCRIPTION
       This file contains the default settings for a Certificate Server
       instance created using pkispawn.  This file should not be edited, as
       it can be modified when the Certificate Server packages are updated.
       Instead, when setting up a Certificate Server instance, a user should
       provide pkispawn with a configuration file containing overrides to
       the defaults in /usr/share/pki/server/etc/default.cfg.  See
       pkispawn(8) for details.

SECTIONS
       default.cfg contains parameters that are grouped into sections.
       These sections are stacked, so that parameters defined in earlier
       sections can be overwritten by parameters defined in later sections.
       The sections are read in the following order: [DEFAULT], [Tomcat],
       and the subsystem section ([CA], [KRA], [OCSP], [TKS], or [TPS]).
       This makes it possible to specify parameters shared by all
       subsystems in [DEFAULT] or [Tomcat], and subsystem-specific
       customizations in the subsystem section.

       A small number of bootstrap parameters are passed in the
       configuration file by pkispawn.  Other parameter values can be
       interpolated tokens rather than explicit values.  For example:

           pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA

       This substitutes the value of pki_instance_name into the parameter
       value.  It is possible to interpolate any non-password parameter
       within a section or in [DEFAULT].  Any parameter used in
       interpolation can ONLY be overridden within the same section.  So,
       for example, pki_instance_name should only be overridden in
       [DEFAULT]; otherwise, interpolations can fail.

       Note: Any non-password parameter value in the configuration file
       that needs to contain a % character must be properly escaped.  For
       example, a value of foo%bar would be specified as foo%%bar in the
       configuration file.
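       The following Python script is an added illustration of the section
       stacking, interpolation and escaping rules described above; it is
       not code from the PKI project.  It uses the standard configparser
       module, whose %(name)s interpolation and %% escaping are the syntax
       default.cfg uses, to resolve a stacked configuration and to show
       what goes wrong when pki_instance_name is overridden in a subsystem
       section instead of [DEFAULT].  Both configuration snippets are
       constructed for the example and carry only a handful of the
       parameters a real default.cfg has.

```python
import configparser

# Constructed stand-in for /usr/share/pki/server/etc/default.cfg: only a
# handful of parameters, with the same layering as the real file.
DEFAULT_CFG = """\
[DEFAULT]
pki_instance_name=pki-tomcat
pki_https_port=8443
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA

[Tomcat]
pki_ajp_host=localhost
pki_tomcat_server_port=8005

[CA]
pki_admin_uid=caadmin
pki_admin_subject_dn=cn=PKI Administrator,o=%(pki_instance_name)s
"""

# Constructed override file, the kind a user passes to pkispawn.
# pki_instance_name is overridden in [DEFAULT], where it is defined, and
# the literal % in the OU is escaped as %%.
GOOD_OVERRIDES = """\
[DEFAULT]
pki_instance_name=issuing-ca

[CA]
pki_admin_uid=ops-ca-admin
pki_admin_subject_dn=cn=PKI Administrator,ou=100%% Ops,o=%(pki_instance_name)s
"""

# Constructed override that breaks the rule: pki_instance_name is used in
# interpolation from [DEFAULT] but overridden only in [CA].
BAD_OVERRIDES = """\
[CA]
pki_instance_name=issuing-ca
"""


def load_stacked(default_text, override_text):
    """Read the defaults, then the overrides; later values win."""
    cp = configparser.ConfigParser()
    cp.read_string(default_text)
    cp.read_string(override_text)
    return cp


def resolve(cp, subsystem):
    """Flatten [DEFAULT] < [Tomcat] < [subsystem] into one dict.

    configparser folds [DEFAULT] into every section, so iterating a
    section yields the default keys too; get() applies interpolation.
    """
    resolved = {}
    for section in ("Tomcat", subsystem):
        for key in cp[section]:
            resolved[key] = cp.get(section, key)
    return resolved


def nickname_views(cp):
    """The CA signing nickname as seen from each section.

    They agree only if pki_instance_name was overridden in [DEFAULT].
    """
    return {s: cp.get(s, "pki_ca_signing_nickname") for s in ("Tomcat", "CA")}


if __name__ == "__main__":
    params = resolve(load_stacked(DEFAULT_CFG, GOOD_OVERRIDES), "CA")
    for key in sorted(params):
        print(f"{key}={params[key]}")
    print(nickname_views(load_stacked(DEFAULT_CFG, BAD_OVERRIDES)))
```

       With GOOD_OVERRIDES every section resolves the nickname to
       "caSigningCert cert-issuing-ca CA" and the escaped OU comes back as
       "100% Ops".  With BAD_OVERRIDES the [CA] view says "cert-issuing-ca"
       while [Tomcat] still says "cert-pki-tomcat": the sections no longer
       agree on which instance they describe, which is the failure the
       rule above guards against.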

PRE-CHECK PARAMETERS
       Once the configuration parameters have been constructed from the
       above sections and overrides, pkispawn will perform a series of
       basic tests to determine if the parameters being passed in are
       valid and consistent, before starting any installation.  In
       pre-check mode, these tests are executed and then pkispawn exits.

       It is possible to disable specific tests by setting the directives
       below.  While all these tests should pass to ensure a successful
       installation, it may be reasonable to skip tests in pre-check mode.

   pki_skip_ds_verify
       Skip verification of the Directory Server credentials.  In this
       test, pkispawn attempts to bind to the directory server instance
       for the internal database using the provided credentials.  This
       could be skipped if the directory server instance does not yet
       exist or is inaccessible.  Defaults to False.

   pki_skip_sd_verify
       Skip verification of the security domain user/password.  In this
       test, pkispawn attempts to log onto the security domain using the
       provided credentials.  This can be skipped if the security domain
       is unavailable.  Defaults to False.

GENERAL PARAMETERS
       The parameters described below, as well as the parameters located
       in the following sections, can be customized as part of a
       deployment.  This list is not exhaustive.

   pki_instance_name
       Name of the instance.  The instance is located at
       /var/lib/pki/instance_name.  For Java subsystems, the default is
       pki-tomcat.

   pki_https_port, pki_http_port
       Secure (HTTPS) and insecure (HTTP) ports.  Defaults to the standard
       Tomcat ports 8443 and 8080, respectively.

   pki_ajp_port, pki_tomcat_server_port
       Ports for Tomcat subsystems.  Defaults to the standard Tomcat ports
       8009 and 8005, respectively.

   pki_ajp_host
       Host on which to listen for AJP requests.  Defaults to localhost to
       listen to local traffic only.  If this is changed, only the proxy
       described under pki_enable_proxy should be able to reach the AJP
       port.

   pki_proxy_http_port, pki_proxy_https_port, pki_enable_proxy
       Ports for an Apache proxy server.  Certificate Server instances can
       be run behind an Apache proxy server, which will communicate with
       the Tomcat instance through the AJP port.  See the Red Hat
       Certificate System documentation
       <https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System>
       for details.

   pki_user, pki_group, pki_audit_group
       Specifies the default administrative user, group, and auditor group
       identities for PKI instances.  The default user and group are both
       pkiuser, and the default audit group is pkiaudit.

   pki_token_name, pki_token_password
       The token and password where this instance's system certificates
       and keys are stored.  Defaults to the NSS internal software token.

   pki_hsm_enable, pki_hsm_libfile, pki_hsm_modulename
       If an optional hardware security module (HSM) is being utilized
       (rather than the default software security module included in NSS),
       then the pki_hsm_enable parameter must be set to True (by default
       this parameter is False), and values must be supplied for both the
       pki_hsm_libfile (e.g. /opt/nfast/toolkits/pkcs11/libcknfast.so) and
       pki_hsm_modulename (e.g. nethsm) parameters.

SYSTEM CERTIFICATE PARAMETERS
       pkispawn sets up a number of system certificates for each
       subsystem.  The system certificates which are required differ
       between subsystems.  Each system certificate is denoted by a tag,
       as noted below.  The different system certificates are:

       · signing certificate ("ca_signing").  Used to sign other
         certificates (and, by default, CRLs).  Required for CA.

       · OCSP signing certificate ("ocsp_signing" in CA, "signing" in
         OCSP).  Used to sign OCSP responses.  Required for OCSP and CA.

       · storage certificate ("storage").  Used to encrypt keys for
         storage in KRA.  Required for KRA only.

       · transport certificate ("transport").  Used to encrypt keys in
         transport to the KRA.  Required for KRA only.

       · subsystem certificate ("subsystem").  Used to communicate
         between subsystems within the security domain.  Issued by the
         security domain CA.  Required for all subsystems.

       · server certificate ("sslserver").  Used for communication with
         the server.  One server certificate is required for each
         Certificate Server instance.

       · audit signing certificate ("audit_signing").  Used to sign audit
         logs.  Required for all subsystems except the RA.

       Each system certificate can be customized using the parameters
       below:

   pki_<tag>_key_type, pki_<tag>_key_size, pki_<tag>_key_algorithm
       Characteristics of the private key.  See the Red Hat Certificate
       System documentation
       <https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System>
       for possible options.  The defaults are RSA for the type, 2048 bits
       for the key size, and SHA256withRSA for the algorithm.

   pki_<tag>_signing_algorithm
       For signing certificates, the algorithm used for signing.  Defaults
       to SHA256withRSA.

   pki_<tag>_token
       Location where the certificate and private key are stored.
       Defaults to the internal software NSS token database.

   pki_<tag>_nickname
       Nickname for the certificate in the token database.

   pki_<tag>_subject_dn
       Subject DN for the certificate.  The subject DN for the SSL server
       certificate must include CN=hostname.

ADMIN USER PARAMETERS
       pkispawn creates a bootstrap administrative user that is a member
       of all the necessary groups to administer the installed subsystem.
       On a security domain CA, the CA administrative user is also a
       member of the groups required to register a new subsystem on the
       security domain.  The certificate and keys for this administrative
       user are stored in a PKCS #12 file in pki_client_dir, and can be
       imported into a browser to administer the system.

   pki_admin_name, pki_admin_uid
       Name and UID of this administrative user.  Defaults to caadmin for
       CA, kraadmin for KRA, etc.

   pki_admin_password
       Password for the admin user.  This password is used to log into
       the pki-console (unless client authentication is enabled), as well
       as to log into the security domain CA.

   pki_admin_email
       Email address for the admin user.

   pki_admin_dualkey, pki_admin_key_size, pki_admin_key_type,
   pki_admin_key_algorithm
       Settings for the administrator certificate and keys.

   pki_admin_subject_dn
       Subject DN for the administrator certificate.  Defaults to cn=PKI
       Administrator, e=%(pki_admin_email)s, o=%(pki_security_domain_name)s.

   pki_admin_nickname
       Nickname for the administrator certificate.

   pki_import_admin_cert
       Set to True to import an existing admin certificate for the admin
       user, rather than generating a new one.  A subsystem-specific
       administrator will still be created within the subsystem's LDAP
       tree.  This is useful to allow multiple subsystems within the same
       instance to be more easily administered from the same browser by
       using a single certificate.

       By default, this is set to False for CA subsystems and True for
       KRA, OCSP, TKS, and TPS subsystems.  In this case, the admin
       certificate is read from the file ca_admin.cert in pki_client_dir.

       Note that cloned subsystems do not create a new administrative
       user.  The administrative user of the master subsystem is used
       instead, and the details of this master user are replicated during
       the install.

   pki_client_admin_cert_p12
       Location for the PKCS #12 file containing the administrative
       user's certificate and keys.  For a CA, this defaults to
       ca_admin_cert.p12 in the pki_client_dir directory.  This file
       holds the bootstrap administrator's private key and should be
       protected accordingly.

BACKUP PARAMETERS
   pki_backup_keys, pki_backup_file, pki_backup_password
       Set pki_backup_keys to True to back up the subsystem certificates
       and keys to a PKCS #12 file specified in pki_backup_file (default
       is /etc/pki/instance_name/alias/subsystem_backup_keys.p12).
       pki_backup_password is the password of the PKCS #12 file.  The
       backup contains the subsystem's private keys (for a CA, the CA
       signing key), so it must be stored with the same care as the
       instance's token database.

       Important: Keys in an HSM may not be extractable, so they may not
       be able to be exported into a PKCS #12 file.  Therefore, if
       pki_hsm_enable is set to True, pki_backup_keys should be set to
       False and pki_backup_password should be left unset (the default
       values in /usr/share/pki/server/etc/default.cfg).  Failure to do
       so will result in pkispawn reporting this error and exiting.

CLIENT DIRECTORY PARAMETERS
   pki_client_dir
       This is the location where all client data used during the
       installation is stored.  At the end of the invocation of pkispawn,
       the administrative user's certificate and keys are stored in a
       PKCS #12 file in this location.

       Note: When using an HSM, it is currently recommended to NOT
       specify a value for pki_client_dir that is different from the
       default value.

   pki_client_database_dir, pki_client_database_password
       Location where an NSS token database is created in order to
       generate a key for the administrative user.  Usually, the data in
       this location is removed at the end of the installation, as the
       keys and certificates are stored in a PKCS #12 file in
       pki_client_dir.

   pki_client_database_purge
       Set to True to remove pki_client_database_dir at the end of the
       installation.  Defaults to True.

INTERNAL DATABASE PARAMETERS
   pki_ds_hostname, pki_ds_ldap_port, pki_ds_ldaps_port
       Hostname and ports for the internal database.  Defaults to
       localhost, 389, and 636, respectively.

   pki_ds_bind_dn, pki_ds_password
       Credentials to connect to the database during installation.
       Directory Manager-level access is required during installation to
       set up the relevant schema and database.  During the installation,
       a more restricted PKI user is set up to be used for
       client-authenticated connections to the database; some additional
       configuration is required for this, including setting up the
       directory server to use SSL.  See the documentation for details.
       Because the deployment configuration file carries this password in
       clear text, restrict its permissions and remove it once the
       installation is complete.

   pki_ds_secure_connection
       Sets whether to require connections to the Directory Server using
       LDAPS.  This requires SSL to be set up on the Directory Server
       first.  Defaults to False.  With the default, pkispawn's Directory
       Manager bind and the instance's database traffic use plaintext
       LDAP, so LDAPS should be enabled whenever the Directory Server is
       not on the same host.

   pki_ds_secure_connection_ca_nickname
       Once a Directory Server CA certificate has been imported into the
       PKI security databases (see pki_ds_secure_connection_ca_pem_file),
       pki_ds_secure_connection_ca_nickname will contain the nickname
       under which it is stored.  The default.cfg file contains a default
       value for this nickname.  This parameter is only utilized when
       pki_ds_secure_connection has been set to True.

   pki_ds_secure_connection_ca_pem_file
       The fully-qualified path, including the filename, of a file which
       contains an exported copy of the Directory Server's CA
       certificate.  While this parameter is only utilized when
       pki_ds_secure_connection has been set to True, a valid value is
       required for this parameter whenever that is the case.

   pki_ds_remove_data
       Sets whether to remove any data from the base DN before starting
       the installation.  Defaults to True.

   pki_ds_base_dn
       The base DN for the internal database.  It is advised that the
       Certificate Server have its own base DN for its internal database.
       If the base DN does not exist, it will be created during the
       running of pkispawn.  For a cloned subsystem, the base DN for the
       clone subsystem MUST be the same as for the master subsystem.

   pki_ds_database
       Name of the back-end database.  It is advised that the Certificate
       Server have its own back-end database for its internal database.
       If the back-end does not exist, it will be created during the
       running of pkispawn.

ISSUING CA PARAMETERS
   pki_issuing_ca_hostname, pki_issuing_ca_https_port, pki_issuing_ca_uri
       Hostname and port, or URI, of the issuing CA.  Required for
       installations of subordinate CA and non-CA subsystems.  This
       should point to the CA that will issue the relevant system
       certificates for the subsystem.  In a default install, this
       defaults to the CA subsystem within the same instance.  The URI
       has the format https://ca_hostname:ca_https_port.

MISCELLANEOUS PARAMETERS
   pki_restart_configured_instance
       Sets whether to restart the instance after configuration is
       complete.  Defaults to True.

   pki_enable_access_log
       Located in the [Tomcat] section, this variable determines whether
       the instance will enable (True) or disable (False) Tomcat access
       logging.  Defaults to True.

   pki_enable_java_debugger
       Sets whether to attach a Java debugger such as Eclipse to the
       instance for troubleshooting.  Defaults to False, and should stay
       disabled on production instances.

   pki_enable_on_system_boot
       Sets whether or not PKI instances should be started upon system
       boot.

       Currently, if this PKI subsystem exists within a shared instance,
       and it has been configured to start upon system boot, then ALL
       other previously configured PKI subsystems within this shared
       instance will start upon system boot.

       Similarly, if this PKI subsystem exists within a shared instance,
       and it has been configured to NOT start upon system boot, then ALL
       other previously configured PKI subsystems within this shared
       instance will NOT start upon system boot.

       Additionally, if more than one PKI instance exists, no granularity
       exists which allows one PKI instance to be enabled while another
       PKI instance is disabled (i.e. PKI instances are either all
       enabled or all disabled).  To provide this capability, the PKI
       instances must reside on separate machines.

       Defaults to True (see the following note on why this was
       previously False).

       Note: Since this parameter did not exist prior to Dogtag 10.2.3,
       the default behavior of PKI instances in Dogtag 10.2.2 and prior
       was False.  To manually enable this behavior, obtain superuser
       privileges and execute 'systemctl enable pki-tomcatd.target'; to
       manually disable this behavior, execute 'systemctl disable
       pki-tomcatd.target'.

   pki_security_manager
       Enables the Java security manager policies provided by the JDK to
       be used with the instance.  Defaults to True.

SECURITY DOMAIN PARAMETERS
       The security domain is a component that facilitates communication
       between subsystems.  The first CA installed hosts this component
       and is used to register subsequent subsystems with the security
       domain.  These subsystems can communicate with each other using
       their subsystem certificate, which is issued by the security
       domain CA.  For more information about the security domain
       component, see the Red Hat Certificate System documentation
       <https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System>.

   pki_security_domain_hostname, pki_security_domain_https_port
       Location of the security domain.  Required for KRA, OCSP, TKS, and
       TPS subsystems and for CA subsystems joining a security domain.
       Defaults to the location of the CA subsystem within the same
       instance.

   pki_security_domain_user, pki_security_domain_password
       Administrative user of the security domain.  Required for KRA,
       OCSP, TKS, and TPS subsystems, and for CA subsystems joining a
       security domain.  Defaults to the administrative user for the CA
       subsystem within the same instance (caadmin).

   pki_security_domain_name
       The name of the security domain.  This is required for the
       security domain CA.

CLONE PARAMETERS
   pki_clone
       Installs a clone, rather than an original, subsystem.

   pki_clone_pkcs12_password, pki_clone_pkcs12_path
       Location and password of the PKCS #12 file containing the system
       certificates for the master subsystem being cloned.  This file
       should be readable by the user that the Certificate Server is
       running as (default of pkiuser), and have the correct SELinux
       context (pki_tomcat_cert_t).  This can be achieved by placing the
       file in /var/lib/pki/instance_name/alias.  The file contains the
       master's private keys, so it should be transferred to the clone
       host over a protected channel and not left readable by other
       users.

       Important: Keys in an HSM may not be extractable, so they may not
       be able to be exported into a PKCS #12 file.  For the case of
       clones using an HSM, this means that the HSM keys must be shared
       between the master and its clones.  Therefore, if pki_hsm_enable
       is set to True, both pki_clone_pkcs12_path and
       pki_clone_pkcs12_password should be left unset (the default values
       in /usr/share/pki/server/etc/default.cfg).  Failure to do so will
       result in pkispawn reporting this error and exiting.
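       The HSM restrictions above, the backup restriction under BACKUP
       PARAMETERS, the LDAPS requirement under INTERNAL DATABASE
       PARAMETERS, the CN=hostname rule under SYSTEM CERTIFICATE
       PARAMETERS and the number bases under CA SERIAL NUMBER PARAMETERS
       below are all consistency rules of the kind pkispawn's pre-check
       mode applies before it installs anything.  The Python checker
       that follows is an added example, not pkispawn's own code: it
       applies those rules to a flattened parameter set.  The two
       parameter sets are constructed, the CA PEM path in the corrected
       set is assumed, and the instance hostname is passed in explicitly
       because this page names no hostname parameter.

```python
# Constructed flattened deployment parameters (what the stacked sections
# resolve to); not taken from any real installation.
WEAK = {
    "pki_hsm_enable": "True",
    "pki_hsm_libfile": "/opt/nfast/toolkits/pkcs11/libcknfast.so",
    "pki_hsm_modulename": "nethsm",
    "pki_backup_keys": "True",                   # HSM keys cannot be exported
    "pki_backup_password": "Secret123",          # must be unset with an HSM
    "pki_ds_secure_connection": "True",
    "pki_ds_secure_connection_ca_pem_file": "",  # required once LDAPS is on
    "pki_sslserver_subject_dn": "cn=ca.example.test,o=Example",  # wrong CN
    "pki_serial_number_range_start": "1",
    "pki_serial_number_range_end": "10000000",
}

# The same deployment with every inconsistency corrected.
FIXED = dict(
    WEAK,
    pki_backup_keys="False",
    pki_backup_password="",
    pki_ds_secure_connection_ca_pem_file="/etc/pki/ds-ca.pem",  # assumed path
    pki_sslserver_subject_dn="CN=pki01.example.test,O=Example",
)


def is_true(value):
    """Boolean parameter as written in the config: True/true/yes/1."""
    return str(value).strip().lower() in ("true", "yes", "1")


def is_set(params, key):
    """A parameter counts as set only if it has a non-blank value."""
    return bool(params.get(key, "").strip())


def dn_has_cn(subject_dn, hostname):
    """True if some RDN of the DN is CN=<hostname> (attribute case-insensitive)."""
    for rdn in subject_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "cn" and value.strip() == hostname:
            return True
    return False


def precheck(params, hostname):
    """Return the list of consistency errors; an empty list means pass."""
    errors = []
    if is_true(params.get("pki_hsm_enable", "False")):
        for key in ("pki_hsm_libfile", "pki_hsm_modulename"):
            if not is_set(params, key):
                errors.append(f"{key} is required when pki_hsm_enable=True")
        if is_true(params.get("pki_backup_keys", "False")):
            errors.append("pki_backup_keys must be False with an HSM: "
                          "HSM keys cannot be exported to PKCS #12")
        for key in ("pki_backup_password", "pki_clone_pkcs12_path",
                    "pki_clone_pkcs12_password"):
            if is_set(params, key):
                errors.append(f"{key} must be left unset with an HSM")
    if is_true(params.get("pki_ds_secure_connection", "False")):
        if not is_set(params, "pki_ds_secure_connection_ca_pem_file"):
            errors.append("pki_ds_secure_connection_ca_pem_file is required "
                          "when pki_ds_secure_connection=True")
    if not dn_has_cn(params.get("pki_sslserver_subject_dn", ""), hostname):
        errors.append(f"pki_sslserver_subject_dn must include CN={hostname}")
    # Serial numbers are hexadecimal (no 0x prefix); request numbers decimal.
    for prefix, base in (("pki_serial_number_range", 16),
                         ("pki_request_number_range", 10)):
        try:
            start = int(params.get(f"{prefix}_start", "1"), base)
            end = int(params.get(f"{prefix}_end", "10000000"), base)
        except ValueError:
            errors.append(f"{prefix}_start/_end must be base-{base} integers")
            continue
        if start >= end:
            errors.append(f"{prefix}_start must be below {prefix}_end")
    return errors


if __name__ == "__main__":
    for name, params in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(f"{name}: {precheck(params, 'pki01.example.test') or 'OK'}")
```

       Run against WEAK with hostname pki01.example.test the checker
       reports four problems (software backup requested for HSM keys, a
       backup password that should be unset, LDAPS enabled without the
       Directory Server CA certificate, and a server DN whose CN is not
       the host); FIXED passes.  The DN check is deliberately strict
       about the value and lenient about attribute case, which is how
       the CN=hostname requirement is usually tripped in practice.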

   pki_clone_setup_replication
       Defaults to True.  If set to False, the installer does not set up
       replication agreements from the master to the clone as part of the
       subsystem configuration.  In this case, it is expected that the
       top level suffix already exists, and that the data has already
       been replicated.  This option is useful if you want to use other
       tools to create and manage your replication topology, or if the
       baseDN is already replicated as part of a top-level suffix.

   pki_clone_reindex_data
       Defaults to False.  This parameter is only relevant when
       pki_clone_setup_replication is set to False.  In this case, it is
       expected that the database has been prepared and replicated as
       noted above.  Part of that preparation could involve adding
       indexes and indexing the data.  If you would like the Dogtag
       installer to add the indexes and reindex the data instead, set
       pki_clone_reindex_data to True.

   pki_clone_replication_master_port, pki_clone_replication_clone_port
       Ports on which replication occurs.  These are the ports on the
       master and clone databases respectively.  Defaults to the internal
       database port.

   pki_clone_replicate_schema
       Replicate schema when the replication agreement is set up and the
       new instance (consumer) is initialized.  Otherwise, the schema
       must be installed in the clone as a separate step beforehand.
       This does not usually have to be changed.  Defaults to True.

   pki_clone_replication_security
       The type of security used for the replication data.  This can be
       set to SSL (using LDAPS), TLS, or None.  Defaults to None, which
       sends the replicated subsystem data between the master and clone
       databases unencrypted.  For SSL and TLS, SSL must be set up for
       the database instances beforehand.

   pki_master_hostname, pki_master_https_port, pki_clone_uri
       Hostname and port, or URI, of the subsystem being cloned.  The URI
       format is https://master_hostname:master_https_port, where the
       default master hostname and https port are set to the security
       domain's hostname and https port.

CA SERIAL NUMBER PARAMETERS
   pki_serial_number_range_start, pki_serial_number_range_end
       Sets the range of serial numbers to be used when issuing
       certificates.  Values here are hexadecimal (without the 0x
       prefix).  It is useful to override these values when migrating
       data from another CA, so that serial number conflicts do not
       occur.  Defaults to 1 and 10000000 respectively.

   pki_request_number_range_start, pki_request_number_range_end
       Sets the range of request numbers to be used by the CA.  Values
       here are decimal.  It is useful to override these values when
       migrating data from another CA, so that request number conflicts
       do not occur.  Defaults to 1 and 10000000 respectively.

   pki_replica_number_range_start, pki_replica_number_range_end
       Sets the range of replica numbers to be used by the CA.  These
       numbers are used to identify database replicas in a replication
       topology.  Values here are decimal.  Defaults to 1 and 100
       respectively.

EXTERNAL CA CERTIFICATE PARAMETERS
   pki_external
       Sets whether the new CA will have a signing certificate that will
       be issued by an external CA.  This is a two step process.  In the
       first step, a CSR to be presented to the external CA is generated.
       In the second step, the issued signing certificate and certificate
       chain are provided to the pkispawn utility to complete the
       installation.  Defaults to False.

   pki_ca_signing_csr_path
       Required in the first step of the external CA signing process.
       The CSR will be printed to the screen and stored in this location.

   pki_req_ski
       Include a Subject Key Identifier extension in the CSR.  The value
       is either a hex-encoded byte string (without leading "0x"), or the
       string "DEFAULT", which will derive a value from the public key.

   pki_external_step_two
       Specifies that this is the second step of the external CA process.
       Defaults to False.

   pki_ca_signing_cert_path, pki_cert_chain_path
       Required for the second step of the external CA signing process.
       These are the locations of the CA signing certificate (as issued
       by the external CA) and of the external CA's certificate chain,
       respectively.

SUBORDINATE CA CERTIFICATE PARAMETERS
   pki_subordinate
       Specifies whether the new CA will be a subordinate of another CA.
       The issuing CA is specified by the pki_issuing_ca_* parameters
       (see ISSUING CA PARAMETERS).  Defaults to False.

   pki_subordinate_create_new_security_domain
       Set to True if the subordinate CA will host its own security
       domain.  Defaults to False.

   pki_subordinate_security_domain_name
       Used when pki_subordinate_create_new_security_domain is set to
       True.  Specifies the name of the security domain to be hosted on
       the subordinate CA.

STANDALONE PKI PARAMETERS
       A stand-alone PKI subsystem is defined as a non-CA PKI subsystem
       that does not contain a CA as a part of its deployment, and
       functions as its own security domain.  Currently, only stand-alone
       KRAs are supported.

   pki_standalone
       Sets whether or not the new PKI subsystem will be stand-alone.
       This is a two step process.  In the first step, CSRs for each of
       this stand-alone PKI subsystem's certificates will be generated so
       that they may be presented to the external CA.  In the second
       step, the issued certificates, external CA certificate, and
       external CA certificate chain are provided to the pkispawn utility
       to complete the installation.  Defaults to False.

   pki_external_admin_csr_path
       Will be generated by the first step of a stand-alone PKI process.
       This is the location of the file containing the administrator's
       CSR (which will be presented to the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr'.

   pki_external_audit_signing_csr_path
       Will be generated by the first step of a stand-alone PKI process.
       This is the location of the file containing the audit signing CSR
       (which will be presented to the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr'.

   pki_external_sslserver_csr_path
       Will be generated by the first step of a stand-alone PKI process.
       This is the location of the file containing the SSL server CSR
       (which will be presented to the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr'.

   pki_external_storage_csr_path
       [KRA ONLY] Will be generated by the first step of a stand-alone
       KRA process.  This is the location of the file containing the
       storage CSR (which will be presented to the external CA).
       Defaults to '%(pki_instance_configuration_path)s/kra_storage.csr'.

   pki_external_subsystem_csr_path
       Will be generated by the first step of a stand-alone PKI process.
       This is the location of the file containing the subsystem CSR
       (which will be presented to the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr'.

   pki_external_transport_csr_path
       [KRA ONLY] Will be generated by the first step of a stand-alone
       KRA process.  This is the location of the file containing the
       transport CSR (which will be presented to the external CA).
       Defaults to '%(pki_instance_configuration_path)s/kra_transport.csr'.

   pki_external_step_two
       Specifies that this is the second step of a stand-alone PKI
       process.  Defaults to False.

   pki_cert_chain_path
       Required for the second step of a stand-alone PKI process.  This
       is the location of the file containing the external CA signing
       certificate (as issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/external_ca.cert'.

   pki_ca_signing_cert_path
       Required for the second step of a stand-alone PKI process.  This
       is the location of the file containing the external CA's
       certificate chain (as issued by the external CA).  Defaults to
       empty.

       Note: these two parameter names are described the other way round
       under EXTERNAL CA CERTIFICATE PARAMETERS.  Check the installed
       default.cfg to confirm which file each one expects before
       running the second step.

   pki_external_admin_cert_path
       Required for the second step of a stand-alone PKI process.  This
       is the location of the file containing the administrator's
       certificate (as issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert'.

   pki_external_audit_signing_cert_path
       Required for the second step of a stand-alone PKI process.  This
       is the location of the file containing the audit signing
       certificate (as issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert'.

   pki_external_sslserver_cert_path
       Required for the second step of a stand-alone PKI process.  This
       is the location of the file containing the sslserver certificate
       (as issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert'.

   pki_external_storage_cert_path
       [KRA ONLY] Required for the second step of a stand-alone KRA
       process.  This is the location of the file containing the storage
       certificate (as issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/kra_storage.cert'.

   pki_external_subsystem_cert_path
       Required for the second step of a stand-alone PKI process.  This
       is the location of the file containing the subsystem certificate
       (as issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert'.

   pki_external_transport_cert_path
       [KRA ONLY] Required for the second step of a stand-alone KRA
       process.  This is the location of the file containing the
       transport certificate (as issued by the external CA).  Defaults
       to '%(pki_instance_configuration_path)s/kra_transport.cert'.

KRA PARAMETERS
   pki_kra_ephemeral_requests
       Specifies whether to use ephemeral requests for archivals and
       retrievals.  Defaults to False.

TPS PARAMETERS
   pki_authdb_basedn
       Specifies the base DN of the TPS authentication database.

   pki_authdb_hostname
       Specifies the hostname of the TPS authentication database.
       Defaults to localhost.

   pki_authdb_port
       Specifies the port number of the TPS authentication database.
       Defaults to 389.

   pki_authdb_secure_conn
       Specifies whether to use a secure connection to the TPS
       authentication database.  Defaults to False, which leaves traffic
       to a remote authentication database unencrypted.

   pki_enable_server_side_keygen
       Specifies whether to enable server-side key generation.  Defaults
       to False.  The location of the KRA instance should be specified in
       the pki_kra_uri parameter.

   pki_ca_uri
       Specifies the URI of the CA instance used by TPS to create and
       revoke user certificates.  Defaults to the instance in which the
       TPS is running.

   pki_kra_uri
       Specifies the URI of the KRA instance used by TPS to archive and
       recover keys.  Required if server-side key generation is enabled
       using the pki_enable_server_side_keygen parameter.  Defaults to
       the instance in which the TPS is running.

   pki_tks_uri
       Specifies the URI of the TKS instance used by TPS to generate
       symmetric keys.  Defaults to the instance in which the TPS is
       running.

SEE ALSO
       pkispawn(8)

AUTHORS
       Ade Lee <alee@redhat.com>.

COPYRIGHT
       Copyright (c) 2012 Red Hat, Inc.  This is licensed under the GNU
       General Public License, version 2 (GPLv2).  A copy of this license
       is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

PKI                           December 13, 2012              pki_default.cfg(5)