pki_default.cfg(5)    PKI Server Default Deployment Configuration    pki_default.cfg(5)

NAME

       pki_default.cfg - PKI server default deployment configuration file.

LOCATION

       /usr/share/pki/server/etc/default.cfg

DESCRIPTION

       This file contains the default settings for a Certificate Server
       instance created using pkispawn.  This file should not be edited, as it
       can be modified when the Certificate Server packages are updated.
       Instead, when setting up a Certificate Server instance, a user should
       provide pkispawn with a configuration file containing overrides to the
       defaults in /usr/share/pki/server/etc/default.cfg.  See pkispawn(8) for
       details.


SECTIONS

       default.cfg contains parameters that are grouped into sections.  These
       sections are stacked, so that parameters defined in earlier sections
       can be overwritten by parameters defined in later sections.  The
       sections are read in the following order: [DEFAULT], [Tomcat], and the
       subsystem section ([CA], [KRA], [OCSP], [TKS], or [TPS]).  This allows
       parameters shared by all subsystems to be specified in [DEFAULT] or
       [Tomcat], with subsystem-specific customization in the subsystem
       section.

       There are a small number of bootstrap parameters which are passed in
       the configuration file by pkispawn.  Other parameters' values can be
       interpolated tokens rather than explicit values.  For example:

              pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA

       This substitutes the value of pki_instance_name into the parameter
       value.  It is possible to interpolate any non-password parameter within
       a section or in [DEFAULT].  Any parameter used in interpolation can
       ONLY be overridden within the same section as the values that
       reference it.  So, for example, pki_instance_name should only be
       overridden in [DEFAULT]; otherwise, interpolations can fail.

       Note: Any non-password related parameter value in the configuration
       file that needs to contain a % character must be properly escaped.  For
       example, a value of foo%bar would be specified as foo%%bar in the
       configuration file.

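       The stacking and interpolation rules above, as an added worked example
       (this is not code from the pki_default.cfg page nor from pkispawn
       itself): a Python model that reads a constructed default.cfg excerpt
       and override file with the standard library's configparser, whose
       %(name)s syntax is the one the page uses, and shows what happens when
       pki_instance_name is overridden in [CA] instead of [DEFAULT], when a %
       is left unescaped, and when a [DEFAULT] value refers to a token that
       exists only in [CA].  The default.cfg content, the parameter name
       pki_instance_log_path and the override files are constructed for the
       illustration; pkispawn's exemption of password parameters from
       interpolation is not modelled.

```python
"""Model of how pkispawn stacks default.cfg sections and an override file.

Added illustration, not pkispawn's own code.  It follows the behaviour this
page documents: each section is read in the order [DEFAULT], [Tomcat],
subsystem, with ConfigParser-style %(name)s interpolation and %% escaping,
and a parameter used in an interpolation may only be overridden in the
section whose values reference it.  The default.cfg content, the override
files and the parameter pki_instance_log_path are constructed for the
example; pkispawn additionally keeps password parameters raw, which this
model does not reproduce.
"""
import configparser

# Constructed stand-in for /usr/share/pki/server/etc/default.cfg.
DEFAULT_CFG = """
[DEFAULT]
pki_instance_name=pki-tomcat
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA

[Tomcat]
pki_ajp_port=8009
pki_instance_log_path=/var/log/pki/%(pki_instance_name)s

[CA]
pki_admin_uid=caadmin
"""

# Constructed override files of the kind passed to pkispawn.
OVERRIDE_WRONG_SECTION = "[CA]\npki_instance_name=pki-ca\n"
OVERRIDE_RIGHT_SECTION = "[DEFAULT]\npki_instance_name=pki-ca\n"
OVERRIDE_ESCAPED = "[CA]\npki_admin_password=Secret%%42\n"
OVERRIDE_UNESCAPED = "[CA]\npki_admin_password=Secret%42\n"
# [DEFAULT] refers to a token that only exists in [CA]: cannot resolve.
OVERRIDE_DANGLING = ("[DEFAULT]\npki_ca_signing_nickname=%(pki_ca_label)s\n"
                     "[CA]\npki_ca_label=Root CA\n")


def resolve(default_text, override_text, subsystem):
    """Return the flat parameter dict for `subsystem`.

    Each section's values are interpolated against that section's own view
    (its keys plus [DEFAULT]) at the moment it is read, then merged so later
    sections win.  A value already taken from [Tomcat] is not recomputed when
    the subsystem section later overrides a token it used.
    """
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.optionxform = str  # keep parameter names exactly as written
    cp.read_string(default_text)
    cp.read_string(override_text)  # later reads replace earlier values
    merged = {}
    for section in ("DEFAULT", "Tomcat", subsystem):
        if section != "DEFAULT" and not cp.has_section(section):
            continue
        merged.update(cp.items(section))
    return merged


def interpolation_error(default_text, override_text, subsystem):
    """Return the interpolation error text, or None when the config resolves.
    Both an unescaped % and a dangling reference surface here, before any
    installation work would start."""
    try:
        resolve(default_text, override_text, subsystem)
    except configparser.InterpolationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for label, override in (("override in [CA]", OVERRIDE_WRONG_SECTION),
                            ("override in [DEFAULT]", OVERRIDE_RIGHT_SECTION)):
        p = resolve(DEFAULT_CFG, override, "CA")
        print(f"{label}: nickname={p['pki_ca_signing_nickname']!r} "
              f"log={p['pki_instance_log_path']!r}")
    print(resolve(DEFAULT_CFG, OVERRIDE_ESCAPED, "CA")["pki_admin_password"])
    print(interpolation_error(DEFAULT_CFG, OVERRIDE_UNESCAPED, "CA"))
    print(interpolation_error(DEFAULT_CFG, OVERRIDE_DANGLING, "CA"))
```

       Running it shows the [Tomcat]-derived log path keeping the old instance
       name while the [DEFAULT]-derived nickname picks up the [CA] override:
       the deployment ends up internally inconsistent, which is why
       pki_instance_name belongs in [DEFAULT].  The dangling reference and the
       unescaped % both raise before anything is installed, matching the
       "interpolations can fail" warning above.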

PRE-CHECK PARAMETERS

       Once the configuration parameters have been constructed from the above
       sections and overrides, pkispawn will perform a series of basic tests
       to determine if the parameters being passed in are valid and
       consistent, before starting any installation.  In pre-check mode, these
       tests are executed and then pkispawn exits.

       It is possible to disable specific tests by setting the directives
       below.  While all these tests should pass to ensure a successful
       installation, it may be reasonable to skip tests in pre-check mode.

       pki_skip_ds_verify
       Skip verification of the Directory Server credentials.  In this test,
       pkispawn attempts to bind to the directory server instance for the
       internal database using the provided credentials.  This could be
       skipped if the directory server instance does not yet exist or is
       inaccessible.  Defaults to False.

       pki_skip_sd_verify
       Skip verification of the security domain user/password.  In this test,
       pkispawn attempts to log onto the security domain using the provided
       credentials.  This can be skipped if the security domain is
       unavailable.  Defaults to False.


GENERAL INSTANCE PARAMETERS

       The parameters described below, as well as the parameters located in
       the following sections, can be customized as part of a deployment.
       This list is not exhaustive.

       pki_instance_name
       Name of the instance.  The instance is located at
       /var/lib/pki/instance_name.  For Java subsystems, the default is
       specified as pki-tomcat.

       pki_https_port, pki_http_port
       Secure (HTTPS) and plain HTTP ports.  Defaults to standard Tomcat ports
       8443 and 8080, respectively.

       pki_ajp_port, pki_tomcat_server_port
       Ports for Tomcat subsystems.  Defaults to standard Tomcat ports of 8009
       and 8005, respectively.

       pki_ajp_host
       Host on which to listen for AJP requests.  Defaults to localhost4 to
       listen to local traffic only on the IPv4 stack.  NOTE: Deprecated in
       favor of pki_ajp_host_ipv4.

       pki_ajp_host_ipv4
       Host on which to listen for AJP requests.  Defaults to localhost4 to
       listen to local traffic only on the IPv4 stack.

       pki_ajp_host_ipv6
       Host on which to listen for AJP requests.  Defaults to localhost6 to
       listen to local traffic only on the IPv6 stack.

       Only the proxy should be able to reach the AJP port; do not bind it to
       an address reachable from outside the host running the proxy.

       pki_proxy_http_port, pki_proxy_https_port, pki_enable_proxy
       Ports for an Apache proxy server.  Certificate Server instances can be
       run behind an Apache proxy server, which will communicate with the
       Tomcat instance through the AJP port.  See the Red Hat Certificate
       System documentation
       ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩
       for details.

       pki_user, pki_group, pki_audit_group
       Specifies the default administrative user, group, and auditor group
       identities for PKI instances.  The default user and group are both
       specified as pkiuser, and the default audit group is specified as
       pkiaudit.

       pki_token_name, pki_token_password
       The token and password where this instance's system certificates and
       keys are stored.  Defaults to the NSS internal software token.

       pki_hsm_enable, pki_hsm_libfile, pki_hsm_modulename
       If an optional hardware security module (HSM) is being utilized (rather
       than the default software security module included in NSS), then the
       pki_hsm_enable parameter must be set to True (by default this parameter
       is False), and values must be supplied for both the pki_hsm_libfile
       (e.g. /opt/nfast/toolkits/pkcs11/libcknfast.so) and pki_hsm_modulename
       parameters (e.g. nethsm).

   SYSTEM CERTIFICATE PARAMETERS
       pkispawn sets up a number of system certificates for each subsystem.
       The system certificates which are required differ between subsystems.
       Each system certificate is denoted by a tag, as noted below.  The
       different system certificates are:

              · signing certificate ("ca_signing").  Used to sign other
                certificates and CRLs.  Required for CA.

              · OCSP signing certificate ("ocsp_signing" in CA, "signing" in
                OCSP).  Used to sign OCSP responses.  Required for OCSP and
                CA.

              · storage certificate ("storage").  Used to encrypt keys for
                storage in the KRA.  Required for KRA only.

              · transport certificate ("transport").  Used to encrypt keys in
                transport to the KRA.  Required for KRA only.

              · subsystem certificate ("subsystem").  Used to communicate
                between subsystems within the security domain.  Issued by the
                security domain CA.  Required for all subsystems.

              · server certificate ("sslserver").  Used for communication with
                the server.  One server certificate is required for each
                Certificate Server instance.

              · audit signing certificate ("audit_signing").  Used to sign
                audit logs.  Required for all subsystems except the RA.

       Each system certificate can be customized using the parameters below:

       pki_<tag>_key_type, pki_<tag>_key_size, pki_<tag>_key_algorithm
       Characteristics of the private key.  See the Red Hat Certificate System
       documentation
       ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩
       for possible options.  The defaults are RSA for the type, 2048 bits for
       the key size, and SHA256withRSA for the algorithm.

       pki_<tag>_signing_algorithm
       For signing certificates, the algorithm used for signing.  Defaults to
       SHA256withRSA.

       pki_<tag>_token
       Location where the certificate and private key are stored.  Defaults to
       the internal software NSS token database.

       pki_<tag>_nickname
       Nickname for the certificate in the token database.

       pki_<tag>_subject_dn
       Subject DN for the certificate.  The subject DN for the SSL Server
       certificate must include CN=hostname.

       All system certificates can be configured to request the PSS variant of
       the RSA signing algorithms (where applicable):

       pki_use_pss_rsa_signing_algorithm
       Set this to True if PSS algorithms such as SHA256withRSA/PSS are
       desired for each subsystem signing algorithm.  The default is False.
       When this is the only PSS-related setting given, every other signing
       algorithm value is promoted to its /PSS form (for example,
       SHA256withRSA becomes SHA256withRSA/PSS).

       If this setting is not set, the standard default algorithms continue
       to be used, without PSS.  If a digest stronger than SHA-256 is desired,
       each algorithm must be set explicitly, for example:

              pki_ca_signing_key_algorithm=SHA512withRSA/PSS

   ADMIN USER PARAMETERS
       pkispawn creates a bootstrap administrative user that is a member of
       all the necessary groups to administer the installed subsystem.  On a
       security domain CA, the CA administrative user is also a member of the
       groups required to register a new subsystem on the security domain.
       The certificate and keys for this administrative user are stored in a
       PKCS #12 file in pki_client_dir, and can be imported into a browser to
       administer the system.  Because this file holds the administrator's
       private key, restrict its permissions and remove it from the
       installation host once it has been imported.

       pki_admin_name, pki_admin_uid
       Name and UID of this administrative user.  Defaults to caadmin for CA,
       kraadmin for KRA, etc.

       pki_admin_password
       Password for the admin user.  This password is used to log into the
       pki-console (unless client authentication is enabled), as well as to
       log into the security domain CA.

       pki_admin_email
       Email address for the admin user.

       pki_admin_dualkey, pki_admin_key_size, pki_admin_key_type,
       pki_admin_key_algorithm
       Settings for the administrator certificate and keys.

       pki_admin_subject_dn
       Subject DN for the administrator certificate.  Defaults to cn=PKI
       Administrator, e=%(pki_admin_email)s, o=%(pki_security_domain_name)s.

       pki_admin_nickname
       Nickname for the administrator certificate.

       pki_import_admin_cert
       Set to True to import an existing admin certificate for the admin user,
       rather than generating a new one.  A subsystem-specific administrator
       will still be created within the subsystem's LDAP tree.  This is useful
       to allow multiple subsystems within the same instance to be more easily
       administered from the same browser by using a single certificate.

       By default, this is set to False for CA subsystems and True for KRA,
       OCSP, TKS, and TPS subsystems.  In this case, the admin certificate is
       read from the file ca_admin.cert in pki_client_dir.

       Note that cloned subsystems do not create a new administrative user.
       The administrative user of the master subsystem is used instead, and
       the details of this master user are replicated during the install.

       pki_client_admin_cert_p12
       Location for the PKCS #12 file containing the administrative user's
       certificate and keys.  For a CA, this defaults to ca_admin_cert.p12 in
       the pki_client_dir directory.

   BACKUP PARAMETERS
       pki_backup_keys, pki_backup_file, pki_backup_password
       Set pki_backup_keys to True to back up the subsystem certificates and
       keys to a PKCS #12 file specified in pki_backup_file (default is
       /etc/pki/instance_name/alias/subsystem_backup_keys.p12).
       pki_backup_password is the password of the PKCS #12 file.

       Important: Keys in an HSM may not be extractable, so they may not be
       able to be exported into a PKCS #12 file.  Therefore, if pki_hsm_enable
       is set to True, pki_backup_keys should be set to False and
       pki_backup_password should be left unset (the default values in
       /usr/share/pki/server/etc/default.cfg).  Failure to do so will result
       in pkispawn reporting this error and exiting.

   CLIENT DIRECTORY PARAMETERS
       pki_client_dir
       This is the location where all client data used during the installation
       is stored.  At the end of the invocation of pkispawn, the
       administrative user's certificate and keys are stored in a PKCS #12
       file in this location.

       Note: When using an HSM, it is currently recommended NOT to specify a
       value for pki_client_dir that is different from the default value.

       pki_client_database_dir, pki_client_database_password
       Location where an NSS token database is created in order to generate a
       key for the administrative user.  Usually, the data in this location is
       removed at the end of the installation, as the keys and certificates
       are stored in a PKCS #12 file in pki_client_dir.

       pki_client_database_purge
       Set to True to remove pki_client_database_dir at the end of the
       installation.  Defaults to True.

   INTERNAL DATABASE PARAMETERS
       pki_ds_hostname, pki_ds_ldap_port, pki_ds_ldaps_port
       Hostname and ports for the internal database.  Defaults to localhost,
       389, and 636, respectively.

       pki_ds_bind_dn, pki_ds_password
       Credentials to connect to the database during installation.  Directory
       Manager-level access is required during installation to set up the
       relevant schema and database.  During the installation, a more
       restricted PKI user is set up for client-authenticated connections to
       the database.  Some additional configuration is required, including
       setting up the directory server to use SSL.  See the documentation for
       details.

       pki_ds_secure_connection
       Sets whether to require connections to the Directory Server using
       LDAPS.  This requires SSL to be set up on the Directory Server first.
       Defaults to False.  With the default, the bind credentials above travel
       over plain LDAP, so set this to True whenever the directory server is
       not on the same host as the instance.

       pki_ds_secure_connection_ca_nickname
       Once a Directory Server CA certificate has been imported into the PKI
       security databases (see pki_ds_secure_connection_ca_pem_file),
       pki_ds_secure_connection_ca_nickname will contain the nickname under
       which it is stored.  The default.cfg file contains a default value for
       this nickname.  This parameter is only utilized when
       pki_ds_secure_connection has been set to True.

       pki_ds_secure_connection_ca_pem_file
       The fully-qualified path, including the filename, of a file which
       contains an exported copy of the Directory Server's CA certificate.
       This parameter is only utilized when pki_ds_secure_connection has been
       set to True, but a valid value is required whenever that is the case.

       pki_ds_remove_data
       Sets whether to remove any data from the base DN before starting the
       installation.  Defaults to True.  Take care when pointing
       pki_ds_base_dn at an existing suffix: with the default, its contents
       are deleted.

       pki_ds_base_dn
       The base DN for the internal database.  It is advised that the
       Certificate Server have its own base DN for its internal database.  If
       the base DN does not exist, it will be created during the running of
       pkispawn.  For a cloned subsystem, the base DN for the clone subsystem
       MUST be the same as for the master subsystem.

       pki_ds_database
       Name of the back-end database.  It is advised that the Certificate
       Server have its own back-end database for its internal data.  If the
       back-end does not exist, it will be created during the running of
       pkispawn.

   ISSUING CA PARAMETERS
       pki_issuing_ca_hostname, pki_issuing_ca_https_port, pki_issuing_ca_uri
       Hostname and port, or URI, of the issuing CA.  Required for
       installations of subordinate CAs and non-CA subsystems.  This should
       point to the CA that will issue the relevant system certificates for
       the subsystem.  In a default install, this defaults to the CA subsystem
       within the same instance.  The URI has the format
       https://ca_hostname:ca_https_port.

   MISCELLANEOUS PARAMETERS
       pki_restart_configured_instance
       Sets whether to restart the instance after configuration is complete.
       Defaults to True.

       pki_enable_access_log
       Located in the [Tomcat] section, this variable determines whether the
       instance will enable (True) or disable (False) Tomcat access logging.
       Defaults to True.  The access log is the per-request record that
       incident investigation relies on; keep it enabled.

       pki_enable_java_debugger
       Sets whether to attach a Java debugger such as Eclipse to the instance
       for troubleshooting.  Defaults to False.  Intended for troubleshooting
       only; leave it disabled on production instances.

       pki_enable_on_system_boot
       Sets whether or not PKI instances should be started upon system boot.

       Currently, if this PKI subsystem exists within a shared instance, and
       it has been configured to start upon system boot, then ALL other
       previously configured PKI subsystems within this shared instance will
       start upon system boot.

       Similarly, if this PKI subsystem exists within a shared instance, and
       it has been configured to NOT start upon system boot, then ALL other
       previously configured PKI subsystems within this shared instance will
       NOT start upon system boot.

       Additionally, if more than one PKI instance exists, no granularity
       exists which allows one PKI instance to be enabled while another PKI
       instance is disabled (i.e. PKI instances are either all enabled or all
       disabled).  To provide this capability, the PKI instances must reside
       on separate machines.

       Defaults to True (see the following note on why this was previously
       'False').

       Note: Since this parameter did not exist prior to Dogtag 10.2.3, the
       default behavior of PKI instances in Dogtag 10.2.2 and prior was False.
       To manually enable this behavior, obtain superuser privileges, and
       execute 'systemctl enable pki-tomcatd.target'; to manually disable this
       behavior, execute 'systemctl disable pki-tomcatd.target'.

       pki_security_manager
       Enables the Java security manager policies provided by the JDK to be
       used with the instance.  Defaults to True.

   SECURITY DOMAIN PARAMETERS
       The security domain is a component that facilitates communication
       between subsystems.  The first CA installed hosts this component and is
       used to register subsequent subsystems with the security domain.  These
       subsystems can communicate with each other using their subsystem
       certificate, which is issued by the security domain CA.  For more
       information about the security domain component, see the Red Hat
       Certificate System documentation
       ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩.

       pki_security_domain_hostname, pki_security_domain_https_port
       Location of the security domain.  Required for KRA, OCSP, TKS, and TPS
       subsystems and for CA subsystems joining a security domain.  Defaults
       to the location of the CA subsystem within the same instance.

       pki_security_domain_user, pki_security_domain_password
       Administrative user of the security domain.  Required for KRA, OCSP,
       TKS, and TPS subsystems, and for CA subsystems joining a security
       domain.  Defaults to the administrative user for the CA subsystem
       within the same instance (caadmin).

       pki_security_domain_name
       The name of the security domain.  This is required for the security
       domain CA.

   CLONE PARAMETERS
       pki_clone
       Installs a clone, rather than an original, subsystem.

       pki_clone_pkcs12_password, pki_clone_pkcs12_path
       Location and password of the PKCS #12 file containing the system
       certificates and keys for the master subsystem being cloned.  This file
       should be readable by the user that the Certificate Server is running
       as (default of pkiuser), and have the correct SELinux context
       (pki_tomcat_cert_t).  This can be achieved by placing the file in
       /var/lib/pki/instance_name/alias.  Since the file carries the master's
       private keys, remove it once the clone has been configured.

       Important: Keys in an HSM may not be extractable, so they may not be
       able to be exported into a PKCS #12 file.  For the case of clones using
       an HSM, this means that the HSM keys must be shared between the master
       and its clones.  Therefore, if pki_hsm_enable is set to True, both
       pki_clone_pkcs12_path and pki_clone_pkcs12_password should be left
       unset (the default values in /usr/share/pki/server/etc/default.cfg).
       Failure to do so will result in pkispawn reporting this error and
       exiting.

       pki_clone_setup_replication
       Defaults to True.  If set to False, the installer does not set up
       replication agreements from the master to the clone as part of the
       subsystem configuration.  In this case, it is expected that the top
       level suffix already exists, and that the data has already been
       replicated.  This option is useful if you want to use other tools to
       create and manage your replication topology, or if the baseDN is
       already replicated as part of a top-level suffix.

       pki_clone_reindex_data
       Defaults to False.  This parameter is only relevant when
       pki_clone_setup_replication is set to False.  In this case, it is
       expected that the database has been prepared and replicated as noted
       above.  Part of that preparation could involve adding indexes and
       indexing the data.  If you would like the Dogtag installer to add the
       indexes and reindex the data instead, set pki_clone_reindex_data to
       True.

       pki_clone_replication_master_port, pki_clone_replication_clone_port
       Ports on which replication occurs.  These are the ports on the master
       and clone databases respectively.  Defaults to the internal database
       port.

       pki_clone_replicate_schema
       Replicate schema when the replication agreement is set up and the new
       instance (consumer) is initialized.  Otherwise, the schema must be
       installed in the clone as a separate step beforehand.  This does not
       usually have to be changed.  Defaults to True.

       pki_clone_replication_security
       The type of security used for the replication data.  This can be set to
       SSL (using LDAPS), TLS, or None.  Defaults to None.  For SSL and TLS,
       SSL must be set up for the database instances beforehand.  With the
       default of None, the replicated directory contents cross the network
       unencrypted; use SSL or TLS between hosts.

       pki_master_hostname, pki_master_https_port, pki_clone_uri
       Hostname and port, or URI, of the subsystem being cloned.  The URI
       format is https://master_hostname:master_https_port where the default
       master hostname and https port are set to be the security domain's
       hostname and https port.

   CA SERIAL NUMBER PARAMETERS
       pki_serial_number_range_start, pki_serial_number_range_end
       Sets the range of serial numbers to be used when issuing certificates.
       Values here are hexadecimal (without the 0x prefix).  It is useful to
       override these values when migrating data from another CA, so that
       serial number conflicts do not occur.  Defaults to 1 and 10000000
       respectively.

       pki_request_number_range_start, pki_request_number_range_end
       Sets the range of request numbers to be used by the CA.  Values here
       are decimal.  It is useful to override these values when migrating data
       from another CA, so that request number conflicts do not occur.
       Defaults to 1 and 10000000 respectively.

       pki_replica_number_range_start, pki_replica_number_range_end
       Sets the range of replica numbers to be used by the CA.  These numbers
       are used to identify database replicas in a replication topology.
       Values here are decimal.  Defaults to 1 and 100 respectively.

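       The constraints stated across the backup, internal database, system
       certificate, clone and serial number sections above can be checked
       before pkispawn is run.  The following is an added example, not
       pkispawn's own pre-check code: it takes the merged parameter dictionary
       and the instance hostname (passed explicitly; no hostname parameter is
       assumed) and returns one finding per violated rule.  The sample
       parameter sets, file paths and hostnames are constructed for the
       illustration.

```python
"""Consistency checks over a resolved pkispawn parameter set.

Added illustration, not pkispawn's own pre-check code.  Each rule is a
constraint stated in pki_default.cfg(5): HSM use excludes PKCS #12 key
backup and clone PKCS #12 files, LDAPS needs the directory server's CA PEM
file, the SSL server subject DN must carry CN=hostname, serial ranges are
hexadecimal without 0x while request and replica ranges are decimal.  Input
is a flat dict of parameter name -> string value as it would look after
[DEFAULT], [Tomcat] and the subsystem section have been merged; the sample
dicts, the hostnames and the file paths in them are constructed.
"""

TRUE_VALUES = {"true", "yes", "1"}


def is_true(params, name):
    """Parameters are strings; True/true/yes/1 count as enabled."""
    return params.get(name, "").strip().lower() in TRUE_VALUES


def dn_component(dn, attr):
    """First value of `attr` in a comma-separated DN, or None.  A naive split
    is enough for the DNs default.cfg generates (no escaped commas)."""
    for rdn in dn.split(","):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            if key.strip().lower() == attr.lower():
                return value.strip()
    return None


def check_range(params, prefix, base):
    """Validate <prefix>_range_start/_end: parse in `base`, start below end.
    Returns [] when the pair is absent (non-CA subsystems)."""
    names = [f"{prefix}_range_{end}" for end in ("start", "end")]
    if not any(n in params for n in names):
        return []
    findings, values = [], []
    for name in names:
        raw = params.get(name, "")
        if base == 16 and raw.lower().startswith("0x"):
            findings.append(f"{name}: hexadecimal values are written without the 0x prefix")
            raw = raw[2:]
        try:
            values.append(int(raw, base))
        except ValueError:
            findings.append(f"{name}: {raw!r} is not a base-{base} number")
    if len(values) == 2 and values[0] >= values[1]:
        findings.append(f"{names[0]} must be below {names[1]}")
    return findings


def check_deployment(params, hostname):
    """Return a list of findings; an empty list means every rule passed."""
    findings = []
    if is_true(params, "pki_hsm_enable"):
        for name in ("pki_hsm_libfile", "pki_hsm_modulename"):
            if not params.get(name):
                findings.append(f"pki_hsm_enable=True requires {name}")
        # HSM keys are generally not extractable: no PKCS #12 export of them.
        if is_true(params, "pki_backup_keys") or params.get("pki_backup_password"):
            findings.append("pki_hsm_enable=True: set pki_backup_keys=False and leave pki_backup_password unset")
        if is_true(params, "pki_clone") and (params.get("pki_clone_pkcs12_path") or params.get("pki_clone_pkcs12_password")):
            findings.append("pki_hsm_enable=True with pki_clone=True: leave pki_clone_pkcs12_path and pki_clone_pkcs12_password unset")
    else:
        if is_true(params, "pki_backup_keys") and not params.get("pki_backup_password"):
            findings.append("pki_backup_keys=True requires pki_backup_password")
        if is_true(params, "pki_clone") and not (params.get("pki_clone_pkcs12_path") and params.get("pki_clone_pkcs12_password")):
            findings.append("pki_clone=True without an HSM requires pki_clone_pkcs12_path and pki_clone_pkcs12_password")
    if is_true(params, "pki_ds_secure_connection"):
        for name in ("pki_ds_secure_connection_ca_pem_file", "pki_ds_secure_connection_ca_nickname"):
            if not params.get(name):
                findings.append(f"pki_ds_secure_connection=True requires {name}")
    if dn_component(params.get("pki_sslserver_subject_dn", ""), "CN") != hostname:
        findings.append(f"pki_sslserver_subject_dn must contain CN={hostname}")
    findings += check_range(params, "pki_serial_number", 16)
    findings += check_range(params, "pki_request_number", 10)
    findings += check_range(params, "pki_replica_number", 10)
    return findings


# Constructed sample: an HSM-backed CA whose override file still requests a
# PKCS #12 key backup, copies a serial range with a 0x prefix, and enables
# LDAPS without supplying the directory server's CA certificate.
BAD_CA = {
    "pki_hsm_enable": "True",
    "pki_hsm_libfile": "/opt/nfast/toolkits/pkcs11/libcknfast.so",
    "pki_hsm_modulename": "nethsm",
    "pki_backup_keys": "True",
    "pki_backup_password": "Secret123",
    "pki_ds_secure_connection": "True",
    "pki_ds_secure_connection_ca_nickname": "DS CA certificate",
    "pki_sslserver_subject_dn": "CN=ca.example.test,O=EXAMPLE",
    "pki_serial_number_range_start": "0x1",
    "pki_serial_number_range_end": "10000000",
    "pki_request_number_range_start": "1",
    "pki_request_number_range_end": "10000000",
    "pki_replica_number_range_start": "1",
    "pki_replica_number_range_end": "100",
}
# The same deployment with the three problems corrected.
GOOD_CA = dict(BAD_CA, pki_backup_keys="False", pki_backup_password="",
               pki_ds_secure_connection_ca_pem_file="/root/ds-ca.pem",
               pki_serial_number_range_start="1")

if __name__ == "__main__":
    for label, params in (("bad", BAD_CA), ("good", GOOD_CA)):
        print(label, check_deployment(params, "ca.example.test") or "OK")
```

       The rules use only parameters documented on this page, so the script
       complements pkispawn's own pre-check mode rather than replacing it; the
       Directory Server and security domain connectivity tests above still
       need pkispawn itself.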
   EXTERNAL CA CERTIFICATE PARAMETERS
       pki_external
       Sets whether the new CA will have a signing certificate that will be
       issued by an external CA.  This is a two step process.  In the first
       step, a CSR to be presented to the external CA is generated.  In the
       second step, the issued signing certificate and certificate chain are
       provided to the pkispawn utility to complete the installation.
       Defaults to False.

       pki_ca_signing_csr_path
       Required in the first step of the external CA signing process.  The CSR
       will be printed to the screen and stored in this location.

       pki_req_ski
       Include a Subject Key Identifier extension in the CSR.  The value is
       either a hex-encoded byte string (without leading "0x"), or the string
       "DEFAULT" which will derive a value from the public key.

       pki_external_step_two
       Specifies that this is the second step of the external CA process.
       Defaults to False.

       pki_ca_signing_cert_path, pki_cert_chain_path
       Required for the second step of the external CA signing process.  This
       is the location of the CA signing cert (as issued by the external CA)
       and the external CA's certificate chain.

   SUBORDINATE CA CERTIFICATE PARAMETERS
       pki_subordinate
       Specifies whether the new CA will be a subordinate of another CA.  The
       issuing (master) CA is specified by the pki_issuing_ca_* parameters
       above.  Defaults to False.

       pki_subordinate_create_new_security_domain
       Set to True if the subordinate CA will host its own security domain.
       Defaults to False.

       pki_subordinate_security_domain_name
       Used when pki_subordinate_create_new_security_domain is set to True.
       Specifies the name of the security domain to be hosted on the
       subordinate CA.

631   STANDALONE PKI PARAMETERS
632       A  stand-alone  PKI subsystem is defined as a non-CA PKI subsystem that
633       does not contain a CA as a part of its deployment, and functions as its
634       own security domain.  Currently, only stand-alone KRAs are supported.
635
636
637       pki_standalone
638       Sets whether or not the new PKI subsystem will be stand-alone.  This is
639       a two step  process.   In  the  first  step,  CSRs  for  each  of  this
640       stand-alone PKI subsystem's certificates will be generated so that they
641       may be presented to the external CA.  In the second  step,  the  issued
642       certificates,  external  CA  certificate,  and  external CA certificate
643       chain are provided to the pkispawn utility to  complete  the  installa‐
644       tion.  Defaults to False.
645
646
647       pki_external_admin_csr_path
648       Will be generated by the first step of a stand-alone PKI process.  This
649       is the location of the file containing the administrator's  CSR  (which
650       will    be    presented    to    the   external   CA).    Defaults   to
651       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr'.
652
653
654       pki_external_audit_signing_csr_path
655       Will be generated by the first step of a stand-alone PKI process.  This
656       is  the  location  of  the file containing the audit signing CSR (which
657       will   be   presented   to   the    external    CA).     Defaults    to
658       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_sign‐
659       ing.csr'.
660
661
662       pki_external_sslserver_csr_path
663       Will be generated by the first step of a stand-alone PKI process.  This
664       is  the  location of the file containing the SSL server CSR (which will
665       be presented to the external CA).  Defaults to '%(pki_instance_configu‐
666       ration_path)s/%(pki_subsystem_type)s_sslserver.csr'.
667
668
669       pki_external_storage_csr_path
670       [KRA  ONLY]  Will  be  generated by the first step of a stand-alone KRA
671       process.  This is the location of the file containing the  storage  CSR
672       (which   will   be   presented   to  the  external  CA).   Defaults  to
673       '%(pki_instance_configuration_path)s/kra_storage.csr'.
674
675
676       pki_external_subsystem_csr_path
677       Will be generated by the first step of a stand-alone PKI process.  This
678       is the location of the file containing the subsystem CSR (which will be
679       presented to the external CA).  Defaults to  '%(pki_instance_configura‐
680       tion_path)s/%(pki_subsystem_type)s_subsystem.csr'.
681
682
683       pki_external_transport_csr_path
684       [KRA  ONLY]  Will  be  generated by the first step of a stand-alone KRA
685       process.  This is the location of the file containing the transport CSR
686       (which   will   be   presented   to  the  external  CA).   Defaults  to
687       '%(pki_instance_configuration_path)s/kra_transport.csr'.
688
689
690       pki_external_step_two
691       Specifies that this is the second step of  a  standalone  PKI  process.
692       Defaults to False.
693
694
695       pki_cert_chain_path
696       Required for the second step of a stand-alone PKI process.  This is the
697       location of the file containing the external CA signing certificate (as
698       issued by the external CA).  Defaults to
699       '%(pki_instance_configuration_path)s/external_ca.cert'.
700
701
702       pki_ca_signing_cert_path
703       Required for the second step of a stand-alone PKI process.  This is the
704       location of the file containing the external CA's certificate chain (as
705       issued by the external CA).  Defaults to empty.
706
707
708       pki_external_admin_cert_path
709       Required for the second step of a stand-alone PKI process.  This is the
710       location  of  the  file  containing the administrator's certificate (as
711       issued by the external CA).  Defaults to
712       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert'.
713
714
715       pki_external_audit_signing_cert_path
716       Required for the second step of a stand-alone PKI process.  This is the
717       location of the file  containing  the  audit  signing  certificate  (as
718       issued by the external CA).  Defaults to
719       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert'.
720
721
722       pki_external_sslserver_cert_path
723       Required for the second step of a stand-alone PKI process.  This is the
724       location of the file containing the sslserver certificate (as issued by
725       the external CA).  Defaults to
726       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert'.
727
728
729       pki_external_storage_cert_path
730       [KRA  ONLY]  Required for the second step of a stand-alone KRA process.
731       This is the location of the file containing the storage certificate (as
732       issued by the external CA).  Defaults to
733       '%(pki_instance_configuration_path)s/kra_storage.cert'.
734
735
736       pki_external_subsystem_cert_path
737       Required for the second step of a stand-alone PKI process.  This is the
738       location of the file containing the subsystem certificate (as issued by
739       the external CA).  Defaults to
740       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert'.
741
742
743       pki_external_transport_cert_path
744       [KRA  ONLY]  Required for the second step of a stand-alone KRA process.
745       This is the location of the file containing the  transport  certificate
746       (as issued by the external CA).  Defaults to
747       '%(pki_instance_configuration_path)s/kra_transport.cert'.
748
749
750   KRA PARAMETERS
751       pki_kra_ephemeral_requests
752       Specifies to use  ephemeral  requests  for  archivals  and  retrievals.
753       Defaults to False.
754
755
756   TPS PARAMETERS
757       pki_authdb_basedn
758       Specifies the base DN of TPS authentication database.
759
760
761       pki_authdb_hostname
762       Specifies  the  hostname  of  TPS  authentication database. Defaults to
763       localhost.
764
765
766       pki_authdb_port
767       Specifies the port number of TPS authentication database.  Defaults  to
768       389.
769
770
771       pki_authdb_secure_conn
772       Specifies  whether  to  use  a  secure connection to TPS authentication
773       database.  Defaults to False.
774
775
776       pki_enable_server_side_keygen
777       Specifies whether to enable server-side  key  generation.  Defaults  to
778       False.   The  location  of  the KRA instance should be specified in the
779       pki_kra_uri parameter.
780
781
782       pki_ca_uri
783       Specifies the URI of the CA instance used by TPS to create  and  revoke
784       user  certificates.  Defaults  to the instance in which the TPS is run‐
785       ning.
786
787
788       pki_kra_uri
789       Specifies the URI of the KRA  instance  used  by  TPS  to  archive  and
790       recover  keys.  Required if server-side key generation is enabled using
791       the pki_enable_server_side_keygen parameter.  Defaults to the  instance
792       in which the TPS is running.
793
794
795       pki_tks_uri
796       Specifies the URI of the TKS instance used by TPS to generate symmetric
797       keys.  Defaults to the instance in which the TPS is running.
798
799
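A pre-flight check for an override file, as an added example that is not part of this manual page or of pkispawn itself: it stacks [DEFAULT], [Tomcat] and the subsystem section in the documented order, expands the %(name)s tokens, and then verifies two constraints described above: that every file named by pki_cert_chain_path and the pki_external_*_cert_path parameters exists before the second step of a stand-alone deployment is run (the storage and transport entries only for a KRA), and that a TPS with server-side key generation enabled has pki_kra_uri set. It also flags pki_authdb_secure_conn=False, since the TPS then binds to its authentication database without TLS. The default.cfg excerpt, the override file, the pki_instance_configuration_path value and the per-section pki_subsystem_type key are constructed for this example; the real default.cfg carries many more parameters, and pkispawn's own stacking code is not used here.

```python
"""Pre-flight checks for a pkispawn override file, based on the parameter
descriptions in pki_default.cfg(5).  Added example; not pkispawn's own code."""
import configparser
import os
import re

# Constructed excerpt of default.cfg (assumption: only the defaults quoted in the
# man page, plus an assumed pki_instance_configuration_path and a per-section
# pki_subsystem_type so that the %(...)s tokens resolve).
DEFAULT_CFG = """
[DEFAULT]
pki_instance_name=pki-tomcat
pki_instance_configuration_path=/var/lib/pki/%(pki_instance_name)s/conf
pki_external_step_two=False
pki_cert_chain_path=%(pki_instance_configuration_path)s/external_ca.cert
pki_external_admin_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert
pki_external_audit_signing_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert
pki_external_sslserver_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert
pki_external_subsystem_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert
[Tomcat]
[CA]
pki_subsystem_type=ca
[KRA]
pki_subsystem_type=kra
pki_external_storage_cert_path=%(pki_instance_configuration_path)s/kra_storage.cert
pki_external_transport_cert_path=%(pki_instance_configuration_path)s/kra_transport.cert
[TPS]
pki_subsystem_type=tps
pki_authdb_hostname=localhost
pki_authdb_port=389
pki_authdb_secure_conn=False
pki_enable_server_side_keygen=False
"""

# Constructed override file: step two of a stand-alone KRA, and a TPS that
# reaches its authentication database over TLS and archives keys in a KRA.
OVERRIDES = """
[KRA]
pki_external_step_two=True
[TPS]
pki_authdb_hostname=ldap.example.test
pki_authdb_port=636
pki_authdb_secure_conn=True
pki_enable_server_side_keygen=True
pki_kra_uri=https://kra.example.test:8443
"""

TOKEN = re.compile(r"%\(([A-Za-z0-9_]+)\)s")
STEP_TWO_KEYS = ("pki_cert_chain_path", "pki_external_admin_cert_path",
                 "pki_external_audit_signing_cert_path",
                 "pki_external_sslserver_cert_path",
                 "pki_external_subsystem_cert_path")
KRA_ONLY_KEYS = ("pki_external_storage_cert_path", "pki_external_transport_cert_path")


def load_layers(*texts):
    """Parse default.cfg and then the override file(s) into one parser without
    interpolating, so tokens are expanded only after the sections are stacked."""
    parser = configparser.ConfigParser(interpolation=None)
    for text in texts:
        parser.read_string(text)
    return parser


def resolve(parser, subsystem):
    """Stack [DEFAULT], [Tomcat] and the subsystem section (later sections win),
    then expand %(name)s tokens against the merged values.  This emulates the
    order documented under SECTIONS; it is not pkispawn's code."""
    merged = dict(parser.defaults())
    for section in ("Tomcat", subsystem):
        if parser.has_section(section):
            merged.update(parser.items(section, raw=True))
    for _ in range(10):  # bounded so a self-referencing token cannot loop forever
        expanded = {k: TOKEN.sub(lambda m: merged.get(m.group(1), m.group(0)), v)
                    for k, v in merged.items()}
        if expanded == merged:
            break
        merged = expanded
    return merged


def is_true(value):
    return value.strip().lower() in ("true", "yes", "1")


def step_two_problems(cfg, subsystem):
    """List step-two inputs that are empty or missing on disk.  Returns [] when
    pki_external_step_two is not set, since step one needs no certificates."""
    if not is_true(cfg.get("pki_external_step_two", "False")):
        return []
    keys = STEP_TWO_KEYS + (KRA_ONLY_KEYS if subsystem == "KRA" else ())
    problems = []
    for key in keys:
        path = cfg.get(key, "")
        if not path:
            problems.append(f"{key} is empty")
        elif not os.path.isfile(path):
            problems.append(f"{key}: {path} does not exist")
    return problems


def tps_problems(cfg):
    """Check the TPS constraints stated in the man page, plus the cleartext LDAP case."""
    problems = []
    if is_true(cfg.get("pki_enable_server_side_keygen", "False")) and not cfg.get("pki_kra_uri"):
        problems.append("pki_enable_server_side_keygen=True requires pki_kra_uri")
    if not is_true(cfg.get("pki_authdb_secure_conn", "False")):
        problems.append("pki_authdb_secure_conn=False: binds to %s:%s without TLS"
                        % (cfg.get("pki_authdb_hostname"), cfg.get("pki_authdb_port")))
    return problems


if __name__ == "__main__":
    parser = load_layers(DEFAULT_CFG, OVERRIDES)
    for subsystem in ("KRA", "TPS"):
        cfg = resolve(parser, subsystem)
        found = step_two_problems(cfg, subsystem) + (tps_problems(cfg) if subsystem == "TPS" else [])
        print(subsystem, "OK" if not found else found)
```

Run stand-alone, the KRA check reports all seven certificate files as missing (the constructed paths do not exist on the machine running the example), while the TPS override passes; removing the [TPS] overrides shows the documented defaults failing the TLS check against localhost:389.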

SEE ALSO

801       pkispawn(8)
802
803

AUTHORS

805       Ade Lee <alee@redhat.com>.
806
807
809       Copyright (c) 2012 Red Hat, Inc.  This is licensed under the  GNU  Gen‐
810       eral  Public  License,  version  2  (GPLv2).  A copy of this license is
811       available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
812
813
814
815PKI                            December 13, 2012            pki_default.cfg(5)