pki_default.cfg(5)     PKI Server Default Deployment Configuration     pki_default.cfg(5)

NAME

       pki_default.cfg - PKI server default deployment configuration file.

LOCATION

       /usr/share/pki/server/etc/default.cfg

DESCRIPTION

       This file contains the default settings for a Certificate Server
       instance created using pkispawn.  This file should not be edited, as
       it can be modified when the Certificate Server packages are updated.
       Instead, when setting up a Certificate Server instance, a user should
       provide pkispawn with a configuration file containing overrides to
       the defaults in /usr/share/pki/server/etc/default.cfg.  See
       pkispawn(8) for details.

SECTIONS

       default.cfg contains parameters that are grouped into sections.
       These sections are stacked, so that parameters defined in earlier
       sections can be overwritten by parameters defined in later sections.
       The sections are read in the following order: [DEFAULT], [Tomcat],
       and the subsystem section ([CA], [KRA], [OCSP], [TKS], or [TPS]).
       This makes it possible to specify parameters shared by all subsystems
       in [DEFAULT] or [Tomcat], and subsystem-specific customizations in
       the subsystem section.

       A small number of bootstrap parameters are passed into the
       configuration by pkispawn itself.  Other parameters' values can be
       interpolated tokens rather than explicit values.  For example:

              pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA

       This substitutes the value of pki_instance_name into the parameter
       value.  It is possible to interpolate any non-password parameter
       within a section or in [DEFAULT].  Any parameter used in
       interpolation can ONLY be overridden within the same section.  So,
       for example, pki_instance_name should only be overridden in
       [DEFAULT]; otherwise, interpolations can fail.

       Note: Any non-password parameter value in the configuration file
       that needs to contain a % character must be properly escaped.  For
       example, a value of foo%bar would be specified as foo%%bar in the
       configuration file.
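The stacking and interpolation rules above, worked through as an added example (not code from the pki project). It assumes the files are read with Python's configparser, whose %(name)s references and %% escape match the syntax shown here; every configuration string below is constructed, and pki_hostname stands in for a bootstrap value that pkispawn itself would inject.

```python
import configparser

# Constructed stand-in for a few lines of default.cfg; not the real file.
DEFAULT_CFG = """\
[DEFAULT]
pki_instance_name=pki-tomcat
pki_https_port=8443
pki_security_domain_name=EXAMPLE
pki_admin_subject_dn=cn=PKI Administrator,o=%(pki_security_domain_name)s

[Tomcat]
pki_enable_access_log=True

[CA]
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
pki_ca_signing_key_algorithm=SHA256withRSA
"""

# Constructed override file: the instance name is overridden in [DEFAULT],
# the section its interpolations live in, and a literal % is written as %%.
GOOD_OVERRIDE = """\
[DEFAULT]
pki_instance_name=pki-ca1
pki_security_domain_name=CORP 100%% PKI

[CA]
pki_https_port=9443
"""

# Override in the wrong section: [Tomcat] wins in the flattened result, but
# the [CA] nickname is still interpolated from [DEFAULT]'s pki-tomcat.
WRONG_SECTION_OVERRIDE = """\
[Tomcat]
pki_instance_name=pki-ca1
"""

# Two errors: an unescaped %, and a reference to pki_hostname, a bootstrap
# value pkispawn would inject but which this constructed stand-in lacks.
BROKEN_OVERRIDE = """\
[DEFAULT]
pki_security_domain_name=CORP 100% PKI

[CA]
pki_sslserver_nickname=Server-Cert cert-%(pki_hostname)s
"""

STACK = ("DEFAULT", "Tomcat")


def load(*texts):
    """Read default.cfg first, then each override, into one parser.  Later
    files replace earlier values key by key; %(name)s is resolved at lookup
    time against the section being read plus [DEFAULT]."""
    cfg = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cfg.optionxform = str  # keep parameter names exactly as written
    for text in texts:
        cfg.read_string(text)
    return cfg


def local_keys(cfg, section):
    """Parameters written in this section itself, not inherited from
    [DEFAULT] (a same-named key whose raw value differs from the default counts)."""
    defaults = cfg.defaults()
    if section == "DEFAULT":
        return list(defaults)
    return [k for k in cfg.options(section)
            if k not in defaults or cfg.get(section, k, raw=True) != defaults[k]]


def resolve(cfg, subsystem):
    """Flatten [DEFAULT], [Tomcat] and the subsystem section in that order,
    so a later section's value wins.  Raises if a value fails to interpolate."""
    merged = {}
    for section in STACK + (subsystem,):
        for key in local_keys(cfg, section):
            merged[key] = cfg.get(section, key)
    return merged


def interpolation_errors(cfg, subsystem):
    """(section, parameter, problem) for each value that cannot be
    interpolated: a %(name)s not visible from its section, or a bare %."""
    problems = []
    for section in STACK + (subsystem,):
        for key in local_keys(cfg, section):
            try:
                cfg.get(section, key)
            except configparser.InterpolationMissingOptionError as exc:
                problems.append((section, key, "missing %(" + exc.reference + ")s"))
            except configparser.InterpolationSyntaxError:
                problems.append((section, key, "unescaped %"))
    return problems


if __name__ == "__main__":
    good = resolve(load(DEFAULT_CFG, GOOD_OVERRIDE), "CA")
    print(good["pki_ca_signing_nickname"], "|", good["pki_https_port"])
    wrong = resolve(load(DEFAULT_CFG, WRONG_SECTION_OVERRIDE), "CA")
    print(wrong["pki_instance_name"], "vs", wrong["pki_ca_signing_nickname"])
    for problem in interpolation_errors(load(DEFAULT_CFG, BROKEN_OVERRIDE), "CA"):
        print(*problem)
```

The wrong-section case is the silent failure the text warns about: the flattened pki_instance_name changes while the CA nickname keeps the old name, and no error is raised.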

PRE-CHECK PARAMETERS

       Once the configuration parameters have been constructed from the
       above sections and overrides, pkispawn performs a series of basic
       tests to determine whether the parameters being passed in are valid
       and consistent, before starting any installation.  In pre-check
       mode, these tests are executed and then pkispawn exits.

       It is possible to disable specific tests by setting the directives
       below.  While all of these tests should pass to ensure a successful
       installation, it may be reasonable to skip tests in pre-check mode.

       pki_skip_ds_verify
       Skip verification of the Directory Server credentials.  In this
       test, pkispawn attempts to bind to the Directory Server instance for
       the internal database using the provided credentials.  This could be
       skipped if the Directory Server instance does not yet exist or is
       inaccessible.  Defaults to False.

       pki_skip_sd_verify
       Skip verification of the security domain user/password.  In this
       test, pkispawn attempts to log onto the security domain using the
       provided credentials.  This can be skipped if the security domain is
       unavailable.  Defaults to False.

GENERAL INSTANCE PARAMETERS

       The parameters described below, as well as the parameters located in
       the following sections, can be customized as part of a deployment.
       This list is not exhaustive.

       pki_instance_name
       Name of the instance.  The instance is located at
       /var/lib/pki/instance_name.  For Java subsystems, the default is
       pki-tomcat.

       pki_https_port, pki_http_port
       Secure and insecure ports.  Default to the standard Tomcat ports
       8443 and 8080, respectively.

       pki_ajp_port, pki_tomcat_server_port
       Ports for Tomcat subsystems.  Default to the standard Tomcat ports
       8009 and 8005, respectively.

       pki_ajp_host
       Host on which to listen for AJP requests.  Defaults to localhost4,
       to listen to local traffic only on the IPv4 stack.  NOTE: Deprecated
       in favor of pki_ajp_host_ipv4.

       pki_ajp_host_ipv4
       Host on which to listen for AJP requests.  Defaults to localhost4,
       to listen to local traffic only on the IPv4 stack.

       pki_ajp_host_ipv6
       Host on which to listen for AJP requests.  Defaults to localhost6,
       to listen to local traffic only on the IPv6 stack.

       pki_proxy_http_port, pki_proxy_https_port, pki_enable_proxy
       Ports for an Apache proxy server.  Certificate Server instances can
       be run behind an Apache proxy server, which communicates with the
       Tomcat instance through the AJP port.  See the Red Hat Certificate
       System documentation
       ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩
       for details.

       pki_user, pki_group, pki_audit_group
       Specifies the default administrative user, group, and auditor group
       identities for PKI instances.  The default user and group are both
       pkiuser, and the default audit group is pkiaudit.

       pki_token_name, pki_token_password
       The token and password where this instance's system certificates and
       keys are stored.  Defaults to the NSS internal software token.

       pki_hsm_enable, pki_hsm_libfile, pki_hsm_modulename
       If an optional hardware security module (HSM) is being used (rather
       than the default software security module included in NSS), then
       the pki_hsm_enable parameter must be set to True (by default this
       parameter is False), and values must be supplied for both the
       pki_hsm_libfile (e.g. /opt/nfast/toolkits/pkcs11/libcknfast.so) and
       pki_hsm_modulename (e.g. nethsm) parameters.
   SYSTEM CERTIFICATE PARAMETERS
       pkispawn sets up a number of system certificates for each subsystem.
       The system certificates which are required differ between
       subsystems.  Each system certificate is denoted by a tag, as noted
       below.  The different system certificates are:

              • signing certificate ("ca_signing").  Used to sign other
                certificates.  Required for CA.

              • OCSP signing certificate ("ocsp_signing" in CA, "signing"
                in OCSP).  Used to sign CRLs.  Required for OCSP and CA.

              • storage certificate ("storage").  Used to encrypt keys for
                storage in KRA.  Required for KRA only.

              • transport certificate ("transport").  Used to encrypt keys
                in transport to the KRA.  Required for KRA only.

              • subsystem certificate ("subsystem").  Used to communicate
                between subsystems within the security domain.  Issued by
                the security domain CA.  Required for all subsystems.

              • server certificate ("sslserver").  Used for communication
                with the server.  One server certificate is required for
                each Certificate Server instance.

              • audit signing certificate ("audit_signing").  Used to sign
                audit logs.  Required for all subsystems except the RA.

       Each system certificate can be customized using the parameters
       below:

       pki_<tag>_key_type, pki_<tag>_key_size, pki_<tag>_key_algorithm
       Characteristics of the private key.  See the Red Hat Certificate
       System documentation
       ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩
       for possible options.  The defaults are RSA for the type, 2048 bits
       for the key size, and SHA256withRSA for the algorithm.

       pki_<tag>_signing_algorithm
       For signing certificates, the algorithm used for signing.  Defaults
       to SHA256withRSA.

       pki_<tag>_token
       Location where the certificate and private key are stored.  Defaults
       to the internal software NSS token database.

       pki_<tag>_nickname
       Nickname for the certificate in the token database.

       pki_<tag>_subject_dn
       Subject DN for the certificate.  The subject DN for the SSL server
       certificate must include CN=hostname.

       All system certificates can be configured to request the PSS variant
       of the RSA signing algorithms (when applicable).

       pki_use_pss_rsa_signing_algorithm
       Set this to True if algorithms such as SHA256withRSA/PSS are desired
       for each subsystem signing algorithm.  The default is False.  If
       only this setting is set, it causes all other signing algorithm
       values to be promoted to their /PSS variant, e.g. SHA256withRSA
       becomes SHA256withRSA/PSS.

       If this setting is not set, the standard default algorithms continue
       to be used, without PSS support.  If a digest stronger than SHA-256
       is desired, each algorithm must be set explicitly, for example:

              pki_ca_signing_key_algorithm=SHA512withRSA/PSS
   ADMIN USER PARAMETERS
       pkispawn creates a bootstrap administrative user that is a member of
       all the necessary groups to administer the installed subsystem.  On
       a security domain CA, the CA administrative user is also a member of
       the groups required to register a new subsystem on the security
       domain.  The certificate and keys for this administrative user are
       stored in a PKCS #12 file in pki_client_dir, and can be imported
       into a browser to administer the system.

       pki_admin_name, pki_admin_uid
       Name and UID of this administrative user.  Defaults to caadmin for
       CA, kraadmin for KRA, etc.

       pki_admin_password
       Password for the admin user.  This password is used to log into the
       pki-console (unless client authentication is enabled), as well as to
       log into the security domain CA.

       pki_admin_email
       Email address for the admin user.

       pki_admin_dualkey, pki_admin_key_size, pki_admin_key_type,
       pki_admin_key_algorithm
       Settings for the administrator certificate and keys.

       pki_admin_subject_dn
       Subject DN for the administrator certificate.  Defaults to cn=PKI
       Administrator, e=%(pki_admin_email)s, o=%(pki_security_domain_name)s.

       pki_admin_nickname
       Nickname for the administrator certificate.

       pki_import_admin_cert
       Set to True to import an existing admin certificate for the admin
       user, rather than generating a new one.  A subsystem-specific
       administrator will still be created within the subsystem's LDAP
       tree.  This is useful to allow multiple subsystems within the same
       instance to be more easily administered from the same browser by
       using a single certificate.

       By default, this is set to False for CA subsystems and True for KRA,
       OCSP, TKS, and TPS subsystems.  In this case, the admin certificate
       is read from the file ca_admin.cert in pki_client_dir.

       Note that cloned subsystems do not create a new administrative user.
       The administrative user of the master subsystem is used instead, and
       the details of this master user are replicated during the install.

       pki_client_admin_cert_p12
       Location for the PKCS #12 file containing the administrative user's
       certificate and keys.  For a CA, this defaults to ca_admin_cert.p12
       in the pki_client_dir directory.
   BACKUP PARAMETERS
       pki_backup_keys, pki_backup_file, pki_backup_password
       Set pki_backup_keys to True to back up the subsystem certificates
       and keys to the PKCS #12 file specified in pki_backup_file (default
       is /etc/pki/instance_name/alias/subsystem_backup_keys.p12).
       pki_backup_password is the password of the PKCS #12 file.

       Important: Keys in an HSM may not be extractable, so they may not be
       able to be exported into a PKCS #12 file.  Therefore, if
       pki_hsm_enable is set to True, pki_backup_keys should be set to
       False and pki_backup_password should be left unset (the default
       values in /usr/share/pki/server/etc/default.cfg).  Failure to do so
       will result in pkispawn reporting this error and exiting.
   CLIENT DIRECTORY PARAMETERS
       pki_client_dir
       This is the location where all client data used during the
       installation is stored.  At the end of the invocation of pkispawn,
       the administrative user's certificate and keys are stored in a
       PKCS #12 file in this location.

       Note: When using an HSM, it is currently recommended NOT to specify
       a value for pki_client_dir that is different from the default value.

       pki_client_database_dir, pki_client_database_password
       Location where an NSS token database is created in order to generate
       a key for the administrative user.  Usually, the data in this
       location is removed at the end of the installation, as the keys and
       certificates are stored in a PKCS #12 file in pki_client_dir.

       pki_client_database_purge
       Set to True to remove pki_client_database_dir at the end of the
       installation.  Defaults to True.
   INTERNAL DATABASE PARAMETERS
       pki_ds_hostname, pki_ds_ldap_port, pki_ds_ldaps_port
       Hostname and ports for the internal database.  Default to localhost,
       389, and 636, respectively.

       pki_ds_bind_dn, pki_ds_password
       Credentials to connect to the database during installation.
       Directory Manager-level access is required during installation to
       set up the relevant schema and database.  During the installation,
       a more restricted PKI user is set up for client-authenticated
       connections to the database.  Some additional configuration is
       required, including setting up the Directory Server to use SSL.  See
       the documentation for details.

       pki_ds_secure_connection
       Sets whether to require connections to the Directory Server using
       LDAPS.  This requires SSL to be set up on the Directory Server
       first.  Defaults to False.

       pki_ds_secure_connection_ca_nickname
       Once a Directory Server CA certificate has been imported into the
       PKI security databases (see pki_ds_secure_connection_ca_pem_file),
       pki_ds_secure_connection_ca_nickname contains the nickname under
       which it is stored.  The default.cfg file contains a default value
       for this nickname.  This parameter is only used when
       pki_ds_secure_connection has been set to True.

       pki_ds_secure_connection_ca_pem_file
       The fully-qualified path, including the filename, of a file which
       contains an exported copy of the Directory Server's CA certificate.
       While this parameter is only used when pki_ds_secure_connection has
       been set to True, a valid value is required for this parameter
       whenever that condition holds.

       pki_ds_remove_data
       Sets whether to remove any data from the base DN before starting the
       installation.  Defaults to True.

       pki_ds_base_dn
       The base DN for the internal database.  It is advised that the
       Certificate Server have its own base DN for its internal database.
       If the base DN does not exist, it will be created during the running
       of pkispawn.  For a cloned subsystem, the base DN for the clone
       subsystem MUST be the same as for the master subsystem.

       pki_ds_database
       Name of the back-end database.  It is advised that the Certificate
       Server have its own base DN for its internal database.  If the
       back-end does not exist, it will be created during the running of
       pkispawn.
   ISSUING CA PARAMETERS
       pki_issuing_ca_hostname, pki_issuing_ca_https_port, pki_issuing_ca_uri
       Hostname and port, or URI, of the issuing CA.  Required for
       installations of subordinate CA and non-CA subsystems.  This should
       point to the CA that will issue the relevant system certificates for
       the subsystem.  In a default install, this defaults to the CA
       subsystem within the same instance.  The URI has the format
       https://ca_hostname:ca_https_port.
   MISCELLANEOUS PARAMETERS
       pki_restart_configured_instance
       Sets whether to restart the instance after configuration is
       complete.  Defaults to True.

       pki_enable_access_log
       Located in the [Tomcat] section, this variable determines whether
       the instance will enable (True) or disable (False) Tomcat access
       logging.  Defaults to True.

       pki_enable_java_debugger
       Sets whether to attach a Java debugger such as Eclipse to the
       instance for troubleshooting.  Defaults to False.

       pki_enable_on_system_boot
       Sets whether or not PKI instances should be started upon system
       boot.

       Currently, if this PKI subsystem exists within a shared instance,
       and it has been configured to start upon system boot, then ALL other
       previously configured PKI subsystems within this shared instance
       will start upon system boot.

       Similarly, if this PKI subsystem exists within a shared instance,
       and it has been configured to NOT start upon system boot, then ALL
       other previously configured PKI subsystems within this shared
       instance will NOT start upon system boot.

       Additionally, if more than one PKI instance exists, there is no
       granularity which allows one PKI instance to be enabled while
       another PKI instance is disabled (i.e. PKI instances are either all
       enabled or all disabled).  To provide this capability, the PKI
       instances must reside on separate machines.

       Defaults to True (see the following note on why this was previously
       'False').

       Note: Since this parameter did not exist prior to Dogtag 10.2.3, the
       default behavior of PKI instances in Dogtag 10.2.2 and prior was
       False.  To manually enable this behavior, obtain superuser
       privileges and execute 'systemctl enable pki-tomcatd.target'; to
       manually disable this behavior, execute 'systemctl disable
       pki-tomcatd.target'.

       pki_security_manager
       Enables the Java security manager policies provided by the JDK to be
       used with the instance.  Defaults to True.
   SECURITY DOMAIN PARAMETERS
       The security domain is a component that facilitates communication
       between subsystems.  The first CA installed hosts this component and
       is used to register subsequent subsystems with the security domain.
       These subsystems can communicate with each other using their
       subsystem certificate, which is issued by the security domain CA.
       For more information about the security domain component, see the
       Red Hat Certificate System documentation
       ⟨https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System⟩.

       pki_security_domain_hostname, pki_security_domain_https_port
       Location of the security domain.  Required for KRA, OCSP, TKS, and
       TPS subsystems and for CA subsystems joining a security domain.
       Defaults to the location of the CA subsystem within the same
       instance.

       pki_security_domain_user, pki_security_domain_password
       Administrative user of the security domain.  Required for KRA, OCSP,
       TKS, and TPS subsystems, and for CA subsystems joining a security
       domain.  Defaults to the administrative user for the CA subsystem
       within the same instance (caadmin).

       pki_security_domain_name
       The name of the security domain.  This is required for the security
       domain CA.
   CLONE PARAMETERS
       pki_clone
       Installs a clone, rather than an original, subsystem.

       pki_clone_pkcs12_password, pki_clone_pkcs12_path
       Location and password of the PKCS #12 file containing the system
       certificates for the master subsystem being cloned.  This file
       should be readable by the user that the Certificate Server is
       running as (default of pkiuser), and have the correct SELinux
       context (pki_tomcat_cert_t).  This can be achieved by placing the
       file in /var/lib/pki/instance_name/alias.

       Important: Keys in an HSM may not be extractable, so they may not be
       able to be exported into a PKCS #12 file.  For clones using an HSM,
       this means that the HSM keys must be shared between the master and
       its clones.  Therefore, if pki_hsm_enable is set to True, both
       pki_clone_pkcs12_path and pki_clone_pkcs12_password should be left
       unset (the default values in /usr/share/pki/server/etc/default.cfg).
       Failure to do so will result in pkispawn reporting this error and
       exiting.

       pki_clone_setup_replication
       Defaults to True.  If set to False, the installer does not set up
       replication agreements from the master to the clone as part of the
       subsystem configuration.  In this case, it is expected that the top
       level suffix already exists, and that the data has already been
       replicated.  This option is useful if you want to use other tools
       to create and manage your replication topology, or if the base DN
       is already replicated as part of a top-level suffix.

       pki_clone_reindex_data
       Defaults to False.  This parameter is only relevant when
       pki_clone_setup_replication is set to False.  In this case, it is
       expected that the database has been prepared and replicated as
       noted above.  Part of that preparation could involve adding indexes
       and indexing the data.  If you would like the Dogtag installer to
       add the indexes and reindex the data instead, set
       pki_clone_reindex_data to True.

       pki_clone_replication_master_port, pki_clone_replication_clone_port
       Ports on which replication occurs.  These are the ports on the
       master and clone databases, respectively.  Default to the internal
       database port.

       pki_clone_replicate_schema
       Replicate the schema when the replication agreement is set up and
       the new instance (consumer) is initialized.  Otherwise, the schema
       must be installed in the clone as a separate step beforehand.  This
       does not usually have to be changed.  Defaults to True.

       pki_clone_replication_security
       The type of security used for the replication data.  This can be
       set to SSL (using LDAPS), TLS, or None.  Defaults to None.  For SSL
       and TLS, SSL must be set up for the database instances beforehand.

       pki_master_hostname, pki_master_https_port, pki_clone_uri
       Hostname and port, or URI, of the subsystem being cloned.  The URI
       format is https://master_hostname:master_https_port, where the
       default master hostname and HTTPS port are set to the security
       domain's hostname and HTTPS port.
   CA SERIAL NUMBER PARAMETERS
       pki_serial_number_range_start, pki_serial_number_range_end
       Sets the range of serial numbers to be used when issuing
       certificates.  Values here are hexadecimal (without the 0x prefix).
       It is useful to override these values when migrating data from
       another CA, so that serial number conflicts do not occur.  Defaults
       to 1 and 10000000, respectively.

       pki_request_number_range_start, pki_request_number_range_end
       Sets the range of request numbers to be used by the CA.  Values here
       are decimal.  It is useful to override these values when migrating
       data from another CA, so that request number conflicts do not occur.
       Defaults to 1 and 10000000, respectively.

       pki_replica_number_range_start, pki_replica_number_range_end
       Sets the range of replica numbers to be used by the CA.  These
       numbers are used to identify database replicas in a replication
       topology.  Values here are decimal.  Defaults to 1 and 100,
       respectively.
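An added example, not pkispawn's own pre-check code, that applies the consistency rules stated in the SYSTEM CERTIFICATE (sslserver subject DN), BACKUP, INTERNAL DATABASE and CLONE sections and the number-range rules above to a flattened parameter dict. It assumes the dict holds the string values as written after section stacking, takes pki_hostname as the bootstrap hostname pkispawn supplies, and uses constructed parameter sets.

```python
# Ranges are (parameter prefix, numeric base) as the man page specifies them.
NUMBER_RANGES = (
    ("pki_serial_number_range", 16),   # hexadecimal, written without 0x
    ("pki_request_number_range", 10),
    ("pki_replica_number_range", 10),
)


def is_true(params, key):
    return params.get(key, "").strip().lower() == "true"


def is_set(params, key):
    return params.get(key, "").strip() != ""


def dn_has_cn(subject_dn, hostname):
    """True if some RDN of the DN is CN=<hostname> (attribute type and
    hostname compared case-insensitively; a plain split on commas)."""
    for rdn in subject_dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().upper() == "CN" and value.strip().lower() == hostname.lower():
            return True
    return False


def check_range(params, prefix, base):
    """Validate <prefix>_start/_end when both are overridden; return errors."""
    start_key, end_key = prefix + "_start", prefix + "_end"
    if not (is_set(params, start_key) and is_set(params, end_key)):
        return []  # not overridden: the default.cfg values apply
    raw_start, raw_end = params[start_key].strip(), params[end_key].strip()
    # int(x, 16) would silently accept "0x1", so reject the prefix explicitly.
    if base == 16 and any(v.lower().startswith("0x") for v in (raw_start, raw_end)):
        return [f"{prefix}: hexadecimal values must not carry a 0x prefix"]
    try:
        start, end = int(raw_start, base), int(raw_end, base)
    except ValueError:
        return [f"{prefix}: values must be base-{base} integers"]
    if start >= end:
        return [f"{prefix}: start ({raw_start}) must be below end ({raw_end})"]
    return []


def precheck(params):
    """Return a list of error strings; empty means the parameters are
    consistent under the rules implemented here."""
    errors = []
    if is_true(params, "pki_hsm_enable"):
        for key in ("pki_hsm_libfile", "pki_hsm_modulename"):
            if not is_set(params, key):
                errors.append(f"{key} must be set when pki_hsm_enable=True")
        # HSM keys are generally not extractable: no PKCS #12 export (backup)
        # and no PKCS #12 import (clone); pkispawn exits on either.
        if is_true(params, "pki_backup_keys") or is_set(params, "pki_backup_password"):
            errors.append("pki_backup_keys must be False and pki_backup_password "
                          "unset when pki_hsm_enable=True")
        for key in ("pki_clone_pkcs12_path", "pki_clone_pkcs12_password"):
            if is_set(params, key):
                errors.append(f"{key} must be left unset when pki_hsm_enable=True")
    if is_true(params, "pki_ds_secure_connection") and not is_set(
            params, "pki_ds_secure_connection_ca_pem_file"):
        errors.append("pki_ds_secure_connection_ca_pem_file is required when "
                      "pki_ds_secure_connection=True")
    # The SSL server certificate's subject DN must carry CN=<hostname>.
    dn, host = params.get("pki_sslserver_subject_dn", ""), params.get("pki_hostname", "")
    if dn and not dn_has_cn(dn, host):
        errors.append(f"pki_sslserver_subject_dn must include CN={host}")
    for prefix, base in NUMBER_RANGES:
        errors.extend(check_range(params, prefix, base))
    return errors


# Constructed parameter sets; values are illustrative only.
SAMPLE_HSM_BAD = {
    "pki_hostname": "ca1.example.test",
    "pki_hsm_enable": "True",
    "pki_hsm_libfile": "/opt/nfast/toolkits/pkcs11/libcknfast.so",
    "pki_hsm_modulename": "",                                   # missing
    "pki_backup_keys": "True",                                  # HSM keys cannot be exported
    "pki_backup_password": "changeme",
    "pki_clone_pkcs12_path": "/var/lib/pki/pki-tomcat/alias/ca.p12",
    "pki_ds_secure_connection": "True",
    "pki_ds_secure_connection_ca_pem_file": "",                 # required for LDAPS
    "pki_sslserver_subject_dn": "cn=ca1.example.org,o=EXAMPLE",  # wrong host
    "pki_serial_number_range_start": "0x1",                     # no 0x allowed
    "pki_serial_number_range_end": "10000000",
    "pki_request_number_range_start": "1",
    "pki_request_number_range_end": "1",                        # empty range
}
SAMPLE_SOFTWARE_GOOD = {
    "pki_hostname": "ca1.example.test",
    "pki_hsm_enable": "False",
    "pki_backup_keys": "True",
    "pki_backup_password": "changeme",
    "pki_ds_secure_connection": "True",
    "pki_ds_secure_connection_ca_pem_file": "/etc/pki/ds-ca.pem",
    "pki_sslserver_subject_dn": "CN=ca1.example.test,OU=pki-tomcat,O=EXAMPLE",
    "pki_serial_number_range_start": "1",
    "pki_serial_number_range_end": "10000000",
}

if __name__ == "__main__":
    for name, params in (("good", SAMPLE_SOFTWARE_GOOD), ("bad", SAMPLE_HSM_BAD)):
        print(name, precheck(params))
```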
   EXTERNAL CA CERTIFICATE PARAMETERS
       pki_external
       Sets whether the new CA will have a signing certificate that is
       issued by an external CA.  This is a two-step process.  In the first
       step, a CSR to be presented to the external CA is generated.  In the
       second step, the issued signing certificate and certificate chain
       are provided to the pkispawn utility to complete the installation.
       Defaults to False.

       pki_ca_signing_csr_path
       Required in the first step of the external CA signing process.  The
       CSR will be printed to the screen and stored in this location.

       pki_req_ski
       Include a Subject Key Identifier extension in the CSR.  The value is
       either a hex-encoded byte string (without leading "0x"), or the
       string "DEFAULT", which derives a value from the public key.

       pki_external_step_two
       Specifies that this is the second step of the external CA process.
       Defaults to False.

       pki_ca_signing_cert_path, pki_cert_chain_path
       Required for the second step of the external CA signing process.
       These are the locations of the CA signing certificate (as issued by
       the external CA) and of the external CA's certificate chain.
   SUBORDINATE CA CERTIFICATE PARAMETERS
       pki_subordinate
       Specifies whether the new CA will be a subordinate of another CA.
       The master CA is specified by the pki_issuing_ca parameters (see
       ISSUING CA PARAMETERS).  Defaults to False.

       pki_subordinate_create_new_security_domain
       Set to True if the subordinate CA will host its own security domain.
       Defaults to False.

       pki_subordinate_security_domain_name
       Used when pki_subordinate_create_new_security_domain is set to True.
       Specifies the name of the security domain to be hosted on the
       subordinate CA.
631   STANDALONE PKI PARAMETERS
632       A  stand-alone  PKI subsystem is defined as a non-CA PKI subsystem that
633       does not contain a CA as a part of its deployment, and functions as its
634       own security domain.  Currently, only stand-alone KRAs are supported.
635
636
637       pki_standalone
638       Sets whether or not the new PKI subsystem will be stand-alone.  This is
639       a two step process.  In the first step, CSRs for each  of  this  stand-
640       alone  PKI  subsystem's certificates will be generated so that they may
641       be presented to the external CA.  In the second step, the  issued  cer‐
642       tificates,  external  CA certificate, and external CA certificate chain
643       are provided to the pkispawn utility to complete the installation.  De‐
644       faults to False.
645
646
647       pki_external_admin_csr_path
648       Will be generated by the first step of a stand-alone PKI process.  This
649       is the location of the file containing the administrator's  CSR  (which
650       will  be  presented  to  the  external  CA).   Defaults  to  '%(pki_in‐
651       stance_configuration_path)s/%(pki_subsystem_type)s_admin.csr'.
652
653
654       pki_external_audit_signing_csr_path
655       Will be generated by the first step of a stand-alone PKI process.  This
656       is  the  location  of  the file containing the audit signing CSR (which
657       will  be  presented  to  the  external  CA).   Defaults  to  '%(pki_in‐
658       stance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr'.
659
660
661       pki_external_sslserver_csr_path
662       Will be generated by the first step of a stand-alone PKI process.  This
663       is the location of the file containing the SSL server CSR  (which  will
664       be presented to the external CA).  Defaults to '%(pki_instance_configu‐
665       ration_path)s/%(pki_subsystem_type)s_sslserver.csr'.
666
667
668       pki_external_storage_csr_path
669       [KRA ONLY] Will be generated by the first step  of  a  stand-alone  KRA
670       process.   This  is the location of the file containing the storage CSR
671       (which will be presented to the external CA).  Defaults  to  '%(pki_in‐
672       stance_configuration_path)s/kra_storage.csr'.
673
674
675       pki_external_subsystem_csr_path
676       Will be generated by the first step of a stand-alone PKI process.  This
677       is the location of the file containing the subsystem CSR (which will be
678       presented  to the external CA).  Defaults to '%(pki_instance_configura‐
679       tion_path)s/%(pki_subsystem_type)s_subsystem.csr'.
680
681
682       pki_external_transport_csr_path
683       [KRA ONLY] Will be generated by the first step  of  a  stand-alone  KRA
684       process.  This is the location of the file containing the transport CSR
685       (which will be presented to the external CA).  Defaults  to  '%(pki_in‐
686       stance_configuration_path)s/kra_transport.csr'.
687
688
       pki_external_step_two
       Specifies that this is the second step of a stand-alone PKI process.
       Defaults to False.


       pki_cert_chain_path
       Required for the second step of a stand-alone PKI process.  This is the
       location of the file containing the external CA signing certificate (as
       issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/external_ca.cert'.


       pki_ca_signing_cert_path
       Required for the second step of a stand-alone PKI process.  This is the
       location of the file containing the external CA's certificate chain (as
       issued by the external CA).  Defaults to empty.


       pki_external_admin_cert_path
       Required for the second step of a stand-alone PKI process.  This is the
       location of the file containing the administrator's certificate (as
       issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert'.


       pki_external_audit_signing_cert_path
       Required for the second step of a stand-alone PKI process.  This is the
       location of the file containing the audit signing certificate (as
       issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert'.


       pki_external_sslserver_cert_path
       Required for the second step of a stand-alone PKI process.  This is the
       location of the file containing the SSL server certificate (as issued
       by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert'.


       pki_external_storage_cert_path
       [KRA ONLY] Required for the second step of a stand-alone KRA process.
       This is the location of the file containing the storage certificate (as
       issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/kra_storage.cert'.


       pki_external_subsystem_cert_path
       Required for the second step of a stand-alone PKI process.  This is the
       location of the file containing the subsystem certificate (as issued by
       the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert'.


       pki_external_transport_cert_path
       [KRA ONLY] Required for the second step of a stand-alone KRA process.
       This is the location of the file containing the transport certificate
       (as issued by the external CA).  Defaults to
       '%(pki_instance_configuration_path)s/kra_transport.cert'.


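       The stand-alone step-two parameters above all default to interpolated
       paths under pki_instance_configuration_path, except
       pki_ca_signing_cert_path, which defaults to empty and so must always be
       supplied by the user.  The following is an added example, not part of
       this man page or of the PKI server project: it loads a constructed
       default.cfg-style text (a subset of the KRA parameters documented above,
       not the real /usr/share/pki/server/etc/default.cfg), layers a user
       override on top using the same %(name)s token syntax that Python's
       configparser implements, resolves every certificate path a KRA needs
       for step two, and reports which are unset or point at a file that does
       not exist yet.  The check is meant to be run before setting
       pki_external_step_two=True so a missing file is caught before pkispawn
       is invoked; the subsystem type, file names and scratch directory are
       all constructed for the example.

```python
import configparser
import os
import tempfile

# Constructed sample in the style of default.cfg, covering only the
# step-two certificate parameters documented above for a KRA.  It is not
# the real /usr/share/pki/server/etc/default.cfg.
SAMPLE_DEFAULTS = """\
[DEFAULT]
pki_instance_name=pki-tomcat
pki_instance_configuration_path=/etc/pki/%(pki_instance_name)s

[KRA]
pki_subsystem_type=kra
pki_external_step_two=False
pki_cert_chain_path=%(pki_instance_configuration_path)s/external_ca.cert
pki_ca_signing_cert_path=
pki_external_admin_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert
pki_external_audit_signing_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert
pki_external_sslserver_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert
pki_external_storage_cert_path=%(pki_instance_configuration_path)s/kra_storage.cert
pki_external_subsystem_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert
pki_external_transport_cert_path=%(pki_instance_configuration_path)s/kra_transport.cert
"""

# Certificate inputs every stand-alone subsystem needs for step two, and the
# two that only a KRA needs.
COMMON_CERT_PARAMS = (
    "pki_cert_chain_path",
    "pki_ca_signing_cert_path",
    "pki_external_admin_cert_path",
    "pki_external_audit_signing_cert_path",
    "pki_external_sslserver_cert_path",
    "pki_external_subsystem_cert_path",
)
KRA_ONLY_CERT_PARAMS = (
    "pki_external_storage_cert_path",
    "pki_external_transport_cert_path",
)


def load_stacked_config(default_text, override_text=""):
    """Parse default.cfg-style text, then layer the user's overrides on top.

    configparser's BasicInterpolation implements the %(name)s token syntax,
    and [DEFAULT] values are visible from every section, so reading the
    override text second replaces the defaults in place.
    """
    cfg = configparser.ConfigParser(
        interpolation=configparser.BasicInterpolation())
    cfg.read_string(default_text)
    if override_text:
        cfg.read_string(override_text)
    return cfg


def resolve_cert_paths(cfg, section):
    """Return {parameter: fully interpolated path} for the step-two inputs."""
    params = list(COMMON_CERT_PARAMS)
    if cfg.get(section, "pki_subsystem_type") == "kra":
        params.extend(KRA_ONLY_CERT_PARAMS)
    return {p: cfg.get(section, p) for p in params}


def check_step_two_inputs(cfg, section):
    """List problems that would make a pki_external_step_two=True run fail.

    Each entry is 'parameter: reason'.  An empty list means every required
    certificate parameter is set and names an existing file.
    """
    problems = []
    for param, path in resolve_cert_paths(cfg, section).items():
        if not path:
            problems.append(f"{param}: not set (supply it in the override file)")
        elif not os.path.isfile(path):
            problems.append(f"{param}: file not found: {path}")
    return problems


def demo():
    """Run the check against a scratch directory holding two of the eight files."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed override: as the man page says, an interpolated
        # parameter is overridden in the section that defines it, [DEFAULT].
        overrides = "[DEFAULT]\npki_instance_configuration_path=%s\n" % tmp
        cfg = load_stacked_config(SAMPLE_DEFAULTS, overrides)
        for name in ("external_ca.cert", "kra_admin.cert"):
            open(os.path.join(tmp, name), "w").close()
        return check_step_two_inputs(cfg, "KRA")


if __name__ == "__main__":
    for line in demo():
        print(line)
```

       Running the module reports six problems for the constructed KRA: the
       always-empty pki_ca_signing_cert_path and the five certificate files
       the scratch directory does not contain.  For a CA, OCSP, TKS or TPS the
       same check applies with the two KRA-only parameters dropped.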
   KRA PARAMETERS
       pki_kra_ephemeral_requests
       Specifies whether to use ephemeral requests for archivals and
       retrievals.  Defaults to False.


   TPS PARAMETERS
       pki_authdb_basedn
       Specifies the base DN of the TPS authentication database.


       pki_authdb_hostname
       Specifies the hostname of the TPS authentication database.  Defaults to
       localhost.


       pki_authdb_port
       Specifies the port number of the TPS authentication database.  Defaults
       to 389.


       pki_authdb_secure_conn
       Specifies whether to use a secure connection to the TPS authentication
       database.  Defaults to False.


       pki_enable_server_side_keygen
       Specifies whether to enable server-side key generation.  Defaults to
       False.  The location of the KRA instance should be specified in the
       pki_kra_uri parameter.


       pki_ca_uri
       Specifies the URI of the CA instance used by TPS to create and revoke
       user certificates.  Defaults to the instance in which the TPS is
       running.


       pki_kra_uri
       Specifies the URI of the KRA instance used by TPS to archive and
       recover keys.  Required if server-side key generation is enabled using
       the pki_enable_server_side_keygen parameter.  Defaults to the instance
       in which the TPS is running.


       pki_tks_uri
       Specifies the URI of the TKS instance used by TPS to generate symmetric
       keys.  Defaults to the instance in which the TPS is running.


SEE ALSO
       pkispawn(8)


AUTHORS
       Ade Lee <alee@redhat.com>.


       Copyright (c) 2012 Red Hat, Inc.  This is licensed under the GNU
       General Public License, version 2 (GPLv2).  A copy of this license is
       available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.



PKI                            December 13, 2012            pki_default.cfg(5)