############################################################################### ## Default Configuration: ## ## ## ## Values in this section are common to more than one PKI subsystem, and ## ## contain required information which MAY be overridden by users as ## ## necessary. ## ## ## ## There are also some meta-parameters that determine how the PKI ## ## configuratiion should work. ## ## ## ############################################################################### [DEFAULT] # The sensitive_parameters contains a list of parameters which may contain # sensitive information which must not be displayed to the console nor stored # in log files for security reasons. sensitive_parameters= pki_admin_password pki_backup_password pki_client_database_password pki_client_pin pki_client_pkcs12_password pki_clone_pkcs12_password pki_ds_password pki_external_pkcs12_password pki_pkcs12_password pki_one_time_pin pki_pin pki_replication_password pki_security_domain_password pki_server_pkcs12_password pki_token_password # The spawn_scriplets contains a list of scriplets to be executed by pkispawn. spawn_scriplets= initialization infrastructure_layout instance_layout subsystem_layout selinux_setup webapp_deployment slot_substitution security_databases client_database csr_generation configuration finalization # The destroy_scriplets contains a list of scriplets to be executed by pkidestroy. destroy_scriplets= initialization configuration webapp_deployment subsystem_layout security_databases instance_layout selinux_setup infrastructure_layout finalization # By default, the following parameters will be set for Tomcat instances. # There is no reason to uncomment these. They are provided for reference in # case someone wants to override them in their config file. # # Tomcat instances: # pki_instance_name=pki-tomcat # pki_https_port=8443 # pki_http_port=8080 pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert pki_admin_cert_request_type=pkcs10 pki_admin_dualkey=False pki_admin_keysize=2048 pki_admin_key_type=rsa pki_admin_password= pki_audit_group=pkiaudit pki_audit_signing_key_algorithm=SHA256withRSA pki_audit_signing_key_size=2048 pki_audit_signing_key_type=rsa pki_audit_signing_signing_algorithm=SHA256withRSA pki_audit_signing_token=Internal Key Storage Token pki_backup_keys=False pki_backup_password= pki_ca_hostname=%(pki_security_domain_hostname)s pki_ca_port=%(pki_security_domain_https_port)s pki_client_admin_cert_p12=%(pki_client_dir)s/%(pki_subsystem_type)s_admin_cert.p12 pki_client_database_password= pki_client_database_purge=True pki_client_dir=%(home_dir)s/.dogtag/%(pki_instance_name)s pki_client_pkcs12_password= pki_ds_bind_dn=cn=Directory Manager pki_ds_existing_database=False pki_ds_create_new_db=True pki_ds_ldap_port=389 pki_ds_ldaps_port=636 pki_ds_password= pki_ds_remove_data=True pki_ds_secure_connection=False pki_ds_secure_connection_ca_nickname=Directory Server CA certificate pki_ds_secure_connection_ca_pem_file= pki_group=pkiuser pki_hsm_enable=False pki_hsm_libfile= pki_hsm_modulename= pki_issuing_ca_hostname=%(pki_security_domain_hostname)s pki_issuing_ca_https_port=%(pki_security_domain_https_port)s pki_issuing_ca_uri=https://%(pki_issuing_ca_hostname)s:%(pki_issuing_ca_https_port)s pki_issuing_ca=%(pki_issuing_ca_uri)s pki_replication_password= pki_restart_configured_instance=True pki_security_domain_hostname=%(pki_hostname)s pki_security_domain_https_port=8443 pki_security_domain_name=%(pki_dns_domainname)s Security Domain pki_security_domain_password= pki_security_domain_user=caadmin pki_self_signed_token=internal #for supporting server cert SAN injection pki_san_inject=False pki_san_for_server_cert= pki_skip_configuration=False pki_skip_ds_verify=False pki_skip_installation=False pki_skip_sd_verify=False pki_ssl_server_key_algorithm=SHA256withRSA pki_ssl_server_key_size=2048 pki_ssl_server_key_type=rsa pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s pki_ssl_server_token=Internal Key Storage Token pki_subsystem_key_algorithm=SHA256withRSA pki_subsystem_key_size=2048 pki_subsystem_key_type=rsa pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s pki_subsystem_subject_dn=cn=Subsystem Certificate,o=%(pki_security_domain_name)s pki_subsystem_token=Internal Key Storage Token pki_theme_enable=True pki_theme_server_dir=/usr/share/pki/common-ui pki_token_name=internal pki_token_password= pki_user=pkiuser pki_existing=False pki_cert_chain_path= pki_cert_chain_nickname=caSigningCert External CA pki_pkcs12_path= pki_pkcs12_password= # Paths: # These are used in the processing of pkispawn and are not supposed # to be overwritten by user configuration files. # pki_client_database_dir=%(pki_client_subsystem_dir)s/alias pki_client_subsystem_dir=%(pki_client_dir)s/%(pki_subsystem_type)s pki_client_password_conf=%(pki_client_subsystem_dir)s/password.conf pki_client_pkcs12_password_conf=%(pki_client_subsystem_dir)s/pkcs12_password.conf pki_client_cert_database=%(pki_client_database_dir)s/cert8.db pki_client_key_database=%(pki_client_database_dir)s/key3.db pki_client_secmod_database=%(pki_client_database_dir)s/secmod.db pki_client_admin_cert=%(pki_client_dir)s/%(pki_subsystem_type)s_admin.cert pki_source_conf_path=/usr/share/pki/%(pki_subsystem_type)s/conf pki_source_setup_path=/usr/share/pki/setup pki_source_server_path=/usr/share/pki/server/conf pki_source_cs_cfg=/usr/share/pki/%(pki_subsystem_type)s/conf/CS.cfg pki_source_registry=/usr/share/pki/setup/pkidaemon_registry pki_source_subsystem_path=/usr/share/pki/%(pki_subsystem_type)s pki_path=%(pki_root_prefix)s/var/lib/pki pki_log_path=%(pki_root_prefix)s/var/log/pki pki_configuration_path=%(pki_root_prefix)s/etc/pki pki_registry_path=%(pki_root_prefix)s/etc/sysconfig/pki pki_instance_path=%(pki_path)s/%(pki_instance_name)s pki_instance_log_path=%(pki_log_path)s/%(pki_instance_name)s pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s pki_database_path=%(pki_instance_configuration_path)s/alias pki_instance_database_link=%(pki_instance_path)s/alias pki_instance_conf_link=%(pki_instance_path)s/conf pki_instance_logs_link=%(pki_instance_path)s/logs pki_subsystem_path=%(pki_instance_path)s/%(pki_subsystem_type)s pki_subsystem_log_path=%(pki_instance_log_path)s/%(pki_subsystem_type)s pki_subsystem_archive_log_path=%(pki_subsystem_log_path)s/archive pki_subsystem_configuration_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s pki_subsystem_database_link=%(pki_subsystem_path)s/alias pki_subsystem_conf_link=%(pki_subsystem_path)s/conf pki_subsystem_logs_link=%(pki_subsystem_path)s/logs pki_subsystem_registry_link=%(pki_subsystem_path)s/registry ############################################################################### ## Tomcat Configuration: ## ## ## ## Values in this section are common to PKI subsystems that run ## ## as an instance of 'Tomcat' (CA, KRA, OCSP, TKS, and TPS subsystems ## ## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ## ## required information which MAY be overridden by users as necessary. ## ## ## ## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ## ## a 'TKS Clone', or a 'TPS Clone', change the value of ## ## 'pki_clone' from 'False' to 'True'. ## ## ## ## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ## ## are MUTUALLY EXCLUSIVE entities!!! ## ############################################################################### [Tomcat] pki_ajp_port=8009 pki_server_pkcs12_path= pki_server_pkcs12_password= pki_server_external_certs_path= pki_clone=False pki_clone_pkcs12_password= pki_clone_pkcs12_path= pki_clone_replicate_schema=True pki_clone_replication_master_port= pki_clone_replication_clone_port= pki_clone_replication_security=None pki_clone_setup_replication=True pki_clone_reindex_data=False pki_master_hostname=%(pki_security_domain_hostname)s pki_master_https_port=%(pki_security_domain_https_port)s pki_clone_uri=https://%(pki_master_hostname)s:%(pki_master_https_port)s pki_enable_access_log=True pki_enable_java_debugger=False pki_enable_on_system_boot=True pki_enable_proxy=False pki_proxy_http_port=80 pki_proxy_https_port=443 pki_security_manager=true pki_tomcat_server_port=8005 # Paths # These are used in the processing of pkispawn and are not supposed # to be overwritten by user configuration files. # pki_systemd_service=/lib/systemd/system/pki-tomcatd@.service pki_systemd_target=/lib/systemd/system/pki-tomcatd.target pki_systemd_target_wants=/etc/systemd/system/pki-tomcatd.target.wants pki_systemd_service_link=%(pki_systemd_target_wants)s/pki-tomcatd@%(pki_instance_name)s.service pki_cgroup_systemd_service_path=/sys/fs/cgroup/systemd/system/%(pki_systemd_service)s pki_cgroup_systemd_service=%(pki_cgroup_systemd_service_path)s/%(pki_instance_name)s pki_cgroup_cpu_systemd_service_path=/sys/fs/cgroup/cpu\,cpuacct/system/%(pki_systemd_service)s pki_cgroup_cpu_systemd_service=%(pki_cgroup_cpu_systemd_service_path)s/%(pki_systemd_service)s pki_tomcat_bin_path=/usr/share/tomcat/bin pki_tomcat_lib_path=/usr/share/tomcat/lib pki_tomcat_systemd=/usr/sbin/tomcat pki_source_catalina_properties=%(pki_source_server_path)s/catalina.properties pki_source_servercertnick_conf=%(pki_source_server_path)s/serverCertNick.conf pki_source_server_xml=%(pki_source_server_path)s/server.xml pki_source_context_xml=%(pki_source_server_path)s/context.xml pki_source_tomcat_conf=%(pki_source_server_path)s/tomcat.conf pki_instance_type=Tomcat pki_tomcat_common_path=%(pki_instance_path)s/common pki_tomcat_common_lib_path=%(pki_tomcat_common_path)s/lib pki_tomcat_tmpdir_path=%(pki_instance_path)s/temp pki_tomcat_webapps_path=%(pki_instance_path)s/webapps pki_tomcat_common_webapps_path=%(pki_instance_path)s/common/webapps pki_tomcat_work_path=%(pki_instance_path)s/work pki_tomcat_work_catalina_path=%(pki_tomcat_work_path)s/Catalina pki_tomcat_work_catalina_host_path=%(pki_tomcat_work_catalina_path)s/localhost pki_tomcat_work_catalina_host_run_path=%(pki_tomcat_work_catalina_host_path)s/_ pki_tomcat_work_catalina_host_subsystem_path=%(pki_tomcat_work_catalina_host_path)s/%(pki_subsystem_type)s pki_instance_conf_log4j_properties=%(pki_instance_configuration_path)s/log4j.properties pki_instance_type_registry_path=%(pki_registry_path)s/tomcat pki_instance_registry_path=%(pki_instance_type_registry_path)s/%(pki_instance_name)s pki_subsystem_registry_path=%(pki_instance_registry_path)s/%(pki_subsystem_type)s pki_tomcat_bin_link=%(pki_instance_path)s/bin pki_instance_lib=%(pki_instance_path)s/lib pki_instance_lib_log4j_properties=%(pki_instance_lib)s/log4j.properties pki_instance_systemd_link=%(pki_instance_path)s/%(pki_instance_name)s pki_subsystem_signed_audit_log_path=%(pki_subsystem_log_path)s/signedAudit pki_tomcat_subsystem_webapps_path=%(pki_subsystem_path)s/webapps pki_tomcat_webapps_subsystem_path=%(pki_tomcat_subsystem_webapps_path)s/%(pki_subsystem_type)s pki_tomcat_webapps_subsystem_webinf_classes_path=%(pki_tomcat_webapps_subsystem_path)s/WEB-INF/classes pki_tomcat_webapps_subsystem_webinf_lib_path=%(pki_tomcat_webapps_subsystem_path)s/WEB-INF/lib pki_certsrv_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-certsrv.jar pki_cmsbundle_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmsbundle.jar pki_cmscore_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmscore.jar pki_cms_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cms.jar pki_cmsutil_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-cmsutil.jar pki_nsutil_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-nsutil.jar # JAR paths # These are used in the processing of pkispawn and are not supposed # to be overwritten by user configuration files pki_jss_jar=%(jni_jar_dir)s/jss4.jar pki_symkey_jar=%(jni_jar_dir)s/symkey.jar pki_apache_commons_collections_jar=/usr/share/java/apache-commons-collections.jar pki_apache_commons_io_jar=/usr/share/java/apache-commons-io.jar pki_apache_commons_lang_jar=/usr/share/java/apache-commons-lang.jar pki_apache_commons_logging_jar=/usr/share/java/apache-commons-logging.jar pki_commons_codec_jar=/usr/share/java/commons-codec.jar pki_httpclient_jar=/usr/share/java/httpcomponents/httpclient.jar pki_httpcore_jar=/usr/share/java/httpcomponents/httpcore.jar pki_javassist_jar=/usr/share/java/javassist.jar pki_ldapjdk_jar=/usr/share/java/ldapjdk.jar pki_certsrv_jar=/usr/share/java/pki/pki-certsrv.jar pki_cmsbundle=/usr/share/java/pki/pki-cmsbundle.jar pki_cmscore=/usr/share/java/pki/pki-cmscore.jar pki_cms=/usr/share/java/pki/pki-cms.jar pki_cmsutil=/usr/share/java/pki/pki-cmsutil.jar pki_nsutil=/usr/share/java/pki/pki-nsutil.jar pki_tomcat_jar=/usr/share/java/pki/pki-tomcat.jar pki_scannotation_jar=/usr/share/java/scannotation.jar pki_tomcatjss_jar=/usr/share/java/tomcatjss.jar pki_velocity_jar=/usr/share/java/velocity.jar pki_xerces_j2_jar=/usr/share/java/xerces-j2.jar pki_xml_commons_apis_jar=/usr/share/java/xml-commons-apis.jar pki_xml_commons_resolver_jar=/usr/share/java/xml-commons-resolver.jar pki_jss_jar_link=%(pki_tomcat_common_lib_path)s/jss4.jar pki_symkey_jar_link=%(pki_tomcat_common_lib_path)s/symkey.jar pki_apache_commons_collections_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-collections.jar pki_apache_commons_io_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-io.jar pki_apache_commons_lang_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-lang.jar pki_apache_commons_logging_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-logging.jar pki_commons_codec_jar_link=%(pki_tomcat_common_lib_path)s/apache-commons-codec.jar pki_httpclient_jar_link=%(pki_tomcat_common_lib_path)s/httpclient.jar pki_httpcore_jar_link=%(pki_tomcat_common_lib_path)s/httpcore.jar pki_javassist_jar_link=%(pki_tomcat_common_lib_path)s/javassist.jar pki_ldapjdk_jar_link=%(pki_tomcat_common_lib_path)s/ldapjdk.jar pki_tomcat_jar_link=%(pki_tomcat_common_lib_path)s/pki-tomcat.jar pki_scannotation_jar_link=%(pki_tomcat_common_lib_path)s/scannotation.jar pki_tomcatjss_jar_link=%(pki_tomcat_common_lib_path)s/tomcatjss.jar pki_velocity_jar_link=%(pki_tomcat_common_lib_path)s/velocity.jar pki_xerces_j2_jar_link=%(pki_tomcat_common_lib_path)s/xerces-j2.jar pki_xml_commons_apis_jar_link=%(pki_tomcat_common_lib_path)s/xml-commons-apis.jar pki_xml_commons_resolver_jar_link=%(pki_tomcat_common_lib_path)s/xml-commons-resolver.jar pki_ca_jar=/usr/share/java/pki/pki-ca.jar pki_ca_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-ca.jar pki_kra_jar=/usr/share/java/pki/pki-kra.jar pki_kra_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-kra.jar pki_ocsp_jar=/usr/share/java/pki/pki-ocsp.jar pki_ocsp_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-ocsp.jar pki_tks_jar=/usr/share/java/pki/pki-tks.jar pki_tks_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-tks.jar pki_tps_jar=/usr/share/java/pki/pki-tps.jar pki_tps_jar_link=%(pki_tomcat_webapps_subsystem_webinf_lib_path)s/pki-tps.jar # Jackson pki_jackson_core_asl_jar=/usr/share/java/jackson/jackson-core-asl.jar pki_jackson_jaxrs_jar=/usr/share/java/jackson/jackson-jaxrs.jar pki_jackson_mapper_asl_jar=/usr/share/java/jackson/jackson-mapper-asl.jar pki_jackson_mrbean_jar=/usr/share/java/jackson/jackson-mrbean.jar pki_jackson_smile_jar=/usr/share/java/jackson/jackson-smile.jar pki_jackson_xc_jar=/usr/share/java/jackson/jackson-xc.jar # RESTEasy pki_resteasy_atom_provider_jar=%(resteasy_lib)s/resteasy-atom-provider.jar pki_resteasy_client_jar=%(resteasy_lib)s/resteasy-client.jar pki_resteasy_jaxb_provider_jar=%(resteasy_lib)s/resteasy-jaxb-provider.jar pki_resteasy_jaxrs_api_jar=%(resteasy_lib)s/jaxrs-api.jar pki_resteasy_jaxrs_jar=%(resteasy_lib)s/resteasy-jaxrs.jar pki_resteasy_jackson_provider_jar=%(resteasy_lib)s/resteasy-jackson-provider.jar # nuxwdog pki_nuxwdog_client_jar=/usr/lib/java/nuxwdog.jar ############################################################################### ## CA Configuration: ## ## ## ## Values in this section are common to CA subsystems including 'PKI CAs', ## ## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ## ## required information which MAY be overridden by users as necessary. ## ## ## ## EXTERNAL CAs: To specify an 'External CA', change the value ## ## of 'pki_external' from 'False' to 'True'. ## ## ## ## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ## ## of 'pki_subordinate' from 'False' to 'True'. ## ## ## ## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ## ## are MUTUALLY EXCLUSIVE entities!!! ## ############################################################################### [CA] pki_ca_signing_key_algorithm=SHA256withRSA pki_ca_signing_key_size=2048 pki_ca_signing_key_type=rsa pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA pki_ca_signing_signing_algorithm=SHA256withRSA pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s pki_ca_signing_token=Internal Key Storage Token pki_ca_signing_csr_path= pki_ca_signing_cert_path= pki_external=False pki_req_ext_add=False # MS subca request ext data pki_req_ext_oid=1.3.6.1.4.1.311.20.2 pki_req_ext_critical=False pki_req_ext_data=1E0A00530075006200430041 pki_external_step_two=False pki_external_csr_path=%(pki_ca_signing_csr_path)s pki_external_ca_cert_path=%(pki_ca_signing_cert_path)s pki_external_ca_cert_chain_path=%(pki_cert_chain_path)s pki_external_ca_cert_chain_nickname=%(pki_cert_chain_nickname)s pki_external_pkcs12_path=%(pki_pkcs12_path)s pki_external_pkcs12_password=%(pki_pkcs12_password)s pki_import_admin_cert=False pki_ocsp_signing_key_algorithm=SHA256withRSA pki_ocsp_signing_key_size=2048 pki_ocsp_signing_key_type=rsa pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA pki_ocsp_signing_signing_algorithm=SHA256withRSA pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s pki_ocsp_signing_token=Internal Key Storage Token pki_profiles_in_ldap=False pki_random_serial_numbers_enable=False pki_subordinate=False pki_subordinate_create_new_security_domain=False pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s pki_admin_name=%(pki_admin_uid)s pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s pki_admin_uid=caadmin pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s pki_ds_base_dn=o=%(pki_instance_name)s-CA pki_ds_database=%(pki_instance_name)s-CA pki_ds_hostname=%(pki_hostname)s pki_subsystem_name=CA %(pki_hostname)s %(pki_https_port)s pki_share_db=False # Paths # These are used in the processing of pkispawn and are not supposed # to be overwritten by user configuration files. # pki_source_emails=/usr/share/pki/ca/emails pki_source_flatfile_txt=%(pki_source_conf_path)s/flatfile.txt pki_source_profiles=/usr/share/pki/ca/profiles pki_source_proxy_conf=%(pki_source_conf_path)s/proxy.conf pki_source_registry_cfg=%(pki_source_conf_path)s/registry.cfg pki_source_admincert_profile=%(pki_source_conf_path)s/adminCert.profile pki_source_caauditsigningcert_profile=%(pki_source_conf_path)s/caAuditSigningCert.profile pki_source_cacert_profile=%(pki_source_conf_path)s/caCert.profile pki_source_caocspcert_profile=%(pki_source_conf_path)s/caOCSPCert.profile pki_source_servercert_profile=%(pki_source_conf_path)s/serverCert.profile pki_source_subsystemcert_profile=%(pki_source_conf_path)s/subsystemCert.profile pki_subsystem_emails_path=%(pki_subsystem_path)s/emails pki_subsystem_profiles_path=%(pki_subsystem_path)s/profiles ############################################################################### ## KRA Configuration: ## ## ## ## Values in this section are common to KRA subsystems ## ## including 'PKI KRAs', 'Cloned KRAs', and 'Stand-alone KRAs' and contain ## ## required information which MAY be overridden by users as necessary. ## ## ## ## STAND-ALONE KRAs: To specify a 'Stand-alone KRA', change the value ## ## of 'pki_standalone' from 'False' to 'True', and ## ## specify the various 'pki_external' parameters ## ## as appropriate. ## ## ## ############################################################################### [KRA] pki_import_admin_cert=True pki_standalone=False pki_external_admin_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr pki_external_audit_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr pki_external_sslserver_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr pki_external_storage_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_storage.csr pki_external_subsystem_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr pki_external_transport_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_transport.csr pki_external_step_two=False pki_external_ca_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert pki_external_admin_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert pki_external_audit_signing_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert pki_external_sslserver_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert pki_external_storage_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_storage.cert pki_external_subsystem_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert pki_external_transport_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_transport.cert pki_storage_key_algorithm=SHA256withRSA pki_storage_key_size=2048 pki_storage_key_type=rsa pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA pki_storage_signing_algorithm=SHA256withRSA pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s pki_storage_token=Internal Key Storage Token pki_transport_key_algorithm=SHA256withRSA pki_transport_key_size=2048 pki_transport_key_type=rsa pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA pki_transport_signing_algorithm=SHA256withRSA pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s pki_transport_token=Internal Key Storage Token pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s pki_admin_name=%(pki_admin_uid)s pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s pki_admin_uid=kraadmin pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s pki_ds_base_dn=o=%(pki_instance_name)s-KRA pki_ds_database=%(pki_instance_name)s-KRA pki_ds_hostname=%(pki_hostname)s pki_subsystem_name=KRA %(pki_hostname)s %(pki_https_port)s pki_share_db=True pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA # Paths # These are used in the processing of pkispawn and are not supposed # to be overwritten by user configuration files. # pki_source_servercert_profile=%(pki_source_conf_path)s/serverCert.profile pki_source_storagecert_profile=%(pki_source_conf_path)s/storageCert.profile pki_source_subsystemcert_profile=%(pki_source_conf_path)s/subsystemCert.profile pki_source_transportcert_profile=%(pki_source_conf_path)s/transportCert.profile ############################################################################### ## OCSP Configuration: ## ## ## ## Values in this section are common to OCSP subsystems ## ## including 'PKI OCSPs', 'Cloned OCSPs', and 'Stand-alone OCSPs' and ## ## contain required information which MAY be overridden by users as ## ## necessary. ## ## ## ## STAND-ALONE OCSPs: To specify a 'Stand-alone OCSP', change the ## ## value of 'pki_standalone' from 'False' to ## ## 'True', and specify the various 'pki_external' ## ## parameters as appropriate. ## ## (NOTE: Stand-alone OCSP is not yet supported!) ## ## ## ############################################################################### [OCSP] pki_import_admin_cert=True pki_standalone=False pki_external_admin_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr pki_external_audit_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr pki_external_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_signing.csr pki_external_sslserver_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr pki_external_subsystem_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr pki_external_step_two=False pki_external_ca_cert_chain_path=%(pki_instance_configuration_path)s/external_ca_chain.cert pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert pki_external_admin_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.cert pki_external_audit_signing_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.cert pki_external_signing_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_signing.cert pki_external_sslserver_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.cert pki_external_subsystem_cert_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.cert pki_ocsp_signing_key_algorithm=SHA256withRSA pki_ocsp_signing_key_size=2048 pki_ocsp_signing_key_type=rsa pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP pki_ocsp_signing_signing_algorithm=SHA256withRSA pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s pki_ocsp_signing_token=Internal Key Storage Token pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s pki_admin_name=%(pki_admin_uid)s pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s pki_admin_uid=ocspadmin pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s pki_ds_base_dn=o=%(pki_instance_name)s-OCSP pki_ds_database=%(pki_instance_name)s-OCSP pki_ds_hostname=%(pki_hostname)s pki_subsystem_name=OCSP %(pki_hostname)s %(pki_https_port)s pki_share_db=True pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA ############################################################################### ## RA Configuration: ## ## ## ## Values in this section are common to PKI RA subsystems, and contain ## ## required information which MAY be overridden by users as necessary. ## ############################################################################### [RA] ############################################################################### ## TKS Configuration: ## ## ## ## Values in this section are common to TKS subsystems ## ## including 'PKI TKSs' and 'Cloned TKSs', and contain ## ## required information which MAY be overridden by users as necessary. ## ############################################################################### [TKS] pki_import_admin_cert=True pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s pki_admin_name=%(pki_admin_uid)s pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s pki_admin_uid=tksadmin pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s pki_ds_base_dn=o=%(pki_instance_name)s-TKS pki_ds_database=%(pki_instance_name)s-TKS pki_ds_hostname=%(pki_hostname)s pki_subsystem_name=TKS %(pki_hostname)s %(pki_https_port)s pki_share_db=True pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA ############################################################################### ## TPS Configuration: ## ## ## ## Values in this section are common to PKI TPS subsystems, and contain ## ## required information which MAY be overridden by users as necessary. ## ############################################################################### [TPS] pki_import_admin_cert=True pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s pki_admin_name=%(pki_admin_uid)s pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s pki_admin_uid=tpsadmin pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TPS pki_audit_signing_subject_dn=cn=TPS Audit Signing Certificate,o=%(pki_security_domain_name)s pki_ds_base_dn=o=%(pki_instance_name)s-TPS pki_ds_database=%(pki_instance_name)s-TPS pki_ds_hostname=%(pki_hostname)s pki_subsystem_name=TPS %(pki_hostname)s %(pki_https_port)s pki_authdb_hostname=%(pki_hostname)s pki_authdb_port=389 pki_authdb_secure_conn=False pki_ca_uri=https://%(pki_hostname)s:%(pki_https_port)s pki_kra_uri=https://%(pki_hostname)s:%(pki_https_port)s pki_tks_uri=https://%(pki_hostname)s:%(pki_https_port)s pki_enable_server_side_keygen=False pki_import_shared_secret=False pki_share_db=True pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=%(pki_instance_name)s-CA pki_source_phone_home_xml=/usr/share/pki/%(pki_subsystem_type)s/conf/phoneHome.xml pki_source_registry_cfg=%(pki_source_conf_path)s/registry.cfg # Paths # These are used in the processing of pkispawn and are not supposed # to be overwritten by user configuration files. # pki_subsystem_signed_audit_log_path=%(pki_subsystem_log_path)s/signedAudit