#
# Dogtag PKI configuration file
#
# The ipaca_default.ini contains hard-coded defaults that cannot be modified
# by a user without breaking IPA internals.
#
# Note: "%" must be quoted as "%%".
#
# [DEFAULT] holds the fallback value for every key used by [CA] and [KRA]
# below (Python configparser semantics: a section that does not set a key
# inherits it from here). %(name)s references are resolved by configparser
# interpolation at read time, hence the "%%" rule in the file header.
# Two referenced keys are not defined anywhere in this file --
# pki_configuration_path and home_dir -- and are presumably supplied by the
# installer together with the ipa_* values listed under "dynamic values".
[DEFAULT]
# IPA CA certificate; used as the trust anchor for the LDAPS connection
# when pki_ds_secure_connection is True (see pki_ds_secure_connection_ca_pem_file).
ipa_ca_pem_file=/etc/ipa/ca.crt
## dynamic values
# Set by the installer at runtime. They are listed here, commented out, so
# that every interpolation target used below is visible in one place.
# ipa_ca_subject=
# ipa_ajp_secret=
# ipa_subject_base=
# ipa_fqdn=
# ipa_ocsp_uri=
# ipa_admin_cert_p12=
# ipa_admin_user=
# sensitive dynamic values
# Never assign these in this file. They are injected at runtime and are
# interpolated below by pki_client_pkcs12_password and
# pki_security_domain_password, so a literal value here would end up in
# every generated pkispawn configuration.
# pki_admin_password=
# pki_ds_password=
# Dogtag defaults
pki_instance_name=pki-tomcat
# pki_configuration_path is not defined in this file -- TODO confirm the
# installer always provides it, otherwise interpolation fails at read time.
pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s
pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert
pki_admin_cert_request_type=pkcs10
pki_admin_dualkey=False
pki_admin_name=%(ipa_admin_user)s
pki_admin_nickname=ipa-ca-agent
pki_admin_subject_dn=cn=ipa-ca-agent,%(ipa_subject_base)s
pki_admin_uid=%(ipa_admin_user)s
# CA host/port follow the security domain settings further down.
pki_ca_hostname=%(pki_security_domain_hostname)s
pki_ca_port=%(pki_security_domain_https_port)s
# nickname and subject are hard-coded
pki_ca_signing_nickname=caSigningCert cert-pki-ca
pki_ca_signing_cert_path=
pki_client_admin_cert_p12=%(ipa_admin_cert_p12)s
# Empty on purpose: the client NSS database gets no password and is purged
# after installation (pki_client_database_purge=True).
pki_client_database_password=
pki_client_database_purge=True
# home_dir is not defined in this file -- presumably supplied by the caller.
pki_client_dir=%(home_dir)s/.dogtag/%(pki_instance_name)s
# Resolves to the runtime admin password (sensitive dynamic value above).
pki_client_pkcs12_password=%(pki_admin_password)s
pki_ds_bind_dn=cn=Directory Manager
pki_ds_ldap_port=389
pki_ds_ldaps_port=636
# CA: o=ipaca, KRA: o=kra,o=ipaca
pki_ds_base_dn=o=ipaca
pki_ds_database=ipaca
pki_ds_hostname=%(ipa_fqdn)s
# Destructive: existing data under pki_ds_base_dn is removed during install.
pki_ds_remove_data=True
# Plain LDAP by default; [KRA] overrides this to True. [CA] does not
# override it, so the CA installer keeps the unencrypted connection --
# presumably acceptable because pki_ds_hostname is the local IPA FQDN.
pki_ds_secure_connection=False
pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
pki_ds_secure_connection_ca_pem_file=%(ipa_ca_pem_file)s
pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
pki_issuing_ca_uri=https://%(ipa_fqdn)s:443
pki_issuing_ca=%(pki_issuing_ca_uri)s
pki_replication_password=
# AJP proxying from httpd is enabled and authenticated with the runtime
# ipa_ajp_secret; the secret must be shared with the httpd proxy config.
pki_enable_proxy=True
pki_ajp_secret=%(ipa_ajp_secret)s
pki_security_domain_hostname=%(ipa_fqdn)s
pki_security_domain_https_port=443
pki_security_domain_name=IPA
# Resolves to the runtime admin password (sensitive dynamic value above).
pki_security_domain_password=%(pki_admin_password)s
pki_security_domain_user=%(ipa_admin_user)s
# "internal" = software NSS token, not an HSM.
pki_self_signed_token=internal
pki_skip_configuration=False
# Keep both verification steps enabled; skipping them hides setup errors.
pki_skip_ds_verify=False
pki_skip_installation=False
pki_skip_sd_verify=False
pki_sslserver_token=internal
pki_sslserver_nickname=Server-Cert cert-pki-ca
pki_sslserver_subject_dn=cn=%(ipa_fqdn)s,%(ipa_subject_base)s
# nickname and subject are hard-coded
pki_subsystem_nickname=subsystemCert cert-pki-ca
pki_subsystem_subject_dn=cn=CA Subsystem,%(ipa_subject_base)s
pki_audit_group=pkiaudit
pki_group=pkiuser
pki_user=pkiuser
pki_existing=False
# Externally signed CA chain / PKCS#12 inputs; empty unless the installer
# sets them (see pki_external_* in [CA]).
pki_cert_chain_path=
pki_cert_chain_nickname=caSigningCert External CA
pki_pkcs12_path=
pki_pkcs12_password=
# CA subsystem. Keys not listed here fall back to [DEFAULT]; note that
# pki_ds_secure_connection is not overridden, so the CA keeps the plain
# LDAP default.
[CA]
# Same as the [DEFAULT] value; restated here for symmetry with [KRA].
pki_ds_base_dn=o=ipaca
pki_ca_signing_record_create=True
pki_ca_signing_serial_number=1
# Subject comes from the runtime ipa_ca_subject value.
pki_ca_signing_subject_dn=%(ipa_ca_subject)s
pki_ca_signing_csr_path=
pki_ca_starting_crl_number=0
# External-CA mode is off by default; the installer flips pki_external /
# pki_external_step_two and fills pki_pkcs12_* when an external CA is used.
pki_external=False
pki_external_step_two=False
pki_external_pkcs12_path=%(pki_pkcs12_path)s
pki_external_pkcs12_password=%(pki_pkcs12_password)s
# The CA creates the admin cert itself; [KRA] imports it instead.
pki_import_admin_cert=False
pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
pki_ocsp_signing_subject_dn=cn=OCSP Subsystem,%(ipa_subject_base)s
pki_profiles_in_ldap=True
pki_subordinate=False
pki_subordinate_create_new_security_domain=False
pki_audit_signing_nickname=auditSigningCert cert-pki-ca
pki_audit_signing_subject_dn=cn=CA Audit,%(ipa_subject_base)s
# The CA owns the database; pkidbuser is the account the KRA later shares.
pki_share_db=False
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca
pki_master_crl_enable=True
# OCSP responder URI embedded in issued certs; runtime ipa_ocsp_uri value.
pki_default_ocsp_uri=%(ipa_ocsp_uri)s
# Serial / request / replica number ranges (inclusive start, end).
pki_serial_number_range_start=1
pki_serial_number_range_end=10000000
pki_request_number_range_start=1
pki_request_number_range_end=10000000
pki_replica_number_range_start=1
pki_replica_number_range_end=100
# KRA subsystem. Keys not listed here fall back to [DEFAULT].
[KRA]
# KRA data lives under the CA suffix in the shared database.
pki_ds_base_dn=o=kra,o=ipaca
pki_ds_create_new_db=False
# Overrides the [DEFAULT] False: the KRA talks to the DS over LDAPS,
# verified against pki_ds_secure_connection_ca_pem_file (the IPA CA cert).
pki_ds_secure_connection=True
# Reuse the admin cert created by the CA rather than issuing a new one.
pki_import_admin_cert=True
pki_standalone=False
pki_external_step_two=False
pki_storage_nickname=storageCert cert-pki-kra
pki_storage_subject_dn=cn=KRA Storage Certificate,%(ipa_subject_base)s
pki_transport_nickname=transportCert cert-pki-kra
pki_transport_subject_dn=cn=KRA Transport Certificate,%(ipa_subject_base)s
pki_audit_signing_nickname=auditSigningCert cert-pki-kra
pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s
# Needed because CA and KRA share the same database
# We will use the dbuser created for the CA.
pki_share_db=True
pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca
# default KRA padding
# RSA-OAEP for key wrapping; do not set to False, which would presumably
# fall back to PKCS#1 v1.5 padding -- TODO confirm against Dogtag docs.
pki_use_oaep_rsa_keywrap=True