Fichier de déploiement de la PKI: ca.cfg

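[DEFAULT]
# Values shared by every subsystem section below.
# The pki_* keys are pkispawn deployment parameters, read with Python
# configparser semantics: [DEFAULT] keys act as fallbacks for the other
# sections, and %(key)s is expanded from the same section or from here.
# A literal percent sign must therefore be written %%.

# Hostname and ports of the Tomcat instance hosting the subsystems.
pki_hostname = pki.exemple.com
pki_https_port = 8443
pki_http_port = 8080

pki_instance_name = pki-tomcat

# Security domain identity. Both values are derived from the secdomain_*
# keys so that they agree with the per-subsystem sections, which reference
# the same keys.
pki_security_domain_name = %(secdomain_name)s
pki_security_domain_user = %(secdomain_user)s

conf_company_name = EXEMPLE

# Passwords are deliberately left empty in this template and are meant to be
# supplied at deployment time rather than stored here.
pki_ds_password =
pki_admin_password =
pki_security_domain_password =

pki_client_database_password =
pki_client_pkcs12_password =
pki_token_password =
pki_pkcs12_password =

# Directory server and naming parameters referenced by the sections below.
ldap_host = ldap.exemple.com
ldap_port = 389
secdomain_name = secdomain
secdomain_user = secdomadmin
basedn = dc=pki,dc=exemple.com
pki_dns_domainname = exemple.com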

[CA]
# Certificate Authority subsystem.
# pki_existing together with pki_import_system_certs and pki_pkcs12_path
# presumably selects the "install with existing certificates" flow, the
# certificates being taken from the PKCS#12 file named below — confirm.
pki_existing = True
pki_import_system_certs = True
pki_import_admin_cert = False
pki_pkcs12_path = /root/pki-ecc.p12

# CA administrator. Name and e-mail are derived from the uid.
# NOTE: the subject DN uses spaces around "=", which not every DN parser
# accepts (RFC 4514 only mandates the unspaced form).
pki_admin_uid = caadmin
pki_admin_name = %(pki_admin_uid)s
pki_admin_email = %(pki_admin_name)s@%(pki_dns_domainname)s
pki_admin_nickname = caadmin
pki_admin_subject_dn = cn = PKI Admin, o = %(pki_security_domain_name)s

# Security domain: same values as [DEFAULT], restated here for readability.
pki_security_domain_name = %(secdomain_name)s
pki_security_domain_user = %(secdomain_user)s

# Internal directory server used by the CA.
# NOTE: pki_ds_secure_connection = False means the bind to ldap_host on
# port 389 is unencrypted, so the bind DN's password crosses the network in
# clear unless the directory is on the same host — review before production.
# The bind DN also uses spaces around "=" (see the admin DN note above).
pki_ds_hostname = %(ldap_host)s
pki_ds_ldap_port = %(ldap_port)s
pki_ds_secure_connection = False
pki_ds_bind_dn = cn = dirman
pki_ds_base_dn = dc=ca,%(basedn)s
pki_ds_database = userroot
pki_ds_create_new_db = False
pki_ds_remove_data = True

# Shared database user, located under the CA suffix.
pki_share_db = True
pki_share_dbuser_dn = uid=pkidbuser,ou=people, dc=ca, %(basedn)s

pki_random_serial_numbers_enable = True

#================================================
# System certificates: all ECC, with the hash matched to the curve size
# (P-384 / SHA-384 for the CA signing key, P-256 / SHA-256 for the rest).

pki_ca_signing_nickname = pki_root_ca
pki_ca_signing_key_type = ecc
pki_ca_signing_key_size = nistp384
pki_ca_signing_key_algorithm = SHA384withEC
pki_ca_signing_signing_algorithm = SHA384withEC

pki_sslserver_nickname = pki_ssl_server
pki_sslserver_key_type = ecc
pki_sslserver_key_size = nistp256
pki_sslserver_key_algorithm = SHA256withEC
pki_sslserver_signing_algorithm = SHA256withEC

pki_subsystem_nickname = pki_subsystem
pki_subsystem_key_type = ecc
pki_subsystem_key_size = nistp256
pki_subsystem_key_algorithm = SHA256withEC
pki_subsystem_signing_algorithm = SHA256withEC

#================================================
# Audit and OCSP signing keys: P-521 / SHA-512.

pki_audit_signing_nickname = pki_ca_audit_sign
pki_audit_signing_key_type = ecc
pki_audit_signing_key_size = nistp521
pki_audit_signing_key_algorithm = SHA512withEC
pki_audit_signing_signing_algorithm = SHA512withEC

pki_ocsp_signing_nickname = pki_ca_ocsp_sign
pki_ocsp_signing_key_type = ecc
pki_ocsp_signing_key_size = nistp521
pki_ocsp_signing_key_algorithm = SHA512withEC
pki_ocsp_signing_signing_algorithm = SHA512withEC

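[OCSP]
# OCSP responder subsystem.
pki_import_system_certs = True
pki_import_admin_cert = True

# Internal directory server used by the OCSP subsystem.
# NOTE: pki_ds_secure_connection = False means the bind to ldap_host on
# port 389 is unencrypted, so the bind DN's password crosses the network in
# clear unless the directory is on the same host — review before production.
# The bind DN uses spaces around "=", which not every DN parser accepts.
pki_ds_hostname = %(ldap_host)s
pki_ds_ldap_port = %(ldap_port)s
pki_ds_secure_connection = False
pki_ds_base_dn = dc=ocsp,%(basedn)s
pki_ds_bind_dn = cn = dirman
pki_ds_database = userroot

pki_ds_create_new_db = False
pki_ds_remove_data = True

# Shared database user. It lives under dc=ca (not dc=ocsp), presumably the
# same account the [CA] section declares — confirm.
pki_share_db = True
pki_share_dbuser_dn = uid=pkidbuser,ou=people, dc=ca, %(basedn)s

# OCSP administrator. Name and e-mail are derived from the uid.
pki_admin_uid = ocspadmin
pki_admin_name = %(pki_admin_uid)s
pki_admin_email = %(pki_admin_name)s@%(pki_dns_domainname)s
pki_admin_nickname = ocspadmin

# Security domain to join. Fixed: the reference was %(domain_name)s, a key
# that does not exist anywhere in this file, which makes configparser raise
# an interpolation error when this section is read. The [CA] section and
# [DEFAULT] both use secdomain_name.
pki_security_domain_name = %(secdomain_name)s
pki_security_domain_user = %(secdomain_user)s


#================================================
# System certificates: ECC, hash matched to the curve size.

pki_ca_signing_nickname = pki_root_ca
pki_ca_signing_key_size = nistp384
pki_ca_signing_key_type = ecc
pki_ca_signing_key_algorithm = SHA384withEC
pki_ca_signing_signing_algorithm = SHA384withEC

pki_sslserver_nickname = pki_ssl_server
pki_sslserver_key_size = nistp256
pki_sslserver_key_type = ecc
pki_sslserver_key_algorithm = SHA256withEC
pki_sslserver_signing_algorithm = SHA256withEC

pki_subsystem_nickname = pki_subsystem
pki_subsystem_key_size = nistp256
pki_subsystem_key_type = ecc
pki_subsystem_key_algorithm = SHA256withEC
pki_subsystem_signing_algorithm = SHA256withEC

#================================================
# Audit and OCSP signing keys: P-521 / SHA-512.

pki_audit_signing_nickname = pki_ocsp_audit_sign
pki_audit_signing_key_size = nistp521
pki_audit_signing_key_type = ecc
pki_audit_signing_key_algorithm = SHA512withEC
pki_audit_signing_signing_algorithm = SHA512withEC

pki_ocsp_signing_nickname = pki_ocsp_sign
pki_ocsp_signing_key_size = nistp521
pki_ocsp_signing_key_type = ecc
pki_ocsp_signing_key_algorithm = SHA512withEC
pki_ocsp_signing_signing_algorithm = SHA512withEC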

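[KRA]
# Key Recovery Authority subsystem.
pki_import_system_certs = True
pki_import_admin_cert = True

# KRA administrator. Name and e-mail are derived from the uid.
pki_admin_uid = kraadmin
pki_admin_name = %(pki_admin_uid)s
pki_admin_email = %(pki_admin_name)s@%(pki_dns_domainname)s
pki_admin_nickname = kraadmin

# Internal directory server used by the KRA.
# NOTE: pki_ds_secure_connection = False means the bind to ldap_host on
# port 389 is unencrypted, so the bind DN's password crosses the network in
# clear unless the directory is on the same host — review before production.
# The bind DN uses spaces around "=", which not every DN parser accepts.
pki_ds_hostname = %(ldap_host)s
pki_ds_ldap_port = %(ldap_port)s
pki_ds_secure_connection = False
pki_ds_bind_dn = cn = dirman
pki_ds_base_dn = dc=kra,%(basedn)s
pki_ds_database = userroot

pki_ds_create_new_db = False
pki_ds_remove_data = True

# Shared database user. It lives under dc=ca (not dc=kra), presumably the
# same account the [CA] section declares — confirm.
pki_share_db = True
pki_share_dbuser_dn = uid=pkidbuser,ou=people, dc=ca, %(basedn)s

# Security domain to join. Fixed: the reference was %(domain_name)s, a key
# that does not exist anywhere in this file, which makes configparser raise
# an interpolation error when this section is read. The [CA] section and
# [DEFAULT] both use secdomain_name.
pki_security_domain_name = %(secdomain_name)s
pki_security_domain_user = %(secdomain_user)s


#================================================
# System certificates.
# NOTE: the CA signing key is declared as nistp521 here but nistp384 in the
# [CA] section; if both describe the same certificate they should agree —
# confirm which one is intended. The sslserver and subsystem keys pair a
# P-521 curve with SHA-256, unlike the [CA]/[OCSP] sections (P-256/SHA-256).

pki_ca_signing_nickname = pki_root_ca
pki_ca_signing_key_size = nistp521
pki_ca_signing_key_type = ecc
pki_ca_signing_key_algorithm = SHA512withEC
pki_ca_signing_signing_algorithm = SHA512withEC

pki_sslserver_nickname = pki_ssl_server
pki_sslserver_key_size = nistp521
pki_sslserver_key_type = ecc
pki_sslserver_key_algorithm = SHA256withEC
pki_sslserver_signing_algorithm = SHA256withEC

pki_subsystem_nickname = pki_subsystem
pki_subsystem_key_size = nistp521
pki_subsystem_key_type = ecc
pki_subsystem_key_algorithm = SHA256withEC
pki_subsystem_signing_algorithm = SHA256withEC

#================================================
# KRA storage and transport keys: RSA 2048 / SHA-512 (the only RSA keys in
# this deployment; every other key is ECC).

pki_storage_nickname = pki_kra_storage
pki_storage_key_size = 2048
pki_storage_key_type = rsa
pki_storage_key_algorithm = SHA512withRSA
pki_storage_signing_algorithm = SHA512withRSA

pki_transport_nickname = pki_kra_transport
pki_transport_key_size = 2048
pki_transport_key_type = rsa
pki_transport_key_algorithm = SHA512withRSA
pki_transport_signing_algorithm = SHA512withRSA

#================================================
# Audit and OCSP signing keys: P-521 / SHA-512.

pki_audit_signing_nickname = pki_kra_audit_sign
pki_audit_signing_key_size = nistp521
pki_audit_signing_key_type = ecc
pki_audit_signing_key_algorithm = SHA512withEC
pki_audit_signing_signing_algorithm = SHA512withEC

pki_ocsp_signing_nickname = pki_kra_ocsp_sign
pki_ocsp_signing_key_size = nistp521
pki_ocsp_signing_key_type = ecc
pki_ocsp_signing_key_algorithm = SHA512withEC
pki_ocsp_signing_signing_algorithm = SHA512withEC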