forked from certnanny/sscep
-
Notifications
You must be signed in to change notification settings - Fork 0
/
sscep.conf
194 lines (142 loc) · 5.31 KB
/
sscep.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
#
# sscep.conf -- configuration file for SSCEP
#
# All configuration options are key-value pairs, grouped into sections:
#
# [section]
# Key = Value
#
# Quotation marks are optional - they are needed only if the value contains
# space characters (space or tab). Quotation marks inside the value string
# must be escaped using a backslash:
#
# Key = "Value \"containing quotation marks\""
#
# Comment lines (lines starting with '#') and empty lines are discarded.
#
# sscep is the default section. Do not alter its name
[sscep]
# Reference to an engine definition section (see below)
# Uncomment to use the defined engine instead of the filesystem.
# engine = sscep_engine
# SCEP server URL
URL = http://localhost/scep
# URL = http://localhost/cgi-bin/pkiclient.exe
# Use proxy server at host:port
# Proxy = localhost:8080
# CA certificate file (write if OPERATION is getca)
# CACertFile = ca.crt
# PKCS#7 encryption algorithm (des|3des|blowfish|aes[128]|aes192|aes256)
# EncAlgorithm = 3des
# PKCS#7 signature algorithm (md5|sha1|sha224|sha256|sha384|sha512)
# SigAlgorithm = sha1
# Note: this could be very misleading, the SCEP standard provides no
# mechanism to "negotiate" the algorithm - even if you send 3des, reply
# might be des.
# Verbose operation (true|false)
Verbose = false
# Debug (even more verbose operation)
Debug = false
[sscep_engine]
# Engine definition. It can have any name, as long as the name is referenced
# by the "engine" option in the [sscep] section.
# The parameter engine_id is mandatory.
# Engine ID. The engine will use the OpenSSL's engine interface.
# Supported engines are:
# - Any installed OpenSSL engine (e.g. tpm2tss)
# - capi (Microsoft CryptoAPI)
# - dynamic (loaded via dynamic_path)
# engine_id = capi
# If the engine needs to be loaded dynamically, specify the path to the SO file here.
# It is possible to provide paths relative to the sscep binary
# Note: On Windows use double slashes, see example
# Note: You HAVE to specify this unless you *know* it will be found otherwise. On
# Windows this can lead to problems since OpenSSL is often compiled with a Unix-
# Search-Path. In this case this can't be omitted at all.
# dynamic_path = ..\\capi\\capi.dll
# Some Engines require an additional module (take PKCS#11 interface for example)
# For these engines you can specify an additional module path here
# Note: On Windows use double slashes, see "dynamic_path" option
# MODULE_PATH =
# Special Options for engines are defined in their corresponding
# sections, always named [sscep_engine_*] where * is the defined
# engine id. You can see currently supported special options in
# each of these sections. If a section does not exist, it does
# not mean the engine is not supported, there are just no special
# options avaiable for it.
[sscep_engine_capi]
# This section defines CryptoAPI specific settings
# Only if the [engine]-section's engine_id is set to capi, this will be loaded,
# otherwise it will be ignored.
# Specific CryptoAPI option: Set this option to whatever
# location your newly generated key will reside in.
# In case of certreq creating your key, it will be in REQUEST.
new_key_location = REQUEST
# Which store should be used for all operations.
# The basic layout is storelocation\storename, e.g.
# LOCAL_MACHINE\MY and LOCAL_MACHINE\REQUEST
# The following options are accepted here:
# CURRENT_USER - default option, user store
# LOCAL_MACHINE - system store
storelocation = LOCAL_MACHINE
[sscep_engine_jksengine]
# This section defines JKSEngine specific settings
# Only if engine_id is set to "JKSEngine" this will be loaded, otherwise ignored.
# Password of Java KeyStore (Default: 123456)
# See JKSEngine for further documentation
# KeyStorePass =
# Path of Java tool (Path to ConnJKSEngine)
# JavaConnectorPath =
# Java Cryptography Provider of used Keystore
# KeyStoreProvider =
# Path of Java Runtime Environment
# This is normally not necessary
# JavaPath =
[sscep_getca]
# Options for retrieving CA Certificates (operation getca)
# CA identifier string, required by some CA
# CAIdentifier = "CA Identifier"
# Fingerprint algorithm (md5|sha1|sha224|sha256|sha384|sha512)
# FingerPrint = md5
[sscep_enroll]
# Operation for Certificate Enrollment (see SCEP documentation for details)
# Private key file
# PrivateKeyFile = local.key
# Certificate request file
# CertReqFile = local.csr
# Signature private key file, use with SignCertFile
# SignKeyFile = previous.key
# Signature certificate (used instead of self-signed)
# SignCertFile = previous.crt
# Write enrolled certificate in file
# LocalCertFile = local.crt
# Use different CA cert for encryption
# EncCertFile = enc.crt
# Write selfsigned certificate in file
# SelfSignedFile = selfsigned.crt
# Polling interval for pending certificate (seconds)
# PollInterval = 60
# Maximum polling time (seconds)
# MaxPollTime = 28800
# Max number of GetCertInitial requests
# MaxPollCount = 256
# Resume interrupted enrollment (true|false)
# Resume =
[sscep_getcert]
# Private key file
# PrivateKeyFile = local.key
# Local certificate file
# LocalCertFile = local.crt
# Certificate serial number (decimal)
# GetCertSerial = 1
# Write certificate in file
# GetCertFile = cert.crt
[sscep_getcrl]
# Private key file
# PrivateKeyFile = local.key
# Local certificate file
# LocalCertFile = local.crt
# Write CRL in file
# GetCrlFile = crl.crl
[sscep_getnextca]
#NYI