PKI 11 CA Clone Installation
Endi S. Dewata edited this page Dec 14, 2023
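# pkispawn deployment configuration for a PKI 11 CA clone (secondary.example.com
# cloned from primary.example.com). pkispawn parses this with Python configparser:
# one key per line, full-line `#` comments only, no inline comments.
# Credentials are masked as XXXXXXXX; do not publish real values, including the
# AJP secret, which is a credential like the passwords below.
[CA]
# Administrator
pki_admin_cert_file = /root/.dogtag/pki-tomcat/ca_admin.cert
pki_admin_cert_request_type = pkcs10
pki_admin_dualkey = False
pki_admin_email = root@localhost
pki_admin_name = admin-secondary.example.com
pki_admin_nickname = ipa-ca-agent
pki_admin_password = XXXXXXXX
pki_admin_subject_dn = cn=ipa-ca-agent,O=EXAMPLE.COM
pki_admin_uid = admin-secondary.example.com

# AJP
pki_ajp_host_ipv4 = 127.0.0.1
pki_ajp_host_ipv6 = ::1
# Shared secret for the AJP connector (used with pki_enable_proxy). It was the
# only unmasked credential in this example; masked here like the other secrets.
pki_ajp_secret = XXXXXXXX
pki_audit_group = pkiaudit

# Audit signing cert
pki_audit_signing_key_algorithm = SHA256withRSA
pki_audit_signing_key_size = 2048
pki_audit_signing_key_type = rsa
pki_audit_signing_nickname = auditSigningCert cert-pki-ca
pki_audit_signing_signing_algorithm = SHA256withRSA
pki_audit_signing_subject_dn = cn=CA Audit,O=EXAMPLE.COM
pki_audit_signing_token = internal
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_ca_hostname = primary.example.com
pki_ca_port = 443

# CA signing cert
# Empty path values are intentional: a clone imports the existing CA signing
# cert from the clone PKCS#12 rather than generating or loading one here.
pki_ca_signing_cert_path =
pki_ca_signing_csr_path =
pki_ca_signing_key_algorithm = SHA256withRSA
pki_ca_signing_key_size = 3072
pki_ca_signing_key_type = rsa
pki_ca_signing_nickname = caSigningCert cert-pki-ca
pki_ca_signing_record_create = True
pki_ca_signing_serial_number = 1
pki_ca_signing_signing_algorithm = SHA256withRSA
pki_ca_signing_subject_dn = CN=Certificate Authority,O=EXAMPLE.COM
pki_ca_signing_token = internal
pki_ca_starting_crl_number = 0

# Cert chain
pki_cert_chain_nickname = caSigningCert External CA
pki_cert_chain_path = /etc/ipa/ca.crt
pki_cert_id_generator = legacy

# Client cert
pki_client_admin_cert_p12 = /root/ca-agent.p12
pki_client_database_password =
pki_client_database_purge = True
pki_client_dir = /root/.dogtag/pki-tomcat
pki_client_pkcs12_password = XXXXXXXX

# Clone
pki_clone = True
pki_clone_pkcs12_password = XXXXXXXX
# PKCS#12 exported from the primary; it carries the CA's system certificates
# and keys. It sits in /tmp here, so keep it readable only by the installing
# user and remove it once the clone is installed.
pki_clone_pkcs12_path = /tmp/ca.p12
pki_clone_reindex_data = True
pki_clone_replicate_schema = False
pki_clone_replication_clone_port = 389
pki_clone_replication_master_port = 389
pki_clone_replication_security = TLS
# Replication is not set up by pkispawn in this deployment (False).
pki_clone_setup_replication = False
pki_clone_uri = https://primary.example.com:443
pki_configuration_path = /etc/pki
pki_default_ocsp_uri = http://ipa-ca.example.com/ca/ocsp
pki_dns_domainname = example.com

# DS connection
pki_ds_base_dn = o=ipaca
pki_ds_bind_dn = cn=Directory Manager
pki_ds_create_new_db = False
pki_ds_database = ipaca
pki_ds_hostname = secondary.example.com
pki_ds_ldap_port = 389
pki_ds_ldaps_port = 636
pki_ds_password = XXXXXXXX
pki_ds_remove_data = True
# LDAPS to the local DS, verified against the CA in pki_ds_secure_connection_ca_pem_file.
pki_ds_secure_connection = True
pki_ds_secure_connection_ca_nickname = Directory Server CA certificate
pki_ds_secure_connection_ca_pem_file = /etc/ipa/ca.crt
pki_enable_proxy = True
pki_existing = False
pki_external = False
pki_external_pkcs12_password =
pki_external_pkcs12_path =
pki_external_step_two = False
pki_group = pkiuser
pki_hostname = secondary.example.com

# HSM
pki_hsm_enable = False
pki_hsm_libfile =
pki_hsm_modulename =
pki_import_admin_cert = False
pki_instance_configuration_path = /etc/pki/pki-tomcat
pki_instance_name = pki-tomcat
# NOTE(review): pki_issuing_ca and pki_issuing_ca_uri point at the clone itself
# (secondary) while pki_issuing_ca_hostname names the primary; confirm which
# is intended before reusing this example.
pki_issuing_ca = https://secondary.example.com:443
pki_issuing_ca_hostname = primary.example.com
pki_issuing_ca_https_port = 443
pki_issuing_ca_uri = https://secondary.example.com:443
pki_master_crl_enable = True

# OCSP signing cert
pki_ocsp_signing_key_algorithm = SHA256withRSA
pki_ocsp_signing_key_size = 2048
pki_ocsp_signing_key_type = rsa
pki_ocsp_signing_nickname = ocspSigningCert cert-pki-ca
pki_ocsp_signing_signing_algorithm = SHA256withRSA
pki_ocsp_signing_subject_dn = cn=OCSP Subsystem,O=EXAMPLE.COM
pki_ocsp_signing_token = internal
pki_pkcs12_password =
pki_pkcs12_path =
pki_profiles_in_ldap = True
pki_random_serial_numbers_enable = False

# Replica ID range
pki_replica_number_range_end = 100
pki_replica_number_range_start = 1
pki_replication_password =

# Cert request ID range
pki_request_id_generator = legacy
pki_request_number_range_end = 10000000
pki_request_number_range_start = 1

# SAN extension
pki_san_for_server_cert =
pki_san_inject = False

# Security domain
pki_security_domain_hostname = primary.example.com
pki_security_domain_https_port = 443
pki_security_domain_name = IPA
pki_security_domain_password = XXXXXXXX
pki_security_domain_user = admin-secondary.example.com
pki_self_signed_token = internal

# Cert serial number range
pki_serial_number_range_end = 10000000
pki_serial_number_range_start = 1
pki_server_database_password = XXXXXXXX
pki_share_db = False
pki_share_dbuser_dn = uid=pkidbuser,ou=people,o=ipaca
pki_skip_configuration = False
pki_skip_ds_verify = False
pki_skip_installation = False
pki_skip_sd_verify = False

# SSL server cert
pki_sslserver_key_algorithm = SHA256withRSA
pki_sslserver_key_size = 2048
pki_sslserver_key_type = rsa
pki_sslserver_nickname = Server-Cert cert-pki-ca
pki_sslserver_subject_dn = cn=secondary.example.com,O=EXAMPLE.COM
pki_sslserver_token = internal
# seconds
pki_status_request_timeout = 15
pki_subordinate = False
pki_subordinate_create_new_security_domain = False
pki_subsystem = CA

# Subsystem cert
pki_subsystem_key_algorithm = SHA256withRSA
pki_subsystem_key_size = 2048
pki_subsystem_key_type = rsa
pki_subsystem_nickname = subsystemCert cert-pki-ca
pki_subsystem_subject_dn = cn=CA Subsystem,O=EXAMPLE.COM
pki_subsystem_token = internal
pki_subsystem_type = ca
pki_theme_enable = True
pki_theme_server_dir = /usr/share/pki/common-ui
pki_token_name = internal
pki_user = pkiuser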