Imported Debian patch 4.8.10-2

install/share/ipaca_customize.ini

@@ -0,0 +1,119 @@
+#
+# Dogtag PKI configuration file
+#
+# Notes:
+#  - "%" must be quoted as "%%".
+#  - options in the [CA] and [KRA] section cannot be overriden from options
+#    in the [DEFAULT] section
+#  - pki_*_token options are hard-coded to pki_token_name
+#  - pki_sslserver_token is hard-coded to 'internal'
+#  - pki_backup_keys is automatically disabled when HSM support is enabled,
+#    as HSM backup is not possible with the default mechanism.
+#
+# Predefined variables
+#  - ipa_ca_subject
+#  - ipa_ajp_secret
+#  - ipa_fqdn
+#  - ipa_subject_base
+#  - pki_admin_password
+#  - pki_dns_domainname
+#  - softhsm2_so
+
+
+[DEFAULT]
+# default algorithms for all certificates
+ipa_key_algorithm=SHA256withRSA
+ipa_key_size=2048
+ipa_key_type=rsa
+ipa_signing_algorithm=SHA256withRSA
+
+# Used for IPA CA
+# signing algorithm can be overriden on command line
+ipa_ca_key_algorithm=%(ipa_key_algorithm)s
+ipa_ca_key_size=3072
+ipa_ca_key_type=%(ipa_key_type)s
+ipa_ca_signing_algorithm=%(ipa_signing_algorithm)s
+
+# HSM support
+pki_hsm_enable=False
+pki_hsm_libfile=
+pki_hsm_modulename=
+pki_token_name=internal
+# backup is automatically disabled when HSM support is enabled
+pki_backup_keys=True
+pki_backup_password=%(pki_admin_password)s
+
+pki_admin_email=root@localhost
+
+## auditSigningCert cert-pki-ca / auditSigningCert cert-pki-kra
+pki_audit_signing_key_algorithm=%(ipa_key_algorithm)s
+pki_audit_signing_key_size=%(ipa_key_size)s
+pki_audit_signing_key_type=%(ipa_key_type)s
+pki_audit_signing_signing_algorithm=%(ipa_signing_algorithm)s
+pki_audit_signing_token=%(pki_token_name)s
+
+# Configures the status request timeout, i.e. the connect/data
+# timeout on the HTTP request to get the status of Dogtag.
+#
+# This configuration is needed in "multiple IP address" scenarios
+# where this server's hostname has multiple IP addresses but the
+# HTTP server is only listening on one of them.  Without a timeout,
+# if a "wrong" IP address is tried first, it will take a long time
+# to timeout, exceeding the overall timeout hence the request will
+# not be re-tried.  Setting a shorter timeout allows the request
+# to be re-tried.
+#
+# Note that HSMs cause different behaviour so this value might
+# not be suitable for when we implement HSM support.  It is
+# known that a value of 5s is too short in HSM environment.
+#
+pki_status_request_timeout=15
+
+# for supporting server cert SAN injection
+pki_san_inject=False
+pki_san_for_server_cert=
+
+## Server-Cert cert-pki-ca
+pki_sslserver_key_algorithm=%(ipa_key_algorithm)s
+pki_sslserver_key_size=%(ipa_key_size)s
+pki_sslserver_key_type=%(ipa_key_type)s
+
+## subsystemCert cert-pki-ca
+pki_subsystem_key_algorithm=%(ipa_key_algorithm)s
+pki_subsystem_key_size=%(ipa_key_size)s
+pki_subsystem_key_type=%(ipa_key_type)s
+pki_subsystem_token=%(pki_token_name)s
+
+[CA]
+pki_random_serial_numbers_enable=False
+
+## caSigningCert cert-pki-ca
+pki_ca_signing_key_algorithm=%(ipa_ca_key_algorithm)s
+pki_ca_signing_key_size=%(ipa_ca_key_size)s
+pki_ca_signing_key_type=%(ipa_ca_key_type)s
+pki_ca_signing_signing_algorithm=%(ipa_ca_signing_algorithm)s
+pki_ca_signing_token=%(pki_token_name)s
+
+## ocspSigningCert cert-pki-ca
+pki_ocsp_signing_key_algorithm=%(ipa_key_algorithm)s
+pki_ocsp_signing_key_size=%(ipa_key_size)s
+pki_ocsp_signing_key_type=%(ipa_key_type)s
+pki_ocsp_signing_signing_algorithm=%(ipa_signing_algorithm)s
+pki_ocsp_signing_token=%(pki_token_name)s
+
+[KRA]
+pki_kra_ephemeral_requests=True
+
+## storageCert cert-pki-kra
+pki_storage_key_algorithm=%(ipa_key_algorithm)s
+pki_storage_key_size=%(ipa_key_size)s
+pki_storage_key_type=%(ipa_key_type)s
+pki_storage_signing_algorithm=%(ipa_signing_algorithm)s
+pki_storage_token=%(pki_token_name)s
+
+## transportCert cert-pki-kra
+pki_transport_key_algorithm=%(ipa_key_algorithm)s
+pki_transport_key_size=%(ipa_key_size)s
+pki_transport_key_type=%(ipa_key_type)s
+pki_transport_signing_algorithm=%(ipa_signing_algorithm)s
+pki_transport_token=%(pki_token_name)s