## Secure Server Configuration File
## (c) 1999 by Massimiliano Pala and the OpenCA Group
##
## Please refer to the documentation for a full, detailed
## description of the parameters. Read the README file in this dir
## for more information on the programs accessing this file.
##
## This is the configuration template for the SCEP interface
## (CgiServerType / CgiServerName are both "scep" below).
## Values written as @name@ are placeholders; presumably they are
## substituted when the package is configured or installed -- confirm
## against the build scripts.
##
## NOTE(review): this file carries the RA key passphrase (ScepRAPasswd)
## in clear text once the placeholder is filled in. Keep the installed
## file readable only by the account that runs the SCEP CGI.

## ============== [ General Section ] =========================

DEFAULT_LANGUAGE "@default_language@"
DEFAULT_CHARSET "@default_charset@"

DBmodule "@dbmodule@"

CgiLibPath "/usr/share/openca/functions"
CgiServerType "scep"
CgiServerName "scep"

# Left empty in this template.
HtdocsUrlPrefix ""

# Session cookie storage and lifetime.
# NOTE(review): SessionLifetime is presumably in seconds (1200 = 20 min);
# confirm the unit in the documentation.
SessionDir /var/lib/openca/session/cookie
SessionLifetime 1200

ModuleID @scep_module_id@
ModuleShift @module_shift@

# Access-control, role, module, token and logging definitions are read
# from the XML files named here. These files decide who may use this
# interface, so they should be writable by administrators only.
AccessControlConfiguration "/etc/openca/access_control/scep.xml"
SoftwareConfiguration "/etc/openca/config.xml"
RoleConfiguration "/etc/openca/rbac/roles.xml"
ModuleConfiguration "/etc/openca/rbac/modules.xml"
TokenConfiguration "/etc/openca/token.xml"
LogConfiguration "/etc/openca/log.xml"

# Locations of issued certificates, the CA certificate, the chain and CRLs.
CertsDir "/var/lib/openca/crypto/certs"
CACertificate "/var/lib/openca/crypto/cacerts/cacert.pem"
ChainDir "/var/lib/openca/crypto/chain"
CRLDir "/var/lib/openca/crypto/crls"

## Paths
# Absolute paths to the external programs and working files.
# NOTE(review): tempdir presumably receives request data while it is
# being processed; it should not be writable by other local users.
openssl "/usr/bin/openssl"
sslconfig "/etc/openca/openssl/openssl.cnf"
scepPath "/usr/bin/openca-scep"
tempdir "/var/lib/openca/tmp"
crlfile "/var/lib/openca/crypto/crls/cacrl.crl"

## ==================== [ LOA Support ] =========================
## USE_LOAS takes either YES or NO
USE_LOAS "@USE_LOAS@"

## ==================== [ SCEP Section ] ======================

## It is just an example, you should change the 03.pem and/or
## the path pointing to the right key/cert pair
# NOTE(review): the "03.pem" mentioned above does not appear in this
# template; the three values below are @placeholders@.
# ScepRAPasswd is presumably the passphrase protecting ScepRAKey and is
# stored here in clear text: restrict read access to this file and to
# the key file it names.
ScepRACert "@SCEP_RA_CERT@"
ScepRAKey "@SCEP_RA_KEY@"
ScepRAPasswd "@SCEP_RA_PASSWD@"

##
## SCEP Policy definition
##

# ScepAllowEnrollment: if set to "NO" the SCEP server will not accept
# requests for certificate DNs that don't exist yet.
# As shipped ("YES"), requests for previously unknown DNs are accepted.
ScepAllowEnrollment "YES"

# ScepAllowRenewal: if set to "YES" the SCEP server will allow renewal
# requests for existing certificates.
ScepAllowRenewal "YES"

# ScepKeepSubjectAltName: parse incoming request and keep supplied
# SubjectAltName
# NOTE(review): with "YES" the SubjectAltName comes from the requester,
# so whoever approves the request should check it as carefully as the
# subject DN.
ScepKeepSubjectAltName "YES"

# ScepRenewRDNMatch: List of request RDNs that must match an
# existing certificate to identify the request as a renewal
# Example: "CN,O,C"
# Please note that CN might not be enough for your case if your CNs
# are not unique. In this case add additional RDN components, such
# as OU, O or DC in order to allow a match.
# NOTE(review): the comment above calls this ScepRenewRDNMatch, while the
# key set below is ScepRenewalRDNMatch -- confirm which spelling the SCEP
# CGI actually reads. The shipped value matches on CN only; pick a set
# of RDNs that identifies exactly one certificate in your namespace,
# especially before turning on ScepAutoApprove.
ScepRenewalRDNMatch "CN"

# Defaults for initial enrollment
# Change these according to your setup
ScepDefaultRole "VPN Server"
ScepDefaultRA "Trustcenter itself"

# ScepAutoApprove: if set to "YES" and the incoming SCEP request is signed
# with the already existing end entity certificate (newer SCEP drafts only!)
# the request is automatically approved in the RA.
# As shipped ("NO"), no request is approved automatically by this setting.
ScepAutoApprove "NO"

################################

## ================== [ End SCEP Section ] ====================