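## Configuration File for OpenCA Software Package
## (c) 1999-2002 by Massimiliano Pala and OpenCA Group
## All Rights Reserved
##
## Format: one "KEY value [value ...]" per line, values optionally
## double-quoted, "#" starts a full-line comment.  Tokens of the form
## @name@ are presumably substituted at install/configure time -- confirm
## they have all been replaced before deploying this file.

## Crypto Section
## ==============
openssl "/usr/bin/openssl"
sslconfig "/etc/openca/openssl/openssl.cnf"
sslindex "/var/lib/openca/crypto/index.txt"
sslserial "/var/lib/openca/crypto/serial"
MakePath "/usr/bin/make -s"

## General Section
## ===============
DEFAULT_LANGUAGE "@default_language@"
DEFAULT_CHARSET "@default_charset@"

## use DB or DBI here - DB is DBM-files and DBI is RDBMS
## config DBI via DBI.conf
DBmodule "@dbmodule@"

CgiLibPath "/usr/share/openca/functions"
CgiServerType "batch"
CgiServerName "batch"
HtdocsUrlPrefix "/openca/batch"
SessionDir /var/lib/openca/session/cookie
## session lifetime (presumably seconds -- confirm against the session code);
## the session directory holds cookie state and should be writable only by
## the service account
SessionLifetime 1200
ModuleID @batch_module_id@
ModuleShift @module_shift@

AccessControlConfiguration "/etc/openca/access_control/batch.xml"
SoftwareConfiguration "/etc/openca/config.xml"
RoleConfiguration "/etc/openca/rbac/roles.xml"
ModuleConfiguration "/etc/openca/rbac/modules.xml"
TokenConfiguration "/etc/openca/token.xml"
LogConfiguration "/etc/openca/log.xml"
MenuConfiguration "/etc/openca/menu.xml"
LOAConfiguration "/etc/openca/loa.xml"
StatemachineConfiguration "/etc/openca/bp/bp.xml"

## ==================== [ LOA Support ] =========================
## USE_LOAS takes either YES or NO
USE_LOAS "@USE_LOAS@"

MaxReturnedItems 20
TempDir "/var/lib/openca/tmp"
certsIndex "/var/lib/openca/crypto/index.txt"
extFilesDir "/etc/openca/openssl/extfiles"
certDir "/var/lib/openca/crypto/certs"

## extra request attributes: the three lists below are positional and must
## stay the same length (name, display label, allowed character class)
ADDITIONAL_REQUEST_ATTRIBUTES "requestercn" "email" "department" "telephone"
ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE "Name (first and Last name)" "Email" "Department" "Telephone"
ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE "LATIN1_LETTERS" "EMAIL" "LATIN1_LETTERS" "LATIN1_LETTERS"

CSR_SUPPORTED_ATTRIBUTES "emailAddress" "CN" "SN" "unstructuredName" "unstructuredAddress" "OU" "L" "ST" "O" "C" "DC" "serialNumber" "UID"
CSR_DEFAULT_ATTRIBUTE_FIELDS 7
CSR_ALLOW_MULTIVALUED_ATTRIBUTES YES
CSR_SUPPORTED_SUBJECT_ALT_NAMES "email" "DNS" "IP" "DirName" "URI" "RID" "otherName" "Microsoft_GUID" "Microsoft_UPN"
CSR_DEFAULT_SUBJECT_ALT_NAME_FIELDS 4
NewCertsDir "/var/lib/openca/crypto/certs"

## commands offered on the view pages
CmdRefs_viewCert "SENDCERT" "SEND_CERT_KEY" "VIEW_CSR" "TOKENHANDLING" "SET_PUBLIC_PASSWD"
CmdRefs_viewCSR "ISSUE_CERT" "DELETE" "EDIT" "GENERATE_KEY"
CmdRefs_viewCRR "APPROVE_WITHOUT_SIGNING" "APPROVE" "REVOKE_CERT" "DELETE" "EDIT" "VIEW_CERT" "VIEW_USER_CRR"
REQUIRE_PASSWD_PUBLIC "NO"
CHANGE_DAYS "YES"

## Batch Processors
## ================
## private key files: keep them readable by the service account only
KEY_BACKUP_KEY "/var/lib/openca/crypto/keys/keybackup_key.pem"
KEY_BACKUP_CERTIFICATE "/var/lib/openca/crypto/cacerts/keybackup_cert.pem"
BP_KEY "/var/lib/openca/crypto/keys/bp_key.pem"
BP_CERTIFICATE "/var/lib/openca/crypto/cacerts/bp_cert.pem"
## (the two directory values below previously carried a stray trailing ";"
## after the closing quote, unlike every other entry in this file)
BP_DIR "/var/lib/openca/batch"
BP_EXPORT_PKCS12_DIR "/var/lib/openca/bp/dataexchange/pkcs12"
## use DENY, (ALLOW|OPTIONAL), (EN)FORCE
BP_KEY_BACKUP_MODE "ALLOW"
BP_DEFAULT_KEY_ALGORITHM "rsa"
## NOTE(review): 1024-bit RSA is below current minimum recommendations
## (2048 bits or more); consider raising both the default and the minimum
BP_DEFAULT_KEY_LENGTH "1024"
BP_MINIMUM_KEY_LENGTH "1024"
BP_File_ImportNewUser "batch_new_user.txt"
BP_File_ImportUpdateUser "batch_update_user.txt"
BP_File_ImportACL "batch_acl.txt"
BP_File_ExportPIN "batch_export_pin.txt"

## Images Section
## ==============
ValidSigImage "/openca/batch/images/validSig.png"
SigErrorImage "/openca/batch/images/sigError.png"

## Certificates Section
## ====================
CACertificate "/var/lib/openca/crypto/cacerts/cacert.pem"
CACertificateDER "/var/lib/openca/crypto/cacerts/cacert.der"
CACertificateTXT "/var/lib/openca/crypto/cacerts/cacert.txt"
CACertificateCRT "/var/lib/openca/crypto/chain/cacert.crt"
CACertDir "/var/lib/openca/crypto/cacerts"
ChainDir "/var/lib/openca/crypto/chain"
ReqDir "/var/lib/openca/crypto/reqs"
## CA private key -- same permission rule as the batch keys above
CAKey "/var/lib/openca/crypto/keys/cakey.pem"
CRLDir "/var/lib/openca/crypto/crls"

## Dataexchange section
## ====================
## please see *_node.conf for more details
## @__DEVICE__@, @__SRC__@ and @__DEST__@ are presumably filled in by the
## dataexchange code at run time -- confirm.  The *_IMPORT commands extract
## an archive from the exchange device into @__DEST__@, so only media from
## the intended nodes should be presented to them.

## dataexchange with a lower level of the hierarchy
EXPORT_IMPORT_DOWN_DEVICE "@dataexchange_device_down@"
EXPORT_IMPORT_DOWN_START ""
EXPORT_IMPORT_DOWN_STOP ""
EXPORT_IMPORT_DOWN_EXPORT "/bin/tar -cvpf @__DEVICE__@ -C @__SRC__@ ."
EXPORT_IMPORT_DOWN_IMPORT "/bin/tar -xvf @__DEVICE__@ -C @__DEST__@"
EXPORT_IMPORT_DOWN_TEST "/bin/tar -tvf @__DEVICE__@"

## local dataexchange (backup, recovery and batchprocessors)
EXPORT_IMPORT_LOCAL_DEVICE "@dataexchange_device_local@"
EXPORT_IMPORT_LOCAL_START ""
EXPORT_IMPORT_LOCAL_STOP ""
EXPORT_IMPORT_LOCAL_EXPORT "/bin/tar -cvpf @__DEVICE__@ -C @__SRC__@ ."
EXPORT_IMPORT_LOCAL_IMPORT "/bin/tar -xvf @__DEVICE__@ -C @__DEST__@"
EXPORT_IMPORT_LOCAL_TEST "/bin/tar -tvf @__DEVICE__@"

## no module list is given here -- presumably intentionally empty for the
## batch module; confirm against the node configuration
EXPORT_IMPORT_MODULES

LOG_ENROLL_DIR "/var/lib/openca/log/enroll"
LOG_RECEIVE_DIR "/var/lib/openca/log/receive"
ENROLL_CA_CERTIFICATE_STATES @enroll_ca_certificate_states@

## RBAC Section
## ============
#############
# variables #
#############
## rights RBAC on
MODULE_NAME "RA_1"
## openssl
OpenSSL_DIR "/etc/openca/openssl/openssl"
EXT_DIR "/etc/openca/openssl/extfiles"
OPENSSL_SAMPLE_CONF "/etc/openca/openssl/sample-openssl.conf"
OPENSSL_SAMPLE_EXT "/etc/openca/openssl/sample-openssl.ext"
# general
RBAC_DIR "/etc/openca/rbac"
MODULES_DIR "modules"
SCRIPT_CONFIG_DIR "scripts"
ROLES_DIR "roles"
RIGHTS_DIR "rights"

######################
## support for PKIX ##
######################
SET_REQUEST_SERIAL_IN_DN "N"
REQUEST_SERIAL_NAME "sn"
SET_CERTIFICATE_SERIAL_IN_DN "Y"
CERTIFICATE_SERIAL_NAME "serialNumber"
DN_WITHOUT_EMAIL "Y"
AUTOMATIC_SUBJECT_ALT_NAME "Y"
DEFAULT_SUBJECT_ALT_NAME "Email"
UNIQUE_DN "YES"

######################
## support for PINs ##
######################
USE_REQUEST_PIN NO
# secure PIN_LENGTH limits the PIN itself so please use
# SECURE_PIN_RANDOM because this option ensures the number
# of the secret random bits
# 16 x 8 = 128 bit
SECURE_PIN_LENGTH 0
SECURE_PIN_RANDOM 16

MAIL_DIR "/var/lib/openca/mail"
CRIN_MAIL_DIR "/var/lib/openca/mail/crins"
DEFAULT_MAIL_DIR "/var/lib/openca/mail/default"
SERVICE_MAIL_ACCOUNT "pki@openca.org"
## __LANGUAGE__ is presumably replaced with DEFAULT_LANGUAGE at run time -- confirm
REQUEST_PIN_MAIL "/usr/share/openca/mails/__LANGUAGE__/request_pin_mail.msg"
SECURE_PIN_MAIL "/usr/share/openca/mails/__LANGUAGE__/secure_pin_mail.msg"
CONFIRM_CERT_SIGN "/usr/share/openca/mails/__LANGUAGE__/confirm_cert_sign.msg"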