## Configuration File for RA Manager Utility
## (c) 1998 by Massimiliano Pala - All Rights Reserved
##
## Format: one directive per line, NAME followed by one or more values;
## lines starting with # are comments. Most values are double-quoted, a few
## (SessionDir, ModuleID, ModuleShift, CSR_ALLOW_MULTIVALUED_ATTRIBUTES,
## warnuser) are not -- the parser presumably accepts both forms, confirm
## before normalising.
## NOTE(review): tokens of the form @name@ (e.g. @sendmail@, @dbmodule@)
## look like build/install-time substitution placeholders -- confirm they
## are all replaced before this file is deployed.

## Crypto Section
## ==============
## External tools the RA invokes. Keep these absolute paths pointing at
## binaries owned by a trusted account; they run with the RA's privileges.
openssl "/usr/bin/openssl"
sslconfig "/etc/openca/openssl/openssl.cnf"
OCSPindex "/var/lib/openca/crypto/ocsp_index.txt"
MakePath "/usr/bin/make -s"

## General Section
## ===============
DEFAULT_LANGUAGE "@default_language@"
DEFAULT_CHARSET "@default_charset@"
CgiLibPath "/usr/share/openca/functions"
CgiServerType "ra"
CgiServerName "ra"
HtdocsUrlPrefix "/openca/ra"
EtcPrefix "/etc/openca"
# session cookie store (unquoted, unlike the other paths in this file)
SessionDir /var/lib/openca/session/cookie
# NOTE(review): unit not stated here (if seconds, this is 20 minutes) --
# confirm against the session-handling code.
SessionLifetime 1200
ModuleID @ra_module_id@
ModuleShift @module_shift@
AccessControlConfiguration "/etc/openca/access_control/ra.xml"
SoftwareConfiguration "/etc/openca/config.xml"
RoleConfiguration "/etc/openca/rbac/roles.xml"
ModuleConfiguration "/etc/openca/rbac/modules.xml"
TokenConfiguration "/etc/openca/token.xml"
LogConfiguration "/etc/openca/log.xml"
MenuConfiguration "/etc/openca/menu.xml"
LOAConfiguration "/etc/openca/loa.xml"
# New Browser Configuration
BrowserRequestConfig "/etc/openca/browser_req.xml"
# Authenticated Browser Request
AuthBrowserRequestConfig "/etc/openca/auth_browser_req.xml"
DataSourcesConfig "/etc/openca/datasources.xml"
EnableAuthBrowserReq "YES"
DBmodule "@dbmodule@"
# same directory as CertsDir below; keep the two in sync if either changes
CertDir "/var/lib/openca/crypto/certs"
TempDir "/var/lib/openca/tmp"
# presumably an upper bound on rows returned by list/search views -- confirm
MaxReturnedItems 20

## ==================== [ LOA Support ] =========================
## USE_LOAS takes either YES or NO
USE_LOAS "@USE_LOAS@"
## The next three lists are positional: entry N of each describes the same
## additional request attribute (internal name, display label, allowed
## character set). Keep them the same length.
ADDITIONAL_REQUEST_ATTRIBUTES "requestercn" "email" "department" "telephone"
ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE "Name (first and Last name)" "Email" "Department" "Telephone"
ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE "LATIN1_LETTERS" "EMAIL" "LATIN1_LETTERS" "LATIN1_LETTERS"
CSR_SUPPORTED_ATTRIBUTES "emailAddress" "CN" "SN" "unstructuredName" "unstructuredAddress" "OU" "L" "ST" "O" "C" "DC" "serialNumber" "UID"
CSR_DEFAULT_ATTRIBUTE_FIELDS 7
CSR_ALLOW_MULTIVALUED_ATTRIBUTES YES
CSR_SUPPORTED_SUBJECT_ALT_NAMES "email" "DNS" "IP" "DirName" "URI" "RID" "otherName" "Microsoft_GUID" "Microsoft_UPN"
CSR_DEFAULT_SUBJECT_ALT_NAME_FIELDS 4

## create key
## ==========
RegistrationAuthority "Trustcenter itself" "Help Desk 1" "Help Desk 2"
# minimum length of the user PIN (presumably counted in characters)
MinPinLength 10

## ================== [ Basic CSR Section ] =====================
## Basic CSR Forms
# NOTE(review): 512- and 768-bit RSA moduli have been publicly factored and
# 1024-bit is below current minimum recommendations; the list is also not in
# size order. Consider offering only 2048 and 4096 in this form.
Basic_CSR_Keysizes "1024" "2048" "4096" "512" "768"
DN_TYPES "SPKAC" "IE"

## ================== [ DN_TYPE ::= SPKAC ] =====================
## Per-form settings; the _ELEMENT_n_* keys are indexed by position in
## DN_TYPE_SPKAC_ELEMENTS, the _BASE_n keys by position in DN_TYPE_SPKAC_BASE.
DN_TYPE_SPKAC_BODY "YES"
DN_TYPE_SPKAC_KEYGEN_MODE "SPKAC"
DN_TYPE_SPKAC_BASE "O" "C"
# if you have more than one OU simply add them
# this works for all possible attributes
# DN_TYPE_SPKAC_ELEMENTS "EMAIL" "CN" "OU" "OU"
DN_TYPE_SPKAC_ELEMENTS "emailAddress" "CN" "OU"
DN_TYPE_SPKAC_NAME "Basic User Request"
DN_TYPE_SPKAC_BASE_1 "OpenCA PKI Services"
DN_TYPE_SPKAC_BASE_2 "IT"
DN_TYPE_SPKAC_ELEMENT_1 "E-Mail"
DN_TYPE_SPKAC_ELEMENT_1_MINIMUM_LENGTH 7
DN_TYPE_SPKAC_ELEMENT_1_REQUIRED "YES"
DN_TYPE_SPKAC_ELEMENT_1_CHARACTERSET "EMAIL"
DN_TYPE_SPKAC_ELEMENT_2 "Name"
DN_TYPE_SPKAC_ELEMENT_2_MINIMUM_LENGTH 3
DN_TYPE_SPKAC_ELEMENT_2_REQUIRED "YES"
DN_TYPE_SPKAC_ELEMENT_2_CHARACTERSET "UTF8_LETTERS"
DN_TYPE_SPKAC_ELEMENT_3 "Certificate Request Group"
# fixed choice list; the minimum length below must not exceed the shortest entry
DN_TYPE_SPKAC_ELEMENT_3_SELECT "Internet" "Partners" "Employees" "Trustcenter"
DN_TYPE_SPKAC_ELEMENT_3_MINIMUM_LENGTH 8
DN_TYPE_SPKAC_ELEMENT_3_REQUIRED "YES"
DN_TYPE_SPKAC_ELEMENT_3_CHARACTERSET "LATIN1_LETTERS"

## ================== [ DN_TYPE ::= IE ] =====================
## Mirrors the SPKAC form above with a different key-generation mode.
DN_TYPE_IE_BODY "YES"
DN_TYPE_IE_KEYGEN_MODE "IE"
DN_TYPE_IE_BASE "O" "C"
# if you have more than one OU simply add them
# this works for all possible attributes
# DN_TYPE_IE_ELEMENTS "EMAIL" "CN" "OU" "OU"
DN_TYPE_IE_ELEMENTS "emailAddress" "CN" "OU"
DN_TYPE_IE_NAME "Basic User Request"
DN_TYPE_IE_BASE_1 "OpenCA PKI Services"
DN_TYPE_IE_BASE_2 "IT"
DN_TYPE_IE_ELEMENT_1 "E-Mail"
DN_TYPE_IE_ELEMENT_1_MINIMUM_LENGTH 7
DN_TYPE_IE_ELEMENT_1_REQUIRED "YES"
DN_TYPE_IE_ELEMENT_1_CHARACTERSET "EMAIL"
DN_TYPE_IE_ELEMENT_2 "Name"
DN_TYPE_IE_ELEMENT_2_MINIMUM_LENGTH 3
DN_TYPE_IE_ELEMENT_2_REQUIRED "YES"
DN_TYPE_IE_ELEMENT_2_CHARACTERSET "UTF8_LETTERS"
DN_TYPE_IE_ELEMENT_3 "Certificate Request Group"
DN_TYPE_IE_ELEMENT_3_SELECT "Internet" "Partners" "Employees" "Trustcenter"
DN_TYPE_IE_ELEMENT_3_MINIMUM_LENGTH 8
DN_TYPE_IE_ELEMENT_3_REQUIRED "YES"
DN_TYPE_IE_ELEMENT_3_CHARACTERSET "LATIN1_LETTERS"

## Command references offered on each view page.
CmdRefs_viewCert "REVOCATION" "SENDCERT" "SEND_CERT_KEY" "VIEW_CSR" "TOKENHANDLING" "MAIL" "SET_PUBLIC_PASSWD" "DELETE_PUBLIC_PASSWD"
CmdRefs_viewCSR "APPROVE_WITHOUT_SIGNING" "APPROVE" "DELETE_SIGNED" "DELETE_PENDING" "DELETE_RENEW" "DELETE_NEW" "EDIT" "RENEW" "GENERATE_KEY"
CmdRefs_viewCRR "APPROVE_WITHOUT_SIGNING" "APPROVE" "DELETE_SIGNED" "DELETE_PENDING" "DELETE_NEW" "EDIT" "VIEW_CERT" "VIEW_USER_CRR"
# NOTE(review): the revocation-request command set is marked NO_AUTH here --
# confirm whether this means revocation requests are accepted without
# authentication, and that this is the intended policy for this RA.
CmdRefs_revoke_req "NO_AUTH"
# presumably whether the public interface requires a password -- confirm
REQUIRE_PASSWD_PUBLIC "NO"
CHANGE_DAYS "YES"

## Images Section =================
ValidSigImage "/openca/ra/images/validSig.png"
SigErrorImage "/openca/ra/images/sigError.png"

## Certificates and CRLs Section
## =============================
CACertificate "/var/lib/openca/crypto/cacerts/cacert.pem"
CACertificateDER "/var/lib/openca/crypto/cacerts/cacert.der"
CACertificateCRT "/var/lib/openca/crypto/chain/cacert.crt"
CACertsDir "/var/lib/openca/crypto/cacerts"
# same directory as CertDir in the General Section
CertsDir "/var/lib/openca/crypto/certs"
ChainDir "/var/lib/openca/crypto/chain"
CRLDir "/var/lib/openca/crypto/crls"

## Mail Section
## ============
##
## The RA Manager program needs to send an e-mail to each user when his
## certificate has been successfully published. Because of this you
## have to configure the sendmail program to use the right server.
## Watch out for mail attacks: mailcommand below is a command line executed
## by the RA, so keep it an absolute path to a trusted binary with fixed
## options, and restrict write access to this file.
## Do you want to send mail when a certificate is published?
warnuser yes
## Now let's define the command line for sendmail with the right options
mailcommand "@sendmail@"
# __LANGUAGE__ is presumably replaced with DEFAULT_LANGUAGE at run time -- confirm
basemailfile "/usr/share/openca/mails/__LANGUAGE__/certsMail.msg"
# upstream default sender address; replace with your own service account
SERVICE_MAIL_ACCOUNT "pki@openca.org"
WARN_EXPIRING_MSG "/usr/share/openca/mails/__LANGUAGE__/expiringMail.msg"
# days before certificate expiry at which the warning mail is sent (presumably)
WARN_EXPIRING_DAYS 31
##
## Role management Section
## -----------------------
RBAC_DIR "/etc/openca/rbac"
RBAC_MODULE "RA 1"
# the next three are relative to RBAC_DIR
ROLES_DIR "roles"
RIGHTS_DIR "rights"
SCRIPT_CONFIG_DIR "scripts"
OPENSSL_DIR "/etc/openca/openssl/openssl"
EXT_DIR "/etc/openca/openssl/extfiles"

######################
## support for PKIX ##
######################
## NOTE: this section uses Y/N where the rest of the file uses YES/NO;
## presumably both spellings are accepted -- check the parser before
## normalising either way.
SET_REQUEST_SERIAL_IN_DN "N"
REQUEST_SERIAL_NAME "sn"
SET_CERTIFICATE_SERIAL_IN_DN "Y"
CERTIFICATE_SERIAL_NAME "serialNumber"
DN_WITHOUT_EMAIL "YES"
AUTOMATIC_SUBJECT_ALT_NAME "Y"
# NOTE(review): spelled "Email" here but "email" in CSR_SUPPORTED_SUBJECT_ALT_NAMES
# -- confirm the lookup is case-insensitive.
DEFAULT_SUBJECT_ALT_NAME "Email"
UNIQUE_DN "YES"

##################################
## secure PIN support for certs ##
##################################
## (the keys below are mail spool directories and counters; the section
## title appears to be stale)
MAIL_DIR "/var/lib/openca/mail"
CRIN_MAIL_DIR "/var/lib/openca/mail/crins"
DEFAULT_MAIL_DIR "/var/lib/openca/mail/default"
SENT_MAIL_CRIN_COUNTER "/var/lib/openca/mail/crins/mailcounter"
SENT_MAIL_DEFAULT_COUNTER "/var/lib/openca/mail/default/mailcounter"