## Secure Server Configuration File
## (c) 1999 by Massimiliano Pala and the OpenCA Group
##
## Please Refer to the Documentation for a full detailed
## description of params. Read the README file in this dir
## for more infos on programs accessing this file.
##
## Layout used throughout this file: one "Key value [value ...]" entry
## per line; multi-valued keys list each value in its own pair of quotes.
## Values of the form @name@ look like template placeholders that are
## filled in when the file is installed - confirm against the README
## before editing them by hand. Both quoted and unquoted values appear
## below; keep whichever form a key already uses.

## ============== [ General Section ] =========================

DEFAULT_LANGUAGE "@default_language@"
DEFAULT_CHARSET "@default_charset@"

DBmodule "@dbmodule@"

CgiLibPath "/usr/share/openca/functions"
# This file configures the public (unauthenticated-facing) server, so
# every form and policy defined below is reachable by external users.
CgiServerType "public"
CgiServerName "pub"

HtdocsUrlPrefix "@pub_htdocs_url_prefix@"

# NOTE(review): SessionDir is the one path in this section written
# without quotes - confirm the parser treats both forms the same.
SessionDir /var/lib/openca/session/cookie
# NOTE(review): unit is not stated here; presumably seconds (20 min) -
# confirm against the session code before tuning it.
SessionLifetime 1200

ModuleID @pub_module_id@
ModuleShift @module_shift@

# Access control, RBAC and logging for this interface live in these
# XML files; changes to the policies below should be reviewed together
# with pub.xml and roles.xml.
AccessControlConfiguration "/etc/openca/access_control/pub.xml"
SoftwareConfiguration "/etc/openca/config.xml"
RoleConfiguration "/etc/openca/rbac/roles.xml"
ModuleConfiguration "/etc/openca/rbac/modules.xml"
TokenConfiguration "/etc/openca/token.xml"
LogConfiguration "/etc/openca/log.xml"
MenuConfiguration "/etc/openca/menu.xml"
LOAConfiguration "/etc/openca/loa.xml"

CertsDir "/var/lib/openca/crypto/certs"
CACertificate "/var/lib/openca/crypto/cacerts/cacert.pem"
ChainDir "/var/lib/openca/crypto/chain"

## Paths
openssl "/usr/bin/openssl"
sslconfig "/etc/openca/openssl/openssl.cnf"
scepPath "/usr/bin/openca-scep"
tempdir "/var/lib/openca/tmp"
BP_DIR "/var/lib/openca/batch"

## ============== [ End General Section ] ====================

#================= [ LOA Support ] =========================
#USE_LOAS takes either YES or NO
USE_LOAS "@USE_LOAS@"
#================ End of LOA support ============================

## ================ [ request Section ] ======================
## Default Registration Authority
## The first value is the default; the others are offered as alternatives.
RegistrationAuthority "Trustcenter itself" "Help Desk 1" "Help Desk 2"

## Misc configuration Parameters
## Minimum length of the PIN a requester must supply (characters).
MinPinLength 10

## ================== [ End request Section ] ===================

## ================== [ Basic CSR Section ] =====================
## Basic CSR Forms
## Key sizes (bits) offered to the requester on the public form.
## NOTE(review): 512 and 768 are still offered here. RSA keys below
## 2048 bits are considered weak by current guidance; a CA issuing for
## such keys exposes the subscriber, so review this list before the
## form is exposed. 2048 is the commonly recommended minimum today.
Basic_CSR_Keysizes "1024" "2048" "4096" "512" "768"

## Request types enabled on this interface; each has its own
## DN_TYPE_<name>_* block below (PKCS10 is covered in the policy
## section further down).
DN_TYPES "BASIC" "TOKEN" "SPKAC" "IE" "PKCS10"

## ================== [ DN_TYPE ::= BASIC ] =====================
DN_TYPE_BASIC_BODY "YES"
# Key pair is generated on the server for this form.
DN_TYPE_BASIC_KEYGEN_MODE "SERVER"
# Fixed part of the subject DN, values in _BASE_1 / _BASE_2 below.
DN_TYPE_BASIC_BASE "O" "C"
# if you have more than one OU simply add them
# this works for all possible attributes
# DN_TYPE_BASIC_ELEMENTS "EMAIL" "CN" "OU" "OU"
DN_TYPE_BASIC_ELEMENTS "emailAddress" "CN" "OU"
DN_TYPE_BASIC_NAME "Basic User Request"
DN_TYPE_BASIC_BASE_1 "@ca_organization@"
DN_TYPE_BASIC_BASE_2 "@ca_country@"
# Per-element input rules: label, minimum length, whether it is
# mandatory and the character set the input is validated against.
DN_TYPE_BASIC_ELEMENT_1 "E-Mail"
DN_TYPE_BASIC_ELEMENT_1_MINIMUM_LENGTH 7
DN_TYPE_BASIC_ELEMENT_1_REQUIRED "YES"
DN_TYPE_BASIC_ELEMENT_1_CHARACTERSET "EMAIL"
DN_TYPE_BASIC_ELEMENT_2 "Name"
DN_TYPE_BASIC_ELEMENT_2_MINIMUM_LENGTH 3
DN_TYPE_BASIC_ELEMENT_2_REQUIRED "YES"
DN_TYPE_BASIC_ELEMENT_2_CHARACTERSET "LATIN1_LETTERS"
DN_TYPE_BASIC_ELEMENT_3 "Certificate Request Group"
# _SELECT restricts the OU to this fixed list instead of free text.
DN_TYPE_BASIC_ELEMENT_3_SELECT "Internet" "Partners" "Employees" "Trustcenter"
DN_TYPE_BASIC_ELEMENT_3_MINIMUM_LENGTH 8
DN_TYPE_BASIC_ELEMENT_3_REQUIRED "YES"
DN_TYPE_BASIC_ELEMENT_3_CHARACTERSET "LATIN1_LETTERS"
# Four optional subjectAltName slots; the two DNS entries map to
# _SUBJECTALTNAME_3 and _SUBJECTALTNAME_4.
DN_TYPE_BASIC_SUBJECTALTNAMES "email" "IP" "DNS" "DNS"
DN_TYPE_BASIC_SUBJECTALTNAME_1 "alternative email"
DN_TYPE_BASIC_SUBJECTALTNAME_1_MINIMUM_LENGTH 3
DN_TYPE_BASIC_SUBJECTALTNAME_1_REQUIRED "NO"
DN_TYPE_BASIC_SUBJECTALTNAME_2 "IP address"
DN_TYPE_BASIC_SUBJECTALTNAME_2_MINIMUM_LENGTH 7
DN_TYPE_BASIC_SUBJECTALTNAME_2_REQUIRED "NO"
DN_TYPE_BASIC_SUBJECTALTNAME_3 "DNS name"
DN_TYPE_BASIC_SUBJECTALTNAME_3_MINIMUM_LENGTH 9
DN_TYPE_BASIC_SUBJECTALTNAME_3_REQUIRED "NO"
DN_TYPE_BASIC_SUBJECTALTNAME_4 "DNS name"
DN_TYPE_BASIC_SUBJECTALTNAME_4_MINIMUM_LENGTH 9
DN_TYPE_BASIC_SUBJECTALTNAME_4_REQUIRED "NO"

## ================== [ DN_TYPE ::= TOKEN ] =====================
## Same element layout as BASIC; differs only in _BODY and in having
## no _KEYGEN_MODE (the key is expected to come from the token).
DN_TYPE_TOKEN_BODY "NO"
DN_TYPE_TOKEN_BASE "O" "C"
# if you have more than one OU simply add them
# this works for all possible attributes
# DN_TYPE_TOKEN_ELEMENTS "EMAIL" "CN" "OU" "OU"
DN_TYPE_TOKEN_ELEMENTS "emailAddress" "CN" "OU"
# NOTE(review): same display name as the BASIC form - looks like a
# copy-and-paste leftover; confirm whether a distinct name is intended.
DN_TYPE_TOKEN_NAME "Basic User Request"
DN_TYPE_TOKEN_BASE_1 "@ca_organization@"
DN_TYPE_TOKEN_BASE_2 "@ca_country@"
DN_TYPE_TOKEN_ELEMENT_1 "E-Mail"
DN_TYPE_TOKEN_ELEMENT_1_MINIMUM_LENGTH 7
DN_TYPE_TOKEN_ELEMENT_1_REQUIRED "YES"
DN_TYPE_TOKEN_ELEMENT_1_CHARACTERSET "EMAIL"
DN_TYPE_TOKEN_ELEMENT_2 "Name"
DN_TYPE_TOKEN_ELEMENT_2_MINIMUM_LENGTH 3
DN_TYPE_TOKEN_ELEMENT_2_REQUIRED "YES"
DN_TYPE_TOKEN_ELEMENT_2_CHARACTERSET "LATIN1_LETTERS"
DN_TYPE_TOKEN_ELEMENT_3 "Certificate Request Group"
DN_TYPE_TOKEN_ELEMENT_3_SELECT "Internet" "Partners" "Employees" "Trustcenter"
DN_TYPE_TOKEN_ELEMENT_3_MINIMUM_LENGTH 8
DN_TYPE_TOKEN_ELEMENT_3_REQUIRED "YES"
DN_TYPE_TOKEN_ELEMENT_3_CHARACTERSET "LATIN1_LETTERS"
DN_TYPE_TOKEN_SUBJECTALTNAMES "email" "IP" "DNS" "DNS"
DN_TYPE_TOKEN_SUBJECTALTNAME_1 "alternative email"
DN_TYPE_TOKEN_SUBJECTALTNAME_1_MINIMUM_LENGTH 3
DN_TYPE_TOKEN_SUBJECTALTNAME_1_REQUIRED "NO"
DN_TYPE_TOKEN_SUBJECTALTNAME_2 "IP address"
DN_TYPE_TOKEN_SUBJECTALTNAME_2_MINIMUM_LENGTH 7
DN_TYPE_TOKEN_SUBJECTALTNAME_2_REQUIRED "NO"
DN_TYPE_TOKEN_SUBJECTALTNAME_3 "DNS name"
DN_TYPE_TOKEN_SUBJECTALTNAME_3_MINIMUM_LENGTH 9
DN_TYPE_TOKEN_SUBJECTALTNAME_3_REQUIRED "NO"
DN_TYPE_TOKEN_SUBJECTALTNAME_4 "DNS name"
DN_TYPE_TOKEN_SUBJECTALTNAME_4_MINIMUM_LENGTH 9
DN_TYPE_TOKEN_SUBJECTALTNAME_4_REQUIRED "NO"

## ================== [ DN_TYPE ::= SPKAC ] =====================
## Same element layout as BASIC; key generation happens in the browser
## (SPKAC / keygen) rather than on the server.
DN_TYPE_SPKAC_BODY "YES"
DN_TYPE_SPKAC_KEYGEN_MODE "SPKAC"
DN_TYPE_SPKAC_BASE "O" "C"
# if you have more than one OU simply add them
# this works for all possible attributes
# DN_TYPE_SPKAC_ELEMENTS "EMAIL" "CN" "OU" "OU"
DN_TYPE_SPKAC_ELEMENTS "emailAddress" "CN" "OU"
DN_TYPE_SPKAC_NAME "Basic User Request"
DN_TYPE_SPKAC_BASE_1 "@ca_organization@"
DN_TYPE_SPKAC_BASE_2 "@ca_country@"
DN_TYPE_SPKAC_ELEMENT_1 "E-Mail"
DN_TYPE_SPKAC_ELEMENT_1_MINIMUM_LENGTH 7
DN_TYPE_SPKAC_ELEMENT_1_REQUIRED "YES"
DN_TYPE_SPKAC_ELEMENT_1_CHARACTERSET "EMAIL"
DN_TYPE_SPKAC_ELEMENT_2 "Name"
DN_TYPE_SPKAC_ELEMENT_2_MINIMUM_LENGTH 3
DN_TYPE_SPKAC_ELEMENT_2_REQUIRED "YES"
DN_TYPE_SPKAC_ELEMENT_2_CHARACTERSET "LATIN1_LETTERS"
DN_TYPE_SPKAC_ELEMENT_3 "Certificate Request Group"
DN_TYPE_SPKAC_ELEMENT_3_SELECT "Internet" "Partners" "Employees" "Trustcenter"
DN_TYPE_SPKAC_ELEMENT_3_MINIMUM_LENGTH 8
DN_TYPE_SPKAC_ELEMENT_3_REQUIRED "YES"
DN_TYPE_SPKAC_ELEMENT_3_CHARACTERSET "LATIN1_LETTERS"
DN_TYPE_SPKAC_SUBJECTALTNAMES "email" "IP" "DNS" "DNS"
DN_TYPE_SPKAC_SUBJECTALTNAME_1 "alternative email"
DN_TYPE_SPKAC_SUBJECTALTNAME_1_MINIMUM_LENGTH 3
DN_TYPE_SPKAC_SUBJECTALTNAME_1_REQUIRED "NO"
DN_TYPE_SPKAC_SUBJECTALTNAME_2 "IP address"
DN_TYPE_SPKAC_SUBJECTALTNAME_2_MINIMUM_LENGTH 7
DN_TYPE_SPKAC_SUBJECTALTNAME_2_REQUIRED "NO"
DN_TYPE_SPKAC_SUBJECTALTNAME_3 "DNS name"
DN_TYPE_SPKAC_SUBJECTALTNAME_3_MINIMUM_LENGTH 9
DN_TYPE_SPKAC_SUBJECTALTNAME_3_REQUIRED "NO"
DN_TYPE_SPKAC_SUBJECTALTNAME_4 "DNS name"
DN_TYPE_SPKAC_SUBJECTALTNAME_4_MINIMUM_LENGTH 9
DN_TYPE_SPKAC_SUBJECTALTNAME_4_REQUIRED "NO"

## ================== [ DN_TYPE ::= IE ] =====================
## Same element layout as BASIC; key generation is delegated to the
## Internet Explorer enrollment control on the client.
DN_TYPE_IE_BODY "YES"
DN_TYPE_IE_KEYGEN_MODE "IE"
DN_TYPE_IE_BASE "O" "C"
# if you have more than one OU simply add them
# this works for all possible attributes
# DN_TYPE_IE_ELEMENTS "EMAIL" "CN" "OU" "OU"
DN_TYPE_IE_ELEMENTS "emailAddress" "CN" "OU"
DN_TYPE_IE_NAME "Basic User Request"
DN_TYPE_IE_BASE_1 "@ca_organization@"
DN_TYPE_IE_BASE_2 "@ca_country@"
DN_TYPE_IE_ELEMENT_1 "E-Mail"
DN_TYPE_IE_ELEMENT_1_MINIMUM_LENGTH 7
DN_TYPE_IE_ELEMENT_1_REQUIRED "YES"
DN_TYPE_IE_ELEMENT_1_CHARACTERSET "EMAIL"
DN_TYPE_IE_ELEMENT_2 "Name"
DN_TYPE_IE_ELEMENT_2_MINIMUM_LENGTH 3
DN_TYPE_IE_ELEMENT_2_REQUIRED "YES"
DN_TYPE_IE_ELEMENT_2_CHARACTERSET "LATIN1_LETTERS"
DN_TYPE_IE_ELEMENT_3 "Certificate Request Group"
DN_TYPE_IE_ELEMENT_3_SELECT "Internet" "Partners" "Employees" "Trustcenter"
DN_TYPE_IE_ELEMENT_3_MINIMUM_LENGTH 8
DN_TYPE_IE_ELEMENT_3_REQUIRED "YES"
DN_TYPE_IE_ELEMENT_3_CHARACTERSET "LATIN1_LETTERS"
DN_TYPE_IE_SUBJECTALTNAMES "email" "IP" "DNS" "DNS"
DN_TYPE_IE_SUBJECTALTNAME_1 "alternative email"
DN_TYPE_IE_SUBJECTALTNAME_1_MINIMUM_LENGTH 3
DN_TYPE_IE_SUBJECTALTNAME_1_REQUIRED "NO"
DN_TYPE_IE_SUBJECTALTNAME_2 "IP address"
DN_TYPE_IE_SUBJECTALTNAME_2_MINIMUM_LENGTH 7
DN_TYPE_IE_SUBJECTALTNAME_2_REQUIRED "NO"
DN_TYPE_IE_SUBJECTALTNAME_3 "DNS name"
DN_TYPE_IE_SUBJECTALTNAME_3_MINIMUM_LENGTH 9
DN_TYPE_IE_SUBJECTALTNAME_3_REQUIRED "NO"
DN_TYPE_IE_SUBJECTALTNAME_4 "DNS name"
DN_TYPE_IE_SUBJECTALTNAME_4_MINIMUM_LENGTH 9
DN_TYPE_IE_SUBJECTALTNAME_4_REQUIRED "NO"

## ================== [ End Basic CSR Section ] =================

##================== [ PKCS #10 Request DN Policy Section ] ====================
##
## You may substitute the value of any Attribute with "ANY" to make it accept any value
## but it will still check for the existence of the attribute
##
## Policy applied to externally generated PKCS#10 requests: the subject
## DN of an uploaded request is untrusted input, so the attributes it
## must carry and the base it must match are pinned here.
DN_TYPE_PKCS10_REQUIRED_ELEMENTS "CN" "OU" "O" "C"
DN_TYPE_PKCS10_BASE "O" "C"
## YES, EXIST, NO
## NOTE(review): "EXIST" presumably only checks that the base attributes
## are present, not that they equal _BASE_1 / _BASE_2; if the O and C
## of public requests must match the CA's, "YES" is the value to review.
## Confirm against the request-handling code.
DN_TYPE_PKCS10_ENFORCE_BASE "EXIST"
DN_TYPE_PKCS10_BASE_1 "@ca_organization@"
DN_TYPE_PKCS10_BASE_2 "@ca_country@"
## Extra form fields collected alongside the request; the three lists
## are positional (attribute name, display label, input character set).
ADDITIONAL_REQUEST_ATTRIBUTES "requestercn" "email" "department" "telephone"
ADDITIONAL_ATTRIBUTES_DISPLAY_VALUE "Name (first and Last name)" "Email" "Department" "Telephone"
ADDITIONAL_REQUEST_ATTRIBUTES_STRING_TYPE "LATIN1_LETTERS" "EMAIL" "LATIN1_LETTERS" "LATIN1_LETTERS"

## ================== [ Begin LDAP based CSR Section ] =================
## Disabled by default. When enabled, the requester authenticates to
## LDAP with a bind DN built as PREFIX + <uid> + SUFFIX.
LDAP_BASED_CSR_GENERATION "OFF"
LDAP_CSR_BIND_DN_PREFIX "uid="
LDAP_CSR_BIND_DN_SUFFIX ", OU=Users, O=@ca_organization@, C=@ca_country@"
DN_TYPE_LDAP_BASE "O" "C"
DN_TYPE_LDAP_ELEMENTS "emailAddress" "CN" "OU"
DN_TYPE_LDAP_BASE_1 "@ca_organization@"
DN_TYPE_LDAP_BASE_2 "@ca_country@"
DN_TYPE_LDAP_SUBJECTALTNAMES "email" "IP" "DNS"
## ================== [ End LDAP based CSR Section ] =================

## =================== [ pending Section ] ======================
## Upper bound on items shown per listing page.
MaxReturnedItems 20
## ================== [ End pending Section ] ===================

## ==================== [ lists Section ] ======================
CmdRefs_viewCert "INSTALL_CERT" "SENDCERT" "SEND_CERT_KEY"
# NOTE(review): revocation requests from the public interface are gated
# behind REQUIRE_AUTH; keep this unless the access-control policy in
# pub.xml covers the same command.
CmdRefs_revoke_req "REQUIRE_AUTH"
# NOTE(review): presumably requires a password on public-interface
# operations - confirm which commands honour it.
REQUIRE_PASSWD_PUBLIC "YES"
## ================= [ End lists Section ] =====================

## ================== [ sendcert Section ] ======================
## ================= [ End sendcert Section ] ===================

## ================== [ testcert Section ] ======================
## Trust anchor used when verifying certificates on the public
## interface; same file as CACertificate above.
VerifyCACert "/var/lib/openca/crypto/cacerts/cacert.pem"
## ================= [ End testcert Section ] ===================

## ================== [ getcrl Section ] ======================
crlfile "/var/lib/openca/crypto/crls/cacrl.crl"
## ================= [ End getcrl Section ] ===================

## ================== [ Role Section ] ======================
## ROLES_DIR is relative to RBAC_DIR.
RBAC_DIR "/etc/openca/rbac"
ROLES_DIR "roles"
## ================= [ End Role Section ] ===================

## ================== [ Images Section ] ======================
SigErrorImage "@pub_htdocs_url_prefix@/images/sigError.png"
ValidSigImage "@pub_htdocs_url_prefix@/images/validSig.png"
## ================= [ End Images Section ] ===================