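# NOTE(review): indentation was reconstructed from a rendered page that had
# dropped it. The nesting below (global / policy_provider / templates / auth /
# cas as top-level peers) is the most likely reading — confirm against the
# config loader before relying on it.
global:
  # 30 days
  next_update_hours_crl: 720

policy_provider:
  policy_id: "{1158087D-44BE-436A-897B-EA76BA39CF5F}"
  policyfriendlyname: TestCompany Policy
  next_update_hours: 8

# Callback scripts are referenced by absolute path and presumably loaded and
# executed by the service — confirm. If so they run with the service's
# privileges, so keep them owned by root/the service user and not writable
# by anyone else.
templates:
  - callback:
      path: "/etc/adcs/callbacks/user_template.py"
  - callback:
      path: "/etc/adcs/callbacks/computer_template.py"
  - callback:
      path: "/etc/adcs/callbacks/dc_template.py"
  - callback:
      path: "/etc/adcs/callbacks/smartcard_auth.py"

auth:
  - kerberos: true
  - callback:
      path: "/etc/adcs/callbacks/auth_basic_template.py"

################Example########################
## cas:
##
##   - id: "ca1-inter"
##     issuer_ca_id: "ca1-root"
##     display_name: "Intermediate CA"
##     urls:
##       crl_http: "http://testadcs.mydomain.lan/crl/ica/intermediate.crl"
##       ca_issuers_http: "http://testadcs.mydomain.lan/certs/ica/ica.crt.pem"
##     pem:
##       certificate_path_pem: /var/lib/adcs/pki/certs/ica/ica.crt.pem
##       key_path_pem: /var/lib/adcs/pki/private/ica/ica.key.pem
##       # null means the CA key file is stored unencrypted: restrict it to the
##       # service user (e.g. mode 0600) or use the hsm block below instead.
##       key_passphrase: null
##
##     crl:
##       path_crl: /var/lib/adcs/pki/crl/ica/intermediate.crl
##
##     storage_paths:
##       cert_dir: /var/lib/adcs/pki/newcerts/ica/
##       csr_dir: /var/lib/adcs/pki/csr/ica/
##       private_dir: /var/lib/adcs/pki/private/ica/
##
##     ket_cert_pem: /var/lib/adcs/pki/ket-self/ket.crt.pem
##
##     auth_methods:
##       - method: kerberos
##         renewal_only: false
##       - method: username_password
##         renewal_only: false
##       - method: x509
##         renewal_only: false
##
##
##   - id: "ca1-root"
##     display_name: "root CA"
##     urls:
##       crl_http: "http://testadcs.mydomain.lan/crl/root/ca.crl"
##       ca_issuers_http: "http://testadcs.mydomain.lan/certs/root/ca.crt.pem"
##
##     pem:
##       certificate_path_pem: /var/lib/adcs/pki/certs/root/ca.crt.pem
##       key_path_pem: /var/lib/adcs/pki/private/root/ca.key.pem
##       key_passphrase: null
##
##     crl:
##       path_crl: /var/lib/adcs/pki/crl/root/root.crl
##
##     storage_paths:
##       cert_dir: /var/lib/adcs/pki/newcerts/root/
##       csr_dir: /var/lib/adcs/pki/csr/root/
##       private_dir: /var/lib/adcs/pki/private/root/
##
##     ket_cert_pem: /var/lib/adcs/pki/ket-self/ket.crt.pem
##
##
############### TPM (if not key_path_pem and key_passphrase) ###################
## Per the heading, an hsm block on a CA entry is used instead of
## pem.key_path_pem / pem.key_passphrase (presumably at the same level as pem:
## — confirm against the loader).
##     hsm:
##       pkcs11_lib: "/usr/lib/x86_64-linux-gnu/pkcs11/libtpm2_pkcs11.so.1"
##       token_label: "CA-TOKEN-2"
##       key_id: "30623531666439663333306165376463"
##       key_label: "CA-KEY-ICA2-1761401895"
##       # The PIN is read from this file, never from the config itself: keep
##       # the file out of version control, owned by the service user, mode 0600.
##       user_pin_file: "/etc/adcs/secret/hsm_pin.txt"
##
############### YUBIKEY ###################
##### pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libykcs11.so -L|grep uri
##### pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libykcs11.so --login --pin "123456" --list-objects --type privkey
##### (leave --pin off and pkcs11-tool prompts for it; passing it on the command
#####  line puts the PIN in shell history and the process list)
##     hsm:
##       pkcs11_lib: "/usr/lib/x86_64-linux-gnu/libykcs11.so"
##       pkcs11_uri: "pkcs11:model=YubiKey%20YK5;manufacturer=Yubico%20%28www.yubico.com%29;serial=34588777;token=YubiKey%20PIV%20%2334588777"
##       key_id: "02"
##       user_pin_file: "/etc/adcs/secret/hsm_pin.txt"
##
############### NITROKEY HSM ###################
##### pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -L|grep uri
##### pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin "123456" --list-objects --type privkey
##     hsm:
##       pkcs11_lib: "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"
##       pkcs11_uri: "pkcs11:model=PKCS%2315%20emulated;manufacturer=www.CardContact.de;serial=DENK0509429;token=SmartCard-HSM"
##       key_id: "01"
##       user_pin_file: "/etc/adcs/secret/hsm_pin.txt"

# Populate with one entry per CA (see the example above). A bare "cas:" with
# nothing under it parses as null, not as an empty list.
cas: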