ca.cfg File

Purpose

The ca.cfg file consists of CA stanzas. The CA stanzas contain public CA information used by the Certificate Authentication Services for generating certificate requests and certificate revocation requests.

Description

For every CA stanza in the ca.cfg file, the acct.cfg file should contain an equivalently named CA stanza. Each CA stanza name in the ca.cfg file must be unique. At least one stanza named local must exist. No stanza should be named ldap or default.

Examples

* Multiple components of the PKI implementation use this file for configuration
* information.
*
* algorithm      Defines the encryption algorithm used for CMP requests.
*                Supported values are RSA and DSA. The default is RSA.
*
* crl            Specifies the CA's root certificate file.
*
* dn             Defines the default Distinguished Name value for newly
*                created certificates. (Optional) Example:
*                dn = "c=US, o=ZZZ Corp., ou=Sales OEM, sp=Texas, l=Austin"
*
* keysize        Defines the minimum number of bits required when generating
*                an encryption/signing key. The default is 1024.
*
* program        Specifies the PKI service module file name.
*                (Required)
*
* retries        Defines the number of retry attempts when contacting a CA.
*                The default is 5.
*
* server         Defines the URL address of the CA server. Example:
*                "cmp://9.53.149.39:1077".
*
* signinghash    Specifies the hash algorithm used to verify keys and to
*                perform trusted certificate signing when validating users.
*                Supported values are MD2, MD5, and SHA1. The default is MD5.
*
* trustedkey     Defines the keystore location containing the system-wide
*                trusted signing key used to sign/verify user certificates.
*
* url            Defines the default subject alternate name URI value to be
*                added to new certificates.
*
local:
      program = /usr/lib/security/pki/JSML
      trustedkey = file:/usr/lib/security/pki/trusted.p15
      server = "cmp://9.53.149.39:1077"
      crl = ldap://9.53.149.39/o=XYZ, c=us
      dn = "c=US, o=XYZ"
      url = "http://www.ibm.com/"
      algorithm = RSA
      keysize = 512
      retries = 5
      signinghash = MD5
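
The rules in the Description and the attribute notes above can be checked mechanically. The following Python sketch is an added example, not part of the original page or of the PKI implementation. It assumes the stanza layout shown above, uses a constructed acct.cfg, and treats MD2/MD5 and any keysize below the documented default of 1024 as findings (this example's policy).

```python
import re

HASHES = {"MD2", "MD5", "SHA1"}    # values the page lists for signinghash
RESERVED = {"ldap", "default"}     # stanza names the page rules out
DEFAULT_KEYSIZE = 1024             # documented default for keysize
CA_CFG = """local:
      program = /usr/lib/security/pki/JSML
      keysize = 512
      signinghash = MD5
"""                                # the page's local stanza, trimmed
ACCT_CFG = "local:\n"              # constructed; attributes omitted

def parse_stanzas(text):           # -> [(stanza name, {attribute: value})]
    stanzas, current = [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("*"):       # blank line or comment
            continue
        header = re.fullmatch(r"([^\s:=]+):", line)
        if header:
            current = {}
            stanzas.append((header.group(1), current))
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return stanzas

def lint(ca_text, acct_text):      # -> list of finding strings
    ca = parse_stanzas(ca_text)
    acct_names = {name for name, _ in parse_stanzas(acct_text)}
    names = [name for name, _ in ca]
    findings = [] if "local" in names else ["no stanza named local"]
    for name in sorted(set(names)):
        if names.count(name) > 1:
            findings.append(f"{name}: stanza name is not unique")
        if name in RESERVED:
            findings.append(f"{name}: reserved stanza name")
        if name not in acct_names:
            findings.append(f"{name}: no matching stanza in acct.cfg")
    for name, attrs in ca:
        if "program" not in attrs:
            findings.append(f"{name}: required attribute program is missing")
        digest = attrs.get("signinghash", "MD5")   # MD5 is the documented default
        if digest != "SHA1":       # example policy: MD2 and MD5 count as weak
            kind = "weak" if digest in HASHES else "unsupported"
            findings.append(f"{name}: {kind} signinghash {digest}")
        keysize = attrs.get("keysize", str(DEFAULT_KEYSIZE))
        if not keysize.isdigit() or int(keysize) < DEFAULT_KEYSIZE:
            findings.append(f"{name}: keysize {keysize} below {DEFAULT_KEYSIZE}")
    return findings
```

Calling lint(CA_CFG, ACCT_CFG) on the sample reports the MD5 signing hash and the 512-bit keysize. A stanza that omits signinghash is reported as well, because the documented default is MD5.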

File

/usr/lib/security/pki/ca.cfg