policy.cfg File

Purpose

The policy.cfg file contains the attributes that are used when certificates are created for new users or added to the local LDAP repository.

Description

The policy.cfg file consists of four stanzas: newuser, storage, crl, and comm. These stanzas modify the behavior of some system administration commands. The mkuser command uses the newuser stanza. The certlink command uses the storage stanza. The certadd and certlink commands use the comm and crl stanzas.

Examples

*******************************************************************************
* Example policy.cfg file

* newuser Stanza:
*
* cert            Specifies whether the mkuser command generates a certificate (new) or
*                 not (get) by default.
* ca              Specifies the CA used by the mkuser command when generating
*                 a certificate.
* version         Specifies the version number of the certificate to be created.
*                 The value 3 is the only supported value.
* tag             Specifies the auth_cert tag value used by the mkuser command when
*                 creating a user when cert = new.
* label           Specifies the private key label used by the mkuser command when
*                 generating a certificate.
* keystore        Specifies the keystore URI used by the mkuser command when generating
*                 a certificate.
* passwd          Specifies the keystore's password used by the mkuser command when
*                 generating a certificate.
* domain          Specifies the domain part of the certificate's subject alternate name
*                 email value used by the mkuser command when generating a
*                 certificate.
* validity        Specifies the certificate's validity period value used by the mkuser
*                 command when generating a certificate.
* algorithm       Specifies the public key algorithm used by the mkuser command when
*                 generating a certificate.
* keysize         Specifies the minimum encryption key size in bits used by the mkuser
*                 command when generating a certificate.
* keyusage        Specifies the certificate's key usage value used by the mkuser
*                 command when generating a certificate.
* subalturi       Specifies the certificate's subject alternate name URI value
*                 used by the mkuser command when generating a certificate.
*
* storage Stanza:
*
* replicate       Specifies whether the certlink command saves a copy of the certificate
*                 (yes) or just the link (no).
*
* crl Stanza:
*
* check           Specifies whether the certadd and certlink commands should check the
*                 CRL (yes) or not (no).
*
* comm Stanza:
*
* timeout         Specifies the timeout period in seconds when requesting certificate
*                 information using HTTP (e.g., retrieving CRLs).

newuser:
        cert = new
        ca = local
        passwd = pki
        version = "3"
        keysize = 1024
        keystore = test
        validity = 60

storage:
        replicate = no

crl:
        check = yes

comm:
        timeout = 10
* end of policy.cfg
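The following Python script is an added example, not part of the IBM documentation or of the AIX PKI tooling. It parses a file in the stanza layout shown above (a "name:" line opens a stanza, indented "key = value" lines belong to it, lines starting with "*" are comments) and then lints the result the way an administrator reviewing the policy would: unknown stanzas or attributes, a version other than 3, a small keysize, a clear-text keystore password, and CRL checking turned off. The attribute names come from the page; the MIN_KEYSIZE threshold and the finding texts are this example's own assumptions.

```python
"""Parse and sanity-check an AIX-style stanza file such as policy.cfg.

Added example, not part of the original documentation. It assumes the
stanza layout shown on the page and uses a keysize threshold
(MIN_KEYSIZE) that is this example's own choice, not a value from the page.
"""
import re

# Constructed sample: the example policy.cfg from the page.
SAMPLE_POLICY_CFG = """\
* Example policy.cfg file
newuser:
        cert = new
        ca = local
        passwd = pki
        version = "3"
        keysize = 1024
        keystore = test
        validity = 60

storage:
        replicate = no

crl:
        check = yes

comm:
        timeout = 10
* end of policy.cfg
"""

STANZA_RE = re.compile(r"^(\w+):\s*$")            # "newuser:" at column 0
ATTR_RE = re.compile(r"^\s+(\w+)\s*=\s*(.*?)\s*$")  # indented "key = value"

# Attributes documented on the page for each stanza.
KNOWN_KEYS = {
    "newuser": {"cert", "ca", "version", "tag", "label", "keystore", "passwd",
                "domain", "validity", "algorithm", "keysize", "keyusage",
                "subalturi"},
    "storage": {"replicate"},
    "crl": {"check"},
    "comm": {"timeout"},
}

MIN_KEYSIZE = 2048  # assumption of this example: flag anything smaller


def parse_stanza_file(text):
    """Return {stanza: {key: value}}; surrounding quotes are stripped from values."""
    stanzas = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("*"):
            continue  # blank line or "*" comment
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2)
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]
            stanzas[current][key] = value
            continue
        raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return stanzas


def lint_policy(stanzas):
    """Return a list of findings a reviewer would raise about the parsed policy."""
    findings = []
    for stanza, attrs in stanzas.items():
        allowed = KNOWN_KEYS.get(stanza)
        if allowed is None:
            findings.append(f"unknown stanza '{stanza}'")
            continue
        for key in attrs:
            if key not in allowed:
                findings.append(f"unknown attribute '{key}' in stanza '{stanza}'")
    nu = stanzas.get("newuser", {})
    if nu.get("version", "3") != "3":
        findings.append("newuser.version must be 3 (the only supported value)")
    try:
        keysize = int(nu.get("keysize", "0"))
    except ValueError:
        keysize = 0
        findings.append(f"newuser.keysize {nu.get('keysize')!r} is not an integer")
    if 0 < keysize < MIN_KEYSIZE:
        findings.append(f"newuser.keysize {keysize} is below {MIN_KEYSIZE}")
    if "passwd" in nu:
        findings.append("newuser.passwd keeps the keystore password in clear text; "
                        "restrict read access to the file")
    if stanzas.get("crl", {}).get("check") != "yes":
        findings.append("crl.check is not 'yes': certadd/certlink will not check the CRL")
    timeout = stanzas.get("comm", {}).get("timeout")
    if timeout is not None and not timeout.isdigit():
        findings.append(f"comm.timeout {timeout!r} is not a positive integer")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(parse_stanza_file(SAMPLE_POLICY_CFG)):
        print("finding:", finding)
```

Run against the page's own sample, the linter reports the 1024-bit keysize and the clear-text passwd attribute and stays silent on crl.check, which is set to yes. Point it at /usr/lib/security/pki/policy.cfg by reading that file instead of SAMPLE_POLICY_CFG.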

File

/usr/lib/security/pki/policy.cfg