16.5. File and Directory Locations for Certificate System

Certificate System servers consist of subsystems and instances. Server subsystems are servers for a specific type of PKI function. General, shared subsystem information is contained in non-relocatable, RPM-defined shared libraries, Java archive files, binaries, and templates. These are stored in a fixed location.

Server instances are somewhat relocatable and have user-specific default and customized forms and data.

16.5.1. CA Instance Information

The directories are instance specific, tied to the instance name. In these examples, the instance name is pki-ca; the true value is whatever is specified at the time the instance is created with pkicreate.

Table 16.3. CA Instance Information

Setting

Value

Ports

Standard port

End users port

End users client authentication port

Agents port

Admin port

Tomcat port

Main Directory

/var/lib/pki-ca

Configuration Directory

/etc/pki-ca

Configuration File

/etc/pki-ca/CS.cfg

/etc/pki-ca/password.conf

Subsystem Certificates

CA signing certificate

OCSP signing certificate (for the CA's internal OCSP service)

SSL server certificate

Audit log signing certificate

Subsystem certificate ^[a]

Security Databases

/var/lib/pki-ca/alias

Log Files

/var/log/pki-ca/logs

Install Logs

/var/log/pki-ca/logs-install.log

Process File

/var/run/pki-ca.pid

Profile Files

/var/lib/pki-ca/profiles/ca

Email Notification Templates

/var/lib/pki-ca/emails

Web Services Files

/var/lib/pki-ca/webapps - Agent services

/var/lib/pki-ca/webapps.admin - Admin services

/var/lib/pki-ca/webapps.ee - End user services

^[a] The subsystem certificate is always issued by the security domain so that domain-level operations that require client authentication are based on this subsystem certificate.