14.5. File and Directory Locations for Certificate System

Certificate System servers consist of subsystems and instances. Server subsystems are servers for a specific type of PKI function. General, shared subsystem information is contained in non-relocatable, RPM-defined shared libraries, Java archive files, binaries, and templates. These are stored in a fixed location.
Server instances are somewhat relocatable and have user-specific default and customized forms and data.

14.5.1. CA Instance Information

The directories are instance-specific and tied to the instance name. In these examples, the instance name is pki-ca; the actual value is whatever name is specified when the instance is created with pkicreate.

Table 14.3. CA Instance Information

Setting                        Value
Ports                          Standard port
                               End users port
                               End users client authentication port
                               Agents port
                               Admin port
                               Tomcat port
Main Directory                 /var/lib/pki-ca
Configuration Directory        /etc/pki-ca
Configuration File             /etc/pki-ca/CS.cfg
                               /etc/pki-ca/password.conf
Subsystem Certificates         CA signing certificate
                               OCSP signing certificate (for the CA's internal OCSP service)
                               SSL server certificate
                               Audit log signing certificate
                               Subsystem certificate[a]
Security Databases             /var/lib/pki-ca/alias
Log Files                      /var/lib/pki-ca/logs
Install Logs                   /var/lib/pki-ca/logs-install.log
Process File                   /var/run/pki-ca.pid
Profile Files                  /var/lib/pki-ca/profiles/ca
Email Notification Templates   /var/lib/pki-ca/emails
Web Services Files             /var/lib/pki-ca/webapps - Agent services
                               /var/lib/pki-ca/webapps.admin - Admin services
                               /var/lib/pki-ca/webapps.ee - End user services
[a] The subsystem certificate is always issued by the security domain so that domain-level operations that require client authentication are based on this subsystem certificate.