Chapter 13. The Certificate System Configuration Files
Each Certificate System subsystem is configured primarily through its CS.cfg file. This chapter covers basic information about, and rules for editing, the CS.cfg file. It also describes some other useful configuration files used by the subsystems, such as the password and web services files.
13.1. File and Directory Locations for Certificate System Subsystems
Every time a subsystem is created, either through the initial installation or by creating additional instances with the pkispawn command, its files are laid out in the instance-specific locations listed in the following sections.
13.1.1. Instance-specific Information
Table 13.1. Certificate Server Port Assignments (Default)
Port Type | Port Number | Notes |
---|---|---|
Secure port | 8443 | Main port used to access PKI services by end-users, agents, and admins over HTTPS. |
Insecure port | 8080 | Used to access the server over plain HTTP for some end-entity functions, for example to serve CRLs, which are already signed and therefore need no transport encryption. |
AJP port | 8009 | Used to access the server from a front end Apache proxy server through an AJP connection. Redirects to the HTTPS port. |
Tomcat port | 8005 | Tomcat's shutdown port, used by the Tomcat server itself rather than by clients; it should not be reachable from the network. |
13.1.2. CA Subsystem Information
Table 13.2. CA Subsystem Information for the Default Instance (pki-tomcat)
Setting | Value |
---|---|
Main directory | /var/lib/pki/pki-tomcat/ca/ |
Configuration directory | /var/lib/pki/pki-tomcat/ca/conf/[a] |
Configuration file | /var/lib/pki/pki-tomcat/ca/conf/CS.cfg |
Subsystem certificates | CA signing certificate |
OCSP signing certificate (for the CA's internal OCSP service) | |
TLS server certificate | |
Audit log signing certificate | |
Subsystem certificate[b] | |
Security databases | /var/lib/pki/pki-tomcat/alias/[c] |
Log files | /var/lib/pki/pki-tomcat/ca/logs/[d] |
Install log | /var/log/pki/pki-ca-spawn.date.log |
Uninstall log | /var/log/pki/pki-ca-destroy.date.log |
Audit logs | /var/log/pki/pki-tomcat/ca/signedAudit/ |
Profile files | /var/lib/pki/pki-tomcat/ca/profiles/ca/ |
Email notification templates | /var/lib/pki/pki-tomcat/ca/emails/ |
Web services files | Agent services: /var/lib/pki/pki-tomcat/ca/webapps/ca/agent/ |
Admin services: /var/lib/pki/pki-tomcat/ca/webapps/ca/admin/ | |
End user services: /var/lib/pki/pki-tomcat/ca/webapps/ca/ee/ | |
[a]
Aliased to /etc/pki/pki-tomcat/ca/
[b]
The subsystem certificate is always issued by the security domain so that domain-level operations that require client authentication are based on this subsystem certificate.
[c]
All subsystem certificates are stored in the instance's shared NSS security database.
[d]
Aliased to /var/log/pki/pki-tomcat/ca/
13.1.3. KRA Subsystem Information
Table 13.3. KRA Subsystem Information for the Default Instance (pki-tomcat)
Setting | Value |
---|---|
Main directory | /var/lib/pki/pki-tomcat/kra/ |
Configuration directory | /var/lib/pki/pki-tomcat/kra/conf/[a] |
Configuration file | /var/lib/pki/pki-tomcat/kra/conf/CS.cfg |
Subsystem certificates | Transport certificate |
Storage certificate | |
TLS server certificate | |
Audit log signing certificate | |
Subsystem certificate[b] | |
Security databases | /var/lib/pki/pki-tomcat/alias/[c] |
Log files | /var/lib/pki/pki-tomcat/kra/logs/ |
Install log | /var/log/pki/pki-kra-spawn.date.log |
Uninstall log | /var/log/pki/pki-kra-destroy.date.log |
Audit logs | /var/log/pki/pki-tomcat/kra/signedAudit/ |
Web services files | Agent services: /var/lib/pki/pki-tomcat/kra/webapps/kra/agent/ |
Admin services: /var/lib/pki/pki-tomcat/kra/webapps/kra/admin/ | |
[a]
Linked to /etc/pki/pki-tomcat/kra/
[b]
The subsystem certificate is always issued by the security domain so that domain-level operations that require client authentication are based on this subsystem certificate.
[c]
All subsystem certificates are stored in the instance's shared NSS security database.
13.1.4. OCSP Subsystem Information
Table 13.4. OCSP Subsystem Information for the Default Instance (pki-tomcat)
Setting | Value |
---|---|
Main directory | /var/lib/pki/pki-tomcat/ocsp/ |
Configuration directory | /var/lib/pki/pki-tomcat/ocsp/conf/[a] |
Configuration file | /var/lib/pki/pki-tomcat/ocsp/conf/CS.cfg |
Subsystem certificates | OCSP signing certificate |
TLS server certificate | |
Audit log signing certificate | |
Subsystem certificate[b] | |
Security databases | /var/lib/pki/pki-tomcat/alias/[c] |
Log files | /var/lib/pki/pki-tomcat/ocsp/logs/ |
Install log | /var/log/pki/pki-ocsp-spawn.date.log |
Uninstall log | /var/log/pki/pki-ocsp-destroy.date.log |
Audit logs | /var/log/pki/pki-tomcat/ocsp/signedAudit/ |
Web services files | Agent services: /var/lib/pki/pki-tomcat/ocsp/webapps/ocsp/agent/ |
Admin services: /var/lib/pki/pki-tomcat/ocsp/webapps/ocsp/admin/ | |
[a]
Linked to /etc/pki/pki-tomcat/ocsp/
[b]
The subsystem certificate is always issued by the security domain so that domain-level operations that require client authentication are based on this subsystem certificate.
[c]
All subsystem certificates are stored in the instance's shared NSS security database.
13.1.5. TKS Subsystem Information
Table 13.5. TKS Subsystem Information for the Default Instance (pki-tomcat)
Setting | Value |
---|---|
Main directory | /var/lib/pki/pki-tomcat/tks/ |
Configuration directory | /var/lib/pki/pki-tomcat/tks/conf/[a] |
Configuration file | /var/lib/pki/pki-tomcat/tks/conf/CS.cfg |
Subsystem certificates | TLS server certificate |
Audit log signing certificate | |
Subsystem certificate[b] | |
Security databases | /var/lib/pki/pki-tomcat/alias/[c] |
Log files | /var/lib/pki/pki-tomcat/tks/logs/ |
Install log | /var/log/pki/pki-tks-spawn.date.log |
Uninstall log | /var/log/pki/pki-tks-destroy.date.log |
Audit logs | /var/log/pki/pki-tomcat/tks/signedAudit/ |
Web services files | Agent services: /var/lib/pki/pki-tomcat/tks/webapps/tks/agent/ |
Admin services: /var/lib/pki/pki-tomcat/tks/webapps/tks/admin/ | |
[a]
Linked to /etc/pki/pki-tomcat/tks/
[b]
The subsystem certificate is always issued by the security domain so that domain-level operations that require client authentication are based on this subsystem certificate.
[c]
All subsystem certificates are stored in the instance's shared NSS security database.
13.1.6. TPS Subsystem Information
Table 13.6. TPS Subsystem Information for the Default Instance (pki-tomcat)
Setting | Value |
---|---|
Main directory | /var/lib/pki/pki-tomcat/tps/ |
Configuration directory | /var/lib/pki/pki-tomcat/tps/conf/[a] |
Configuration file | /var/lib/pki/pki-tomcat/tps/conf/CS.cfg |
Subsystem certificates | TLS server certificate |
Audit log signing certificate | |
Subsystem certificate[b] | |
Security databases | /var/lib/pki/pki-tomcat/alias/[c] |
Log files | /var/lib/pki/pki-tomcat/tps/logs/ |
Install log | /var/log/pki/pki-tps-spawn.date.log |
Uninstall log | /var/log/pki/pki-tps-destroy.date.log |
Audit logs | /var/log/pki/pki-tomcat/tps/signedAudit/ |
Web services files | Agent services: /var/lib/pki/pki-tomcat/tps/webapps/tps/agent/ |
Admin services: /var/lib/pki/pki-tomcat/tps/webapps/tps/admin/ | |
[a]
Linked to /etc/pki/pki-tomcat/tps/
[b]
The subsystem certificate is always issued by the security domain so that domain-level operations that require client authentication are based on this subsystem certificate.
[c]
All subsystem certificates are stored in the instance's shared NSS security database.
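The layout in Tables 13.2 to 13.6 is what an administrator checks after pkispawn, or when an instance behaves oddly because a directory was moved or the conf alias was replaced by a plain directory. The following script is an added example, not code shipped with Certificate System: it verifies the common locations for any of the five subsystems, adds the CA-only directories, and confirms that conf/ really is the alias into /etc/pki described in footnote [a]. The function names and the PKI_ROOT variable (which lets the checks run against a scratch tree instead of the live filesystem) are this example's own conventions.

```shell
#!/bin/bash
# Added example (not part of Certificate System): check that a subsystem's
# on-disk layout matches Tables 13.2 to 13.6. The function names and the
# PKI_ROOT override (points the checks at a scratch tree) are assumptions
# of this example, not product conventions.

# check_subsystem_layout <instance> <subsystem>
# Prints each missing or misconfigured path and returns the number of
# problems found (0 means the layout matches the tables).
# Example: check_subsystem_layout pki-tomcat ca
check_subsystem_layout() {
    local instance="$1" subsys="$2"
    local root="${PKI_ROOT:-}"                 # empty on a real host
    local base="$root/var/lib/pki/$instance/$subsys"
    local etc="$root/etc/pki/$instance/$subsys"
    local log="$root/var/log/pki/$instance/$subsys"
    local alias="$root/var/lib/pki/$instance/alias"
    local problems=0
    local d

    # Locations listed in every subsystem table: main directory, shared
    # security database, log directory, signed audit logs, web services.
    for d in "$base" "$alias" "$log" "$log/signedAudit" \
             "$base/webapps/$subsys/agent" "$base/webapps/$subsys/admin"; do
        [ -d "$d" ] || { echo "missing directory: $d"; problems=$((problems + 1)); }
    done
    [ -f "$base/conf/CS.cfg" ] \
        || { echo "missing configuration file: $base/conf/CS.cfg"; problems=$((problems + 1)); }

    # CA-only locations from Table 13.2: profiles, notification templates,
    # end-user web services.
    if [ "$subsys" = ca ]; then
        for d in "$base/profiles/ca" "$base/emails" "$base/webapps/ca/ee"; do
            [ -d "$d" ] || { echo "missing CA directory: $d"; problems=$((problems + 1)); }
        done
    fi

    # conf/ must be a symlink to /etc/pki/<instance>/<subsystem>/ (footnote [a]).
    # A real directory here means edits in /etc/pki no longer reach the server.
    if [ -L "$base/conf" ]; then
        local target
        target=$(readlink "$base/conf")
        case "$target" in
            "$etc"|"$etc/") ;;
            *) echo "conf/ links to unexpected target: $target (expected $etc)"
               problems=$((problems + 1)) ;;
        esac
    else
        echo "conf/ is not a symlink to $etc"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# list_subsystem_certs <instance>
# Lists the certificates held in the instance's shared NSS database
# (footnote [c]). Requires the NSS certutil tool, which is not assumed here.
list_subsystem_certs() {
    local alias="${PKI_ROOT:-}/var/lib/pki/$1/alias"
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed"; return 1; }
    certutil -L -d "sql:$alias"
}

# Stand-alone use: ./check_layout.sh pki-tomcat ca
if [ $# -ge 2 ]; then
    check_subsystem_layout "$1" "$2"
fi
```

Run it once per subsystem in the instance (ca, kra, ocsp, tks, tps); a non-zero exit is the problem count. Because all subsystems in pki-tomcat share one alias/ directory, list_subsystem_certs takes only the instance name and shows every subsystem's certificates together, which is worth remembering when reasoning about who can read that database.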