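[authentication]
# The authentication backend specifies how the user is authenticated.
# In case of 'pam' simplepam.authenticate is used to authenticate against
# the sshd PAM service. In case of 'kerberos' SPNEGO is used to authenticate
# the user against e.g. Active Directory or Samba4.
# Several backends may be listed, separated by spaces (see the commented examples).
backends = pam
;backends = kerberos
;backends = ldap
;backends = kerberos ldap
;backends = kerberos pam
# LDAP server, presumably used by the 'ldap' backend. ldaps:// keeps the bind
# on the wire encrypted; keep it that way for anything that sends credentials.
ldap uri = ldaps://dc.example.lan
# Keytab used by the 'kerberos' backend. It holds the service's long-term key,
# so the keytab file should be readable only by the account certidude runs as.
kerberos keytab = FILE:{{ kerberos_keytab }}
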
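[accounts]
# The accounts backend specifies how the user's given name, surname and e-mail
# address are looked up. In case of 'posix' basically 'getent passwd' is performed,
# in case of 'ldap' a search is performed on the LDAP server specified by 'ldap uri'
# with the Kerberos credential cache initialized at the path specified by the
# environment variable KRB5CCNAME.
# If 'certidude setup authority' was performed correctly the credential cache should be
# updated automatically by /etc/cron.hourly/certidude
backend = posix
;backend = ldap
# Credential cache used for the GSSAPI bind of the 'ldap' backend
ldap gssapi credential cache = /run/certidude/krb5cc
# NOTE(review): plain ldap:// here while [authentication] uses ldaps:// for the
# same host. Unless the GSSAPI SASL layer is known to negotiate confidentiality,
# directory traffic is unencrypted; consider ldaps:// here as well.
ldap uri = ldap://dc.example.lan
# Search base; the 'base' template variable overrides the example default when set
ldap base = {% if base %}{{ base }}{% else %}dc=example,dc=lan{% endif %}
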
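[authorization]
# The authorization backend specifies how the users are authorized.
# In case of 'posix' simply group membership is asserted,
# in case of 'ldap' a search filter with the username as placeholder is applied,
# in case of 'whitelist' presumably only the usernames listed below are accepted.
backend = posix
posix user group = users
posix admin group = sudo

;backend = ldap
# %s is replaced by the application with the account name. Filter correctness
# therefore depends on the application escaping that value (RFC 4515) before
# substitution — NOTE(review): confirm in the ldap backend. The bare % also means
# the file cannot be read with configparser interpolation enabled — confirm the loader.
ldap computer filter = (&(objectclass=user)(objectclass=computer)(samaccountname=%s))
ldap user filter = (&(objectclass=user)(objectcategory=person)(samaccountname=%s))
ldap admin filter = (&(memberOf=cn=Domain Admins,cn=Users,{% if base %}{{ base }}{% else %}dc=example,dc=lan{% endif %})(samaccountname=%s))

;backend = whitelist
# Usernames granted user / admin rights; delimiter and empty-list semantics are
# not visible here — NOTE(review): confirm before relying on them.
user whitelist =
admin whitelist =

# Source address allow-lists below are space separated CIDR blocks.
# 0.0.0.0/0 means any address; narrow these in production.
# NOTE(review): if requests arrive through a reverse proxy, confirm which address
# the check sees, otherwise the proxy's address is what gets matched.
# Users are allowed to log in from user subnets
user subnets = 0.0.0.0/0
# Authority administrators are allowed to sign and revoke certificates from these subnets
admin subnets = 0.0.0.0/0
# Certificate signing requests are allowed to be submitted from these subnets
request subnets = 0.0.0.0/0
# Certificates are automatically signed, i.e. without an administrator signing them,
# for requests from these subnets; by default loopback and the RFC 1918 private ranges.
autosign subnets = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
# Simple Certificate Enrollment Protocol enabled subnets; empty presumably disables SCEP
scep subnets =
;scep subnets = 0.0.0.0/0
# Online Certificate Status Protocol enabled subnets; empty presumably disables OCSP
ocsp subnets =
;ocsp subnets = 0.0.0.0/0
# Certificate Revocation Lists can be accessed from anywhere by default
;crl subnets =
crl subnets = 0.0.0.0/0
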
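[logging]
# Disable logging by leaving the backend empty
;backend =
# Use SQLite backend
backend = sql
# Database location; kept under the same {{ directory }} as the [authority] paths
database = sqlite://{{ directory }}/meta/db.sqlite
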
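[signature]
# A server certificate is granted to a request whose
# common name includes a period, which translates to the FQDN of the machine.
# TLS Server Auth and IKE Intermediate flags are attached to such a certificate.
# Due to problematic CRL support in client applications
# we keep the server certificate lifetime short and
# have it renewed automatically.
# Lifetime in days (the same unit as the client lifetime below).
server certificate lifetime = 3

# Client certificates are granted to everything else;
# the TLS Client Auth flag is attached to such a certificate.
# Lifetime in days; here 120 days, roughly 4 months.
client certificate lifetime = 120

# How long an issued CRL stays valid; the unit is not stated here,
# presumably hours — NOTE(review): confirm against the CRL generator.
revocation list lifetime = 24

# URL where the CA certificate can be fetched from
authority certificate url = {{ certificate_url }}

# Strongswan can automatically fetch the CRL if the
# CRL distribution point extension is included in the certificate.
# Leave it empty to omit the extension.
;revoked url =
revoked url = {{ revoked_url }}

# StrongSwan can automatically query the OCSP responder if the
# AIA extension includes the OCSP responder URL; empty (the default here) omits it.
responder url =
;responder url = {{ responder_url }}

# If certificate renewal is allowed clients can request a certificate
# for the same public key with an extended lifetime. Keep it disabled unless
# key reuse is acceptable: a compromised key would stay valid across renewals.
renewal allowed = false
;renewal allowed = true
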
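[push]
# Token shared with the push server; this should occasionally be regenerated.
# Treat the rendered value as a secret.
event source token = {{ push_token }}

# For local nchan; %s is presumably replaced by the application with the channel id
event source publish = http://localhost/ev/pub/%s
long poll publish = http://localhost/lp/pub/%s
event source subscribe = /ev/sub/%s
long poll subscribe = /lp/sub/%s

# For remote nchan, make sure you use https:// if SSL is configured on the push
# server, so that publish traffic to a remote host does not cross the network in the clear
;event source publish = http://push.example.com/ev/pub/%s
;long poll publish = http://push.example.com/lp/pub/%s
;event source subscribe = //push.example.com/ev/sub/%s
;long poll subscribe = //push.example.com/lp/sub/%s
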
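[authority]
# Present a form for CSR submission to logged in users
;request submission allowed = true
request submission allowed = false

# User certificate enrollment specifies whether logged in users are allowed to
# request bundles. In case of 'single allowed' the common name of the
# certificate is set to the username; this should work well with REMOTE_USER
# enabled web apps running behind Apache/nginx.
# In case of 'multiple allowed' the common name is set to username@device-identifier.
;user enrollment = forbidden
;user enrollment = single allowed
user enrollment = multiple allowed

# Machine certificate enrollment specifies whether Kerberos authenticated
# machines are allowed to automatically enroll with a certificate where the
# common name is set to the machine's account name
machine enrollment = forbidden
;machine enrollment = allowed

# CA key pair. The private key is the root of trust for everything this
# authority issues; keep the file readable only by the account certidude runs as.
private key path = {{ ca_key }}
certificate path = {{ ca_cert }}

# Directories holding requests and certificates by state (trailing slash kept as-is)
requests dir = {{ directory }}/requests/
signed dir = {{ directory }}/signed/
revoked dir = {{ directory }}/revoked/
expired dir = {{ directory }}/expired/
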
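[mailer]
# Certidude submits mails to the local MTA.
# In case of Postfix configure it as "Satellite system",
# and make sure the Certidude machine doesn't try to accept mails.
# Uncomment the mail sender address to enable e-mails.
# NOTE(review): 'address' below is not commented out, so e-mail is enabled as
# rendered; either comment it out or update this note — confirm the intended default.
# Make sure the used e-mail address is reachable for end users.
name = Certificate management
address = certificates@example.lan
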
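[tagging]
# Tags that can be attached to certificates. The key is the tag name followed by
# a slash and its value type; the value is presumably the label shown to users.
# 'other/' carries no type after the slash — NOTE(review): confirm that this is
# intended (e.g. an untyped tag) rather than a typo.
owner/string = Owner
location/string = Location
phone/string = Phone
other/ = Other
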
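[bootstrap]
# The following can be used to set up clients easily: certidude bootstrap ca.example.lan
# The services template is rendered on the certidude server with the relevant variables and
# placed at /etc/certidude/services.conf on the client
services template = {{ template_path }}/bootstrap.conf
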
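[token]
# The token mechanism allows the authority administrator to send invites for users.
# The token API call /api/token/ could for example be exposed on the internet via
# proxypass; an internet-facing URL should then be https://.
# The token mechanism is disabled by leaving the url setting empty.
;url = http://ca.example.com/
url =

# Token lifetime in minutes, 30 minutes by default.
# Note that the code tolerates a 5 minute clock skew.
lifetime = 30

# Secret for generating and validating tokens; regenerate occasionally.
# Anyone holding it can produce valid invites, so keep the rendered file
# readable only by the account certidude runs as.
secret = {{ token_secret }}
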
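[profile]
# One certificate profile per line. The key is the profile title; the value lists
# flags, lifetime and organizational unit, comma separated.
# 'client' / 'server' presumably select the TLS Client Auth / Server Auth flags
# described in [signature]; lifetime is presumably in days, as there (120 = about 4 months).
# The organizational unit may be left empty, as for 'default'.
default = client, 120,
srv = server, 365, Server
gw = server, 3, Gateway
ap = client, 1825, Access Point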