openscep.cnf man page on DragonFly

openscep.cnf(8)						       openscep.cnf(8)

NAME
       openscep.cnf - OpenSCEP configuration file

DESCRIPTION
       OpenSCEP uses the configuration file mechanism provided by OpenSSL for
       its own configuration.  All the OpenSCEP utilities read the
       configuration file /usr/local/etc/openscep/openscep.cnf, where various
       sections describe parameters foreign to OpenSSL and only useful to
       OpenSCEP.  See the next sections for the configuration parameters
       specific to OpenSCEP.

SECTIONS
       There are three main sections used by OpenSCEP.	The  CA	 sections  are
       more or less standard from OpenSSL.

CA DEFINITIONS
       See  the	 OpenSSL documentation about details of the configuration of a
       CA.

SCEPD DEFINITIONS
       These are the options that control the behaviour of the scepd(8)
       program from the OpenSCEP distribution.  To keep the scripts that also
       use these variables simple, there are no defaults for them.  All of them
       must be set, which is especially easy to get wrong when upgrading.

       name = CAname
	      Name  of	this  CA,  used to find the right CA section during CA
	      operations.

       cacert =
	      Path to the PEM encoded CA certificate.

       cakey = /path/to/cakey.pem
	      Path to the PEM encoded and unencrypted CA key.

       crl = /path/to/crl.pem
	      Path to a PEM encoded certificate revocation list.

       grantcmd = /path/to/scepgrant
	      Path to the scepgrant(8) program.

       automatic = {true|false}
	      Specifies whether automatic enrollment is possible or not.

       debug = {true|false}
	      Specifies whether debug output should be generated.

       logfile = /path/to/logfile
	      Defines the log file.  syslog(8) must be	configured  to	direct
	      log  messages  to	 this file.  This variable influences only the
	      CGI-program used to display the log file.

       openssl = /path/to/openssl/binary
	      Sets the fully qualified path to	the  openssl(1)	 binary.  Note
	      that  on	many installations, openssl(1) is not on the path, and
	      there is no easy way for a CGI program  to  find	this  program,
	      hence the requirement that the path to it must be configured.

       crlusers = users
	      This option defines a white space separated list of users (as
	      authenticated by the web server) who are allowed to perform
	      certificate revocations without specifying the challenge
	      password from the request.

       crlpublic = {true|false}
	      If set to true, public access to certificate revocation is
	      granted.  Any user who knows the challenge password of a
	      certificate request can revoke the corresponding certificate.
	      Note that trusted users as defined in the crlusers variable are
	      not required to give the challenge password, even if crlpublic
	      is set to false.

LDAP SECTION
       In this section, all parameters needed to access the LDAP directory are
       defined.  There are no defaults for these values; they must all be set
       in the configuration file (this simplifies the code for the CGI
       programs a little bit).

       ldaphost = ldapservername
	      Specifies the name of the LDAP server used as back end  for  the
	      certificate data.

       ldapport = ldapserverport
	      Specifies	 the  TCP  port number of the LDAP server used as back
	      end for the certificate data.

       ldapbase = basedn
	      The base distinguished name to be used by OpenSCEP.

       binddn = binddn
	      Some of the OpenSCEP programs need to update the directory,
	      which requires additional privileges.  They therefore use this
	      distinguished name to bind to the directory, and the password as
	      specified by the bindpw variable (see below).

       bindpw = bindpw
	      See binddn.

       ldapmodify = /path/to/ldapmodify
	      Full path to the ldapmodify(1) program to be used to modify the
	      directory.  Note that a binary from the OpenLDAP version 2
	      distribution must be used, as the CGI scripts use some options
	      only available in OpenLDAP.

       ldapsearch = /path/to/ldapsearch
	      Program to be used to read the directory; only used in the CRL
	      revocation program.
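
       A linter for the rule stated in the SCEPD and LDAP sections that none
       of these variables has a default, as an added example (not part of
       OpenSCEP or of this man page).  The section names scepd and ldap, the
       allowance for an empty crlusers list, and every value in the sample are
       assumptions made for illustration.

```python
import re
# Keys documented in this man page; none has a default, so each must be set.
# Assumption: the sections are named "scepd" and "ldap" (the page does not say).
REQUIRED = {
    "scepd": ("name cacert cakey crl grantcmd automatic debug logfile "
              "openssl crlusers crlpublic").split(),
    "ldap": "ldaphost ldapport ldapbase binddn bindpw ldapmodify ldapsearch".split(),
}
BOOLEANS = {"automatic", "debug", "crlpublic"}
PATHS = set("cacert cakey crl grantcmd logfile openssl ldapmodify ldapsearch".split())

def parse(text):  # handles [ section ] headers, key = value lines, '#' comments
    conf, section = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            section = header.group(1)
        elif "=" in line:
            key, _, value = line.partition("=")
            conf.setdefault(section, {})[key.strip()] = value.strip()
    return conf

def lint(text):  # one finding per key that is absent, blank or malformed
    conf, findings = parse(text), []
    for section, keys in REQUIRED.items():
        for key in keys:
            value = conf.get(section, {}).get(key)
            if value is None:
                findings.append(f"{section}.{key}: missing")
            elif value == "" and key != "crlusers":  # assumption: empty list allowed
                findings.append(f"{section}.{key}: empty")
            elif key in BOOLEANS and value not in ("true", "false"):
                findings.append(f"{section}.{key}: not true/false")
            elif key in PATHS and not value.startswith("/"):
                findings.append(f"{section}.{key}: not an absolute path")
    return findings

# Constructed sample (all names, hosts and paths invented for the example).
SAMPLE = "\n".join([
    "[ scepd ]", "name = ExampleCA", "cacert =", "cakey = /usr/local/etc/openscep/cakey.pem",
    "crl = /usr/local/etc/openscep/crl.pem", "grantcmd = /usr/local/sbin/scepgrant",
    "automatic = false", "debug = yes", "logfile = /var/log/scepd.log", "openssl = openssl",
    "crlusers = alice bob", "[ ldap ]", "ldaphost = ldap.example.test", "ldapport = 389",
    "ldapbase = o=example", "binddn = cn=scep,o=example", "bindpw = constructed-secret",
    "ldapmodify = /usr/local/bin/ldapmodify",
])

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

       The check is syntactic only.  Since cakey points at an unencrypted key
       and bindpw is stored in this file, their file permissions need a
       separate review.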

SEE ALSO
       The  OpenSCEP distribution comes with an example openscep.cnf file that
       one can use as a starting point when setting up a CA.

VERSION
       This page documents openscep.cnf as it  appears	in  version  0.4.2  of
       OpenSCEP.

AUTHOR
       Andreas F. Mueller <andreas.mueller@othello.ch>

OpenSCEP			   02/19/16		       openscep.cnf(8)