etoken-ca

NAME

etoken-ca - eToken-based CA sysconfig configuration file

DESCRIPTION

The etoken-ca package provides full privilege separation between the myproxy server and the pincode that unlocks the eToken holding the CA's private key. It consists of a client, invoked by the myproxy-server and running as the MYPROXY_USER user, and a daemon, running as root, which holds the pincode in memory and signs the certificates as a third user, CA_USER.

The behaviour of the client and the server, as well as of the revoke-cert command-line tool, is configured through the variables defined in the /etc/sysconfig/etoken-ca file.

VARIABLES

DN_FORMAT

Subject DN printf format string. It must contain exactly one %s, which is replaced by the username. For end-entity certificates it should be the complete DN; for proxy certificates it should be only the part added to the signer's subject DN, i.e. the extra /CN= RDN.

CA_OIDS

Comma-separated list of policy OIDs to be inserted in issued certificates.

CA_ID

Identifier for this specific CA instance, for example the fully qualified hostname of the delegation server. The value is passed as the second argument to the NOTIFIER_HOOK.

SERIAL_PERIOD

For a high-availability setup, serial numbers of the form SERIAL_PERIOD * n + SERIAL_OFFSET can be used, each instance getting its own offset so that their serial numbers never collide. For a single instance use period 1 and offset 0. Default 1. See also SERIAL_OFFSET.

SERIAL_OFFSET

For a high-availability setup, serial numbers of the form SERIAL_PERIOD * n + SERIAL_OFFSET can be used, each instance getting its own offset so that their serial numbers never collide. The value is passed as the third argument to the NOTIFIER_HOOK. For a single instance use period 1 and offset 0. Default 0. See also SERIAL_PERIOD and NOTIFIER_HOOK.

MAX_LIFETIME

Maximum lifetime of issued certificates. The actual lifetime is the minimum of this value and the requested lifetime. May be suffixed with d for days or h for hours. Default 11d.

CRL_DAYS

CRL validity period in days, i.e. the time from issuing until nextUpdate. Default 30.

CRL_URLS

CRL Distribution Points to be put in issued certificates. Each entry should be prefixed with URI:, with entries separated by commas.

CA_DIR

CA directory, must be owned by CA_USER. Default /var/lib/myproxyca.

CA_CONFIG

OpenSSL CA configuration file. Default /var/lib/myproxyca/myproxy-openssl.cnf.

USB_DEVICE

Vendor:Product string for the eToken, e.g. 1234:5678.

KEY

Slot and key ID for the private key, colon-separated. The key ID is optional but should be given when multiple keys are present on the same eToken. Default 0: (slot 0, no key ID).

MAX_PIN_TRIES

Maximum number of attempts at entering the pincode before the server stops. Default 5.

PIN_TERMINAL

Virtual terminal to read the pincode from. Default 8.

LOG_FILE

Logfile for the etoken-ca-server. Default /var/log/myproxy/etoken-ca.log.

DEBUG

Whether to log debug messages or not. Default 0.

NOTIFIER_HOOK

When set, it should point to an executable (script) that is run when the eToken is removed. The executable must not be writable by any user other than root. It is passed three arguments: the PID of the etoken-ca-server, the value of CA_ID and the value of SERIAL_OFFSET. See also NOTIFIER_USER, CA_ID and SERIAL_OFFSET.

NOTIFIER_USER

Account under which the notifier hook is run. Note that, independent of this variable, the hook may only be writable by root. Default nobody.

POST_CRL_HOOK

When set, it should point to an executable (script) that is run after a new CRL has been created successfully. The executable must not be writable by any user other than root. See also POST_CRL_USER.

POST_CRL_USER

Account under which the post-CRL hook is run. Note that, independent of this variable, the hook may only be writable by root. Default root.

REQUEST_TIMEOUT

When creating the request link, which is essentially a lockfile, the etoken-ca-client keeps trying for this number of seconds before giving up. With many simultaneous requests on the myproxy-server this timeout may need to be increased. Default 20.

CERT_TIMEOUT

After creating the symlink, the etoken-ca-client waits this number of seconds for the certificate to appear. With many simultaneous requests on the myproxy-server this timeout may need to be increased. Default 10.

MYPROXY_USER

Account under which the myproxy-server process runs. Default myproxy.

CA_USER

Account used for running the OpenSSL command-line tools, i.e. the owner of the OpenSSL CA files in /var/lib/myproxyca and the user that signs the certificates. Should be different from MYPROXY_USER. Default causer.
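As an added example, not code from the etoken-ca package: a POSIX shell script that sources a sysconfig file and checks the constraints listed above (exactly one %s in DN_FORMAT, the d/h suffix on MAX_LIFETIME, root-owned hooks that no other user can write, CA_USER distinct from MYPROXY_USER, URI: prefixes in CRL_URLS), plus a helper for the SERIAL_PERIOD/SERIAL_OFFSET scheme. The function names, the use of GNU stat(1) and the sample configuration written by demo_config are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the etoken-ca package: check a sysconfig file
# against the constraints stated in etoken-ca(5). Function names and the
# sample configuration produced by demo_config are made up for this example.

# MAX_LIFETIME value such as "11d" or "36h" -> hours. A bare number is
# rejected here because the page does not state its unit (assumption).
lifetime_hours() {   # value
  num=${1%[dh]}
  case "$num" in ''|*[!0-9]*) return 1 ;; esac
  case "$1" in
    *d) echo $(( num * 24 )) ;;
    *h) echo "$num" ;;
    *)  return 1 ;;
  esac
}

# Effective lifetime: the minimum of MAX_LIFETIME and the requested lifetime.
effective_lifetime_hours() {   # max requested
  max=$(lifetime_hours "$1") || return 1
  req=$(lifetime_hours "$2") || return 1
  if [ "$req" -lt "$max" ]; then echo "$req"; else echo "$max"; fi
}

# HA serial scheme: a serial belongs to this instance iff it can be written
# as SERIAL_PERIOD * n + SERIAL_OFFSET for some n >= 0.
serial_matches_instance() {   # serial period offset
  [ "$1" -ge "$3" ] && [ $(( ($1 - $3) % $2 )) -eq 0 ]
}

# DN_FORMAT must contain exactly one %s.
dn_format_ok() {   # format
  n=$(( $(printf '%s' "$1" | grep -o '%s' | wc -l) ))
  [ "$n" -eq 1 ]
}

# Hook executables (NOTIFIER_HOOK, POST_CRL_HOOK) must be owned by root and
# not writable by group or others. Uses GNU stat(1), i.e. assumes Linux.
hook_ok() {   # path
  [ -f "$1" ] || return 1
  uid=$(stat -c %u "$1") && perm=$(stat -c %a "$1") || return 1
  [ "$uid" -eq 0 ] || return 1
  other=${perm#"${perm%?}"}      # last octal digit
  rest=${perm%?}
  group=${rest#"${rest%?}"}      # second-to-last octal digit
  [ $(( group & 2 )) -eq 0 ] && [ $(( other & 2 )) -eq 0 ]
}

# Source a sysconfig file (it is shell syntax, as the real tools treat it)
# and report every violated constraint; the return value is the count.
check_config() {   # path
  case "$1" in */*) f=$1 ;; *) f=./$1 ;; esac
  . "$f"
  bad=0
  dn_format_ok "${DN_FORMAT:-}" ||
    { echo "DN_FORMAT must contain exactly one %s"; bad=$((bad + 1)); }
  lifetime_hours "${MAX_LIFETIME:-11d}" >/dev/null ||
    { echo "MAX_LIFETIME: expected <n>d or <n>h"; bad=$((bad + 1)); }
  [ "${CA_USER:-causer}" != "${MYPROXY_USER:-myproxy}" ] ||
    { echo "CA_USER must differ from MYPROXY_USER"; bad=$((bad + 1)); }
  for h in "${NOTIFIER_HOOK:-}" "${POST_CRL_HOOK:-}"; do
    [ -z "$h" ] || hook_ok "$h" ||
      { echo "$h: must be root-owned and not group/other-writable"; bad=$((bad + 1)); }
  done
  oldifs=$IFS; IFS=,
  for u in ${CRL_URLS:-}; do
    case "$u" in URI:*) ;; *) echo "CRL_URLS entry '$u' lacks URI: prefix"; bad=$((bad + 1)) ;; esac
  done
  IFS=$oldifs
  return "$bad"
}

# Constructed sample with three deliberate faults: DN_FORMAT without %s,
# a world-writable hook, and a CRL URL without the URI: prefix.
demo_config() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\nexit 0\n' > "$dir/hook.sh"
  chmod 777 "$dir/hook.sh"
  cat > "$dir/etoken-ca" <<EOF
DN_FORMAT="/DC=org/DC=example/CN="
MAX_LIFETIME=11d
SERIAL_PERIOD=1
SERIAL_OFFSET=0
CA_USER=causer
MYPROXY_USER=myproxy
CRL_URLS="URI:http://ca.example.org/ca.crl,http://ca.example.org/ca2.crl"
NOTIFIER_HOOK=$dir/hook.sh
EOF
  echo "$dir/etoken-ca"
}

if [ $# -gt 0 ]; then check_config "$1"; exit $?; fi
```

Run it as `sh check-etoken-ca.sh /etc/sysconfig/etoken-ca`; the exit status is the number of violated constraints. The file is sourced as shell, exactly as the package's own tools read it, so point the check only at a file you trust. `demo_config` writes a constructed configuration with three deliberate faults to a temporary directory so the checks can be exercised without an installation.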

The remaining options should normally not need any changing.

PID_FILE

Pid file for the etoken-ca-server, should normally not need changing. Default /var/run/etoken-ca.pid.

LOCK_FILE

Lock file for the etoken-ca-server, should normally not need changing. Default /var/lock/subsys/etoken-ca.

REQUEST_DIR

Directory used for exchanging requests and certificates between the etoken-ca-client and etoken-ca-server, should normally not need changing. Default /var/cache/etoken-ca/request.

REVOCATION_DIR

Directory used by revoke-cert for informing the etoken-ca-server of certificates which are to-be-revoked, should normally not need changing. Default /var/cache/etoken-ca/revocation.

REQ_LINK

Name of the symlink/lockfile created by the etoken-ca-client and read and removed by the etoken-ca-server, should normally not need changing. Default ${REQUEST_DIR}/request.csr.

CERT_SUFFIX

Suffix appended to the request filename (the target of the REQ_LINK symlink) to form the name of the output certificate symlink created by the server, should normally not need changing. Default .crt.
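The symlink hand-off described under REQUEST_TIMEOUT and CERT_TIMEOUT, using the REQ_LINK and CERT_SUFFIX names from this section, modelled in POSIX shell with both the client side and the server side in one script. This is an added illustration, not code from the etoken-ca package; the function names, the stand-in signing step and the temporary directories are assumptions.

```shell
#!/bin/sh
# Added example (not etoken-ca's own code): a model of the request/certificate
# hand-off between etoken-ca-client and etoken-ca-server. The client creates
# REQ_LINK, a symlink to its CSR, as a lockfile; the server reads and removes
# the link and publishes a symlink "<csr>$CERT_SUFFIX" to the issued
# certificate. Function names, the stand-in signer and the temporary
# directories are assumptions made for this example.

REQUEST_DIR=${REQUEST_DIR:-$(mktemp -d)}
CA_DIR=${CA_DIR:-$(mktemp -d)}
REQ_LINK=${REQ_LINK:-$REQUEST_DIR/request.csr}
CERT_SUFFIX=${CERT_SUFFIX:-.crt}
REQUEST_TIMEOUT=${REQUEST_TIMEOUT:-20}
CERT_TIMEOUT=${CERT_TIMEOUT:-10}

# Client: claim the single request slot. symlink(2) fails with EEXIST when
# REQ_LINK already exists, so creation is atomic and only one client holds it;
# the others retry once a second for up to REQUEST_TIMEOUT seconds.
claim_request_slot() {   # csr-path
  t=0
  until ln -s "$1" "$REQ_LINK" 2>/dev/null; do
    t=$((t + 1))
    [ "$t" -lt "$REQUEST_TIMEOUT" ] || return 1
    sleep 1
  done
}

# Client: poll for "<csr>$CERT_SUFFIX" for up to CERT_TIMEOUT seconds and
# print its path.
wait_for_certificate() {   # csr-path
  t=0
  until [ -e "$1$CERT_SUFFIX" ]; do
    t=$((t + 1))
    [ "$t" -lt "$CERT_TIMEOUT" ] || return 1
    sleep 1
  done
  echo "$1$CERT_SUFFIX"
}

# Stand-in for the signing step (the real server runs the OpenSSL CA tools as
# CA_USER with the eToken key); it only wraps the CSR's basename.
fake_sign() {   # csr-path
  printf '%s\n%s\n%s\n' '-----BEGIN FAKE CERTIFICATE-----' \
    "issued for request $(basename "$1")" '-----END FAKE CERTIFICATE-----'
}

# Server: consume one pending request. The link is removed before signing so
# the slot frees up immediately. In this model the request path must lie
# inside REQUEST_DIR, so a client cannot point the server at another file.
serve_one_request() {
  [ -L "$REQ_LINK" ] || return 1
  csr=$(readlink "$REQ_LINK")
  rm -f "$REQ_LINK"
  case "$csr" in "$REQUEST_DIR"/*) ;; *) return 1 ;; esac
  [ -f "$csr" ] || return 1
  cert="$CA_DIR/$(basename "$csr")$CERT_SUFFIX"
  fake_sign "$csr" > "$cert" || return 1
  ln -s "$cert" "$csr$CERT_SUFFIX"
}

# Whole exchange in one process: client claims, server serves, client collects.
demo_exchange() {
  csr=$REQUEST_DIR/demo.csr
  echo 'constructed CSR placeholder' > "$csr"
  claim_request_slot "$csr" || return 1
  serve_one_request || return 1
  cert=$(wait_for_certificate "$csr") || return 1
  cat "$cert"
}

if [ "${1:-}" = demo ]; then demo_exchange; fi
```

Run `sh exchange.sh demo` for one full round trip. Because symlink creation fails when the link already exists, REQ_LINK doubles as the lock the page describes: a second client cannot overwrite a pending request, and the server frees the slot by removing the link before it signs, which is why a busy myproxy-server may need larger REQUEST_TIMEOUT and CERT_TIMEOUT values.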

BUGS

Please report any errors to the Nikhef Grid Middleware Security Team <grid-mw-security-support@nikhef.nl>.

SEE ALSO

etoken-ca-client(1), etoken-ca-server(8), revoke-cert(8), myproxy-server.config(5), ca(1ssl)

AUTHORS

Written by Mischa Sallé

COPYRIGHT

Copyright © 2016- FOM-Nikhef