The ca.cfg file consists of CA stanzas. The CA stanzas contain public CA information used by the Certificate Authentication Services for generating certificate requests and certificate revocation requests.
For every CA stanza in the ca.cfg file, the acct.cfg file should contain an equivalently named CA stanza. Each CA stanza name in the ca.cfg file must be unique. At least one stanza named local must exist. No stanza should be named ldap or default.
/*
 * Multiple components of the PKI implementation use this file for configuration
 * information.
 *
 * algorithm    Defines the encryption algorithm used for CMP requests.
 *              Supported values are RSA and DSA. The default is RSA.
 *
 * crl          Specifies the CA's root certificate file.
 *
 * dn           Defines the default Distinguished Name value for newly
 *              created certificates. (Optional) Example:
 *              dn = "c=US, o=ZZZ Corp., ou=Sales OEM, sp=Texas, l=Austin"
 *
 * keysize      Defines the minimum number of bits required when generating
 *              an encryption/signing key. The default is 1024.
 *
 * program      Specifies the PKI service module file name.
 *              (Required)
 *
 * retries      Defines the number of retry attempts when contacting a CA.
 *              The default is 5.
 *
 * server       Defines the URL address of the CA server. Example:
 *              "cmp://9.53.149.39:1077".
 *
 * signinghash  Specifies the hash algorithm used to verify keys and to
 *              perform trusted certificate signing when validating users.
 *              Supported values are MD2, MD5, and SHA1. The default is MD5.
 *
 * trustedkey   Defines the keystore location containing the system-wide
 *              trusted signing key used to sign/verify user certificates.
 *
 * url          Defines the default subject alternate name URI value to be
 *              added to new certificates.
 */

local:
        program = /usr/lib/security/pki/JSML
        trustedkey = file:/usr/lib/security/pki/trusted.p15
        server = "cmp://9.53.149.39:1077"
        crl = ldap://9.53.149.39/o=XYZ, c=us
        dn = "c=US, o=XYZ"
        url = "http://www.ibm.com/"
        algorithm = RSA
        keysize = 512
        retries = 5
        signinghash = MD5
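The stanza rules stated above (unique names, a mandatory local stanza, no stanza named ldap or default, a matching stanza in acct.cfg) and the attribute defaults in the sample file lend themselves to an offline consistency check. The following is an added example, not code from the original documentation or from the AIX PKI tooling. Its parser is an assumption based on the layout shown on this page (C-style comments, a `name:` line opening a stanza, indented `key = value` lines), the sample file contents are constructed to mirror the stanza above, and the acct.cfg attribute name is a placeholder rather than a documented key. It also flags two settings a reviewer would want raised: a keysize below the documented 1024-bit default, and MD2/MD5 as signinghash, both of which are supported by the format but no longer collision resistant.

```python
"""Parse an AIX-style ca.cfg and check it against its acct.cfg.

Added example; the parser is an assumption derived from the documented
file layout, not the AIX implementation.
"""
import re

RESERVED_NAMES = {"ldap", "default"}   # names the documentation forbids for stanzas
REQUIRED_ATTRS = {"program"}           # the only attribute documented as Required
DEFAULT_KEYSIZE = 1024                 # documented default minimum key size
WEAK_HASHES = {"MD2", "MD5"}           # supported values that are no longer collision resistant

COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)   # /* ... */ block comments
STANZA_RE = re.compile(r"^(\S+):\s*$")             # e.g. "local:"
ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")  # e.g. "keysize = 512"

# Constructed sample ca.cfg mirroring the documented layout (not a real system file).
SAMPLE_CA_CFG = """\
/*
 * Constructed sample; this comment block is stripped by the parser.
 */
local:
        program = /usr/lib/security/pki/JSML
        trustedkey = file:/usr/lib/security/pki/trusted.p15
        server = "cmp://9.53.149.39:1077"
        crl = ldap://9.53.149.39/o=XYZ, c=us
        dn = "c=US, o=XYZ"
        url = "http://www.ibm.com/"
        algorithm = RSA
        keysize = 512
        retries = 5
        signinghash = MD5
"""

# Constructed acct.cfg: only the stanza name matters for the check;
# the attribute name below is a placeholder, not a documented acct.cfg key.
SAMPLE_ACCT_CFG = """\
local:
        placeholder_attr = placeholder_value
"""


def parse_stanzas(text):
    """Return a list of (name, attrs) tuples in file order; duplicates are kept."""
    stanzas = []
    current = None
    for raw in COMMENT_RE.sub("", text).splitlines():
        if not raw.strip():
            continue
        m = STANZA_RE.match(raw)
        if m:
            current = (m.group(1), {})
            stanzas.append(current)
            continue
        m = ATTR_RE.match(raw)
        if m is None or current is None:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # strip surrounding double quotes
        current[1][key] = value
    return stanzas


def check_ca_cfg(ca_text, acct_text):
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []
    ca_stanzas = parse_stanzas(ca_text)
    acct_names = {name for name, _ in parse_stanzas(acct_text)}

    # Structural rules from the documentation.
    seen = set()
    for name, _ in ca_stanzas:
        if name in seen:
            findings.append(f"duplicate CA stanza '{name}'")
        seen.add(name)
    if "local" not in seen:
        findings.append("no stanza named 'local'")
    for name in sorted(seen & RESERVED_NAMES):
        findings.append(f"stanza name '{name}' is reserved")

    # Per-stanza attribute checks; absent attributes take the documented defaults.
    for name, attrs in ca_stanzas:
        if name not in acct_names:
            findings.append(f"acct.cfg has no stanza named '{name}'")
        for attr in sorted(REQUIRED_ATTRS - set(attrs)):
            findings.append(f"{name}: required attribute '{attr}' missing")
        if attrs.get("algorithm", "RSA") not in {"RSA", "DSA"}:
            findings.append(f"{name}: unsupported algorithm {attrs['algorithm']}")
        keysize = attrs.get("keysize", str(DEFAULT_KEYSIZE))
        if not keysize.isdigit() or int(keysize) < DEFAULT_KEYSIZE:
            findings.append(f"{name}: keysize {keysize} is below the {DEFAULT_KEYSIZE}-bit default")
        signinghash = attrs.get("signinghash", "MD5")
        if signinghash in WEAK_HASHES:
            findings.append(f"{name}: signinghash {signinghash} is not collision resistant; prefer SHA1")
        server = attrs.get("server", "")
        if server and not server.startswith("cmp://"):
            findings.append(f"{name}: server '{server}' is not a cmp:// URL")
    return findings


if __name__ == "__main__":
    for finding in check_ca_cfg(SAMPLE_CA_CFG, SAMPLE_ACCT_CFG):
        print(finding)
```

Run against the constructed sample, the checker reports exactly the two settings worth revisiting in the stanza shown above: keysize 512 (below the 1024-bit default) and signinghash MD5. Raising keysize to at least 1024 and setting signinghash to SHA1 yields an empty findings list. Missing attributes are evaluated at their documented defaults, so a stanza with no signinghash line is still flagged, because the default is MD5.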
/usr/lib/security/pki/ca.cfg