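#
# sscep.conf -- configuration file for SSCEP
#
# All configuration options are key-value pairs, grouped into sections:
#
#   [section]
#   Key = Value
#
# Quotation marks are optional - they are needed only if the value contains
# space characters (space or tab). Quotation marks inside the value string
# must be escaped using a backslash:
#
#   Key = "Value \"containing quotation marks\""
#
# Comment lines (lines starting with '#') and empty lines are discarded.
#
# This file is read by sscep's own parser, not by a generic INI library:
# only '#' starts a comment, comments must be on their own line, and the
# backslash escaping above applies. Do not rely on other INI dialect
# features (inline comments, ';' comments, interpolation).
#
# Security notes for operators:
# - SCEP runs over plain HTTP. Confidentiality and integrity come from the
#   PKCS#7 layer, not from the transport, so the CA certificate obtained
#   with getca MUST be checked against a fingerprint you received
#   out-of-band (see FingerPrint below). Without that check a network
#   attacker can hand you a CA certificate of their choosing.
# - Private key files referenced here (PrivateKeyFile, SignKeyFile) should
#   be readable only by the account that runs sscep.
# - Do not put secrets (e.g. KeyStorePass) into this file unless its
#   permissions restrict it to that same account.

# sscep is the default section. Do not alter its name.
[sscep]

# Reference to an engine definition section (see below).
# Uncomment to use the defined engine instead of the filesystem.
# engine = sscep_engine

# SCEP server URL (HTTP; see the security notes in the header).
#URL = http://localhost/scep
URL = http://pki.secmayl.com/scep

# Use proxy server at host:port. The proxy sees the SCEP HTTP exchange,
# which is acceptable only because the payload is PKCS#7-protected.
#Proxy = localhost:8080

# CA certificate file (written if OPERATION is getca, read otherwise).
#CACertFile = ca.crt
CACertFile = ca.pem

# PKCS#7 encryption algorithm (des|3des|blowfish|aes[128]|aes192|aes256).
# des and blowfish are legacy values; prefer an AES variant.
# Note: SCEP provides no mechanism to "negotiate" algorithms. This value
# only controls how this client encrypts its request; the CA picks the
# algorithm for its reply, so even if you send aes256 the reply might use
# 3des or des. Check the CA's configuration rather than assuming the
# reply matches what was sent.
#EncAlgorithm = 3des
EncAlgorithm = aes256

# PKCS#7 signature algorithm (md5|sha1|sha224|sha256|sha384|sha512).
# md5 and sha1 are weak and should only be used if a legacy CA rejects
# SHA-2 digests.
# SigAlgorithm = sha1
SigAlgorithm = sha256

# Verbose operation (true|false)
Verbose = false

# Debug (even more verbose operation; may print request/response details,
# so leave it off in production)
Debug = false

[sscep_engine]
# Engine definition. It can have any name, as long as the name is referenced
# by the "engine" option in the [sscep] section.
# The parameter engine_id is mandatory.

# Engine ID. The engine will use OpenSSL's engine interface.
# Supported engines are:
#  - Any installed OpenSSL engine (e.g. tpm2tss)
#  - capi (Microsoft CryptoAPI)
#  - dynamic (loaded via dynamic_path)
# engine_id = capi

# If the engine needs to be loaded dynamically, specify the path to the SO
# file here. Paths may be given relative to the sscep binary; be aware
# that a relative path is resolved by whoever runs sscep, so point at a
# location that is not writable by other users.
# Note: On Windows use double backslashes, see example.
# Note: You HAVE to specify this unless you *know* it will be found
# otherwise. On Windows this can lead to problems since OpenSSL is often
# compiled with a Unix search path. In that case this can't be omitted.
# dynamic_path = ..\\capi\\capi.dll

# Some engines require an additional module (take the PKCS#11 interface for
# example). For these engines you can specify an additional module path here.
# Note: On Windows use double backslashes, see "dynamic_path" option.
# MODULE_PATH =

# Special options for engines are defined in their corresponding sections,
# always named [sscep_engine_*] where * is the defined engine id. You can
# see the currently supported special options in each of these sections.
# If a section does not exist, it does not mean the engine is not
# supported; there are just no special options available for it.

[sscep_engine_capi]
# This section defines CryptoAPI specific settings.
# It is only loaded if the [engine] section's engine_id is set to capi;
# otherwise it is ignored.

# Specific CryptoAPI option: set this to whatever location your newly
# generated key will reside in. If certreq created the key, it will be
# in REQUEST.
new_key_location = REQUEST

# Which store should be used for all operations.
# The basic layout is storelocation\storename, e.g.
# LOCAL_MACHINE\MY and LOCAL_MACHINE\REQUEST
# The following options are accepted here:
#  CURRENT_USER  - default option, user store
#  LOCAL_MACHINE - system store
# NOTE(review): LOCAL_MACHINE presumably needs elevated privileges and
# makes the key reachable by every administrator on the host; use
# CURRENT_USER if the key should be bound to a single account. Confirm
# against your CAPI deployment.
storelocation = LOCAL_MACHINE

[sscep_engine_jksengine]
# This section defines JKSEngine specific settings.
# It is only loaded if engine_id is set to "JKSEngine"; otherwise ignored.

# Password of the Java KeyStore (JKSEngine's default is 123456, which is a
# well-known value - change the keystore password and do not commit the
# real one into a world-readable copy of this file).
# See JKSEngine for further documentation.
# KeyStorePass =

# Path of the Java tool (path to ConnJKSEngine)
# JavaConnectorPath =

# Java Cryptography Provider of the used keystore
# KeyStoreProvider =

# Path of the Java Runtime Environment. Normally not necessary.
# JavaPath =

[sscep_getca]
# Options for retrieving CA certificates (operation getca).

# CA certificate file (written if OPERATION is getca)
#CACertFile = ca.crt
CACertFile = ca.pem

# CA identifier string, required by some CAs
#CAIdentifier = "CA Identifier"

# Fingerprint algorithm (md5|sha1|sha224|sha256|sha384|sha512).
# This fingerprint is the trust anchor for everything else in this file:
# compare it with a value obtained from the CA operator out-of-band.
# md5 and sha1 are collision-prone; use sha256 or stronger unless the
# out-of-band reference you were given is only available in a weaker
# digest.
#FingerPrint = md5
FingerPrint = sha256

[sscep_enroll]
# Operation for certificate enrollment (see SCEP documentation for details).

# CA certificate file
#CACertFile = ca.crt
CACertFile = ca.pem

# Private key file (keep readable only by the account running sscep)
#PrivateKeyFile = local.key
PrivateKeyFile = key.pem

# Certificate request file
#CertReqFile = local.csr
CertReqFile = csr.pem

# Signature private key file, use together with SignCertFile
#SignKeyFile = previous.key
SignKeyFile = prev/key.pem

# Signature certificate (used instead of self-signed, e.g. for renewal)
#SignCertFile = previous.crt
SignCertFile = prev/crt.pem

# Write enrolled certificate to file
#LocalCertFile = local.crt
LocalCertFile = crt.pem

# Use a different CA cert for encryption
#EncCertFile = enc.crt

# Write self-signed certificate to file
#SelfSignedFile = selfsigned.crt

# Polling interval for a pending certificate (seconds)
#PollInterval = 60

# Maximum polling time (seconds)
#MaxPollTime = 28800

# Maximum number of GetCertInitial requests
#MaxPollCount = 256

# Resume interrupted enrollment (true|false)
#Resume = true

[sscep_getcert]

# Private key file
#PrivateKeyFile = local.key
PrivateKeyFile = key.pem

# Local certificate file
#LocalCertFile = local.crt
LocalCertFile = crt.pem

# Certificate serial number (decimal)
#GetCertSerial = 1

# Write certificate to file
#GetCertFile = cert.crt
GetCertFile = crt.pem

[sscep_getcrl]

# Private key file
#PrivateKeyFile = local.key
PrivateKeyFile = key.pem

# Local certificate file
#LocalCertFile = local.crt
LocalCertFile = crt.pem

# Write CRL to file
#GetCrlFile = crl.crl
GetCrlFile = crl.pem

[sscep_getnextca]
# Not yet implemented.
#NYI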