NAME

kx509 - LCFG Component to manage the KCA Kerberos->X509 certification agency

SYNOPSIS

kx509 METHOD [ARGS]

DESCRIPTION

An LCFG component that is used to configure the kx509 certification agency (or KCA).

Managing the KCA service is a complicated process that cannot be simply automated within the LCFG system. This component automates day-to-day management functions, but installation of new instances of the service is likely to require manual intervention, as described elsewhere.

METHODS

The non-standard component methods are described below.

createcsr

Create a key pair and a certificate signing request (CSR) for this service. Submit the signing request to a certification authority to obtain a certificate for the service. Note that the issuing authority _must_ sign this request as a CA certificate (one whose Basic Constraints extension is marked CA:TRUE): the KCA will itself use the certificate to issue certificates to users, and relying parties will reject certificates whose issuer is an end-entity certificate. Check the returned certificate for that extension before installing it.

selfsign

Turn the request generated by the createcsr method into a self-signed certificate, for testing purposes only. A self-signed KCA certificate is not trusted by any relying party until it has been explicitly installed as a trust anchor.

RESOURCES

The non-standard component resources are described below.

SERVICE CONFIGURATION

increment

The amount by which to increment the CA serial number with each request. In an environment with a single KCA this can be one. If there are multiple CAs sharing a common certificate it must be larger than the number of CAs, in order to preserve the uniqueness of the serial number across the CAs. X.509 requires that every serial number be unique for a given issuer, and revocation lists identify certificates by serial number, so duplicates across the cluster make revocation ambiguous.

startserial

The number at which the CA's serial numbers start. In a cluster of multiple CAs each CA must have a unique value for this resource, and no two values may differ by a multiple of increment; otherwise two CAs will eventually issue the same serial number.
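The interaction between increment and startserial is easy to get wrong in a cluster. The following Python script is an added illustration, not code from the LCFG component or the KCA; it models each CA as issuing startserial, startserial + increment, startserial + 2 * increment, ... (the allocation the two resources describe) and reports configurations under which two CAs would eventually issue the same serial number. The function names are this example's own.

```python
"""Check that a cluster of KCAs sharing one CA certificate can never issue
two certificates with the same serial number.

Added illustration, not code from the kx509 component or the KCA.  It models
the scheme described by the `startserial` and `increment` resources: each CA
issues startserial, startserial + increment, startserial + 2*increment, ...
Function and variable names are this example's own.
"""
from itertools import combinations


def issued_serials(startserial, increment, count):
    """Serials a CA hands out for its first `count` certificates."""
    return [startserial + increment * i for i in range(count)]


def check_cluster(startserials, increment):
    """Return a list of problems with the configuration (empty if safe).

    Two CAs eventually collide exactly when their start values are congruent
    modulo the increment: a + i*inc == b + j*inc has a solution in
    non-negative i, j iff (a - b) % inc == 0.  Every CA therefore needs its
    own residue class, so the increment must cover the number of CAs.
    """
    problems = []
    if increment < 1:
        problems.append("increment must be positive")
        return problems
    if len(startserials) > increment:
        problems.append(
            f"increment {increment} is smaller than the number of CAs "
            f"({len(startserials)}); some pair of CAs must collide")
    for a, b in combinations(startserials, 2):
        if a == b:
            problems.append(f"two CAs share startserial {a}")
        elif (a - b) % increment == 0:
            # The CA with the smaller start reaches the other CA's first
            # serial after (|a - b| / increment) certificates.
            problems.append(
                f"startserial {a} and {b} differ by a multiple of "
                f"{increment}; serial {max(a, b)} will be issued by both")
    return problems


def first_collision(startserials, increment, horizon=1000):
    """Brute-force cross-check of check_cluster: the smallest serial that
    more than one CA issues within its first `horizon` certificates, or
    None if there is no such serial."""
    sets = [set(issued_serials(s, increment, horizon)) for s in startserials]
    shared = set()
    for a, b in combinations(sets, 2):
        shared |= a & b
    return min(shared) if shared else None


if __name__ == "__main__":
    # Constructed sample clusters: one safe, one that collides on serial 3.
    for starts, inc in (([1, 2, 3], 3), ([1, 3], 2)):
        print(f"startserial={starts} increment={inc}:",
              check_cluster(starts, inc) or "ok",
              "first collision:", first_collision(starts, inc))
```

Run the check against the planned startserial and increment values before bringing up a second KCA; the brute-force cross-check only explores a finite horizon, whereas check_cluster reasons about the whole arithmetic progression.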

ldap_hosts

Space-separated list of LDAP servers to contact to resolve the user's Kerberos principal into a system identity. Note that the connection used is not secured in any way (no TLS, no integrity protection), so anyone able to intercept it could alter the identity mapping or the group membership on which ldap_group relies; localhost is recommended here.

ldap_binddn

DN with which to bind to the LDAP service in order to resolve the user's identity. Leave blank for an anonymous bind.

ldap_basedn

Base DN at which to start the search for the user's identity.

ldap_group

Name of a group to which the user must belong in order to be granted certificates by the service.

CERTIFICATE CONFIGURATION

These resources control the certificate that the KCA uses to sign incoming requests. Changing these resources will not affect a running service: the existing certificate must be destroyed and regenerated for the changes to take effect.

Please read the accompanying documentation on managing a kx509 KCA service before experimenting with these resources.

x509_country
x509_state
x509_locality
x509_organization
x509_ou
x509_cn

The above resources control the corresponding components of the Distinguished Name in the server's X.509 certificate.

FILES

/var/kca/kca.cnf
/var/kca/conf/kca.crt
/var/kca/conf/kca.csr
/var/kca/conf/kca.key
/var/kca/serial

PLATFORMS

Redhat7, Redhat9

SEE ALSO

kca

AUTHOR

Simon Wilkinson <simon@sxw.org.uk>