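---
# Example relic configuration. Indentation is two spaces per level; every value
# that could be mistaken for a number by a YAML parser (serials, PINs, CKA_IDs
# with leading zeros) is quoted so it is always read as a string.

# Tokens on which signing keys can be found. Each configured key refers to a token by name.
tokens:

  # Use a PKCS#11 library as a token
  mytoken:
    # Full path to provider library
    provider: /usr/lib64/softhsm/libsofthsm.so

    # Optional selectors to pick a token from those the provider offers.
    # 'serial' is quoted: an all-digit serial would otherwise be parsed as an integer.
    label: alpha
    serial: "99999"

    # PIN is optional for command-line use, but required for servers. See also 'pinfile'.
    # Anyone who can read this file can use the token with this PIN, so keep the
    # file's permissions restrictive or move the PIN to the 'pinfile' described below.
    pin: "123456"
    #pin: ""  # blank PIN, without prompting

    # If true, try to save the PIN in the system keyring (command-line only)
    #usekeyring: false

    # Optional login user. Useful values:
    #   0 - CKU_SO
    #   1 - CKU_USER (default)
    #   2 - CKU_CONTEXT_SPECIFIC, SafeNet: CKU_AUDIT
    #   0x80000001 - SafeNet: CKU_LIMITED_USER
    #user: 1

    # Optional parameters for server mode
    #timeout: 60  # Terminate each attempt after N seconds (default: 60)
    #retries: 5   # Retry failed commands N times (default: 5)

  # Use GnuPG scdaemon as a token
  myscd:
    type: scdaemon
    # Optionally specify the scdaemon socket path. If not provided then the
    # default will be used.
    provider: /run/myscd/S.scdaemon

    # Optional serial number of the expected card.
    serial: D99999999999999999999

    # PIN is optional for command-line use, but required for servers. See also 'pinfile'.
    pin: "123456"

  # Use private key files as a "token". The path to the key is specified in the key section(s)
  file:
    type: file
    # If the private key is protected with a password, specify it here.
    # The same file-permission caveat as for token PINs applies.
    pin: password

# Keys that can be used for signing
keys:

  my_token_key:
    # Which token, defined above, to find the key on
    token: mytoken

    # Optional selectors to pick a key from those in the token
    # CKA_LABEL:
    label: "label"
    # CKA_ID, quoted: an unquoted 00112233 would be parsed as an octal integer
    id: "00112233"

    # Path to a PGP certificate, if PGP signing is desired. Can be ascii-armored or binary.
    pgpcertificate: ./keys/rsa1.pub

    # Path to a X509 certificate, if X509 signing is desired. Can be PEM, DER,
    # or PKCS#7 (p7b) format, with optional certificate chain.
    x509certificate: ./keys/rsa1.cer

    # true if a RFC 3161 timestamp should be attached, see 'timestamp' below
    timestamp: false

    # Clients with any of these roles can utilize this key
    roles: ['somegroup']

  my_scd_key:
    token: myscd
    # Specify which key to use. For OpenPGP cards this will be either OPENPGP.1 or OPENPGP.3.
    id: OPENPGP.1

    # The remaining options are the same as above
    pgpcertificate: ./keys/rsa1.pub
    x509certificate: ./keys/rsa1.cer
    timestamp: false
    roles: ['somegroup']

  my_file_key:
    token: file
    # Path to the private key file. The password is specified in the token configuration above.
    keyfile: ./keys/rsa1.key

    # The remaining options are the same as above
    pgpcertificate: ./keys/rsa1.pub
    x509certificate: ./keys/rsa1.cer
    timestamp: false
    roles: ['somegroup']

  aliased_key:
    # When alias is set, this key name becomes an alias for the other key.
    # Aliases cannot override any parameters of the key, including roles.
    alias: my_token_key

# Server-specific configuration
server:
  # What port to listen on. Defaults to :6300.
  # Socket activation via systemd is also supported, in which case this is ignored.
  listen: ":6300"

  # Listen for non-secure connections. This is only useful for health checks,
  # since every other endpoint requires a client certificate. Defaults to none.
  # Leave it unset unless a health checker needs it, and keep it off public interfaces.
  listenhttp: ":6301"

  # Private key for server TLS. PEM format, RSA or ECDSA
  keyfile: /etc/relic/server/server.key

  # X.509 certificate for server TLS. PEM format. If a cert chain is needed it
  # should follow the main cert.
  # NOTE(review): this points at the same file as 'keyfile'; that only works if
  # that file is a combined PEM holding both key and certificate — otherwise
  # set it to the certificate file.
  certfile: /etc/relic/server/server.key

  # Optional logfile for server errors. If not set, then standard error is used
  logfile: /var/log/relic/server.log

  # How many worker subprocesses to spawn per token. Usually only 1 is required.
  #numworkers: 1

  # Set the frequency and tolerance of token health checks
  #tokencheckinterval: 60  # ping the token every N seconds
  #tokenchecktimeout: 30   # fail a ping if it is stuck for N seconds
  #tokencheckfailures: 3   # the server will report "not healthy" after N failed pings

  # Optional list of URLs that are part of a cluster of servers
  #siblings:
  #  - https://relic1:6300
  #  - https://relic2:6300

# Instead of including token PINs in this file, you can specify an alternate
# "pin file" which is a YAML file holding key-value pairs where the key is the
# name of the token and the value is the PIN. Keeping PINs there lets this file
# be readable more widely than the secrets it would otherwise contain.
#pinfile: /etc/relic/pin.yaml

# Configure trusted timestamping servers, used by keys that have timestamping
# enabled when using a signature type that supports it.
timestamp:
  # RFC 3161 timestamp server(s). If more than one is provided then they will
  # be tried in the order given until one succeeds.
  urls:
    - http://mytimestamp.server/rfc3161

  # Non-RFC3161 timestamp server(s), used for appmanifest only
  msurls:
    - http://mytimestamp.server

  # Optional timeout for each timestamp request
  timeout: 60

  # Optional alternate CA certificate file for contacting timestamp servers
  #cacert: /etc/pki/tls/mychain.pem

  # Optional memcache servers for memoizing timestamp requests
  #memcache:
  #  - 127.0.0.1:11211

  # Optional rate limit for timestamp requests
  #ratelimit: 1  # requests per second
  #rateburst: 10 # burst capacity

# AMQP broker used to submit audit logs
amqp:
  # Optional audit logging to an AMQP broker. The credentials shown are the
  # example defaults; use a dedicated account for the audit publisher.
  #url: amqp://guest:guest@127.0.0.1:5672

  # Optional TLS parameters
  #cacert:
  #keyfile:
  #certfile:

  # "fanout" type exchange to send audit messages to, default relic.signatures
  #sigsXchg: relic.signatures

# Authentication to the server is via client certificate. Certificates are
# identified by their fingerprint. Fingerprints can be obtained by using the
# "relic remote register" command on the client to generate the key, or by
# checking the server error log after attempting to connect.
# Fingerprints are quoted so a hex string that happens to look numeric is still
# read as a string key.
clients:
  "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
    # Display name for this client
    nickname: myuser
    # List of roles this user possesses. Must contain at least one of the roles
    # on a key for the user to access that key.
    roles: ['somegroup']

  # Alternately, clients can be authenticated using one or more CA
  # certificates. The CA that the client matches determines the roles they have
  # access to, and the subject DN of the leaf certificate is logged. This can
  # be used to delegate access to a short-lived build process.
  #my_root_ca:
  #  nickname: my_root_ca
  #  certificate: |
  #    -----BEGIN CERTIFICATE-----
  #    asdfasdfasdf
  #    -----END CERTIFICATE-----
  #  roles: ['somegroup']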