sscep.conf

#
# sscep.conf -- configuration file for SSCEP
#
# All configuration options are key-value pairs, grouped into sections:
#
# [section]
# Key = Value
#
# Quotation marks are optional - they are needed only if the value contains
# space characters (space or tab). Quotation marks inside the value string
# must be escaped using a backslash:
#
# Key = "Value \"containing quotation marks\""
#
# Comment lines (lines starting with '#') and empty lines are discarded.
#

# sscep is the default section. Do not alter its name
[sscep]

# Reference to an engine definition section (see below)
# Uncomment to use the defined engine instead of the filesystem.
# engine = sscep_engine

# SCEP server URL
URL = http://localhost/scep
# URL = http://localhost/cgi-bin/pkiclient.exe

# Use proxy server at host:port
# Proxy = localhost:8080

# CA certificate file (write if OPERATION is getca)
# CACertFile = ca.crt

# PKCS#7 encryption algorithm (des|3des|blowfish|aes[128]|aes192|aes256)
# EncAlgorithm = 3des

# PKCS#7 signature algorithm (md5|sha1|sha224|sha256|sha384|sha512)
# SigAlgorithm = sha1

# Note: this could be very misleading, the SCEP standard provides no
# mechanism to "negotiate" the algorithm - even if you send 3des, reply
# might be des.

# Verbose operation (true|false)
Verbose = false

# Debug (even more verbose operation)
Debug = false


[sscep_engine]
# Engine definition. It can have any name, as long as the name is referenced
# by the "engine" option in the [sscep] section.
# The parameter engine_id is mandatory.

# Engine ID. The engine will use the OpenSSL's engine interface.
# Supported engines are:
# - Any installed OpenSSL engine (e.g. tpm2tss)
# - capi (Microsoft CryptoAPI)
# - dynamic (loaded via dynamic_path)
# engine_id = capi

# If the engine needs to be loaded dynamically, specify the path to the SO file here.
# It is possible to provide paths relative to the sscep binary
# Note: On Windows use double slashes, see example
# Note: You HAVE to specify this unless you *know* it will be found otherwise. On
# Windows this can lead to problems since OpenSSL is often compiled with a Unix-
# Search-Path. In this case this can't be omitted at all.
# dynamic_path = ..\\capi\\capi.dll

# Some Engines require an additional module (take PKCS#11 interface for example)
# For these engines you can specify an additional module path here
# Note: On Windows use double slashes, see "dynamic_path" option
# MODULE_PATH = 

# Special Options for engines are defined in their corresponding
# sections, always named [sscep_engine_*] where * is the defined
# engine id. You can see currently supported special options in
# each of these sections. If a section does not exist, it does
# not mean the engine is not supported, there are just no special
# options avaiable for it.

[sscep_engine_capi]
# This section defines CryptoAPI specific settings
# Only if the [engine]-section's engine_id is set to capi, this will be loaded,
# otherwise it will be ignored.

# Specific CryptoAPI option: Set this option to whatever
# location your newly generated key will reside in.
# In case of certreq creating your key, it will be in REQUEST.
new_key_location = REQUEST

# Which store should be used for all operations.
# The basic layout is storelocation\storename, e.g.
# LOCAL_MACHINE\MY and LOCAL_MACHINE\REQUEST
# The following options are accepted here:
# CURRENT_USER - default option, user store
# LOCAL_MACHINE - system store
storelocation = LOCAL_MACHINE

[sscep_engine_jksengine]
# This section defines JKSEngine specific settings
# Only if engine_id is set to "JKSEngine" this will be loaded, otherwise ignored.

# Password of Java KeyStore (Default: 123456)
# See JKSEngine for further documentation
# KeyStorePass = 

# Path of Java tool (Path to ConnJKSEngine)
# JavaConnectorPath = 

# Java Cryptography Provider of used Keystore
# KeyStoreProvider = 

# Path of Java Runtime Environment
# This is normally not necessary
# JavaPath = 


[sscep_getca]
# Options for retrieving CA Certificates (operation getca)

# CA identifier string, required by some CA
# CAIdentifier = "CA Identifier"

# Fingerprint algorithm (md5|sha1|sha224|sha256|sha384|sha512)
# FingerPrint = md5


[sscep_enroll]
# Operation for Certificate Enrollment (see SCEP documentation for details)

# Private key file
# PrivateKeyFile = local.key

# Certificate request file
# CertReqFile = local.csr

# Signature private key file, use with SignCertFile
# SignKeyFile = previous.key

# Signature certificate (used instead of self-signed)
# SignCertFile = previous.crt

# Write enrolled certificate in file
# LocalCertFile = local.crt

# Use different CA cert for encryption
# EncCertFile = enc.crt

# Write selfsigned certificate in file
# SelfSignedFile = selfsigned.crt

# Polling interval for pending certificate (seconds)
# PollInterval = 60

# Maximum polling time (seconds)
# MaxPollTime = 28800

# Max number of GetCertInitial requests
# MaxPollCount = 256

# Resume interrupted enrollment (true|false)
# Resume = 


[sscep_getcert]
# Private key file
# PrivateKeyFile = local.key

# Local certificate file
# LocalCertFile = local.crt

# Certificate serial number (decimal)
# GetCertSerial = 1

# Write certificate in file
# GetCertFile = cert.crt


[sscep_getcrl]
# Private key file
# PrivateKeyFile = local.key

# Local certificate file
# LocalCertFile = local.crt

# Write CRL in file
# GetCrlFile = crl.crl


[sscep_getnextca]
#NYI