cesecore.properties

# Set to true to allow dynamic re-configuration using properties files in the file 
# system. Using this you can place a file /etc/cesecore/conf/cesecore.properties in the file system and
# override default values compiled into ejbca.ear.
#
# Default: false
#allow.external-dynamic.configuration=false

# -------------- NOTE for Upgrades --------------
# When upgrading, the important options are:
# - ca.keystorepass
# - password.encryption.key
# - ca.cmskeystorepass (in ejbca.properties)

# -------------- General security --------------
# The following key (strictly speaking, PBE input password) allows for encrypting passwords used in EJBCA (e.g. End Entity and Crypto Token
#   passwords stored in database).
# This property should be set before initial EJBCA installation and it should't be changed later, because there could exist
#   passwords encrypted with the key about to be changed and EJBCA would be unable to decrypt them (note that the current implementation
#   is capable to try decryption with the default key, i.e. qhrnf.f8743;12%#75, but it won't be able to decrypt passwords encrypted
#   with a custom key being replaced for another custom key).
# For setting this property you could use any password you consider safe, but it is strongly recommended that you use a randomly
#   generated password, e.g. by using `openssl rand -base64 24`.
#
# When upgrading a 100% up-time cluster all nodes must produce password encryption that is decryptable by old nodes.
# When all nodes run EJBCA 6.8.0 or higher you can change the password, and count, to increase security when passwords are saved in clear text.
# (mostly used for batch generation and auto-activation) 
#
# Default: qhrnf.f8743;12%#75
#password.encryption.key=!secret!

# Nr of rounds when creating password based encryption keys (PBE).
# To be able to change this you also need to set password.encryption.key to something other than the default (with applicable 100% uptime consideration). 
#password.encryption.count=100

# ------------ Basic CA configuration ---------------------
# This password is used internally to protect CA keystores in database unless a password has been set manually. 
# CA keystores are the CAs private key, where a password can be defined manually instead when creating the Crypto Token, 
# and Extended CA Services, such as the 'CMS Service', where a manual password can not be defined..
# Default value is foo123, which is needed to keep compatibility with default installations of EJBCA 3.0, please change this if possible.
# This value is not very important if you don't use the CMS Service (which most do not), if you define your own 
# Crypto Token Authentication Codes, which is recommended.
# Note! If changing this value AFTER installation of EJBCA you must do 'ant clean; ant bootstrap' in order to activate changes.
#ca.keystorepass=foo123
#ca.keystorepass=!secret!

# Default Random Number Generator algorithm for certificate serial number generation.
# Available algorithms are: SHA1PRNG, default, defaultstrong
# Using the value "default" (or an empty value which is hard to set here) uses the OS:es default implementation, 
#   which may vary. See the documentation of Java's SecureRandom for more information. On Linux this uses /dev/(u)random.
# Using the value "defaultstrong" is only available in JDK 8 and later and will use the SecureRandom.getInstanceStrong(), to get
#   an ensured "strong" random number generator. On JDK's below 8 it will throw an error if used. 
#   Before using "defaultstrong" take note that it will on most cases use a blocking random number generator, 
#   and if you don't have enough entropy it may take a long time, >60 seconds, to create a single random number (i.e. to generate a certificate). 
#   Test well before using. 
# Default value (if property left unset) is SHA1PRNG which is FIPS compliant according to Java documentation
#ca.rngalgorithm=SHA1PRNG

# The default length in octets of certificate serial numbers configured when creating new CAs. 
# Possible values: between 4 and 20 
# Default: 20 
#ca.serialnumberoctetsize=20 

# The date and time from which an expire date of a certificate is to be considered to be too far in the future.
# The time could be specified in two ways:
# 1. The unix time see http://en.wikipedia.org/wiki/Unix_time given as an integer decoded to an hexadecimal string.
#    The value 80000000 will give the time when the integer becomes negative if casted to 32 bit.
#    This is when the year 2038 problem occurs. See http://en.wikipedia.org/wiki/Year_2038_problem .
#    Set to this value if you don't want to issue any certificates that could cause this problem.
# 2. For you convenience this could also be specified in the ISO8601 date format.
# Default: no limitation
# The 2038 problem:
#ca.toolateexpiredate=80000000
#ca.toolateexpiredate=2038-01-19 03:14:08+00:00

# This offsets the certificates 'notBefore' value (and the 'notAfter' value if a relative validity is configured).
# The offset can be overwritten by the user with it's corresponding value in a certificate profile
certificate.validityoffset=-10m

# The idea of a HSM to use a HSM is to have the private keys protected. It should not be possible to extract them.
# To prevent using a key with the private part extractable a test is made before activating a CA.
# If this test shows that you can read the private part from the key the CA will not be activated unless the key is a SW key.
# You may (but should not) permit using extractable private keys by setting this property to 'true'.
# Default: false
#ca.doPermitExtractablePrivateKeys=true

# Forbidden characters in DB.
# When one of these characters is found in any string that should be stored in
# the DB it will be replaced by a forward slash (/). Same replacement will also
# be done when searching for strings in the DB.
# Example of strings affected by this:
# * user names
# * issuer and subject DN of certificates.
# * profile names
# It will also be impossible to use any of these characters in any field of a
# certificate (like issuer or subject DN).
# It is strongly discouraged to change this property. Instead set it to the
# desired value before you install EJBCA.
# If you change these characters later it might be that some search for a string
# that include one of the characters that have been changed will fail. This could
# result in that some important functionality stops working. Examples what could
# fail is:
# * An administrator user can not be used any more.
# * A certificate can not be found.
# * A certificate can not be issued since the used profile can not be found.
# The default are these characters: '\n', '\r', ';', '!', '\0', '%', '`', '?', '$', '~'.
# The property value is a string with all forbidden characters concatenated
# (without any space). Note that '\' is an escape character.
# This will be the same as not defining the property:
#
# NOTE: this value can not be changed dynamically, but requires a restart of EJBCA after changing.
#
#forbidden.characters = \n\r;!\u0000%`?$~
# And nothing forbidden will be:
#forbidden.characters  =

# When generating large CRLs, the RAM of the Java process will limit how many entries that can be
# fetched from the database at the time. A small value will lead to multiple round-trips to the
# database and CRL generation will take more time.
#
# The heap usage can be estimated to roughly 600 bytes * rows per database read. The default of
# 0.5M revoked entries per database round trip will usually fit within a 2GiB heap assigned to the
# application server. If multiple large CRLs are generated at the same time, the used heap will be
# the sum of the heap used by each CRL generation.
#
# If you have plenty of RAM assigned to the application server you should increase this value.
# Default: 500000
#database.crlgenfetchsize=500000

# ------------- Core language configuration -------------
# The language that should be used internally for logging, exceptions and approval notifications.
# The languagefile is stored in 'src/intresources/ejbcaresources.xx.properties' and 'intresources.xx.properties'.
# Should be one of: en, fr, ja, pt, sv, vi.
# Default: en
#intresources.preferredlanguage=en

# The language used internally if a resource not found in the preferred language.
# Default: en
#intresources.secondarylanguage=en

# ------------ Audit log configuration ---------------------
# I you want to use integrity protection of the audit log (in the IntegrityProtectedDevice) you
# must also configure integrity protection in conf/databaseprotection.properties
# 

#### Secure audit log configuration.

# All security log events are written to all enabled/configured devices.
# The following AuditLogDevice implementations are available:
#securityeventsaudit.implementation.X=org.cesecore.audit.impl.log4j.Log4jDevice
#securityeventsaudit.implementation.X=org.cesecore.audit.impl.integrityprotected.IntegrityProtectedDevice

# Default is to use the Log4jDevice and the IntegrityProtectedDevice (without integrity protection enabled),
# To de-configure these devices, set their implementation to "null" value (don't forget to comment out default section below).
# i.e.
#securityeventsaudit.implementation.0=null
#securityeventsaudit.implementation.1=null

# Each device can have a different exporter.
# The following AuditExporter implementations are available:
#securityeventsaudit.exporter.X=org.cesecore.audit.impl.AuditExporterDummy (default)
#securityeventsaudit.exporter.X=org.cesecore.audit.impl.AuditExportCsv
#securityeventsaudit.exporter.X=org.cesecore.audit.impl.AuditExporterXml

# Device implementation specific parameters (e.g. "key.subkey=value") can be passed by using 
#securityeventsaudit.deviceproperty.X.key.subkey=value

# Example configuration of Log4jDevice that logs to log4j server log file.
# The Log4jDevice does not support query, validation or export operations
#securityeventsaudit.implementation.0=org.cesecore.audit.impl.log4j.Log4jDevice

# Example configuration of IntegrityProtectedDevice that logs to the database
# With XML export to /tmp/ (default export dir)
# On windows a path would be for example 'C:/Temp/'
#securityeventsaudit.implementation.1=org.cesecore.audit.impl.integrityprotected.IntegrityProtectedDevice
#securityeventsaudit.exporter.1=org.cesecore.audit.impl.AuditExporterXml
#securityeventsaudit.deviceproperty.1.export.dir=/tmp/
#securityeventsaudit.deviceproperty.1.export.fetchsize=1000
#securityeventsaudit.deviceproperty.1.validate.fetchsize=1000

# Nodeid used for integrity protected audit log. If not set the hostname of local host is used.
# Default: not set
#cluster.nodeid=

#------------------- ECDSA implicitlyCA settings -------------
# Sets pre-defined EC curve parameters for the implicitlyCA facility.
# See the User's Guide for more information about the implicitlyCA facility.
# Setting these parameters are not necessary when using regular named curves. 
# if you don't know what this means, you can safely ignore these settings.
#
# Default values that you can experiment with:
# ecdsa.implicitlyca.q=883423532389192164791648750360308885314476597252960362792450860609699839
# ecdsa.implicitlyca.a=7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc
# ecdsa.implicitlyca.b=6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a
# ecdsa.implicitlyca.g=020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf
# ecdsa.implicitlyca.n=883423532389192164791648750360308884807550341691627752275345424702807307

#------------------- PKCS#11 -------------------------------------
# Configuration of PKCS#11 tokens.
#
# Disabling of sign mechanisms that are using PKCS#11 to hash the data before signing.
# If these mechanisms are disabled then the sun PKCS#11 wrapper will do the hashing
# before PKCS#11 is called.
# Default: true (the mechanisms are disabled).
#pkcs11.disableHashingSignMechanisms=false

# Caching the references to PKCS#11 objects can make a big performance difference.
# Default: true
#cryptotoken.keystorecache=true

# Setting the PKCS#11 attribute CKA_MODIFYABLE to FALSE after a key is generated.
#
# This is only done if the file '$EJBCA_HOME/dist/ext/cesecore-p11.jar' has been
# deployed to the 'java.ext.dirs' classpath (https://docs.oracle.com/javase/tutorial/ext/basics/install.html).
# If true and if the jar is not deployed then a warning will be written to the
# log each time a key (all key types even none p11) is generated.
# If the key is not a PKCS#11 key then nothing is done.
# Default: false
#pkcs11.makeKeyUnmodifiableAfterGeneration=true

# ------------------- Authentication Key Binding settings -------------------
# Configuration of available cipher suites for outgoing SSL/TLS connections
# that can be selected for an Authentication Key Binding.
# 
# Java 6: http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
#   TLS versions: SSLv3, TLSv1, SSLv2Hello
# Java 7: http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
#   TLS versions: SSLv3, TLSv1, TLSv1.1, TLSv1.2
#   Cipher suites with SHA384 and SHA256 are available only for TLS 1.2 or later.
# Java 8: http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
#   TLS versions: SSLv3, TLSv1, TLSv1.1, TLSv1.2
#   Cipher suites with SHA384 and SHA256 are available only for TLS 1.2 or later.
#
# Use TLSv1.2 or better unless you have too keep compatibility with really old systems.
#
# The configuration format is "<TLS version>;cipher" and the follow ciphers are defined by default
# and can be undefined by setting the properties to "undefined".
#authkeybind.ciphersuite.0=TLSv1.2;TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
#authkeybind.ciphersuite.1=TLSv1.2;TLS_RSA_WITH_AES_256_CBC_SHA256
#authkeybind.ciphersuite.2=TLSv1.2;TLS_RSA_WITH_AES_128_CBC_SHA
#authkeybind.ciphersuite.3=TLSv1;TLS_DHE_RSA_WITH_AES_256_CBC_SHA
#authkeybind.ciphersuite.4=TLSv1;TLS_RSA_WITH_AES_256_CBC_SHA
#authkeybind.ciphersuite.5=TLSv1;TLS_RSA_WITH_AES_128_CBC_SHA


# ------------------- Certificate Transparency settings -------------------
# If your EJBCA has support for CT in it, you may configure caching of SCTs
# here. The cache is only used when using CT in OCSP responses (and not in
# the CT publisher or when using CT in new certificates). The fastfail
# options are applied to all CT log submissions.
#
# Enables or disables the cache.
# Default: true (caching enabled)
#ct.cache.enabled=false
#
# Maximum number of OCSP response extensions to cache, or -1 for no limit.
# You may need to adjust java heap parameters if you adjust this.
# Default: 100000
#ct.cache.maxentries=1000000
#
# Maximum frequency in milliseconds of clean ups when the cache is over its
# limit. During a clean up, cache entries are randomly queued for removal
# at the next clean up if they aren't used.
# Default: 10000 (10 seconds)
#ct.cache.cleanupinterval=60000
#
# Whether log availability should be tracked, and requests should "fast fail"
# whenever a log is known to be down. A log is "known to be down" when it
# is either unreachable or responds with an HTTP error status to a request.
# NOTE: Since a single error will cause ALL subsequent requests that are not
# cached to "fast fail" until the backoff time is over, make sure to:
#   1. Disallow CAs that are not trusted by the CT logs in CT-enabled
#      certificate profiles. If a log server receives a request for a
#      certificate from an untrusted CA, it will return an error, and trigger
#      "fail fail" for other certificates.
#   2. Make sure the certificate profiles are restrictive and do not allow
#      uncommon certificate fields etc., that could cause a parse error
#      in the CT log, which would also trigger fast fail.
# Default: false (fast fail disabled)
#ct.fastfail.enabled=true
#
# How long time (in milliseconds) EJBCA should wait until trying to use a log
# which has failed to respond to a request.
# Default: 1000 (1 second)
#ct.fastfail.backoff=60000

# ------------ Upgrade and compatibility setting ---------------------
# In order to enable 100% uptime, i.e. old versions running in parallell with new versions
# we need some configuration option to force old behavior in new versions, until we have upgrade
# all nodes and can set the system to use new (improved) behavior.

# When upgrading a 100% up-time cluster, all nodes should be deployed with db.keepjbossserialization=true.
# For upgrades from EJBCA version 4.0 to later versions.
# Once all nodes are running > 4.0, set to false to increase efficiency and portability.
# Default: false
#db.keepjbossserialization=true

# Option if we should keep internal CA keystores in the CAData table to be compatible with CeSecore 1.1/EJBCA 5.0.
# Default to true. Set to false when all nodes in a cluster have been upgraded to CeSecore 1.2/EJBCA 5.1 or later,
# then internal keystore in CAData will be replaced with a foreign key in to the migrated entry in CryptotokenData.
#
# When upgrading a 100% up-time cluster, all nodes should initially be deployed with db.keepinternalcakeystores=true.
# Once all nodes are running > EJBCA 5.0, set to false again to increase efficiency and portability.
# For upgrades from EJBCA version 5.0 to later versions.
# Default: true
#db.keepinternalcakeystores=true

# When upgrading a 100% up-time cluster, all nodes should be deployed with ca.keepocspextendedservice=true.
# Once all nodes are running > 6.0, set to false to increase efficiency and portability.
# Default: false
#ca.keepocspextendedservice=true