-rw-r--r-- | myrpki.rototill/examples/myrpki.conf | 44 |
1 files changed, 34 insertions, 10 deletions
diff --git a/myrpki.rototill/examples/myrpki.conf b/myrpki.rototill/examples/myrpki.conf
index 068da6f9..2ec34b78 100644
--- a/myrpki.rototill/examples/myrpki.conf
+++ b/myrpki.rototill/examples/myrpki.conf
@@ -93,11 +93,35 @@ pubd_server_port = 4402
 want_rootd = false
+# Server port number for rootd, if you're running it. This can be any
+# legal TCP port number that you're not using for something else.
+
+rootd_server_port = 4401
+
+# Resource class name for rootd. rootd uses this for several
+# different things: it's used along with pubd_server_host to construct
+# the rsync URI for the root of the publication tree; it's used by
+# rootd as a resource class name in the up-down protocol; and it's
+# used to construct the filename for the one and only RPKI certificate
+# that rootd issues. You need to configure this.
+
+rootd_resource_class_name = Me
+
 # Where to put BPKI stuff for the IRBE operator (entity that operates
 # rpkid etc). Don't change this without a reason.
 myirbe_bpki_directory = bpki/myirbe
+# Root of local directory tree where pubd (and rootd, sigh) should
+# write out published data. You need to configure this, and the
+# configuration should match up with the directory where you point
+# rsyncd. Neither pubd nor rsyncd much cares -where- you tell them to
+# put this stuff, the important thing is that the rsync:// URIs in
+# generated certificates match up with the published objects so that
+# relying parties can find and verify rpkid's published outputs.
+
+publication_base_directory = publication/
+
 # Don't touch these, they're here because I haven't yet updated all of
 # the myrpki tools to use the latest config file variables. These
 # will go away eventually, for now just leave them alone.
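Review bot: `publication_base_directory = publication/` keeps a trailing slash, but the `@@ -271,7` hunk joins it as `${myrpki::publication_base_directory}/root.cer`, which expands to `publication//root.cer`, while the neighbouring `myirbe_bpki_directory = bpki/myirbe` already sets the no-trailing-slash convention for joined directories. A POSIX filesystem will presumably tolerate the doubled slash, but the comment tells the operator "You need to configure this", so the file should not depend on whichever form they type; dropping the slash (`publication_base_directory = publication`) and keeping the `/root.cer` join makes both spellings equivalent. The comment on `rootd_resource_class_name` says the value becomes an rsync URI segment and a certificate filename (`${myrpki::rootd_resource_class_name}.cer` in the `@@ -295,12` hunk), so it should state the constraint that follows from that: `# Use a single plain token (letters, digits, - or _): this value becomes a path component on disk and in the rsync:// URIs, so it must not contain /, whitespace or ..`.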
@@ -183,7 +207,7 @@ sql-password = fnord
 # with the published objects so that relying parties can find and
 # verify rpkid's published outputs.
-publication-base = publication/
+publication-base = ${myrpki::publication_base_directory}
 # Host and port on which pubd should listen for HTTPS service
 # requests. These should match pubd_base in the [myirbe] section.
@@ -250,20 +274,20 @@ child-bpki-cert = ${myrpki::myirbe_bpki_directory}/child.cer
 # Server port on which rootd should listen.
-server-port = 4401
+server-port = ${myrpki::rootd_server_port}
 # Where rootd should write its output. Yes, rootd should be using
 # pubd instead of publishing directly, but it doesn't.
-rpki-root-dir = publication/
+rpki-root-dir = ${myrpki::publication_base_directory}
 # rsync URI for directory containing rootd's outputs
-rpki-base-uri = rsync://rpki.example.org/Me/
+rpki-base-uri = rsync://${myrpki::pubd_server_host}/${myrpki::rootd_resource_class_name}/
 # rsync URI for rootd's root (self-signed) RPKI certificate
-rpki-root-cert-uri = rsync://rpki.example.org/Me/root.cer
+rpki-root-cert-uri = rsync://${myrpki::pubd_server_host}/${myrpki::rootd_resource_class_name}/root.cer
 # Private key corresponding to rootd's root RPKI certificate
@@ -271,7 +295,7 @@ rpki-root-key = ${myrpki::myirbe_bpki_directory}/ca.key
 # Filename (as opposed to rsync URI) of rootd's root RPKI certificate
-rpki-root-cert = publication/root.cer
+rpki-root-cert = ${myrpki::publication_base_directory}/root.cer
 # Where rootd should stash a copy of the PKCS #10 request it gets from
 # its one (and only) child
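Review bot: In the `@@ -250,20` hunk, `rpki-base-uri` and `rpki-root-cert-uri` now take their hostname from `pubd_server_host`, which the context of the `@@ -183,7` hunk describes as the host on which pubd listens for HTTPS requests, whereas the comment added in the `@@ -93,11` hunk says the rsync URIs have to match where rsyncd is pointed, and nothing on the page ties rsyncd to pubd's HTTPS listener. If the two are not the same public name, every URI derived here — and `root_cert_sia`/`root_cert_manifest` in the `@@ -319,11` hunk, which the context says feed rootd's root certificate — ends up in issued objects pointing somewhere relying parties cannot fetch from, and the failure only shows up at validation time. Consider a separate `[myrpki]` variable for the rsync server name, or at least a comment above `rpki-base-uri` recording the assumption: `# Assumes the rsync server answers at pubd_server_host; use a separate name if rsyncd runs elsewhere.`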
@@ -295,12 +319,12 @@ rpki-root-manifest = root.mnf
 # Up-down protocol class name for RPKI certificate rootd issues to its
 # one (and only) child
-rpki-class-name = Me
+rpki-class-name = ${myrpki::rootd_resource_class_name}
 # Filename (relative to rootd-base-uri and rpki-root-dir) of the one
 # (and only) RPKI certificate rootd issues
-rpki-subject-cert = Me.cer
+rpki-subject-cert = ${myrpki::rootd_resource_class_name}.cer
 # The last four paramters in this section are really parameters for
 # myirbe.py to use when constructing rootd's root RPKI certificate,
@@ -319,11 +343,11 @@ root_cert_addrs = IPv4:0.0.0.0/0,IPv6:0::/0
 # Whatever you put in rpki-base-uri, earlier in this section
-root_cert_sia = rsync://rpki.example.org/Me/
+root_cert_sia = rsync://${myrpki::pubd_server_host}/${myrpki::rootd_resource_class_name}/
 # root_cert_sia + rpki-root-manifest
-root_cert_manifest = rsync://rpki.example.org/Me/root.mnf
+root_cert_manifest = rsync://${myrpki::pubd_server_host}/${myrpki::rootd_resource_class_name}/root.mnf
 #################################################################
|
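Review bot: In the `@@ -319,11` hunk, `root_cert_sia` and `root_cert_manifest` spell out the `rsync://${myrpki::pubd_server_host}/${myrpki::rootd_resource_class_name}/` expression by hand for the third and fourth time on this page (after `rpki-base-uri` and `rpki-root-cert-uri` in the `@@ -250,20` hunk), even though their own context comments define them as "whatever you put in rpki-base-uri" and "root_cert_sia + rpki-root-manifest". Four copies of a URI that must agree byte-for-byte is the same drift the commit is removing elsewhere, and a mismatch between the SIA written into the root certificate and the directory rootd actually publishes to would not be caught by the config itself. If the `${section::key}` interpolation can refer to keys in the section being read, derive them, e.g. `root_cert_sia = ${rootd::rpki-base-uri}` (a constructed example — confirm the section's actual name and that same-section references are supported); otherwise add one `rootd_base_uri` to `[myrpki]` and substitute it in all four places, with `root_cert_manifest` built from it and the `root.mnf` value already given to `rpki-root-manifest`.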