Certifier Engine Configuration File

The adjustable parameters in engine.conf are the following:

  • data-source-name

    The ODBC data source name of the database connection. When a database other than the embedded Certifier Database is used, the value of this parameter needs to be the DSN of that database.

  • service-address

    The address and port on which Certifier Engine listens.

  • tls

    This parameter defines whether TLS is used between Certifier Servers and Certifier Engine. It is set to false only for an insecure configuration, in which that connection is not protected by TLS.

  • pid-directory

    The location of the PID files.

  • syslog-facility

    The name of the system log facility to use.

  • max-unfinished-publications

    The maximum number of concurrent publishing attempts. If this limit is reached, the publication status of the oldest unpublished certificate is set as failed and the certificate publication will not be automatically tried again. This limit does not concern CRL publishing.

  • max-crl-publication-safety-limit

    CRL generation is usually quite fast (typically a couple of seconds), but with extremely large databases or overloaded systems it may require more time. Because of this, CRL generation is always started before the actual update time. This variable specifies the maximum advance time. The value is defined in seconds.

  • expired-timeout-period

    One of the certificate statuses in the system is expired. A certificate is marked with this status after its validity period has ended. This status is used only as a method of optimization, as it divides the certificate set in the database and enables more efficient searches for valid certificates.

    This status cannot feasibly be updated in real time, but is done in batches instead. This variable controls the period between the times that these batches are run. Usually the value is set to one hour or less. The shorter the period, the more accurate the expired status becomes.

  • dynamic-crl-validity-period

    In some cases the actual CRL generation may be unnecessary. But even in those cases it might occasionally be useful to see the 'current' CRL. If the CRL update period is set to zero (meaning that the CRL distribution point is disabled), requesting the current CRL will generate a new CRL on the fly, with the validity period starting at the current time and ending after the value specified for dynamic-crl-validity-period, which is given in seconds.

  • heartbeat-interval

    The interval, in minutes, between the heartbeat messages that the Certifier Engine process writes to the system log while it is running.

  • keep-old-crls

    When several CAs in the system publish CRLs frequently, the size of Certifier Database can increase significantly. By defining keep-old-crls as false, CRLs are not stored in the database. The default value is true. Please note that non-repudiation may require storing CRLs in order to enable later verification of a signature.
