
Certifier Engine Configuration File

The adjustable parameters of engine.conf are the following:

  • data-source-name

    The ODBC data source name (DSN) of the database connection. When a database other than the embedded Certifier Database is used, set this parameter to the DSN of that database.

  • service-address

    The address and the port that Certifier Engine listens on.

  • tls

    This parameter defines whether TLS is used between Certifier Servers and Certifier Engine. Setting it to false disables TLS; the traffic between the components then travels unprotected, so this is an insecure configuration and should only be used where that network segment is fully trusted.

  • pid-directory

    The location of the PID files.

  • syslog-facility

    The system log (syslog) facility under which Certifier Engine writes its log messages.

  • max-unfinished-publications

    The maximum number of concurrent certificate publishing attempts. When this limit is reached, the publication status of the oldest unpublished certificate is set to failed and publication of that certificate is not retried automatically. This limit does not apply to CRL publishing.

  • max-crl-publication-safety-limit

    CRL generation is usually fast (typically a couple of seconds), but with extremely large databases or overloaded systems it may take longer. For this reason CRL generation is always started before the scheduled update time. This parameter sets the maximum advance time, in seconds. If generation on a given system regularly takes longer than this value, the new CRL may not be ready when the update time arrives.

  • expired-timeout-period

    One of the certificate statuses in the system is expired. A certificate is marked with this status after its validity period has ended. The status is used only as an optimization: it partitions the certificate set in the database and makes searches for valid certificates more efficient.

    The status cannot feasibly be updated in real time, so it is updated in batches instead. This parameter sets the interval between batch runs. Usually the value is one hour or less; the shorter the interval, the more closely the expired status tracks the actual validity periods.

  • dynamic-crl-validity-period

    In some cases regular CRL generation is unnecessary, but even then it can occasionally be useful to see the 'current' CRL. If the CRL update period is set to zero (meaning that the CRL distribution point is disabled), a request for the current CRL generates a new CRL on the fly, with a validity period starting at the current time and ending after the number of seconds given in dynamic-crl-validity-period. Keep this value short: a relying party may cache a dynamically generated CRL for its whole validity period, so revocations made after the request are not visible to it until that period ends.

  • heartbeat-interval

    The interval, in minutes, between the heartbeat messages written to the system log while the Certifier Engine process is running.

  • keep-old-crls

    When several CAs in the system publish CRLs frequently, the size of the Certifier Database can grow significantly. Setting keep-old-crls to false stops CRLs from being stored in the database. The default value is true. Note that non-repudiation may require storing old CRLs, so that the revocation status in force at signing time can still be checked when a signature is verified later.
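The security-relevant settings above (tls, keep-old-crls, the expiry and dynamic CRL timers) are easy to get wrong silently. The following is an added example, written for this page and not part of SSH Certifier: a small linter that parses an engine.conf-style file and reports the weak settings, shown against a constructed weak configuration and its corrected counterpart. It assumes a plain `name = value` line syntax with `#` comments (the real engine.conf syntax is not shown on this page), assumes expired-timeout-period is given in seconds, and the thresholds for the timers are the editor's own choices, not values from the product documentation.

```python
"""Lint an engine.conf-style file for the weak settings discussed on this page.

Added example, not SSH Certifier code. Assumptions: 'name = value' lines with
'#' comments; expired-timeout-period in seconds; thresholds chosen by the editor.
"""
import re

# Constructed sample configuration containing the weak settings.
WEAK_CONF = """
# engine.conf (constructed sample, assumed syntax)
data-source-name = certifier
service-address = 127.0.0.1:8080
tls = false
pid-directory = /var/run/certifier
syslog-facility = local0
max-unfinished-publications = 100
max-crl-publication-safety-limit = 600
expired-timeout-period = 86400
dynamic-crl-validity-period = 604800
heartbeat-interval = 15
keep-old-crls = false
"""

# The same configuration with each finding below addressed.
HARDENED_CONF = (
    WEAK_CONF.replace("tls = false", "tls = true")
    .replace("expired-timeout-period = 86400", "expired-timeout-period = 3600")
    .replace("dynamic-crl-validity-period = 604800", "dynamic-crl-validity-period = 3600")
    .replace("keep-old-crls = false", "keep-old-crls = true")
)

# Parameter names documented for engine.conf on this page.
KNOWN_KEYS = {
    "data-source-name", "service-address", "tls", "pid-directory",
    "syslog-facility", "max-unfinished-publications",
    "max-crl-publication-safety-limit", "expired-timeout-period",
    "dynamic-crl-validity-period", "heartbeat-interval", "keep-old-crls",
}

LINE_RE = re.compile(r"^([A-Za-z0-9_-]+)\s*=\s*(.*?)$")


def parse_conf(text):
    """Return {name: value} for every 'name = value' line; skip blanks and comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        conf[m.group(1)] = m.group(2).strip()
    return conf


def as_bool(value):
    v = value.strip().lower()
    if v in ("true", "yes", "on", "1"):
        return True
    if v in ("false", "no", "off", "0"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


def lint_conf(text, max_expired_period=3600, max_dynamic_crl_validity=86400):
    """Return a list of (severity, message) findings for the configuration text."""
    conf = parse_conf(text)
    findings = []
    # A misspelled key is not one of the documented parameters and will not take effect.
    for key in sorted(set(conf) - KNOWN_KEYS):
        findings.append(("high", f"'{key}' is not a documented engine.conf parameter"))
    tls = conf.get("tls")
    if tls is None or not as_bool(tls):
        findings.append(("high", "tls is not true: Certifier Server to Engine traffic is unprotected"))
    if not as_bool(conf.get("keep-old-crls", "true")):  # page states the default is true
        findings.append(("medium", "keep-old-crls is false: past signatures cannot be checked "
                                   "against the CRL in force when they were made"))
    if "expired-timeout-period" in conf:
        period = int(conf["expired-timeout-period"])
        if period > max_expired_period:
            findings.append(("low", f"expired-timeout-period {period}s exceeds {max_expired_period}s: "
                                    "the expired status lags the real validity period by up to that long"))
    if "dynamic-crl-validity-period" in conf:
        validity = int(conf["dynamic-crl-validity-period"])
        if validity > max_dynamic_crl_validity:
            findings.append(("medium", f"dynamic-crl-validity-period {validity}s exceeds "
                                       f"{max_dynamic_crl_validity}s: an on-the-fly CRL may be cached "
                                       "that long, hiding newer revocations"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(lint_conf(conf))} finding(s)")
        for severity, message in lint_conf(conf):
            print(f"  [{severity}] {message}")
```

The thresholds are arguments so they can be tightened to local policy; the unknown-key check is there because a typo in a key such as `tls` is otherwise indistinguishable from leaving it unset.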
