Certificate Management Service
Installation Answer File Options
Key | Sample Value | Description |
---|---|---|
CMS_NOSETUP | false | Determines whether “setup” runs after installation. Typically this is set to “false” so that installation and setup happen in one action. The “true” option is intended for building the service as a container, where installation is part of the image build and setup runs the first time the container starts, generating any persistent data. |
CMS_PORT | 8445 | HTTPS port the service listens on. |
AAS_API_URL | https://<Hostname or IP address of the AAS>:8444/aas/v1/ | URL used to connect to the AAS for authentication during setup. |
AAS_TLS_SAN | <Comma-separated list of IPs/hostnames for the AAS> | SAN list placed in the special JWT token that AAS presents to have its TLS certificate signed by CMS. The SAN list in this token and in the CSR generated by AAS must match. |
LOG_ROTATION_PERIOD | hourly, daily, weekly, monthly, yearly | Log rotation period; see https://linux.die.net/man/8/logrotate for details. |
LOG_COMPRESS | Compress | Old versions of log files are compressed with gzip; see https://linux.die.net/man/8/logrotate for details. |
LOG_DELAYCOMPRESS | delaycompress | Postpone compression of the previous log file to the next rotation cycle; see https://linux.die.net/man/8/logrotate for details. |
LOG_COPYTRUNCATE | Copytruncate | Truncate the original log file in place after creating a copy ('create' instead creates a new file); see https://linux.die.net/man/8/logrotate for details. |
LOG_SIZE | 1K | Log files are rotated when they grow bigger than this size in bytes; see https://linux.die.net/man/8/logrotate for details. |
LOG_OLD | 12 | Log files are rotated this many times before being removed; see https://linux.die.net/man/8/logrotate for details. |
CMS_CA_CERT_VALIDITY | 5 | CMS Root Certificate Validity in years |
CMS_CA_ORGANIZATION | INTEL | CMS Certificate Organization |
CMS_CA_LOCALITY | US | CMS Certificate locality |
CMS_CA_PROVINCE | CA | CMS Certificate province |
CMS_CA_COUNTRY | USA | CMS Certificate country |
CMS_TLS_SAN_LIST | <Comma-separated list of IP addresses and hostnames> | IP addresses and hostnames to be added to the SAN list of the CMS server certificate. |
CMS_SERVER_READ_TIMEOUT | 30s | CMS server - ReadTimeout is the maximum duration for reading the entire request, including the body. |
CMS_SERVER_READ_HEADER_TIMEOUT | 10s | CMS server - ReadHeaderTimeout is the amount of time allowed to read request headers |
CMS_SERVER_WRITE_TIMEOUT | 10s | CMS server - WriteTimeout is the maximum duration before timing out writes of the response. |
CMS_SERVER_IDLE_TIMEOUT | 10s | CMS server - IdleTimeout is the maximum amount of time to wait for the next request when keep-alives are enabled. |
CMS_SERVER_MAX_HEADER_BYTES | 1048576 | CMS server - MaxHeaderBytes controls the maximum number of bytes the server will read parsing the request header's keys and values, including the request line. |
AAS_JWT_CN | AAS JWT Signing Certificate | CN of AAS JWT certificate, this gets populated in special JWT token. AAS must send JWT certificate CSR with this CN. |
AAS_TLS_CN | AAS TLS Certificate | CN of AAS TLS certificate, this gets populated in special JWT token. AAS must send TLS certificate CSR with this CN. |
Configuration Options
The CMS configuration can be found in /etc/cms/config.yml:

```yaml
port: 8445
loglevel: info
authserviceurl: https://<AAS IP or hostname>:8444/aas/v1/
cacertvalidity: 5
organization: INTEL
locality: SC
province: CA
country: US
keyalgorithm: rsa
keyalgorithmlength: 3072
rootcacertdigest: <sha384>
tlscertdigest: <sha384>
tokendurationmins: 20
aasjwtcn: ""
aastlscn: ""
aastlssan: ""
authdefender:
  maxattempts: 5
  intervalmins: 5
  lockoutdurationmins: 15
```
Command-Line Options
Help
cms help
Displays the list of available CLI commands.
Start
cms start
Starts the services.
Stop
cms stop
Stops the service.
Status
cms status
Reports whether the service is currently running.
Uninstall
cms uninstall
Uninstalls the service, including the deletion of all files and folders.
Version
cms version
Reports the version of the service.
Tlscertsha384
cms tlscertsha384
Shows the SHA384 digest of the TLS certificate.
setup [task]
Usage of cms setup:

```text
cms setup [task]

Available Tasks for setup:
    all                    Runs all setup tasks
    root-ca                Creates a self signed Root CA key pair in /etc/cms/root-ca/ for quality of life
    intermediate-ca        Creates a Root CA signed intermediate CA key pair (signing, tls-server and tls-client) in /etc/cms/intermediate-ca/ for quality of life
    tls                    Creates an intermediate-ca signed TLS key pair in /etc/cms for quality of life
    cms-auth-token         Create its own self signed JWT key pair in /etc/cms/jwt for quality of life
    update-service-config  Sets or Updates the Service configuration
```
Directory Layout
The Certificate Management Service installs by default to /opt/cms with the following folders.
Bin
This folder contains executable scripts.
Cacerts
This folder contains the CMS root CA certificate.