The configuration files of CF are found in <configuration_root>/config. The main configuration file is cm.conf. The operation of CF is controlled by parameters in this well commented file. 

Date, time and time zone settings (in the Control Panel) must be the same on both the Certificate Issuing System (CIS) and CF.

You can configure CF to:

• run CIS internally within the CF service, or
• connect to an external independent CIS service located on a separate or on the local machine.

Options for CIS

• If you do not select CIS to be installed during the installation, the installation program will configure CF to run CIS internally by default.
• If you select to install CIS together with CF, the installation program will configure CF to connect to the external CIS service on the local machine. 

To manually change this after the installation, modify the value of cis.hostport in cm.conf.

Distributed configuration

• When running in a distributed production configuration, update the localhost name in the parameter Database.name

The configuration file may contain sensitive information, for example, the pin code for tokens, which should be protected.

1. Add the keyword .encrypted to the configuration parameter.
2. The next time the service starts it scans the configuration file for unscrambled values, scrambles the values and saves the updated file to disk.

This feature is not limited to cm.conf . It can also be used in kar.conf, cis.conf or da.conf.

You can configure CF to process certificate requests that include transport certificates. A special modifier in CF needs to be configured in order to verify the transport certificate.

1. In the certificate format file being used, add the new modifier(s) after modifier Id2Legacy but before modifier Id2Signer1. This is so that the transport certificate can be verified before the signing takes place.

   1. These are examples of two configured transport certificate modifiers:
      TransportCertificateA=<m>
TransportCertificateB=<n>
      where <m> and <n> are correct sequence numbers.
      
      

      Note
      All sequence numbers that follow TransportCertificate must be incremented.

      
      

2. The processing and checking performed by this modifier is controlled by parameters in a configuration file, for example, tcconfig.conf, pointed to by parameter InitData in either the default module table, or a customized entry in modules.conf. 

   1. This example shows an extract from modules.conf:
      
      

      Code Block
      title Example: Extract from modules.conf
      ;; ;; Transport Certificate ;; ;; Used to verify that generated key pairs where generated by ;; a trusted CA ;; [TransportCertificate] FileName=com.id2tech.cm.cf.modifiers.TransportCertificateModifier InitData=config/tcconfig.conf

      
      

   2. This is an example of a configuration file:
      
      

      Code Block
      title Example of a configuration file
      ;; ;; Configuration file for trusted certificates. ;; File: tcconfigA.conf ;; Version: x.x ;; Date: 200x-xx-xx ;; ;; Location of CA certificate, relative to file or ;; an absolute path. ;CA-cert=..\certs\tcsigner.cer CA-cert.1=..\certs\tccert_org1.crt CA-cert.2=..\certs\tccert_org2.crt ;; ;; ExpirationCheck (default false) ;; Set to true if CA certificates and transport certificates ;; are to be checked for validFrom and validTo. ;;ExpirationCheck=true ;; ;; If no transport certificate sent from RA, modifier will ;; succeed if it isn't critical (default false) ;; critical=true

      
      

      1. CA-cert specifies which CA certificates to use when verifying the transport certificate. If more than one CA certificate is accepted they must be numbered as in the example. Alternatively, the parameter can be a path to a directory where the DER coded CA certificates are stored.
      2. ExpirationCheck specifies to what extent the checking should be performed.
      3. Critical specifies if the transport certificate is mandatory.
3. CM is shipped with a sample transport certificate named tcsigner.cer. To use transport certificates, replace this sample certificate by another one and update the parameter ca-cert in tcconfig.conf accordingly.
   

   Example:
   
   

   Code Block
   CA-cert=<configuration_root>/certs/tcsigner.cer

   
   

The mapping of individual labels to use custom keys is described in the Technical Description where the necessary configuration changes are shown in chapter “Certificate Formats”.

The configuring of the Revocation Password function is described in detail in the Technical Description.