This Administrator's Guide describes ways to customize Kleopatra that are not accessible via the GUI, but only via config files.
It is assumed that the reader is familiar with the technology used for KDE application configuration, including layout, file system location and cascading of KDE config files, as well as the KIOSK framework.
Kleopatra allows you to customize the fields that the user is allowed to enter in order to create their certificate. Create a group called CertificateCreationWizard in the system-wide kleopatrarc. If you want a custom order of attributes or if you only want certain items to appear, create a key called DNAttributeOrder. The argument is one or more of CN,SN,GN,L,T,OU,O,PC,C,SP,DC,BC,EMAIL. If you want to initialize fields with a certain value, write something like Attribute=value. If you want the attribute to be treated as a required one, append an exclamation mark (e.g. CN!,L,OU,O!,C!,EMAIL!, which happens to be the default configuration).
Using the KIOSK mode modifier $e allows you to retrieve the values from environment variables or from an evaluated script or binary. If you additionally want to disallow editing of the respective field, use the modifier $i. If you want to disallow the use of the button that copies the user's personal data from the address book, set ShowSetWhoAmI to false.
Tip: Due to the nature of the KDE KIOSK framework, using the immutable flag ($i) makes it impossible for the user to override the flag. This is intended behavior. $i and $e can be used with all other config keys in KDE applications as well.
The following example outlines possible customizations:
[CertificateCreationWizard]
;Disallow to copy personal data from the addressbook, do not allow local override
ShowSetWhoAmI[$i]=false
;sets the user name to $USER
CN[$e]=$USER
;sets the company name to "My Company", disallows editing
O[$i]=My Company
;sets the department name to a value returned by a script
OU[$ei]=$(lookup_dept_from_ip)
; sets country to DE, but allows for changes by the user
C=DE
Kleopatra also allows you to restrict which types of certificates a user is allowed to create. Note, however, that these restrictions only apply to Kleopatra's wizard: an easy way around them is to just create the certificate on the command line.
To restrict the public key algorithm to use, add the config key PGPKeyType (and CMSKeyType, but only RSA is supported for CMS anyway) to the CertificateCreationWizard section of kleopatrarc. The allowed values are RSA for RSA keys, DSA for DSA (sign-only) keys, and DSA+ELG for a DSA (sign-only) key with an Elgamal subkey for encryption. The default is read from GpgConf, or else RSA if GpgConf doesn't provide a default.
To restrict the available key sizes for a public key algorithm, add the config key <ALG>KeySizes (where <ALG> may be RSA, DSA or ELG) to the CertificateCreationWizard section of kleopatrarc, containing a comma-separated list of key sizes (in bits). A default may be indicated by prefixing the key size with a hyphen (-).
RSAKeySizes = 1536,-2048,3072
The above would restrict allowed RSA key sizes to 1536, 2048 and 3072, with 2048 the default.
In addition to the sizes themselves, you may also specify labels for each of the sizes. Simply set the config key <ALG>KeySizeLabels to a comma-separated list of labels.
RSAKeySizeLabels = weak,normal,strong
The above, in connection with the previous example, would present something like the following options for selection:
weak (1536 bits)
normal (2048 bits)
strong (3072 bits)
The defaults are as if the following was in effect:
RSAKeySizes = 1536,-2048,3072,4096
RSAKeySizeLabels =
DSAKeySizes = -1024,2048
DSAKeySizeLabels = v1,v2
ELGKeySizes = 1536,-2048,3072,4096
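As an added example (not part of the Kleopatra documentation or code base), the following Python script checks a constructed kleopatrarc excerpt written in the format described above: it splits the KIOSK modifiers ($e, $i) off each key, validates a DNAttributeOrder value against the attribute list, expands an <ALG>KeySizes list together with its hyphen-marked default and the matching <ALG>KeySizeLabels, and reports which keys are locked against local override. The ConfigParser-based parsing, the helper names and the sample config are this example's own assumptions, not Kleopatra's.

```python
import re
from configparser import ConfigParser
# DN attribute names come from the guide; parsing rules and sample config are this example's own.
DN_ATTRS = {"CN", "SN", "GN", "L", "T", "OU", "O", "PC", "C", "SP", "DC", "BC", "EMAIL"}
KEY_RE = re.compile(r"^(?P<name>[A-Za-z]+)(?:\[\$(?P<mods>[ei]+)\])?$")
SAMPLE_RC = """[CertificateCreationWizard]
ShowSetWhoAmI[$i]=false
DNAttributeOrder=CN!,OU,O!,C!,EMAIL!
CN[$e]=$USER
O[$i]=My Company
OU[$ei]=$(lookup_dept_from_ip)
RSAKeySizes = 1536,-2048,3072
RSAKeySizeLabels = weak,normal,strong
"""

def parse_section(text):
    """Map each key of [CertificateCreationWizard] to (set of KIOSK modifiers, value)."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # KDE keys are case-sensitive; keep them as written
    cp.read_string(text)
    entries = {}
    for raw_key, value in cp["CertificateCreationWizard"].items():
        m = KEY_RE.match(raw_key)
        if not m:
            raise ValueError(f"unparseable key {raw_key!r}")
        entries[m["name"]] = (set(m["mods"] or ""), value.strip())
    return entries
def parse_attribute_order(spec):
    """'CN!,L,OU' -> [(attr, required)]; a trailing '!' marks a required field."""
    order = []
    for item in (s.strip() for s in spec.split(",")):
        attr, required = (item[:-1], True) if item.endswith("!") else (item, False)
        if attr not in DN_ATTRS:
            raise ValueError(f"unknown DN attribute {attr!r}")
        order.append((attr, required))
    return order
def parse_key_sizes(sizes, labels=""):
    """'1536,-2048,3072' + 'weak,normal,strong' -> (default bits, option strings)."""
    names = [s.strip() for s in labels.split(",")] if labels.strip() else []
    default, options = None, []
    for i, item in enumerate(s.strip() for s in sizes.split(",")):
        bits = int(item.lstrip("-"))
        default = bits if item.startswith("-") else default  # hyphen marks the default
        label = names[i] if i < len(names) else ""
        options.append(f"{label} ({bits} bits)" if label else f"{bits} bits")
    return default, options
def locked_fields(entries):
    """Keys carrying $i: a user cannot override these in a local kleopatrarc."""
    return sorted(k for k, (mods, _) in entries.items() if "i" in mods)
```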