Configuration

This guide provides detailed information on how to configure each service in the Quantum-Safe PKI project. The services are primarily configured through environment variables, with some services also supporting configuration files.

Common Configuration

All services share some common configuration options, which are described below:

Variable	Description	Default
`KEY_DIR`	Directory to store/load cryptographic keys and certificates	`keys`
`LOG_LEVEL`	Logging level (`debug`, `info`, `warn`, `error`)	`info`
`LOG_FORMAT`	Logging format (`text` or `json`)	`text`
`GODEBUG`	Set to `tls13kem=1` to activate hybrid KEM (X25519+MLKEM768)	`tls13kem=0`

CA Service Configuration

The CA Service is configured using the following environment variables:

Variable	Description	Default
`PORT_CA` / `ADDR`	Listen address for the service	`:5000`
`KEYSTORE_TYPE`	Method for storing private keys: `fs` or `pkcs11`	`fs`
`PKCS11_MODULE`	Path to PKCS#11 module (required if KEYSTORE_TYPE=pkcs11)	None
`PKCS11_TOKEN_LABEL`	PKCS#11 token label (required if KEYSTORE_TYPE=pkcs11)	None
`PKCS11_PIN`	PKCS#11 PIN (required if KEYSTORE_TYPE=pkcs11)	None
`SERVICE_HOST`	Publicly accessible hostname for the service	Derived from request Host header
`TLS_CLIENT_AUTH`	Controls TLS client authentication mode (`none`, `request`, `require`, `require_and_verify`)	`require_and_verify`

ACME Server Configuration

The ACME Server is configured using the following environment variables:

Variable	Description	Default
`PORT_ACME` / `ADDR`	Listen address for the service	`:4000`
`DATABASE_URL`	PostgreSQL connection string	Required
`SKIP_DB`	Skip database initialization (for testing)	`false`
`SKIP_CA`	Use a self-signed certificate instead of requesting from CA Service	`false`
`CA_SIGN_URL`	URL of the CA's CSR signing endpoint	`https://localhost:5000/sign`
`CA_CRL_URL`	URL to fetch the Certificate Revocation List from the CA	`https://localhost:5000/crl`
`CA_OCSP_URL`	URL of the CA's OCSP responder	`https://localhost:5000/ocsp`
`TLS_CLIENT_AUTH`	Controls TLS client authentication mode (`none`, `request`, etc.)	`require_and_verify`

Transparency Log Configuration

The Transparency Log Service is configured using the following environment variables:

Variable	Description	Default
`PORT_CT` / `ADDR`	Listen address for the service	`:6000`
`LOG_FILE`	Path to the append-only log file	`ct-log.dat`
`CA_CERT_FILE`	Path to the CA root certificate PEM file	`ca-cert.pem`
`CA_CRL_URL`	URL to fetch the Certificate Revocation List from the CA	`https://localhost:5000/crl`
`TLS_CLIENT_AUTH`	Controls TLS client authentication mode (`none`, `request`, etc.)	`require_and_verify`

Signing Service Configuration

The Signing Service is configured using the following environment variables:

Variable	Description	Default
`SIGNING_ADDR` / `ADDR`	Listen address for the service	`:7000`
`DB_DSN`	SQLite database file path	`signing.db`
`KEYSTORE_TYPE`	Method for storing private keys: `fs` or `pkcs11`	`fs`
`PKCS11_MODULE`	Path to PKCS#11 module (required if KEYSTORE_TYPE=pkcs11)	None
`PKCS11_TOKEN_LABEL`	PKCS#11 token label (required if KEYSTORE_TYPE=pkcs11)	None
`PKCS11_PIN`	PKCS#11 PIN (required if KEYSTORE_TYPE=pkcs11)	None
`RATE_LIMIT_FREE`	Rate limit for free tier (signatures per hour)	`10`

Device Service Configuration

The Device Service is configured using the following environment variables:

Variable	Description	Default
`PORT_DEVICE` / `ADDR`	Listen address for the service	`:8000`
`CA_SIGN_URL`	URL of the CA's CSR signing endpoint	`https://localhost:5000/sign`
`DEVICE_DB`	SQLite database file path for device registration	`devices.db`

CLI Configuration

The CLI tool is configured using command-line flags or environment variables:

Flag / Variable	Description	Default
`--url` / `SIGNING_URL`	URL of the Signing Service	`https://localhost:7000`
`--api-key` / `API_KEY`	API key for authenticating with the Signing Service	None (required)
`--ca-cert` / `CA_CERT_FILE`	Path to the CA root certificate PEM file	`ca-cert.pem`

Configuration Files

In addition to environment variables, some services support configuration files in JSON or YAML format. To use a configuration file, specify the path using the --config flag:

# Start CA Service with a configuration file ./bin/ca-service --config ca-config.json # Start ACME Server with a configuration file ./bin/acme-server --config acme-config.yaml

Example Configuration Files

Here are some example configuration files for the services:

CA Service (ca-config.json)

{
  "addr": ":5000",
  "keyDir": "keys",
  "keystoreType": "fs",
  "logLevel": "info",
  "logFormat": "text",
  "tlsClientAuth": "require_and_verify"
}

ACME Server (acme-config.yaml)

addr: ":4000"
databaseUrl: "postgres://user:password@localhost:5432/acme_server"
keyDir: "keys"
caSignUrl: "https://localhost:5000/sign"
caCrlUrl: "https://localhost:5000/crl"
caOcspUrl: "https://localhost:5000/ocsp"
tlsClientAuth: "require_and_verify"
logLevel: "info"
logFormat: "text"

Environment Variables File

You can also use a .env file to set environment variables for all services. Create a file named .env in the root directory of the project with the following content:

# Common configuration
KEY_DIR=keys
LOG_LEVEL=info
LOG_FORMAT=text
GODEBUG=tls13kem=1

# CA Service
PORT_CA=5000
KEYSTORE_TYPE=fs

# ACME Server
PORT_ACME=4000
DATABASE_URL=postgres://user:password@localhost:5432/acme_server
CA_SIGN_URL=https://localhost:5000/sign
CA_CRL_URL=https://localhost:5000/crl
CA_OCSP_URL=https://localhost:5000/ocsp

# Transparency Log
PORT_CT=6000
LOG_FILE=ct-log.dat

# Signing Service
SIGNING_ADDR=:7000
DB_DSN=signing.db

# Device Service
PORT_DEVICE=8000
DEVICE_DB=devices.db

Next Steps

Now that you have configured the services, you can proceed to:

Running the Services: Start and operate the services.
API Endpoints: Learn about the API endpoints provided by each service.