Overridable configuration parameters

This page presents the overridable parameters from the Horizon configuration.

Overriding the parameters

To override one of these parameters, simply:

1. Access the EverTrust Horizon server through SSH with an account with administrative privileges;

2. With an editor like vi, open the /etc/default/horizon file and go to the end of it;

3. Add this line at the end of the file:

JAVA_OPTS="$JAVA_OPTS -D<option name>=<option value>"

As an example, if you want to modify the file extension that DER certificates will have when sent as email attachments and set it to CRT, you need to add:

JAVA_OPTS="$JAVA_OPTS -Dhorizon.notification.mail.attachment.extension.der=crt"

4. Save your modifications and restart the Horizon service:

$ systemctl restart horizon

Each added line overrides exactly one option, so add one line per value you want to override. If the same option is set on two lines, the JVM keeps the last occurrence, so check for an existing line for that option before adding another.
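The procedure above as an added example, written by the editor and not part of Horizon's documentation or code: a POSIX shell helper that writes the override lines in the form the steps describe, refuses values that would break the surrounding quoting, and replaces an existing override for the same option rather than leaving two lines behind. The target file is a parameter so the helper can be tried on a scratch file before touching /etc/default/horizon. The function names, the values chosen in horizon_harden and the assumption that Horizon parses duration values with the HOCON rules of a Play application (suggested by the play.http.session.maxAge parameter on this page) are the editor's, not the product's; the option names themselves are the ones listed on this page.

```shell
#!/bin/sh
# Editor's helper for writing JAVA_OPTS overrides into a Horizon defaults file,
# one line per option. Not part of Horizon. The file is a parameter so the
# functions can be exercised on a scratch file; on a server it is /etc/default/horizon.

# horizon_override FILE OPTION VALUE
# Appends JAVA_OPTS="$JAVA_OPTS -DOPTION=VALUE" to FILE. Any earlier line that
# overrides the same OPTION is removed first, because the JVM keeps the last
# -D occurrence and a stale duplicate hides the value that is actually live.
horizon_override() {
    file=$1 opt=$2 val=$3
    case "$opt" in
        horizon.*|play.*) ;;
        *) echo "horizon_override: unexpected option namespace: $opt" >&2; return 1 ;;
    esac
    # The value lands inside a double-quoted string that the init script expands
    # and word-splits, so quotes and whitespace are refused. Durations therefore
    # use the compact spelling, e.g. 5m instead of "5 minutes" (assumption: Horizon
    # reads durations with the HOCON rules used by Play applications).
    case "$val" in
        ''|*\"*|*\'*|*[[:space:]]*)
            echo "horizon_override: value must be a single unquoted token: '$val'" >&2
            return 1 ;;
    esac
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    # grep -v exits 1 when no line remains, which is not an error here
    grep -v -F -- "-D$opt=" "$file" > "$tmp" || :
    printf 'JAVA_OPTS="$JAVA_OPTS -D%s=%s"\n' "$opt" "$val" >> "$tmp"
    mv "$tmp" "$file"
}

# horizon_override_get FILE OPTION
# Prints the value FILE currently sets for OPTION (empty when there is none);
# the last matching line wins, mirroring what the JVM does.
horizon_override_get() {
    found=''
    while IFS= read -r line; do
        case "$line" in
            "JAVA_OPTS=\"\$JAVA_OPTS -D$2="*\")
                found=${line#*"-D$2="}
                found=${found%\"}
                ;;
        esac
    done < "$1"
    printf '%s\n' "$found"
}

# horizon_override_count FILE OPTION
# Prints how many lines of FILE override OPTION; anything other than 0 or 1
# means the file carries a shadowed, misleading duplicate.
horizon_override_count() {
    grep -c -F -- "-D$2=" "$1" || :
}

# horizon_harden FILE
# Applies overrides a reviewer would typically want on an exposed instance
# (editor's choice of values, not Horizon defaults or vendor recommendations):
# require the serverAuth EKU on TLS peers, refuse legacy GET on the ACME API,
# and cap the search page sizes that otherwise have no maximum.
horizon_harden() {
    horizon_override "$1" horizon.security.trustmanager.enforce_serverauth true &&
    horizon_override "$1" horizon.acme.behavior.enable.post-as-get.legacy false &&
    horizon_override "$1" horizon.security.principal.search.page.max_size 500 &&
    horizon_override "$1" horizon.request.search.page.max_size 500 &&
    horizon_override "$1" horizon.event.search.page.max_size 500
}

# Stand-alone demonstration on a constructed scratch file, not a real server.
demo=$(mktemp)
horizon_override "$demo" horizon.notification.mail.attachment.extension.der crt
horizon_override "$demo" horizon.notification.mail.attachment.extension.der cer
horizon_harden "$demo"
cat "$demo"
rm -f "$demo"
```

On a real server, run the helper with the administrative account against /etc/default/horizon and then restart the service as in step 4; the scratch-file run above only shows what the file will look like.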

You’ll find below an exhaustive list of overridable parameters.

Parameters

ACME parameters

Parameter Default value Description

horizon.acme.max.timeout

"5 minutes"

Maximum configurable timeout in the ACME profiles

horizon.acme.max.retry.delay

"1 hour"

Maximum configurable delay in the ACME profiles

horizon.acme.max.retry.count

15

Maximum configurable retry count in the ACME profiles

horizon.acme.order.updater.prefix

"Actor OrderUpdater#"

Name of the ACME order updater in the technical logs

horizon.acme.response.verifier.prefix

"Actor ResponseVerifier#"

Name of the ACME response verifier in the technical logs

horizon.acme.response.verifier.worker

5

Number of instances that will be started for each Horizon node to perform the ACME validation

horizon.acme.order.updater.worker

5

Number of order-updater instances that will be started on each Horizon node to update ACME orders

horizon.acme.authorization.methods

["http-01", "dns-01", "tls-alpn-01"]

Allowed methods that can be used to complete an ACME challenge

horizon.acme.order.ttl

"1 minute"

TTL of an ACME order

horizon.acme.challenge.entropy

32

Size of the ACME authorization value (challenge size)

horizon.acme.http.json.prettify

true

Whether the ACME responses should be JSON-pretty formatted

horizon.acme.behavior.emulate.boulder

true

Defines whether Horizon should behave like the Boulder ACME implementation (if set to false, Horizon will strictly follow the RFC). Only applicable if horizon.acme.http.json.prettify is set to "true".

horizon.acme.url.scheme

https

Protocol used to compute the ACME base URL when the request carries neither an X-Forwarded-Proto nor an X-Forwarded-Host header

horizon.acme.url.prefix

"/acme"

Prefix used to calculate the ACME base URL

horizon.acme.behavior.enable.post-as-get.legacy

true

Whether the ACME API still accepts plain GET requests for resources that RFC 8555 requires to be fetched with POST-as-GET; set to false to require the RFC behaviour

Bootstrap parameters

Parameter Default value Description

horizon.bootstrap.timeout

"1 minute"

Duration after which the bootstrap of Horizon times out

horizon.bootstrap.administrator.name

"administrator"

Default administrator account name

horizon.bootstrap.administrator.display.name

"Horizon Administrator"

Default administrator account display name

horizon.bootstrap.local.identity.provider

"local"

Default administrator account identity provider to use

horizon.bootstrap.administrator.password.path

"var/run/adminPassword"

Relative path of the file where the initial admin password should be stored into (starting at /opt/horizon/)

horizon.bootstrap.administrator.password.length

24

Length (in bytes) of the initial admin password

Certificate Authorities parameters

Parameter Default value Description

horizon.ca.manager.cache.default.timeToIdle

"30 days"

Duration that the CA is kept in the CA manager’s cache without being used, after which it is removed

horizon.crl.updater.parallelism

5

Number of certificates processed in parallel when Horizon synchronizes its database with the CRL

Default PKI queue parameters

Parameter Default value Description

horizon.pki.manager.default.parallelism

5

Number of parallel certificate requests (enrollment, revocation…​) on the default queue

horizon.pki.manager.default.size

100

Number of certificate requests (enrollment, revocation) that can be queued on the default queue

Events parameters

Parameter Default value Description

horizon.discovery.event.ttl

(No default value)

Time to live of the discovery events. If not set, events never expire

horizon.event.chainsign

true

Specifies whether Horizon events are chained and signed so that tampering can be detected

horizon.event.seal.algorithm

"HS_512"

Algorithm used to compute the seal of the events (HS_512 is HMAC with SHA-512; other possible values are "HS_384" and "HS_256")

HTTP parameters

Parameter Default value Description

horizon.http.header.enforce_connection_close

true

If set to true, Horizon closes the HTTP connection after each response (Connection: close) instead of keeping it open

horizon.http.header.realip

"X-Real-IP"

Name of the HTTP header to use as Real IP

play.http.session.maxAge

"15 minutes"

Duration after which the authentication session expires

horizon.security.http.headers.xapi.key

"X-API-KEY"

Name of the HTTP header to use as XAPI-KEY

horizon.security.http.headers.xapi.id

"X-API-ID"

Name of the HTTP header to use as XAPI-ID

horizon.security.http.headers.xapi.idprov

"X-API-IDPROV"

Header used to store the identity provider that will be used to validate the authentication

EMail notifications parameters

Parameter Default value Description

horizon.notification.mail.attachment.extension.der

"der"

File extension that DER certificates sent as email attachments (through the notifications feature) will be given

horizon.notification.mail.attachment.extension.p7b

"p7b"

File extension that PKCS#7 certificates sent as email attachments (through the notifications feature) will be given

horizon.notification.mail.attachment.extension.pem

"pem"

File extension that PEM certificates sent as email attachments (through the notifications feature) will be given

Nonce parameters

Parameter Default value Description

horizon.[nonce type].nonce.ttl

"5 seconds"

Duration for which a nonce stays in Horizon before being removed ([nonce type] can be replaced by either automation, acme, openid or request)

horizon.[nonce type].nonce.size

32

Size (in bytes) of the challenge stored in the nonce ([nonce type] can be replaced by either automation, acme, openid or request)

horizon.security.[nonce type]_certificate_pop.iat.future

"5 seconds"

Maximum amount of time by which the "Issued At" (iat) value may lie in the future relative to the validation time (the server time) ([nonce type] can be replaced by either automation or request)

horizon.security.[nonce type]_certificate_pop.iat.past

"5 seconds"

Maximum amount of time by which the "Issued At" (iat) value may lie in the past relative to the validation time (the server time) ([nonce type] can be replaced by either automation or request)

horizon.security.[nonce type]_certificate_pop.iat.clock_skew

"30 seconds"

Difference of time allowed between the client time and the server time ([nonce type] can be replaced by either automation or request)

horizon.security.identity.provider.openid.nonce.size

32

Size of the nonce value used for the OpenID authentication

horizon.security.identity.provider.openid.nonce.ttl

"60 seconds"

"Time to live" of the OpenID authentication nonce

horizon.automation.nonce.size

32

Size of the nonce value used for the JWT authentication token

horizon.automation.nonce.ttl

"5 seconds"

Time to live of the nonce used to validate the JWT authentication token

Password reset parameters

Parameter Default value Description

horizon.security.local.identity.password.reset.duration

"120 seconds"

Time to live of a password reset request (from the login prompt)

Requests/Automation parameters

Parameter Default value Description

horizon.request.grace_period.[module].[request workflow]

"30 days"

How long an expired or completed request is kept before it is purged. Module can be est, scep or webra and the request workflow can be enroll, revoke, update, recover, migrate or renew.

horizon.request.default_duration.[module].[request workflow]

"7 days"

Duration that a request can stay in either pending or approved state before expiring. Module can be est, scep or webra and the request workflow can be enroll, revoke, update, recover, migrate or renew.

horizon.automation.policy.default.keyType

"rsa-2048"

Default key type sent to the automation client on ACME, EST and SCEP

Search parameters

Parameter Default value Description

horizon.certificate.search.csv.delimiter

';'

The CSV delimiter to use when exporting an HCQL query result to a CSV file

horizon.certificate.search.item.separator

'\n'

The CSV item separator to use when exporting an HCQL query result to a CSV file

horizon.certificate.search.item.attribute.separator

':'

The CSV item attribute separator to use when exporting an HCQL query result to a CSV file

horizon.security.principal.search.page.default_size

50

How many elements to retrieve in a security principals search query if no pageSize has been specified

horizon.security.principal.search.page.max_size

(No default value)

Maximum value accepted for the pageSize parameter in a security principals search query (must be a positive integer)

horizon.discovery.event.search.page.default_size

50

How many elements to retrieve in a discovery events search query if no pageSize has been specified

horizon.discovery.event.search.page.max_size

(No default value)

Maximum value accepted for the pageSize parameter in a discovery events search query (must be a positive integer)

horizon.discovery.event.search.csv.delimiter

';'

The CSV delimiter to use when exporting a discovery events query result to a CSV file

horizon.request.search.page.default_size

50

How many elements to retrieve in a request search query if no pageSize has been specified

horizon.request.search.page.max_size

(No default value)

Maximum value accepted for the pageSize parameter in a request search query (must be a positive integer)

horizon.request.search.csv.delimiter

';'

The CSV delimiter to use when exporting an HRQL query result to a CSV file

horizon.event.search.page.default_size

50

How many elements to retrieve in an event search query if no pageSize has been specified

horizon.event.search.page.max_size

(No default value)

Maximum value accepted for the pageSize parameter in an event search query (must be a positive integer)

Trigger parameters

Parameter Default value Description

horizon.trigger.retry.initial_delay

"5 minutes"

How long a trigger waits before its first retry after failing

horizon.trigger.max.retry

15

Maximum number of failed attempts before a trigger is cancelled

Internal Horizon parameters

These parameters are used internally in Horizon. Please be very careful when overriding them as it may prevent the product from working correctly.

Parameter Default value Description

horizon.security.trustmanager.enforce_serverauth

false

If set to true, Horizon requires the serverAuth Extended Key Usage in the certificate presented by any TLS server it connects to; the default accepts certificates without it

horizon.ca.maximum.timeout

"5 minutes"

Maximum configurable timeout duration on certificate authorities

horizon.ca.maximum.refresh

"7 days"

Maximum configurable CRL refresh period on certificate authorities

horizon.pki-connector.max.timeout

"5 minutes"

Maximum configurable timeout on the PKI connectors

horizon.trigger.manager.interval

"5 minutes"

How often the trigger manager checks for triggers to run

horizon.trigger.manager.timeout

"60 seconds"

Trigger manager timeout

horizon.grading.manager.timeout

"5 seconds"

Duration after which the grading manager times out when retrieving the grading configuration from the database

horizon.grading.manager.queue.size

100

Maximum size of the grading manager queue; once it is full, new grading requests are discarded

horizon.grading.timeout

"5 seconds"

Duration after which the grading actor times out when grading a certificate (upon enrolment)

horizon.security.manager.timeout

"1 minute"

Duration after which the security manager times out when trying to authenticate a principal with its session

horizon.ca.manager.timeout

"1 minute"

Duration the CA manager actor waits when retrieving information about a certificate (whether it is trusted, its trust chain)

horizon.ca.manager.prefix

"Actor "

Name of the CA manager actor in the technical logs

horizon.security.manager.prefix

"Actor "

Name of the security manager actor in the technical logs

horizon.grading.actor.prefix

"Actor "

Name of the grading actor in the technical logs

horizon.grading.manager.prefix

"Actor "

Name of the grading manager actor in the technical logs

horizon.crl.updater.prefix

"Actor CRLUpdater-"

Name of the CRL updater actor in the technical logs

horizon.scheduler.manager.timeout

"60 seconds"

Duration after which the Scheduler manager actor times out when retrieving scheduled tasks in the database

horizon.scheduler.manager.prefix

"Actor "

Name of the Scheduler manager actor in the technical logs

horizon.event.timeout

"30 seconds"

Duration after which the event manager times out when trying to retrieve the last signed event in the database

horizon.event.manager.prefix

"Actor "

Name of the Event manager actor in the technical logs

horizon.event.manager.interval

"5 seconds"

How often the Event Manager actor checks the database for a new event to sign and display in the "Events" section of Horizon

horizon.vault.manager.timeout

"1 minute"

Duration after which the Vault Manager times out when trying to encipher or decipher a configuration or certificate secret

horizon.pki.manager.timeout

"1 minute"

Duration after which the PKI Manager times out when trying to enroll or revoke a certificate