ipa-ca-install - Man Page
Install a CA on a server
Synopsis
ipa-ca-install [OPTION]...
Description
Adds a CA as an IPA-managed service. This requires that the IPA server is already installed and configured.
ipa-ca-install can be used to upgrade from CA-less to CA-full or to install the CA service on a replica.
Domain level 0 is not supported anymore.
Options
- -d, --debug
Enable debug logging when more verbose output is needed
- -p DM_PASSWORD, --password=DM_PASSWORD
Directory Manager (existing master) password
- -w ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
Admin user Kerberos password used for connection check
- --external-ca
Generate a CSR for the IPA CA certificate to be signed by an external CA.
- --external-ca-type=TYPE
Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include the template name required by Microsoft Certificate Services (MS CS) in the generated CSR (see --external-ca-profile for full details).
- --external-ca-profile=PROFILE_SPEC
Specify the certificate profile or template to use at the external CA.
When --external-ca-type is "ms-cs" the following specifiers may be used:
- <oid>:<majorVersion>[:<minorVersion>]
Specify a certificate template by OID and major version, optionally also specifying minor version.
- <name>
Specify a certificate template by name. The name cannot contain any : characters and cannot be an OID (otherwise the OID-based template specifier syntax takes precedence).
- default
If no template is specified, the template name "SubCA" is used.
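The precedence rules above (OID-and-version form first, then plain name, then the "SubCA" default) are easy to get wrong when a template spec is assembled by automation. The following Python is an added example, not part of the man page or of FreeIPA's own code: it classifies a --external-ca-profile value for --external-ca-type=ms-cs exactly as the option text describes and rejects malformed specs before the installer is ever invoked. The OID regular expression (two or more dotted decimal arcs) and the sample template values are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Union

# Assumed OID shape: two or more dotted decimal arcs. This regex is an
# assumption of this example; the man page does not define OID syntax.
_OID_RE = re.compile(r"^\d+(?:\.\d+)+$")


@dataclass(frozen=True)
class TemplateByOid:
    """Template selected as <oid>:<majorVersion>[:<minorVersion>]."""
    oid: str
    major: int
    minor: Optional[int] = None


@dataclass(frozen=True)
class TemplateByName:
    """Template selected by plain name (no ':' and not an OID)."""
    name: str


def parse_ms_cs_profile(spec: Optional[str]) -> Union[TemplateByOid, TemplateByName]:
    """Classify an --external-ca-profile value for --external-ca-type=ms-cs.

    Rules taken from the option description:
      * <oid>:<major>[:<minor>] is tried first (OID syntax takes precedence)
      * a name may not contain ':' and may not itself be an OID
      * no value at all means the template name "SubCA"
    Anything else is rejected so a bad spec fails before the installer runs.
    """
    if spec is None or spec == "":
        return TemplateByName("SubCA")

    parts = spec.split(":")
    head = parts[0]

    if _OID_RE.match(head):
        # OID form: exactly one or two version fields must follow.
        if len(parts) not in (2, 3):
            raise ValueError(
                f"{spec!r}: an OID template needs <oid>:<major>[:<minor>]"
            )
        try:
            versions = [int(v) for v in parts[1:]]
        except ValueError:
            raise ValueError(f"{spec!r}: template versions must be integers") from None
        if any(v < 0 for v in versions):
            raise ValueError(f"{spec!r}: template versions must be non-negative")
        major = versions[0]
        minor = versions[1] if len(versions) == 2 else None
        return TemplateByOid(head, major, minor)

    # Name form: the whole string is the name, so ':' is never allowed here.
    if len(parts) != 1:
        raise ValueError(f"{spec!r}: a template name cannot contain ':'")
    return TemplateByName(spec)


def profile_argument(template: Union[TemplateByOid, TemplateByName]) -> str:
    """Render a parsed template back into the --external-ca-profile= value."""
    if isinstance(template, TemplateByOid):
        value = f"{template.oid}:{template.major}"
        if template.minor is not None:
            value += f":{template.minor}"
    else:
        value = template.name
    return f"--external-ca-profile={value}"


if __name__ == "__main__":
    # Constructed sample specs, not values from any real MS CS deployment.
    for sample in ["1.2.3.4:2:1", "WebServerSubCA", None, "1.2.3", "Bad:Name"]:
        try:
            print(sample, "->", profile_argument(parse_ms_cs_profile(sample)))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

Note that a bare OID such as "1.2.3" is rejected rather than treated as a name: the page states that a name cannot be an OID, and silently passing it through would make the installer pick the OID syntax and fail on the missing major version.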
- --external-cert-file=FILE
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
- --ca-subject=SUBJECT
The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
- --subject-base=SUBJECT
The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
- --pki-config-override=FILE
File containing overrides for CA installation.
- --ca-signing-algorithm=ALGORITHM
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
- --no-host-dns
Do not use DNS for hostname lookup during installation
- --random-serial-numbers
Enable Random Serial Numbers (RSN) and certificate pruning. This option is enabled by default if the system is installed with a 389-ds version that supports LMDB or if another CA in the topology is configured with Random Serial Numbers. This option remains present to avoid issues with automation. In mixed environments where existing CA servers are configured with sequential numbers, it is recommended to replace the sequential servers as soon as reasonably possible.
- --token-name=TOKEN_NAME
The PKCS#11 token name if using an HSM to store and generate private keys.
- --token-library-path=TOKEN_LIBRARY_PATH
The full path to the PKCS#11 shared library needed to access the HSM device.
- --token-password=TOKEN_PASSWORD
The PKCS#11 token password for the HSM.
- --token-password-file=TOKEN_PASSWORD_FILE
The full path to a file containing the PKCS#11 token password.
- --skip-conncheck
Skip connection check to remote master
- --skip-schema-check
Skip check for updated CA DS schema on the remote master
- -U, --unattended
An unattended installation that will never prompt for user input
Exit Status
0 if the command was successful
1 if an error occurred