ipa-ca-install man page

ipa-ca-install — Install a CA on a server

Synopsis

Domain Level 0

ipa-ca-install [OPTION]... [replica_file]

Domain Level 1

ipa-ca-install [OPTION]...

Description

Adds a CA as an IPA-managed service. This requires that the IPA server is already installed and configured.

In a domain at domain level 0, you can run ipa-ca-install without replica_file to upgrade from CA-less to CA-full, or with replica_file to install the CA service on the replica.

The replica_file is created using the ipa-replica-prepare utility and should be the same one used when originally installing the replica.

In a domain at domain level 1, ipa-ca-install can be used to upgrade from CA-less to CA-full or to install the CA service on a replica, and does not require any replica file.

Options

-d, --debug
Enable debug logging when more verbose output is needed
-p DM_PASSWORD, --password=DM_PASSWORD

Directory Manager (existing master) password

-w ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD

Admin user Kerberos password used for connection check

--external-ca

Generate a CSR for the IPA CA certificate to be signed by an external CA.

--external-ca-type=TYPE

Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include template name required by Microsoft Certificate Services (MS CS) in the generated CSR.

--external-cert-file=FILE

File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.

--ca-subject=SUBJECT

The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME).  RDNs are in LDAP order (most specific RDN first).

--subject-base=SUBJECT

The subject base for certificates issued by IPA (default O=REALM.NAME).  RDNs are in LDAP order (most specific RDN first).

--ca-signing-algorithm=ALGORITHM

Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.

--no-host-dns

Do not use DNS for hostname lookup during installation

--skip-conncheck

Skip connection check to remote master

--skip-schema-check

Skip check for updated CA DS schema on the remote master

-U, --unattended

An unattended installation that will never prompt for user input

Exit Status

0 if the command was successful

1 if an error occurred

Info

Mar 30 2017 FreeIPA Manual Pages