ipa-ca-install man page

ipa-ca-install — Install a CA on a server


Domain Level 0

ipa-ca-install [OPTION]... [replica_file]

Domain Level 1

ipa-ca-install [OPTION]...


Adds a CA as an IPA-managed service. This requires that the IPA server is already installed and configured.

In a domain at domain level 0, you can run ipa-ca-install without replica_file to upgrade from CA-less to CA-full, or with replica_file to install the CA service on the replica.

The replica_file is created using the ipa-replica-prepare utility and should be the same one used when originally installing the replica.

In a domain at domain level 1, ipa-ca-install can be used to upgrade from CA-less to CA-full or to install the CA service on a replica, and does not require any replica file.


-d, --debug
Enable debug logging when more verbose output is needed

Directory Manager (existing master) password


Admin user Kerberos password used for connection check


Generate a CSR for the IPA CA certificate to be signed by an external CA.


Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include the template name required by Microsoft Certificate Services (MS CS) in the generated CSR (see --external-ca-profile for full details).


Specify the certificate profile or template to use at the external CA.

When --external-ca-type is "ms-cs" the following specifiers may be used:


Specify a certificate template by OID and major version, optionally also specifying minor version.


Specify a certificate template by name.  The name cannot contain any : characters and cannot be an OID (otherwise the OID-based template specifier syntax takes precedence).


If no template is specified, the template name "SubCA" is used.


File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.


The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME).  RDNs are in LDAP order (most specific RDN first).


The subject base for certificates issued by IPA (default O=REALM.NAME).  RDNs are in LDAP order (most specific RDN first).


Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.


Do not use DNS for hostname lookup during installation


Skip connection check to remote master


Skip check for updated CA DS schema on the remote master

-U, --unattended

An unattended installation that will never prompt for user input

Exit Status

0 if the command was successful

1 if an error occurred


Mar 30 2017 FreeIPA Manual Pages