ipa-cacert-manage man page

ipa-cacert-manage - Manage CA certificates in IPA

Synopsis

ipa-cacert-manage [OPTIONS...] renew

ipa-cacert-manage [OPTIONS...] install CERTFILE

Description

ipa-cacert-manage can be used to manage CA certificates in IPA.

Commands

renew

- Renew the IPA CA certificate

This command can be used to manually renew the CA certificate of the IPA CA (NSS database nickname: "caSigningCert cert-pki-ca"). To renew other certificates, use getcert-resubmit(1).

When the IPA CA is the root CA (the default), it is not usually necessary to manually renew the CA certificate, as it will be renewed automatically when it is about to expire, but you can do so if you wish.

When the IPA CA is subordinate to an external CA, the renewal process involves submitting a CSR to the external CA and installing the newly issued certificate in IPA, which cannot be done automatically. It is necessary to manually renew the CA certificate in this setup.

When the IPA CA is not configured, this command is not available.

install

- Install a CA certificate

This command can be used to install the certificate contained in CERTFILE as an additional CA certificate in IPA.

Important: this does not replace the IPA CA but adds the provided certificate as a known CA. This is useful for instance when using ipa-server-certinstall to replace HTTP/LDAP certificates with third-party certificates signed by this additional CA.

Please do not forget to run ipa-certupdate on the master, all the replicas and all the clients after this command in order to update the IPA certificate databases.

Common Options

--version

Show the program's version and exit.

-h, --help

Show the help for this program.

-p DM_PASSWORD, --password=DM_PASSWORD

The Directory Manager password to use for authentication.

-v, --verbose

Print debugging information.

-q, --quiet

Output only errors.

--log-file=FILE

Log to the given file.

Renew Options

--self-signed

Sign the renewed certificate by itself.

--external-ca

Sign the renewed certificate by an external CA.

--external-ca-type=TYPE

Type of the external CA. Possible values are "generic" and "ms-cs". The default value is "generic". Use "ms-cs" to include the template name required by Microsoft Certificate Services (MS CS) in the generated CSR.

--external-cert-file=FILE

File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.

Install Options

-n NICKNAME, --nickname=NICKNAME

Nickname for the certificate.

-t TRUST_FLAGS, --trust-flags=TRUST_FLAGS

Trust flags for the certificate in certutil format. Trust flags are of the form "A,B,C" or "A,B,C,D" where A is for SSL, B is for S/MIME, C is for code signing, and D is for PKINIT. Use ",," for no explicit trust.

The supported trust flags are:

C - CA trusted to issue server certificates

T - CA trusted to issue client certificates

p - not trusted
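As an added example (not part of the man page or of FreeIPA itself), the following hypothetical shell helpers check a trust-flag string against the shape described above before it is handed to "install -t": three or four comma-separated fields (SSL, S/MIME, code signing, PKINIT), each containing only the flags the page lists (C, T, p) or nothing. The wrapper only prints the resulting ipa-cacert-manage command line for review rather than executing it.

```shell
#!/bin/sh
# Hypothetical helper, not shipped with ipa-cacert-manage.
# Accepts strings such as "C,,", "CT,C,C", ",," or "C,,,C";
# rejects anything with a wrong field count or an unlisted flag.
validate_trust_flags() {
    flags=$1
    field_re='[CTp]*'
    # Exactly 3 or 4 fields, anchored so nothing extra slips in.
    printf '%s\n' "$flags" | grep -Eq "^${field_re}(,${field_re}){2,3}$"
}

# Builds (but does not run) the install command for a CERTFILE, nickname
# and trust flags, refusing to build it when the trust flags are malformed.
# After the real command runs, ipa-certupdate still has to be executed on
# the master, all replicas and all clients, as the man page states.
install_cmd() {
    certfile=$1
    nickname=$2
    trust=$3
    if ! validate_trust_flags "$trust"; then
        echo "invalid trust flags: $trust" >&2
        return 1
    fi
    printf 'ipa-cacert-manage install -n %s -t %s %s\n' \
        "$nickname" "$trust" "$certfile"
}

# Sample invocation with constructed values (path and nickname are made up).
install_cmd /tmp/external-ca.pem ExternalCA "C,,"
```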

Exit Status

0 if the command was successful

1 if an error occurred

See Also

getcert-resubmit(1)

Info

Aug 12 2013 FreeIPA Manual Pages