ipa-cacert-manage(1)           IPA Manual Pages           ipa-cacert-manage(1)

NAME

       ipa-cacert-manage - Manage CA certificates in IPA

SYNOPSIS

       ipa-cacert-manage [OPTIONS...] renew
       ipa-cacert-manage [OPTIONS...] install CERTFILE

DESCRIPTION

       ipa-cacert-manage can be used to manage CA certificates in IPA.

COMMANDS

       renew  - Renew the IPA CA certificate

              This command can be used to manually renew the CA certificate of
              the IPA CA (NSS database nickname: "caSigningCert cert-pki-ca").
              To renew other certificates, use getcert-resubmit(1).

              When the IPA CA is the root CA (the default), it is not usually
              necessary to manually renew the CA certificate, as it will be
              renewed automatically when it is about to expire, but you can do
              so if you wish.

              When the IPA CA is a subordinate of an external CA, the renewal
              process involves submitting a CSR to the external CA and
              installing the newly issued certificate in IPA, which cannot be
              done automatically. It is necessary to manually renew the CA
              certificate in this setup.

              When the IPA CA is not configured, this command is not
              available.

       install
              - Install a CA certificate

              This command can be used to install the certificate contained in
              CERTFILE as an additional CA certificate to IPA.

              Important: this does not replace the IPA CA but adds the provided
              certificate as a known CA. This is useful for instance when
              using ipa-server-certinstall to replace HTTP/LDAP certificates
              with third-party certificates signed by this additional CA.

              Please do not forget to run ipa-certupdate on the master, all
              the replicas and all the clients after this command in order to
              update the IPA certificate databases.

COMMON OPTIONS

       --version
              Show the program's version and exit.

       -h, --help
              Show the help for this program.

       -p DM_PASSWORD, --password=DM_PASSWORD
              The Directory Manager password to use for authentication.

       -v, --verbose
              Print debugging information.

       -q, --quiet
              Output only errors.

       --log-file=FILE
              Log to the given file.

RENEW OPTIONS

       --self-signed
              Sign the renewed certificate by itself.

       --external-ca
              Sign the renewed certificate by an external CA.

       --external-ca-type=TYPE
              Type of the external CA. Possible values are "generic", "ms-cs".
              Default value is "generic". Use "ms-cs" to include the template
              name required by Microsoft Certificate Services (MS CS) in the
              generated CSR (see --external-ca-profile for full details).

       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the
              external CA.

              When --external-ca-type is "ms-cs" the following specifiers may
              be used:

              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and major version,
                     optionally also specifying minor version.

              <name> Specify a certificate template by name. The name cannot
                     contain any : characters and cannot be an OID (otherwise
                     the OID-based template specifier syntax takes
                     precedence).

              default
                     If no template is specified, the template name "SubCA" is
                     used.

       --external-cert-file=FILE
              File containing the IPA CA certificate and the external CA
              certificate chain. The file is accepted in PEM and DER certificate
              and PKCS#7 certificate chain formats. This option may be used
              multiple times.

INSTALL OPTIONS

       -n NICKNAME, --nickname=NICKNAME
              Nickname for the certificate.

       -t TRUST_FLAGS, --trust-flags=TRUST_FLAGS
              Trust flags for the certificate in certutil format. Trust flags
              are of the form "A,B,C" or "A,B,C,D" where A is for SSL, B is
              for S/MIME, C is for code signing, and D is for PKINIT. Use ",,"
              for no explicit trust.

              The supported trust flags are:

                     C - CA trusted to issue server certificates

                     T - CA trusted to issue client certificates

                     p - not trusted
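
A check that can be run on a TRUST_FLAGS value before passing it to install: it parses the fields described above and reports any trust granted beyond what the additional CA needs. This is an added example, not code from IPA. The function names and the "C,," baseline (a CA that only signs HTTP/LDAP server certificates) are assumptions.

```python
USAGES = ("SSL", "S/MIME", "code signing", "PKINIT")  # fields A, B, C, D
SUPPORTED = {"C", "T", "p"}   # flags listed in the man page
GRANTING = {"C", "T"}         # flags that extend trust to the CA


def parse_trust_flags(value):
    """Map each usage to the set of flags given for it."""
    fields = value.split(",")
    if len(fields) not in (3, 4):
        raise ValueError('expected "A,B,C" or "A,B,C,D"')
    if len(fields) == 3:
        fields.append("")  # assumption: omitted PKINIT field = no explicit trust
    parsed = {}
    for usage, field in zip(USAGES, fields):
        unknown = set(field) - SUPPORTED
        if unknown:
            raise ValueError(f"{usage}: unsupported flag(s) {sorted(unknown)}")
        parsed[usage] = set(field)
    return parsed


def excess_trust(requested, needed="C,,"):
    """Return granting flags in `requested` that `needed` does not call for."""
    req, need = parse_trust_flags(requested), parse_trust_flags(needed)
    extra = {u: (req[u] - need[u]) & GRANTING for u in USAGES}
    return {u: flags for u, flags in extra.items() if flags}


if __name__ == "__main__":
    # Constructed sample values.
    for sample in ("C,,", "CT,C,", "C,,,T", ",,"):
        print(repr(sample), "-> excess:", excess_trust(sample))
```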

EXIT STATUS

       0 if the command was successful

       1 if an error occurred

SEE ALSO

       getcert-resubmit(1)

IPA                               Aug 12 2013             ipa-cacert-manage(1)