ipa-cacert-manage(1)         FreeIPA Manual Pages         ipa-cacert-manage(1)

NAME

       ipa-cacert-manage - Manage CA certificates in IPA


SYNOPSIS

       ipa-cacert-manage [OPTIONS...] renew

       ipa-cacert-manage [OPTIONS...] install CERTFILE...

       ipa-cacert-manage [OPTIONS...] list


DESCRIPTION

       ipa-cacert-manage can be used to manage CA certificates in IPA.


COMMANDS

       renew  - Renew the IPA CA certificate

              This command can be used to manually renew the CA certificate of
              the IPA CA (NSS database nickname: "caSigningCert cert-pki-ca").
              To renew other certificates, use getcert-resubmit(1).

              When the IPA CA is the root CA (the default), it is not  usually
              necessary to manually renew the CA certificate, as  it  will  be
              renewed automatically when it is about to expire, but you can do
              so if you wish.

              When the IPA CA is subordinate to an external  CA,  the  renewal
              process  involves  submitting  a  CSR  to  the  external  CA and
              installing the newly issued certificate in IPA, which cannot  be
              done  automatically.  It  is  necessary to manually renew the CA
              certificate in this setup.

              When the IPA CA is not configured, this command is not available.

       install
              - Install one or more CA certificates

              This  command  can be used to install the certificates contained
              in CERTFILE as additional CA certificates in IPA.

              Important: this does not replace the IPA CA but adds the provided
              certificate  as  a  known  CA.  This is useful for instance when
              using ipa-server-certinstall to replace  HTTP/LDAP  certificates
              with third-party certificates signed by this additional CA.

              Please  do  not  forget to run ipa-certupdate on the master, all
              the replicas and all the clients after this command in order  to
              update the IPA certificate databases.

              The supported formats for the certificate files are DER, PEM and
              PKCS#7.

       list   - List the stored CA certificates

              Display a list of the nicknames or subjects of the CA certificates
              that have been installed.


COMMON OPTIONS

       --version
              Show the program's version and exit.

       -h, --help
              Show the help for this program.

       -p DM_PASSWORD, --password=DM_PASSWORD
              The Directory Manager password to use for authentication.

       -v, --verbose
              Print debugging information.

       -q, --quiet
              Output only errors.

       --log-file=FILE
              Log to the given file.


RENEW OPTIONS

       --self-signed
              Sign the renewed certificate by itself.

       --external-ca
              Sign the renewed certificate by an external CA.

       --external-ca-type=TYPE
              Type of the external CA. Possible values are "generic", "ms-cs".
              Default value is "generic". Use "ms-cs" to include the  template
              name  required  by Microsoft Certificate Services (MS CS) in the
              generated CSR (see --external-ca-profile for full details).

       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the exter‐
              nal CA.

              When  --external-ca-type is "ms-cs" the following specifiers may
              be used:

              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and major  version,
                     optionally also specifying minor version.

              <name> Specify  a certificate template by name.  The name cannot
                     contain any : characters and cannot be an OID  (otherwise
                     the  OID-based  template  specifier  syntax  takes prece‐
                     dence).

              default
                     If no template is specified, the template name "SubCA" is
                     used.

       --external-cert-file=FILE
              File  containing the IPA CA certificate and the external CA cer‐
              tificate chain. The file is accepted in PEM and DER  certificate
              and  PKCS#7  certificate  chain formats. This option may be used
              multiple times.
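       The  following  script  is an added example and is not part of the man
       page or of FreeIPA itself. It drives the two-step renewal  of  an  IPA
       CA  that is subordinate to an external CA (step 1 emits the CSR, step 2
       installs what the external CA returns) and, before step 1, checks an
       ms-cs  template  specifier  against  the  rules  given  above  for
       --external-ca-profile. The CSR path /var/lib/ipa/ca.csr and  the  chain
       path  /root/ipa-ca-chain.pem  are  assumptions; the man page names nei‐
       ther, so read the path from the command's own output.

```shell
#!/bin/sh
# Added example, not taken from the FreeIPA man page or the FreeIPA code base:
# driver for renewing an IPA CA that is subordinate to an external CA, with a
# pre-check of the ms-cs --external-ca-profile value. The two paths below are
# assumptions, not documented values; ipa-cacert-manage prints the real CSR path.
CSR_PATH=${CSR_PATH:-/var/lib/ipa/ca.csr}
CHAIN_PATH=${CHAIN_PATH:-/root/ipa-ca-chain.pem}

# Print the --external-ca-profile option for an ms-cs template spec, or return 1
# when the spec breaks the documented rules:
#   <oid>:<major>[:<minor>]  numeric OID and numeric version(s)
#   <name>                   contains no ':' and is not itself an OID
#   ""                       no option at all; ipa-cacert-manage then uses "SubCA"
ms_cs_profile_arg() {
    spec=$1
    case "$spec" in
        "")
            return 0
            ;;
        *:*)
            oid=${spec%%:*}
            rest=${spec#*:}
            major=${rest%%:*}
            # OID: digits and dots only, no leading, trailing or doubled dot
            case "$oid" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
            case "$major" in ''|*[!0-9]*) return 1 ;; esac
            # optional minor version must be numeric and must be the last field
            case "$rest" in
                *:*) minor=${rest#*:}
                     case "$minor" in ''|*[!0-9]*) return 1 ;; esac ;;
            esac
            ;;
        *)
            # a bare name made only of digits and dots would be parsed as an OID
            case "$spec" in *[!0-9.]*) ;; *) return 1 ;; esac
            ;;
    esac
    printf '%s\n' "--external-ca-profile=$spec"
}

# Step 1: have ipa-cacert-manage produce the CSR for the external CA.
# Usage: renew_step1 [generic|ms-cs] [ms-cs template spec]
renew_step1() {
    ca_type=${1:-generic}
    template=${2:-}
    set -- --external-ca "--external-ca-type=$ca_type"
    if [ "$ca_type" = ms-cs ] && [ -n "$template" ]; then
        arg=$(ms_cs_profile_arg "$template") || {
            echo "rejected ms-cs template spec: $template" >&2
            return 1
        }
        set -- "$@" "$arg"
    fi
    ipa-cacert-manage "$@" renew || return 1
    echo "Have the external CA sign the CSR (assumed path: $CSR_PATH; trust the"
    echo "command's own output over this). Store the issued IPA CA certificate"
    echo "together with the external CA chain in $CHAIN_PATH, then run: $0 step2"
}

# Step 2: install the certificate issued by the external CA. The file may be
# PEM, DER or PKCS#7 and must carry the IPA CA certificate plus the external
# chain; split files can be passed with repeated --external-cert-file options.
renew_step2() {
    [ -r "$CHAIN_PATH" ] || { echo "cannot read $CHAIN_PATH" >&2; return 1; }
    ipa-cacert-manage "--external-cert-file=$CHAIN_PATH" renew || return 1
    echo "New CA certificate installed. Run ipa-certupdate on this server, on"
    echo "every replica and on every client so their certificate databases see it."
}

case "${1:-}" in
    step1) shift; renew_step1 "$@" ;;
    step2) renew_step2 ;;
esac
```

       Run  "sh renew-ca.sh step1 ms-cs 1.3.6.1.4.1.311.21.8.1:100:2" (or with a
       template name such as SubCA), take the CSR to the  external  CA,  then
       "sh renew-ca.sh step2". Both steps prompt for the Directory Manager pass‐
       word unless -p is added to the ipa-cacert-manage calls.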

INSTALL OPTIONS

       -n NICKNAME, --nickname=NICKNAME
              Nickname for the certificate. Applicable only when a single cer‐
              tificate is being installed.

       -t TRUST_FLAGS, --trust-flags=TRUST_FLAGS
              Trust  flags for the certificate in certutil format. Trust flags
              are of the form "A,B,C" or "A,B,C,D" where A is for  SSL,  B  is
              for S/MIME, C is for code signing, and D is for PKINIT. Use ",,"
              for no explicit trust.

              The supported trust flags are:

                     C - CA trusted to issue server certificates

                     T - CA trusted to issue client certificates

                     p - not trusted
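
       The  following  script  is an added example and is not part of the man
       page or of FreeIPA itself. It validates a trust-flag string against the
       shape  and  flag set described above before handing it to "install -t",
       so a typo cannot silently grant or withhold trust, and then runs the in‐
       stall  followed  by  the local ipa-certupdate; the remaining replicas and
       clients still have to be updated by hand. The certificate  path  in  the
       usage line is an assumption.

```shell
#!/bin/sh
# Added example, not taken from the FreeIPA man page or the FreeIPA code base:
# check a certutil-style trust-flag string before passing it to
# "ipa-cacert-manage install -t", then run the install and the local
# ipa-certupdate the man page asks for. Nothing here is a FreeIPA API.

# Return 0 when FLAGS has the documented shape "A,B,C" or "A,B,C,D"
# (SSL, S/MIME, code signing, optional PKINIT) and uses only the flags the
# man page lists: C (issue server certs), T (issue client certs), p (not
# trusted). An empty field means no explicit trust, so ",," is valid.
validate_trust_flags() {
    flags=$1
    # any character outside the documented flag set (or the separator) is an error
    case "$flags" in *[!CTp,]*) return 1 ;; esac
    # count fields: one more than the number of commas
    rest=$flags
    fields=1
    while [ "$rest" != "${rest#*,}" ]; do
        rest=${rest#*,}
        fields=$((fields + 1))
    done
    [ "$fields" -eq 3 ] || [ "$fields" -eq 4 ]
}

# Install CERTFILE as an additional known CA (this never replaces the IPA CA)
# and refresh this host's certificate databases. ipa-certupdate must still be
# run on every other replica and on every client; that cannot be done from here.
# Usage: install_extra_ca CERTFILE [TRUST_FLAGS] [NICKNAME]
install_extra_ca() {
    certfile=$1
    flags=${2:-C,,}   # default: trust the CA to issue server certificates only
    nickname=${3:-}   # only meaningful when CERTFILE holds a single certificate
    validate_trust_flags "$flags" || { echo "bad trust flags: $flags" >&2; return 1; }
    [ -r "$certfile" ] || { echo "cannot read $certfile" >&2; return 1; }
    set -- -t "$flags"
    if [ -n "$nickname" ]; then
        set -- "$@" -n "$nickname"
    fi
    ipa-cacert-manage "$@" install "$certfile" || return 1
    ipa-certupdate
}

case "${1:-}" in
    install) shift; install_extra_ca "$@" ;;
esac
```

       Example  invocation  (path assumed): "sh install-ca.sh install /root/ven‐
       dor-ca.pem C,, vendor-root". Pass ",," as the  flags  to  register  the
       certificate  without  explicit  trust,  and  omit  the nickname when the
       file contains more than one certificate.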
138

EXIT STATUS

       0 if the command was successful

       1 if an error occurred


SEE ALSO

       getcert-resubmit(1)



FreeIPA                           Aug 12 2013             ipa-cacert-manage(1)