ipa-cert-fix(1)              FreeIPA Manual Pages              ipa-cert-fix(1)

NAME

       ipa-cert-fix - Renew expired certificates

SYNOPSIS

       ipa-cert-fix [options]

DESCRIPTION

       ipa-cert-fix is a tool for recovery when expired certificates prevent
       the normal operation of FreeIPA. It should ONLY be used in such
       scenarios, and backup of the system, especially certificates and keys,
       is STRONGLY RECOMMENDED.

       Do not use this program unless expired certificates are inhibiting
       normal operation and renewal procedures.

       To renew the IPA CA certificate, use ipa-cacert-manage(1).

       This tool cannot renew certificates signed by external CAs. To install
       new, externally-signed HTTP, LDAP or KDC certificates, use
       ipa-server-certinstall(1).

       ipa-cert-fix will examine FreeIPA and Certificate System certificates
       and renew certificates that are expired, or close to expiry (less than
       two weeks). If any "shared" certificates are renewed, ipa-cert-fix
       will set the current server to be the CA renewal master, and add the
       new shared certificate(s) to LDAP for replication to other CA servers.
       Shared certificates are the IPA RA certificate and all Dogtag system
       certificates except the HTTPS certificate.

       To repair certificates across multiple CA servers, first ensure that
       LDAP replication is working across the topology. Then run ipa-cert-fix
       on one CA server. Before running ipa-cert-fix on another CA server,
       trigger Certmonger renewals for shared certificates via
       getcert-resubmit(1) (on the other CA server). This is to avoid
       unnecessary renewal of shared certificates.
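
       The following is an added example, not part of FreeIPA or of the
       original manual page. It applies the "expired, or close to expiry
       (less than two weeks)" rule to text in the layout printed by
       getcert list, which is assumed here to contain Request ID '...' and
       expires: ... UTC lines; the sample data and function names are
       constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# "Close to expiry" threshold stated in the DESCRIPTION: less than two weeks.
RENEWAL_WINDOW = timedelta(weeks=2)
REQUEST_RE = re.compile(r"Request ID '([^']+)':")
EXPIRES_RE = re.compile(r"\s+expires: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")
# Constructed sample in the assumed `getcert list` layout; IDs and dates are made up.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 4.
Request ID '20190101000001':
    status: MONITORING
    expires: 2019-03-01 10:00:00 UTC
Request ID '20190101000002':
    status: MONITORING
    expires: 2019-04-02 10:00:00 UTC
Request ID '20190101000003':
    status: MONITORING
    expires: 2021-01-15 10:00:00 UTC
Request ID '20190101000004':
    status: CA_REJECTED
"""

def classify_requests(getcert_output, now):
    """Map each request ID to 'expired', 'expiring', 'ok' or 'no-expiry'."""
    results, request_id = {}, None
    for line in getcert_output.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            request_id = m.group(1)
            results[request_id] = "no-expiry"  # until an expires: line is seen
            continue
        m = EXPIRES_RE.match(line)
        if not m or request_id is None:
            continue
        expires = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            results[request_id] = "expired"
        elif expires - now < RENEWAL_WINDOW:
            results[request_id] = "expiring"
        else:
            results[request_id] = "ok"
    return results

if __name__ == "__main__":
    now = datetime(2019, 3, 25, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    for rid, state in classify_requests(SAMPLE_GETCERT_LIST, now).items():
        print(rid, state)
```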

OPTIONS

       --version
              Show the program's version and exit.

       -h, --help
              Show the help for this program.

       -v, --verbose
              Print debugging information.

       -q, --quiet
              Output only errors (output from child processes may still be
              shown).

       --log-file=FILE
              Log to the given file.

EXIT STATUS

       0 if the command was successful

       1 if an error occurred

SEE ALSO

       ipa-cacert-manage(1) ipa-server-certinstall(1) getcert-resubmit(1)

FreeIPA                           Mar 25 2019                  ipa-cert-fix(1)