ipa-cacert-manage(1)            IPA Manual Pages           ipa-cacert-manage(1)

NAME
       ipa-cacert-manage - Manage CA certificates in IPA

SYNOPSIS
       ipa-cacert-manage [OPTIONS...] renew
       ipa-cacert-manage [OPTIONS...] install CERTFILE

DESCRIPTION
       ipa-cacert-manage can be used to manage CA certificates in IPA.

COMMANDS
       renew - Renew the IPA CA certificate

              This command can be used to manually renew the CA certificate of
              the IPA CA (NSS database nickname: "caSigningCert cert-pki-ca").
              To renew other certificates, use getcert-resubmit(1).

              When the IPA CA is the root CA (the default), it is not usually
              necessary to manually renew the CA certificate, as it will be
              renewed automatically when it is about to expire, but you can do
              so if you wish.

              When the IPA CA is subordinate to an external CA, the renewal
              process involves submitting a CSR to the external CA and
              installing the newly issued certificate in IPA, which cannot be
              done automatically. It is necessary to manually renew the CA
              certificate in this setup.

              When the IPA CA is not configured, this command is not
              available.

       install - Install a CA certificate

              This command can be used to install the certificate contained in
              CERTFILE as an additional CA certificate in IPA.

              Important: this does not replace the IPA CA but adds the provided
              certificate as a known CA. This is useful, for instance, when
              using ipa-server-certinstall to replace HTTP/LDAP certificates
              with third-party certificates signed by this additional CA.

              Please do not forget to run ipa-certupdate on the master, all
              the replicas and all the clients after this command in order to
              update the IPA certificate databases.

OPTIONS
       --version
              Show the program's version and exit.

       -h, --help
              Show the help for this program.

       -p DM_PASSWORD, --password=DM_PASSWORD
              The Directory Manager password to use for authentication.

       -v, --verbose
              Print debugging information.

       -q, --quiet
              Output only errors.

       --log-file=FILE
              Log to the given file.

   RENEW OPTIONS
       --self-signed
              Sign the renewed certificate by itself.

       --external-ca
              Sign the renewed certificate by an external CA.

       --external-ca-type=TYPE
              Type of the external CA. Possible values are "generic", "ms-cs".
              Default value is "generic". Use "ms-cs" to include the template
              name required by Microsoft Certificate Services (MS CS) in the
              generated CSR (see --external-ca-profile for full details).

       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the
              external CA.

              When --external-ca-type is "ms-cs" the following specifiers may
              be used:

              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and major version,
                     optionally also specifying minor version.

              <name> Specify a certificate template by name. The name cannot
                     contain any : characters and cannot be an OID (otherwise
                     the OID-based template specifier syntax takes
                     precedence).

              default
                     If no template is specified, the template name "SubCA" is
                     used.
105
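              The template specifier rules above, as an added Python example
              (not FreeIPA's own parser): parse_mscs_template and its return
              shape are assumptions, and the OID values in the test are
              constructed.

```python
import re

# Added example, not FreeIPA's own code: interprets a --external-ca-profile
# value for --external-ca-type=ms-cs using the three rules from the man page.

_OID_RE = re.compile(r"^[0-9]+(\.[0-9]+)+$")   # dotted-decimal OID
_DEFAULT_TEMPLATE = "SubCA"                    # used when nothing is given


def parse_mscs_template(spec):
    """Return the template the CSR should name at an MS CS external CA.

    Returns {"kind": "name", "name": ...} or
            {"kind": "oid", "oid": ..., "major": int, "minor": int or None}.
    Raises ValueError for values that fit neither syntax.
    """
    if not spec:
        # "default": no template specified, so "SubCA" is requested.
        return {"kind": "name", "name": _DEFAULT_TEMPLATE}

    parts = spec.split(":")
    if len(parts) == 1:
        # A bare value is a name, but a name cannot itself be an OID:
        # the OID syntax takes precedence and it requires a major version.
        if _OID_RE.match(spec):
            raise ValueError("OID template needs <oid>:<majorVersion>: %r" % spec)
        return {"kind": "name", "name": spec}

    if len(parts) > 3:
        raise ValueError("at most <oid>:<major>:<minor> allowed: %r" % spec)

    oid, versions = parts[0], parts[1:]
    if not _OID_RE.match(oid):
        # Contains ':' but is not OID-based, so it is neither a valid
        # name (names cannot contain ':') nor a valid OID specifier.
        raise ValueError("template name must not contain ':': %r" % spec)
    if not all(v.isdigit() for v in versions):
        raise ValueError("template versions must be integers: %r" % spec)

    major = int(versions[0])
    minor = int(versions[1]) if len(versions) == 2 else None
    return {"kind": "oid", "oid": oid, "major": major, "minor": minor}
```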
       --external-cert-file=FILE
              File containing the IPA CA certificate and the external CA
              certificate chain. The file is accepted in PEM and DER
              certificate and PKCS#7 certificate chain formats. This option
              may be used multiple times.

   INSTALL OPTIONS
       -n NICKNAME, --nickname=NICKNAME
              Nickname for the certificate.

       -t TRUST_FLAGS, --trust-flags=TRUST_FLAGS
              Trust flags for the certificate in certutil format. Trust flags
              are of the form "A,B,C" or "A,B,C,D" where A is for SSL, B is
              for S/MIME, C is for code signing, and D is for PKINIT. Use ",,"
              for no explicit trust.

              The supported trust flags are:

              C - CA trusted to issue server certificates

              T - CA trusted to issue client certificates

              p - not trusted

EXIT STATUS
       0 if the command was successful

       1 if an error occurred

SEE ALSO
       getcert-resubmit(1)

IPA                               Aug 12 2013              ipa-cacert-manage(1)