ipa-ca-install(1)

1ipa-ca-install(1)              IPA Manual Pages              ipa-ca-install(1)
2
3
4

NAME

6       ipa-ca-install - Install a CA on a server
7

SYNOPSIS

9       ipa-ca-install [OPTION]...
10

DESCRIPTION

12       Adds  a CA as an IPA-managed service. This requires that the IPA server
13       is already installed and configured.
14
15       ipa-ca-install can be used to upgrade from CA-less  to  CA-full  or  to
16       install the CA service on a replica.
17
18       Domain level 0 is not supported anymore.
19
20

OPTIONS

22       -d, --debug Enable debug logging when more verbose output is needed
23
24       -p DM_PASSWORD, --password=DM_PASSWORD
25              Directory Manager (existing master) password
26
27       -w ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
28              Admin user Kerberos password used for connection check
29
30       --external-ca
31              Generate  a  CSR  for  the IPA CA certificate to be signed by an
32              external CA.
33
34       --external-ca-type=TYPE
35              Type of the external CA. Possible values are "generic", "ms-cs".
36              Default  value is "generic". Use "ms-cs" to include the template
37              name required by Microsoft Certificate Services (MS CS)  in  the
38              generated CSR (see --external-ca-profile for full details).
39
40
41       --external-ca-profile=PROFILE_SPEC
42              Specify the certificate profile or template to use at the exter‐
43              nal CA.
44
45              When --external-ca-type is "ms-cs" the following specifiers  may
46              be used:
47
48
49              <oid>:<majorVersion>[:<minorVersion>]
50                     Specify  a certificate template by OID and major version,
51                     optionally also specifying minor version.
52
53              <name> Specify a certificate template by name.  The name  cannot
54                     contain  any : characters and cannot be an OID (otherwise
55                     the OID-based  template  specifier  syntax  takes  prece‐
56                     dence).
57
58              default
59                     If no template is specified, the template name "SubCA" is
60                     used.
61
62
63       --external-cert-file=FILE
64              File containing the IPA CA certificate and the external CA  cer‐
65              tificate  chain. The file is accepted in PEM and DER certificate
66              and PKCS#7 certificate chain formats. This option  may  be  used
67              multiple times.
68
69       --ca-subject=SUBJECT
70              The  CA  certificate  subject DN (default CN=Certificate Author‐
71              ity,O=REALM.NAME).  RDNs are in LDAP order  (most  specific  RDN
72              first).
73
74       --subject-base=SUBJECT
75              The  subject  base  for  certificates  issued  by  IPA  (default
76              O=REALM.NAME).  RDNs  are  in  LDAP  order  (most  specific  RDN
77              first).
78
79       --pki-config-override=FILE
80              File containing overrides for CA installation.
81
82       --ca-signing-algorithm=ALGORITHM
83              Signing algorithm of the IPA CA certificate. Possible values are
84              SHA1withRSA,  SHA256withRSA,  SHA512withRSA.  Default  value  is
85              SHA256withRSA.  Use this option with --external-ca if the exter‐
86              nal CA does not support the default signing algorithm.
87
88       --no-host-dns
89              Do not use DNS for hostname lookup during installation
90
91       --skip-conncheck
92              Skip connection check to remote master
93
94       --skip-schema-check
95              Skip check for updated CA DS schema on the remote master
96
97       -U, --unattended
98              An unattended installation that will never prompt for user input
99

EXIT STATUS

101       0 if the command was successful
102
103       1 if an error occurred
104
105
106
107IPA                               Mar 30 2017                ipa-ca-install(1)