ipa-cert-fix(1)                IPA Manual Pages                ipa-cert-fix(1)

NAME

       ipa-cert-fix - Renew expired certificates

SYNOPSIS

       ipa-cert-fix [options]

DESCRIPTION

       ipa-cert-fix is a tool for recovery when expired certificates prevent
       the normal operation of IPA.  It should ONLY be used in such scenarios,
       and backup of the system, especially certificates and keys, is STRONGLY
       RECOMMENDED.

       Do not use this program unless expired certificates are inhibiting
       normal operation and renewal procedures.

       To renew the IPA CA certificate, use ipa-cacert-manage(1).

       This tool cannot renew certificates signed by external CAs.  To install
       new, externally-signed HTTP, LDAP or KDC certificates, use
       ipa-server-certinstall(1).

       ipa-cert-fix will examine IPA and Certificate System certificates and
       renew certificates that are expired, or close to expiry (less than two
       weeks).  If any "shared" certificates are renewed, ipa-cert-fix will
       set the current server to be the CA renewal master, and add the new
       shared certificate(s) to LDAP for replication to other CA servers.
       Shared certificates are the IPA RA certificate and all Dogtag system
       certificates except the HTTPS certificate.

       To repair certificates across multiple CA servers, first ensure that
       LDAP replication is working across the topology.  Then run ipa-cert-fix
       on one CA server.  Before running ipa-cert-fix on another CA server,
       trigger Certmonger renewals for shared certificates via
       getcert-resubmit(1) (on the other CA server).  This is to avoid
       unnecessary renewal of shared certificates.
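
       The following is an added example, not part of this manual page or of
       FreeIPA.  It sorts Certmonger tracking requests into expired, expiring
       (inside the two-week window described above) and ok, so an operator can
       see whether expired certificates are actually present before reaching
       for ipa-cert-fix.  It assumes the "Request ID" and "expires:" lines
       printed by getcert list; the sample output, its names and its dates are
       constructed, and ipa-cert-fix performs its own examination.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed, abridged sample in the style of `getcert list` output.
SAMPLE = """\
Request ID '20190101000001':
    status: MONITORING
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2019-03-01 10:00:00 UTC
Request ID '20190101000002':
    status: MONITORING
    subject: CN=ipa1.example.test,O=EXAMPLE.TEST
    expires: 2019-04-02 10:00:00 UTC
Request ID '20190101000003':
    status: MONITORING
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2020-11-20 10:00:00 UTC
Request ID '20190101000004':
    status: CA_UNREACHABLE
"""

WINDOW = timedelta(weeks=2)  # "close to expiry (less than two weeks)"
SAMPLE_NOW = datetime(2019, 3, 25, tzinfo=timezone.utc)  # fixed clock for the sample

EXPIRES_RE = re.compile(r"\s+expires:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC")

def triage(text, now):
    """Map each request ID to (state, expiry); state is expired/expiring/ok/unknown."""
    result, req = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            req = m.group(1)
            result[req] = ("unknown", None)  # stays unknown if no expiry is listed
            continue
        m = EXPIRES_RE.match(line)
        if m and req:
            exp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            state = "expired" if exp <= now else "expiring" if exp - now < WINDOW else "ok"
            result[req] = (state, exp)
    return result

if __name__ == "__main__":
    for req, (state, exp) in triage(SAMPLE, SAMPLE_NOW).items():
        print(req, state, exp.date() if exp else "-")
```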

OPTIONS

       --version
              Show the program's version and exit.

       -h, --help
              Show the help for this program.

       -v, --verbose
              Print debugging information.

       -q, --quiet
              Output only errors (output from child processes may still be
              shown).

       --log-file=FILE
              Log to the given file.

EXIT STATUS

       0 if the command was successful

       1 if an error occurred

SEE ALSO

       ipa-cacert-manage(1) ipa-server-certinstall(1) getcert-resubmit(1)

IPA                               Mar 25 2019                  ipa-cert-fix(1)