ipa-cacert-manage(1)           IPA Manual Pages           ipa-cacert-manage(1)



NAME

       ipa-cacert-manage - Manage CA certificates in IPA


SYNOPSIS

       ipa-cacert-manage [OPTIONS...] renew
       ipa-cacert-manage [OPTIONS...] install CERTFILE...
       ipa-cacert-manage [OPTIONS...] delete NICKNAME
       ipa-cacert-manage [OPTIONS...] list


DESCRIPTION

       ipa-cacert-manage manages the CA certificates known to IPA: it renews
       the IPA CA certificate and installs, lists and removes additional CA
       certificates.


COMMANDS

       renew  - Renew the IPA CA certificate

              This command can be used to manually renew the CA certificate of
              the IPA CA (NSS database nickname: "caSigningCert cert-pki-ca").
              To renew other certificates, use getcert-resubmit(1).

              When the IPA CA is the root CA (the default), it is not usually
              necessary to manually renew the CA certificate, as it will be
              renewed automatically when it is about to expire, but you can do
              so if you wish.

              When the IPA CA is subordinate to an external CA, the renewal
              process involves submitting a CSR to the external CA and
              installing the newly issued certificate in IPA, which cannot be
              done automatically. It is necessary to manually renew the CA
              certificate in this setup.

              When the IPA CA is not configured, this command is not available.

       install - Install one or more CA certificates

              This command can be used to install the certificates contained
              in CERTFILE as additional CA certificates in IPA.

              Important: this does not replace the IPA CA but adds the provided
              certificate as a known CA. This is useful for instance when
              using ipa-server-certinstall to replace HTTP/LDAP certificates
              with third-party certificates signed by this additional CA.

              Please do not forget to run ipa-certupdate on the master, all
              the replicas and all the clients after this command in order to
              update the IPA certificate databases.

              The supported formats for the certificate files are DER, PEM and
              PKCS#7.

       delete - Remove a CA certificate

              Remove a CA from IPA. The nickname of the CA to be removed can be
              found using the list command. The CA chain is validated before
              allowing a CA to be removed, so leaf certificates in a chain need
              to be removed first.

              Please do not forget to run ipa-certupdate on the master, all
              the replicas and all the clients after this command in order to
              update the IPA certificate databases.

       list   - List the stored CA certificates

              Display a list of the nicknames or subjects of the CA
              certificates that have been installed.


COMMON OPTIONS

       --version
              Show the program's version and exit.

       -h, --help
              Show the help for this program.

       -p DM_PASSWORD, --password=DM_PASSWORD
              The Directory Manager password to use for authentication.

       -v, --verbose
              Print debugging information.

       -q, --quiet
              Output only errors.

       --log-file=FILE
              Log to the given file.


RENEW OPTIONS

       --self-signed
              Sign the renewed certificate with itself (self-signed CA).

       --external-ca
              Have the renewed certificate signed by an external CA.

       --external-ca-type=TYPE
              Type of the external CA. Possible values are "generic", "ms-cs".
              Default value is "generic". Use "ms-cs" to include the template
              name required by Microsoft Certificate Services (MS CS) in the
              generated CSR (see --external-ca-profile for full details).


       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the
              external CA.

              When --external-ca-type is "ms-cs" the following specifiers may
              be used:


              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and major version,
                     optionally also specifying the minor version.

              <name> Specify a certificate template by name. The name cannot
                     contain any : characters and cannot be an OID (otherwise
                     the OID-based template specifier syntax takes
                     precedence).

              default
                     If no template is specified, the template name "SubCA" is
                     used.


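       As an added illustration (not FreeIPA's own code), the following parser
       applies the "ms-cs" specifier rules above, including the precedence of
       the OID syntax over a plain name and the "SubCA" default; the OID and
       template names used in the comments are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Optional, Union

# Dotted-decimal OID such as 1.3.6.1.4.1.311.21.8.1 (a constructed sample value)
_OID_RE = re.compile(r"^[0-9]+(\.[0-9]+)+$")
# Template versions are unsigned decimal integers
_VERSION_RE = re.compile(r"^[0-9]+$")


@dataclass(frozen=True)
class TemplateByOid:
    oid: str
    major: int
    minor: Optional[int] = None


@dataclass(frozen=True)
class TemplateByName:
    name: str


def parse_mscs_template(spec: Optional[str]) -> Union[TemplateByOid, TemplateByName]:
    """Interpret PROFILE_SPEC for --external-ca-type=ms-cs using the man page rules.

    None or an empty string means "no template specified", i.e. the "SubCA" name.
    Raises ValueError for specifiers that match neither documented form.
    """
    if not spec:
        return TemplateByName("SubCA")
    if ":" in spec:
        # The OID-based syntax <oid>:<majorVersion>[:<minorVersion>] takes precedence.
        parts = spec.split(":")
        if len(parts) not in (2, 3) or not _OID_RE.match(parts[0]):
            raise ValueError("expected <oid>:<majorVersion>[:<minorVersion>], got %r" % spec)
        if not all(_VERSION_RE.match(p) for p in parts[1:]):
            raise ValueError("template versions must be unsigned integers, got %r" % spec)
        minor = int(parts[2]) if len(parts) == 3 else None
        return TemplateByOid(parts[0], int(parts[1]), minor)
    if _OID_RE.match(spec):
        # A bare OID is not a valid template name, and as an OID specifier it lacks the version.
        raise ValueError("OID template specifier needs a major version, got %r" % spec)
    return TemplateByName(spec)


def is_valid_mscs_template(spec: Optional[str]) -> bool:
    """True if parse_mscs_template() accepts spec; useful as a pre-flight check."""
    try:
        parse_mscs_template(spec)
    except ValueError:
        return False
    return True
```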
       --external-cert-file=FILE
              File containing the IPA CA certificate and the external CA
              certificate chain. The file is accepted in PEM and DER certificate
              and PKCS#7 certificate chain formats. This option may be used
              multiple times.


INSTALL OPTIONS

       -n NICKNAME, --nickname=NICKNAME
              Nickname for the certificate. Applicable only when a single
              certificate is being installed.

       -t TRUST_FLAGS, --trust-flags=TRUST_FLAGS
              Trust flags for the certificate in certutil format. Trust flags
              are of the form "A,B,C" or "A,B,C,D" where A is for SSL, B is
              for S/MIME, C is for code signing, and D is for PKINIT. Use ",,"
              for no explicit trust.

              The supported trust flags are:

                     C - CA trusted to issue server certificates

                     T - CA trusted to issue client certificates

                     p - not trusted

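       As an added illustration (not FreeIPA's own code), the following
       checker parses a TRUST_FLAGS value into its per-usage sections and
       rejects letters outside the documented set, so a planned -t value can
       be reviewed before the certificate is installed; the flag strings in
       the comments are constructed samples.

```python
from typing import Dict, Tuple

# Section order documented for -t: SSL, S/MIME, code signing, and optionally PKINIT.
_SECTIONS = ("ssl", "smime", "codesigning", "pkinit")
# The trust flags the man page lists as supported.
TRUST_FLAG_MEANINGS = {
    "C": "CA trusted to issue server certificates",
    "T": "CA trusted to issue client certificates",
    "p": "not trusted",
}


def parse_trust_flags(flags: str) -> Dict[str, Tuple[str, ...]]:
    """Split a certutil-style string such as "C,," or "CT,C,C,C" into per-usage flags.

    Returns usage -> tuple of flag letters; an empty tuple means no explicit
    trust for that usage (",," is therefore all empty). Raises ValueError on
    the wrong number of sections or on a letter not listed in the man page.
    """
    sections = flags.split(",")
    if len(sections) not in (3, 4):
        raise ValueError('trust flags must look like "A,B,C" or "A,B,C,D", got %r' % flags)
    parsed: Dict[str, Tuple[str, ...]] = {}
    for usage, letters in zip(_SECTIONS, sections):
        unknown = sorted(set(letters) - set(TRUST_FLAG_MEANINGS))
        if unknown:
            raise ValueError("unsupported trust flag(s) %s in %s section" % (",".join(unknown), usage))
        parsed[usage] = tuple(dict.fromkeys(letters))  # keep order, drop duplicates
    parsed.setdefault("pkinit", ())  # three-section form: no explicit PKINIT trust
    return parsed


def describe_trust(flags: str) -> Dict[str, str]:
    """Human-readable summary per usage, built from the man page's flag meanings."""
    summary: Dict[str, str] = {}
    for usage, letters in parse_trust_flags(flags).items():
        if not letters:
            summary[usage] = "no explicit trust"
        else:
            summary[usage] = "; ".join(TRUST_FLAG_MEANINGS[letter] for letter in letters)
    return summary


def is_valid_trust_flags(flags: str) -> bool:
    """True if parse_trust_flags() accepts flags."""
    try:
        parse_trust_flags(flags)
    except ValueError:
        return False
    return True
```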

DELETE OPTIONS

       -f, --force
              Force a CA certificate to be removed even if chain validation
              fails.


EXIT STATUS

       0 if the command was successful

       1 if an error occurred



SEE ALSO

       getcert-resubmit(1)



IPA                               Aug 12 2013             ipa-cacert-manage(1)