ipa-cacert-manage(1)            IPA Manual Pages            ipa-cacert-manage(1)

NAME
       ipa-cacert-manage - Manage CA certificates in IPA

SYNOPSIS
       ipa-cacert-manage [OPTIONS...] renew
       ipa-cacert-manage [OPTIONS...] install CERTFILE...
       ipa-cacert-manage [OPTIONS...] delete NICKNAME
       ipa-cacert-manage [OPTIONS...] list

DESCRIPTION
       ipa-cacert-manage can be used to manage CA certificates in IPA.

COMMANDS
       renew - Renew the IPA CA certificate

       This command can be used to manually renew the CA certificate of the
       IPA CA (NSS database nickname: "caSigningCert cert-pki-ca"). To renew
       other certificates, use getcert-resubmit(1).

       When the IPA CA is the root CA (the default), it is not usually
       necessary to renew the CA certificate manually, as it is renewed
       automatically when it is about to expire, but you can do so if you
       wish.

       When the IPA CA is subordinate to an external CA, the renewal process
       involves submitting a CSR to the external CA and installing the newly
       issued certificate in IPA, which cannot be done automatically. In this
       setup the CA certificate must be renewed manually.

       When the IPA CA is not configured, this command is not available.

       install - Install one or more CA certificates

       This command can be used to install the certificates contained in
       CERTFILE as additional CA certificates in IPA.

       Important: this does not replace the IPA CA but adds the provided
       certificate as a known CA. This is useful, for instance, when using
       ipa-server-certinstall to replace the HTTP/LDAP certificates with
       third-party certificates signed by this additional CA.

       Please do not forget to run ipa-certupdate on the master, all the
       replicas and all the clients after this command in order to update the
       IPA certificate databases.

       The supported formats for the certificate files are DER, PEM and
       PKCS#7.

       delete - Remove a CA certificate

       Remove a CA from IPA. The nickname of the CA to be removed can be found
       using the list command. The CA chain is validated before a CA is
       allowed to be removed, so leaf certificates in a chain need to be
       removed first.

       Please do not forget to run ipa-certupdate on the master, all the
       replicas and all the clients after this command in order to update the
       IPA certificate databases.

       list - List the stored CA certificates

       Display a list of the nicknames or subjects of the CA certificates that
       have been installed.

OPTIONS
       --version
              Show the program's version and exit.

       -h, --help
              Show the help for this program.

       -p DM_PASSWORD, --password=DM_PASSWORD
              The Directory Manager password to use for authentication.

       -v, --verbose
              Print debugging information.

       -q, --quiet
              Output only errors.

       --log-file=FILE
              Log to the given file.

RENEW OPTIONS
       --self-signed
              Make the renewed certificate self-signed.

       --external-ca
              Have the renewed certificate signed by an external CA.

       --external-ca-type=TYPE
              Type of the external CA. Possible values are "generic" and
              "ms-cs". The default value is "generic". Use "ms-cs" to include
              the template name required by Microsoft Certificate Services
              (MS CS) in the generated CSR (see --external-ca-profile for
              full details).

       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the
              external CA.

              When --external-ca-type is "ms-cs" the following specifiers may
              be used:

              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and major version,
                     optionally also specifying the minor version.

              <name> Specify a certificate template by name. The name cannot
                     contain any ':' characters and cannot be an OID
                     (otherwise the OID-based template specifier syntax takes
                     precedence).

              default
                     If no template is specified, the template name "SubCA"
                     is used.

       --external-cert-file=FILE
              File containing the IPA CA certificate and the external CA
              certificate chain. The file is accepted in PEM and DER
              certificate and PKCS#7 certificate chain formats. This option
              may be used multiple times.

INSTALL OPTIONS
       -n NICKNAME, --nickname=NICKNAME
              Nickname for the certificate. Applicable only when a single
              certificate is being installed.

       -t TRUST_FLAGS, --trust-flags=TRUST_FLAGS
              Trust flags for the certificate in certutil format. Trust flags
              are of the form "A,B,C" or "A,B,C,D", where A is for SSL, B is
              for S/MIME, C is for code signing and D is for PKINIT. Use ",,"
              for no explicit trust.

              The supported trust flags are:

              C - CA trusted to issue server certificates

              T - CA trusted to issue client certificates

              p - not trusted
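
       As an added example (not from this man page or the FreeIPA project), the
       following POSIX shell functions check the two argument syntaxes the page
       specifies, the ms-cs --external-ca-profile template specifier and the
       certutil-style --trust-flags value, before the tool is invoked;
       plan_install is a hypothetical dry-run helper that prints, rather than
       runs, the resulting install command.

```shell
#!/bin/sh
# Added example, not part of the ipa-cacert-manage man page or FreeIPA.
# Pre-flight checks for the two argument syntaxes documented on the page.

# certutil-style trust flags: "A,B,C" or "A,B,C,D" (SSL, S/MIME, code signing,
# PKINIT). Each field is empty or built from the flags the page lists: C, T, p.
validate_trust_flags() {
  case "$1" in
    *,*,*,*,*) return 1 ;;   # five or more fields
    *,*,*) ;;                # three or four fields: acceptable shape
    *) return 1 ;;           # fewer than three fields
  esac
  # delete every permitted character; anything left over is an unknown flag
  rest=$(printf '%s' "$1" | tr -d 'CTp,')
  [ -z "$rest" ]
}

# --external-ca-profile value for --external-ca-type=ms-cs.
# Prints "template-oid", "template-name" or "default"; returns 1 if invalid.
classify_profile_spec() {
  spec=$1
  if [ -z "$spec" ]; then
    echo default                               # the page says "SubCA" is used
    return 0
  fi
  # <oid>:<majorVersion>[:<minorVersion>] takes precedence over a name
  if printf '%s\n' "$spec" | grep -Eq '^[0-9]+(\.[0-9]+)+:[0-9]+(:[0-9]+)?$'; then
    echo template-oid
    return 0
  fi
  case "$spec" in
    *:*) return 1 ;;                           # a name cannot contain ':'
  esac
  if printf '%s\n' "$spec" | grep -Eq '^[0-9]+(\.[0-9]+)+$'; then
    return 1                                   # a bare OID is not a valid name
  fi
  echo template-name
}

# Hypothetical dry-run helper: validate the flags, then print (not run) the
# install command line for a single certificate file.
plan_install() {
  certfile=$1; nickname=$2; flags=$3
  validate_trust_flags "$flags" || { echo "invalid trust flags: $flags" >&2; return 1; }
  printf 'ipa-cacert-manage install -n %s -t %s %s\n' "$nickname" "$flags" "$certfile"
}
```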
151
DELETE OPTIONS
       -f, --force
              Force a CA certificate to be removed even if chain validation
              fails.

EXIT STATUS
       0 if the command was successful

       1 if an error occurred

SEE ALSO
       getcert-resubmit(1)

IPA                              Aug 12 2013               ipa-cacert-manage(1)