ipa-cert-fix(1)                IPA Manual Pages                ipa-cert-fix(1)

NAME

       ipa-cert-fix - Renew expired certificates

SYNOPSIS

       ipa-cert-fix [options]

DESCRIPTION

       ipa-cert-fix is a tool for recovery when expired certificates prevent
       the normal operation of IPA.  It should ONLY be used in such scenarios,
       and backup of the system, especially certificates and keys, is STRONGLY
       RECOMMENDED.

       Do not use this program unless expired certificates are inhibiting
       normal operation and renewal procedures.

       To renew the IPA CA certificate, use ipa-cacert-manage(1).

       This tool cannot renew certificates signed by external CAs.  To install
       new, externally-signed HTTP, LDAP or KDC certificates, use
       ipa-server-certinstall(1).

       ipa-cert-fix will examine IPA and Certificate System certificates and
       renew certificates that are expired, or close to expiry (less than two
       weeks).  If any "shared" certificates are renewed, ipa-cert-fix will
       set the current server to be the CA renewal master, and add the new
       shared certificate(s) to LDAP for replication to other CA servers.
       Shared certificates include all Dogtag system certificates except the
       HTTPS certificate, and the IPA RA certificate.

       To repair certificates across multiple CA servers, first ensure that
       LDAP replication is working across the topology.  Then run ipa-cert-fix
       on one CA server.  Before running ipa-cert-fix on another CA server,
       trigger Certmonger renewals for shared certificates via
       getcert-resubmit(1) (on the other CA server).  This is to avoid
       unnecessary renewal of shared certificates.

       Important note: the certmonger daemon does not immediately notice the
       updated certificates and may trigger a renewal after ipa-cert-fix
       completes.  As a consequence, getcert list output may display that a
       renewal is in progress even if ipa-cert-fix just finished.  It is
       recommended to monitor the certmonger-initiated renewal and wait for
       its completion before any other administrative task.
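
       One way to follow the recommendation above and wait for
       certmonger-initiated renewals to settle, as an added example that is
       not part of the IPA manual page or tooling.  The function names, the
       LIST_CMD variable and the sample output are constructed for
       illustration; the example assumes MONITORING is the status certmonger
       reports for a request that has finished renewing.

```shell
#!/bin/sh
# Added example, not part of ipa-cert-fix. Function names, LIST_CMD and the
# sample output below are assumptions made for illustration.

# Constructed sample of `getcert list` output (trimmed to the fields used).
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20190325120000':
        status: MONITORING
        stuck: no
        expires: 2021-03-14 12:00:00 UTC
Request ID '20190325120001':
        status: SUBMITTING
        stuck: no
EOF
}

# Read `getcert list` output on stdin; print "ID STATUS" for every request
# that is not back in the MONITORING state.
pending_requests() {
    awk -v q="'" '
        /^Request ID /   { split($0, a, q); id = a[2] }
        /^[ \t]*status:/ { if ($2 != "MONITORING") print id, $2 }
    '
}

# Poll until all requests are MONITORING. Returns 1 and lists the pending
# requests on stderr if the timeout (seconds) expires first.
wait_for_renewals() {
    timeout=${1:-600}; interval=${2:-15}; waited=0
    while :; do
        pending=$(${LIST_CMD:-getcert list} | pending_requests)
        [ -z "$pending" ] && return 0
        if [ "$waited" -ge "$timeout" ]; then
            printf '%s\n' "$pending" >&2
            return 1
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
}
```

       Call wait_for_renewals on the CA server after ipa-cert-fix finishes.
       A request that stays in a state such as CA_UNREACHABLE is listed in
       the timeout report instead of blocking forever.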

OPTIONS

       --version
              Show the program's version and exit.

       -h, --help
              Show the help for this program.

       -v, --verbose
              Print debugging information.

       -q, --quiet
              Output only errors (output from child processes may still be
              shown).

       --log-file=FILE
              Log to the given file.

EXIT STATUS

       0 if the command was successful

       1 if an error occurred

SEE ALSO

       ipa-cacert-manage(1) ipa-server-certinstall(1) getcert-resubmit(1)

IPA                               Mar 25 2019                  ipa-cert-fix(1)