ipa-ca-install(1)              IPA Manual Pages              ipa-ca-install(1)

NAME
       ipa-ca-install - Install a CA on a server

SYNOPSIS
       ipa-ca-install [OPTION]...

DESCRIPTION
       Adds a CA as an IPA-managed service. This requires that the IPA server
       is already installed and configured.

       ipa-ca-install can be used to upgrade from CA-less to CA-full or to
       install the CA service on a replica.

       Domain level 0 is not supported anymore.

OPTIONS
       -d, --debug
              Enable debug logging when more verbose output is needed

       -p DM_PASSWORD, --password=DM_PASSWORD
              Directory Manager (existing master) password

       -w ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
              Admin user Kerberos password used for connection check

       --external-ca
              Generate a CSR for the IPA CA certificate to be signed by an
              external CA.

       --external-ca-type=TYPE
              Type of the external CA. Possible values are "generic", "ms-cs".
              Default value is "generic". Use "ms-cs" to include the template
              name required by Microsoft Certificate Services (MS CS) in the
              generated CSR (see --external-ca-profile for full details).

       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the
              external CA.

              When --external-ca-type is "ms-cs" the following specifiers may
              be used:

              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and major version,
                     optionally also specifying minor version.

              <name> Specify a certificate template by name. The name cannot
                     contain any : characters and cannot be an OID (otherwise
                     the OID-based template specifier syntax takes
                     precedence).

              default
                     If no template is specified, the template name "SubCA" is
                     used.

       --external-cert-file=FILE
              File containing the IPA CA certificate and the external CA
              certificate chain. The file is accepted in PEM and DER
              certificate and PKCS#7 certificate chain formats. This option
              may be used multiple times.

       --ca-subject=SUBJECT
              The CA certificate subject DN (default CN=Certificate
              Authority,O=REALM.NAME). RDNs are in LDAP order (most specific
              RDN first).

       --subject-base=SUBJECT
              The subject base for certificates issued by IPA (default
              O=REALM.NAME). RDNs are in LDAP order (most specific RDN
              first).

       --pki-config-override=FILE
              File containing overrides for CA installation.

       --ca-signing-algorithm=ALGORITHM
              Signing algorithm of the IPA CA certificate. Possible values are
              SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA.
              Default value is SHA256withRSA. Use this option with
              --external-ca if the external CA does not support the default
              signing algorithm.

       --no-host-dns
              Do not use DNS for hostname lookup during installation

       --random-serial-numbers
              Enable Random Serial Numbers. Random serial numbers cannot be
              used in a mixed environment. Either all CAs have it enabled or
              none do.

       --skip-conncheck
              Skip connection check to remote master

       --skip-schema-check
              Skip check for updated CA DS schema on the remote master

       -U, --unattended
              An unattended installation that will never prompt for user input

EXIT STATUS
       0 if the command was successful

       1 if an error occurred
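
The PROFILE_SPEC rules listed under --external-ca-profile, written out as a small pre-flight validator. This is an added example, not code from FreeIPA or from this manual page; the names parse_profile_spec and TemplateSpec, the dotted-decimal OID pattern, the decimal-integer version rule and the sample OID are assumptions made for the illustration.

```python
import re
from typing import NamedTuple, Optional

DEFAULT_TEMPLATE = "SubCA"  # default template name stated in the man page

# Assumption: an OID is dotted-decimal with at least two arcs, and version
# numbers are non-negative decimal integers.
_OID = re.compile(r"[0-9]+(\.[0-9]+)+")
_INT = re.compile(r"[0-9]+")


class TemplateSpec(NamedTuple):
    kind: str                    # "name" or "oid"
    value: str                   # template name or dotted OID
    major: Optional[int] = None  # only set for kind == "oid"
    minor: Optional[int] = None


def parse_profile_spec(spec: Optional[str] = None) -> TemplateSpec:
    """Classify a PROFILE_SPEC string (hypothetical helper)."""
    if spec is None:
        return TemplateSpec("name", DEFAULT_TEMPLATE)
    head, *rest = spec.split(":")
    if _OID.fullmatch(head):
        # OID syntax takes precedence: a bare OID is never read as a name.
        if len(rest) not in (1, 2):
            raise ValueError("OID specifier needs <oid>:<major>[:<minor>]")
        if not all(_INT.fullmatch(v) for v in rest):
            raise ValueError("template versions must be decimal integers")
        major, minor = int(rest[0]), (int(rest[1]) if len(rest) == 2 else None)
        return TemplateSpec("oid", head, major, minor)
    if rest:
        raise ValueError("template name cannot contain ':'")
    if not head:
        raise ValueError("empty template name")
    return TemplateSpec("name", head)


if __name__ == "__main__":
    # Constructed sample inputs; the OID is made up for illustration.
    for s in (None, "SubCA", "1.3.6.1.4.1.311.21.8.1.2.3:100:4", "1.2.3", "Sub:CA"):
        try:
            print(repr(s), "->", parse_profile_spec(s))
        except ValueError as err:
            print(repr(s), "-> rejected:", err)
```

Running such a check before generating the CSR catches a bare OID or a name containing ":" before the request reaches the external CA.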

IPA                              Mar 30 2017                 ipa-ca-install(1)