ipa-acme-manage(1)            IPA Manual Pages            ipa-acme-manage(1)



NAME
       ipa-acme-manage - Manage the IPA ACME service

SYNOPSIS
       ipa-acme-manage enable|disable|status
       ipa-acme-manage pruning [OPTIONS]

DESCRIPTION
       Use the ipa-acme-manage command to enable, disable or retrieve the
       status of the ACME service on an IPA CA server.

       In an IPA topology all CA servers capable of ACME have the ACME
       service deployed. The service is not enabled by default. It is
       expected that the ACME service will either be enabled on all CA
       servers, or disabled on all CA servers; however, the command acts
       on one host at a time, so it must be run on each CA server
       individually.
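       The following script is an added example and is not part of FreeIPA
       or of this manual page. It runs ipa-acme-manage status on a list of
       CA servers over ssh and reports any host whose ACME state differs
       from the others, which is the topology-wide check the paragraph
       above leaves to the administrator. It assumes that the status
       subcommand prints a line containing the word "enabled" or
       "disabled", that root can ssh non-interactively to each server, and
       that the hostnames are passed as arguments; the hostnames in the
       usage comment are constructed.

```shell
#!/bin/sh
# Added example, not FreeIPA code: verify that ACME is in the same state on
# every CA server. ipa-acme-manage enable/disable act on one host only, so
# a mixed topology (enabled here, disabled there) is easy to end up with.
#
# Assumptions not stated in the man page:
#   - `ipa-acme-manage status` prints a line containing "enabled" or
#     "disabled";
#   - root can ssh non-interactively to every CA server.

# acme_state_from_output TEXT: map the status output to one word.
acme_state_from_output() {
    case $1 in
        *disabled*) echo disabled ;;
        *enabled*)  echo enabled ;;
        *)          echo unknown ;;
    esac
}

# topology_consistent RESULTS: RESULTS holds one "host state" pair per line.
# Returns 0 when every host reports the same known state; otherwise lists
# the hosts that disagree with the first one on stderr and returns 1.
topology_consistent() {
    first=""
    rc=0
    while read -r host state; do
        [ -n "$host" ] || continue
        if [ "$state" = unknown ]; then
            echo "$host: could not determine ACME state" >&2
            rc=1
        elif [ -z "$first" ]; then
            first=$state
        elif [ "$state" != "$first" ]; then
            echo "$host: ACME is $state, but the first host reported $first" >&2
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# collect_states HOST...: query each host and print "host state" lines.
# Exit codes 2 and 3 (not an IPA server / not a CA server, as documented
# for ipa-acme-manage) are reported and the host is skipped.
collect_states() {
    for h in "$@"; do
        out=$(ssh -o BatchMode=yes "root@$h" ipa-acme-manage status 2>/dev/null)
        case $? in
            0)   echo "$h $(acme_state_from_output "$out")" ;;
            2|3) echo "$h: not a CA server, skipping" >&2 ;;
            *)   echo "$h unknown" ;;
        esac
    done
}

# Usage: sh acme-topology-check.sh ca1.example.test ca2.example.test
# (constructed hostnames). Nothing runs when no hosts are given.
if [ $# -gt 0 ]; then
    if topology_consistent "$(collect_states "$@")"; then
        echo "ACME state is consistent across the given CA servers"
    else
        echo "fix the hosts listed above with 'ipa-acme-manage enable' or 'disable'" >&2
        exit 1
    fi
fi
```

       A host that answers with exit code 2 or 3 is skipped rather than
       counted as disabled, so a non-CA replica in the argument list does
       not mask a real inconsistency among the CA servers.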


COMMANDS
       enable Enable the ACME service on this host.

       disable
              Disable the ACME service on this host.

       status Display the status of the ACME service.

       pruning
              Configure certificate and request pruning.


PRUNING
       Pruning is a job that runs in the CA that can remove expired
       certificates and certificate requests that were never fulfilled.
       This is particularly important when using short-lived certificates
       like those issued with the ACME protocol. Pruning requires that the
       IPA server be installed with random serial numbers enabled.

       The CA needs to be restarted after modifying the pruning
       configuration.

       The job is a cron-like task within the CA, controlled by a number of
       options that set how long after a certificate has expired, or a
       request has stopped being valid, it is removed from the LDAP
       database.
       The cron time and date fields are:

              field         allowed values
              -----         --------------
              minute        0-59
              hour          0-23
              day of month  1-31
              month         1-12
              day of week   0-6 (0 is Sunday)

       The cron syntax is limited to * or a specific number in each field.
       Ranges are not supported.


       --enable
              Enable certificate pruning.

       --disable
              Disable certificate pruning.

       --cron=CRON
              Configure the pruning cron job. The syntax is similar to
              crontab(5) syntax, with the restrictions described above.
              For example, "0 0 1 * *" schedules the job to run at 12:00am
              on the first day of each month.

       --certretention=CERTRETENTION
              Certificate retention time. The default is 30. A value of 0
              removes expired certificates with no delay.

       --certretentionunit=CERTRETENTIONUNIT
              Certificate retention unit. Valid units are: minute, hour,
              day, year. The default is day.

       --certsearchsizelimit=CERTSEARCHSIZELIMIT
              LDAP search size limit when searching for expired
              certificates. The default is 1000. This is a client-side
              limit. There may be additional server-side limitations.

       --certsearchtimelimit=CERTSEARCHTIMELIMIT
              LDAP search time limit (seconds) when searching for expired
              certificates. The default is 0, no limit. This is a
              client-side limit. There may be additional server-side
              limitations.

       --requestretention=REQUESTRETENTION
              Request retention time. The default is 30. A value of 0
              removes expired requests with no delay.

       --requestretentionunit=REQUESTRETENTIONUNIT
              Request retention unit. Valid units are: minute, hour, day,
              year. The default is day.

       --requestsearchsizelimit=REQUESTSEARCHSIZELIMIT
              LDAP search size limit when searching for unfulfilled
              requests. The default is 1000. There may be additional
              server-side limitations.

       --requestsearchtimelimit=REQUESTSEARCHTIMELIMIT
              LDAP search time limit (seconds) when searching for
              unfulfilled requests. The default is 0, no limit. There may
              be additional server-side limitations.

       --config-show
              Show the current pruning configuration.

       --run  Run the pruning job now. The IPA RA certificate is used to
              authenticate to the PKI REST backend.

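       The following POSIX shell script is an added example, not FreeIPA
       code. It checks a schedule against the restricted cron syntax that
       --cron accepts (each of the five fields is "*" or a single integer
       within the limits in the table above), rejects a retention unit the
       page does not list, and only then applies the pruning configuration
       on this host and restarts the CA so the change takes effect. The
       restart command, systemctl restart pki-tomcatd@pki-tomcat.service,
       is an assumption (pki-tomcat is the CA instance name FreeIPA uses by
       default); the schedule and retention values are illustrative.

```shell
#!/bin/sh
# Added example, not FreeIPA code: validate a schedule against the
# restricted cron syntax accepted by `ipa-acme-manage pruning --cron`
# (each of the five fields is "*" or a single integer within the limits
# in the man page's table), check the retention unit, apply the
# configuration and restart the CA so it takes effect.
#
# Assumption not stated in the man page: the CA is restarted with
# `systemctl restart pki-tomcatd@pki-tomcat.service` (pki-tomcat is the
# instance name FreeIPA uses by default).

# field_ok VALUE MIN MAX: accept "*" or one integer in [MIN, MAX].
# Ranges (1-5), lists (1,3) and steps (*/5) all fail the digits-only test.
field_ok() {
    case $1 in
        '*')          return 0 ;;
        ''|*[!0-9]*)  return 1 ;;
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# validate_cron "MIN HOUR DOM MON DOW": 0 when all five fields are valid
# and nothing follows them. The here-document keeps "*" from globbing.
validate_cron() {
    read -r min hour dom mon dow extra <<EOF
$1
EOF
    [ -z "$extra" ] || return 1
    field_ok "$min" 0 59 && field_ok "$hour" 0 23 && field_ok "$dom" 1 31 \
        && field_ok "$mon" 1 12 && field_ok "$dow" 0 6
}

# unit_ok UNIT: the retention units the man page lists ("days" is not one).
unit_ok() {
    case $1 in
        minute|hour|day|year) return 0 ;;
        *)                    return 1 ;;
    esac
}

# configure_pruning CRON RETENTION UNIT: refuse bad input locally instead of
# leaving a half-applied configuration, then enable pruning on this host.
configure_pruning() {
    validate_cron "$1" || { echo "rejected cron spec '$1'" >&2; return 1; }
    unit_ok "$3"       || { echo "rejected retention unit '$3'" >&2; return 1; }
    ipa-acme-manage pruning --enable --cron="$1" \
        --certretention="$2" --certretentionunit="$3" \
        --requestretention="$2" --requestretentionunit="$3" || return 1
    # The new settings are only picked up after the CA restarts.
    systemctl restart pki-tomcatd@pki-tomcat.service
}

# Illustrative values: run daily at 03:00 and keep expired certificates and
# unfulfilled requests for 7 days. Only runs where the tool is installed.
if command -v ipa-acme-manage >/dev/null 2>&1; then
    configure_pruning "0 3 * * *" 7 day && ipa-acme-manage pruning --config-show
fi
```

       Validating the schedule before calling the tool matters because the
       CA, not the command line, is what consumes the cron string, and a
       value such as "0 0 1-15 * *" would only be discovered as broken
       when the job fails to run after the restart. Seven days is short
       enough to keep the LDAP backend from filling up with expired
       short-lived ACME certificates, but the right value depends on how
       long expired entries are still needed for auditing.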


EXIT STATUS
       0 if the command was successful

       1 if an error occurred

       2 if the host is not an IPA server

       3 if the host is not a CA server



IPA                               Jun 2 2020               ipa-acme-manage(1)