ipa-cacert-manage(1) IPA Manual Pages ipa-cacert-manage(1)

NAME
ipa-cacert-manage - Manage CA certificates in IPA

SYNOPSIS
ipa-cacert-manage [OPTIONS...] renew
ipa-cacert-manage [OPTIONS...] install CERTFILE...
ipa-cacert-manage [OPTIONS...] delete NICKNAME
ipa-cacert-manage [OPTIONS...] list
ipa-cacert-manage [OPTIONS...] prune

DESCRIPTION
ipa-cacert-manage can be used to manage CA certificates in IPA.

COMMANDS
renew - Renew the IPA CA certificate

This command can be used to manually renew the CA certificate of
the IPA CA (NSS database nickname: "caSigningCert cert-pki-ca").
To renew other certificates, use getcert-resubmit(1).

When the IPA CA is the root CA (the default), it is not usually
necessary to manually renew the CA certificate, as it will be
renewed automatically when it is about to expire, but you can do
so if you wish.

When the IPA CA is subordinate to an external CA, the renewal
process involves submitting a CSR to the external CA and
installing the newly issued certificate in IPA, which cannot be
done automatically. It is necessary to manually renew the CA
certificate in this setup.

When the IPA CA is not configured, this command is not available.

install - Install one or more CA certificates

This command can be used to install the certificates contained
in CERTFILE as additional CA certificates to IPA.

Important: this does not replace the IPA CA but adds the provided
certificate as a known CA. This is useful for instance when using
ipa-server-certinstall to replace HTTP/LDAP certificates
with third-party certificates signed by this additional CA.

Please do not forget to run ipa-certupdate on the master, all
the replicas and all the clients after this command in order to
update the IPA certificate databases.

The supported formats for the certificate files are DER, PEM and
PKCS#7.

delete - Remove a CA certificate

Remove a CA from IPA. The nickname of the CA to be removed can be
found using the list command. The CA chain is validated before
allowing a CA to be removed, so leaf certificates in a chain need
to be removed first.

Please do not forget to run ipa-certupdate on the master, all
the replicas and all the clients after this command in order to
update the IPA certificate databases.

list - List the stored CA certificates

Display a list of the nicknames or subjects of the CA certificates
that have been installed.

prune - Prune the stored CA certificates

Removes installed CA certificates that are expired.

OPTIONS
--version
Show the program's version and exit.

-h, --help
Show the help for this program.

-p DM_PASSWORD, --password=DM_PASSWORD
The Directory Manager password to use for authentication.

-v, --verbose
Print debugging information.

-q, --quiet
Output only errors.

--log-file=FILE
Log to the given file.

RENEW OPTIONS
--self-signed
Self-sign the renewed certificate.

--external-ca
Have the renewed certificate signed by an external CA.

--external-ca-type=TYPE
Type of the external CA. Possible values are "generic" and "ms-cs".
The default value is "generic". Use "ms-cs" to include the template
name required by Microsoft Certificate Services (MS CS) in the
generated CSR (see --external-ca-profile for full details).

--external-ca-profile=PROFILE_SPEC
Specify the certificate profile or template to use at the external
CA.

When --external-ca-type is "ms-cs" the following specifiers may
be used:

<oid>:<majorVersion>[:<minorVersion>]
Specify a certificate template by OID and major version,
optionally also specifying the minor version.

<name> Specify a certificate template by name. The name cannot
contain any : characters and cannot be an OID (otherwise
the OID-based template specifier syntax takes precedence).

default
If no template is specified, the template name "SubCA" is
used.

--external-cert-file=FILE
File containing the IPA CA certificate and the external CA
certificate chain. The file is accepted in PEM and DER certificate
and PKCS#7 certificate chain formats. This option may be used
multiple times.

INSTALL OPTIONS
-n NICKNAME, --nickname=NICKNAME
Nickname for the certificate. Applicable only when a single
certificate is being installed.

-t TRUST_FLAGS, --trust-flags=TRUST_FLAGS
Trust flags for the certificate in certutil format. Trust flags
are of the form "A,B,C" or "A,B,C,D" where A is for SSL, B is
for S/MIME, C is for code signing, and D is for PKINIT. Use ",,"
for no explicit trust.

The supported trust flags are:

C - CA trusted to issue server certificates

T - CA trusted to issue client certificates

p - not trusted

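As an added example that is not part of this manual page, two POSIX sh helpers (the function names are assumptions) that check option values against the two syntaxes documented above before they are passed to the command: the --external-ca-profile specifier used with --external-ca-type=ms-cs, and the certutil-style --trust-flags string. A bare OID with no version is treated as invalid because the page states a name cannot be an OID; that reading is this example's assumption.

```shell
#!/bin/sh
# Added example, not part of the ipa-cacert-manage manual page.
# Helper names are assumptions; the checks follow the option syntax
# described in the RENEW OPTIONS and INSTALL OPTIONS sections.

# classify_ms_cs_profile SPEC
# Prints "default", "oid" or "name" for a usable --external-ca-profile
# value under --external-ca-type=ms-cs; prints "invalid" and returns 1
# otherwise.
classify_ms_cs_profile() {
    spec=$1
    # No template given: the page says the template name "SubCA" is used.
    if [ -z "$spec" ]; then
        echo default
        return 0
    fi
    # <oid>:<majorVersion>[:<minorVersion>]  (dotted OID, integer versions)
    if printf '%s\n' "$spec" | grep -Eq '^[0-9]+(\.[0-9]+)+:[0-9]+(:[0-9]+)?$'; then
        echo oid
        return 0
    fi
    # Any other value containing ':' is neither a valid OID spec nor a
    # legal template name (names cannot contain ':').
    case "$spec" in *:*) echo invalid; return 1 ;; esac
    # A bare OID cannot be a name (OID syntax takes precedence); this
    # example treats it as invalid (assumption).
    if printf '%s\n' "$spec" | grep -Eq '^[0-9]+(\.[0-9]+)+$'; then
        echo invalid
        return 1
    fi
    echo name
    return 0
}

# validate_trust_flags FLAGS
# Returns 0 when FLAGS is "A,B,C" or "A,B,C,D" (SSL, S/MIME, code
# signing, PKINIT) and each field is empty or built only from the
# flags listed on this page: C, T, p.
validate_trust_flags() {
    flags=$1
    nfields=$(printf '%s\n' "$flags" | awk -F, '{ print NF }')
    [ "$nfields" -eq 3 ] || [ "$nfields" -eq 4 ] || return 1
    case "$flags" in
        *[!CTp,]*) return 1 ;;   # contains a letter this page does not list
    esac
    return 0
}
```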
DELETE OPTIONS
-f, --force
Force a CA certificate to be removed even if chain validation
fails.

EXIT STATUS
0 if the command was successful

1 if an error occurred

SEE ALSO
getcert-resubmit(1)

IPA Aug 12 2013 ipa-cacert-manage(1)