Rework the way SSL certificates are imported from PKCS#12 files.

Add the ability to provide PKCS#12 files during initial installation
Add the ability to provide PKCS#12 files when preparing a replica
Correct some issues with ipa-server-certinstall

452402

3 files changed, 34 insertions, 3 deletions

diff --git a/ipa-server/man/ipa-replica-prepare.1 b/ipa-server/man/ipa-replica-prepare.1
index b04bb665f..8eb49444a 100644
--- a/ipa-server/man/ipa-replica-prepare.1
+++ b/ipa-server/man/ipa-replica-prepare.1
@@ -29,6 +29,19 @@ A replica can only be created on an IPA server installed with ipa\-server\-insta
 You must provide the fully\-qualified hostname of the machine you want to install the replica on and a host\-specific replica_file will be created. It is host\-specific because SSL server certificates are generated as part of the process and they are specific to a particular hostname.
 
 Once the file has been created it will be named replica\-hostname. This file can then be moved across the network to the target machine and a new IPA replica setup by running ipa\-replica\-install replica\-hostname.
+.SH "OPTIONS"
+.TP
+\fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR
+PKCS#12 file containing the Directory Server SSL Certificate
+.TP
+\fB\-\-http_pkcs12\fR=\fIFILE\fR
+PKCS#12 file containing the Apache Server SSL Certificate
+.TP
+\fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
+The password of the Directory Server PKCS#12 file
+.TP
+\fB\-\-http_pin\fR=\fIHTTP_PIN\fR
+The password of the Apache Server PKCS#12 file
 .SH "EXIT STATUS"
 0 if the command was successful
 
diff --git a/ipa-server/man/ipa-server-certinstall.1 b/ipa-server/man/ipa-server-certinstall.1
index 950676966..946ab9f80 100644
--- a/ipa-server/man/ipa-server-certinstall.1
+++ b/ipa-server/man/ipa-server-certinstall.1
@@ -26,8 +26,9 @@ Replace the current SSL Directory and/or Apache server certificate(s) with the c
 
 PKCS#12 is a file format used to safely transport SSL certificates and public/private keypairs.
 
-They may be generated and managed using the NSS pk12util command or the OpeNSSL pkcs12 command.
+They may be generated and managed using the NSS pk12util command or the OpenSSL pkcs12 command.
 
+The service(s) are not automatically restarted. In order to use the newly installed certificate(s) you will need to manually restart the Directory and/or Apache servers.
 .SH "OPTIONS"
 .TP 
 \fB\-d\fR, \fB\-\-dirsrv\fR
@@ -35,6 +36,12 @@ Install the certificate on the Directory Server
 .TP 
 \fB\-w\fR, \fB\-\-http\fR
 Install the certificate in the Apache Web Server
+.TP
+\fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
+The password of the Directory Server PKCS#12 file
+.TP
+\fB\-\-http_pin\fR=\fIHTTP_PIN\fR
+The password of the Apache Server PKCS#12 file
 .SH "EXIT STATUS"
 0 if the installation was successful
 
diff --git a/ipa-server/man/ipa-server-install.1 b/ipa-server/man/ipa-server-install.1
index 9fa06c77e..8854f4e56 100644
--- a/ipa-server/man/ipa-server-install.1
+++ b/ipa-server/man/ipa-server-install.1
@@ -60,10 +60,21 @@ Generate a DNS zone file that contains auto\-discovery records for this IPA serv
 .TP 
 \fB\-n\fR, \fB\-\-no\-ntp\fR
 Do not configure NTP
-<fb>\-U\fR, \fB\-\-uninstall\fR
+\fB\-U\fR, \fB\-\-uninstall\fR
 Uninstall an existing IPA installation
+.TP
+\fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR
+PKCS#12 file containing the Directory Server SSL Certificate
+.TP
+\fB\-\-http_pkcs12\fR=\fIFILE\fR
+PKCS#12 file containing the Apache Server SSL Certificate
+.TP
+\fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
+The password of the Directory Server PKCS#12 file
+.TP
+\fB\-\-http_pin\fR=\fIHTTP_PIN\fR
+The password of the Apache Server PKCS#12 file
 .PP 
-By default the full name, home Directory and login shell and username fields are displayed.
 .SH "EXIT STATUS"
 0 if the installation was successful