author | Rob Crittenden <rcritten@redhat.com> | 2010-06-02 14:08:50 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-06-22 13:58:04 -0400 |
commit | 901ccc1393a7e494f7b1b64eaeb2f7809056aafa (patch) | |
tree | b9523a814ed72e08ac286134bb45cf07e6e053f4 /ipalib/plugins/cert.py | |
parent | 8c6c93125f344ca117cc24b2e96c55b1d9ae31bd (diff) | |
First pass at per-command documentation
Diffstat (limited to 'ipalib/plugins/cert.py')
-rw-r--r-- | ipalib/plugins/cert.py | 37 |
1 files changed, 36 insertions, 1 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index a2ecce421..17e4c46b0 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -20,7 +20,42 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 
 """
-Command plugins for IPA-RA certificate operations.
+IPA certificate operations
+
+Implements a set of commands for managing server SSL certificates.
+
+Certificate request come in the form of a Certificate Signing Request (CSR)
+in PEM format.
+
+If using the selfsign backend then the subject in the CSR needs to match
+the subject configured in the server. The dogtag CA uses just the CN
+value of the CSR and forces the rest of the subject.
+
+A certificate is stored with a service principal and a service principal
+needs a host. So in order to request a certificate the following conditions
+must be met:
+
+* The host exists
+* The service exists (or you use the --add option to automatically add it)
+
+EXAMPLES:
+
+ Request a new certificate, add the principal:
+ ipa cert-request --add --principal=HTTP/lion.example.com example.csr
+
+ Retrieve an existing certificate:
+ ipa cert-request 1032
+
+ Revoke a certificate (see RFC 5280 for reason details):
+ ipa cert-revoke --revocation-reason=6 1032
+
+ Remove a certificate from revocation hold status:
+ ipa cert-remove-hold 1032
+
+ Check the status of a signing request:
+ ipa cert-status 10
+
+IPA currently immediately issues (or declines) all certificate requests.
 """
 
 from ipalib import api, SkipPluginModule |
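Review bot: The "Retrieve an existing certificate" example in the new module docstring shows `ipa cert-request 1032`, the same command the first example uses to submit a CSR file, so it looks like a copy-paste slip. It should name the command that fetches a certificate by serial number (probably `ipa cert-show 1032`, to be confirmed against the commands this plugin registers at this revision). The revoke example would also be clearer if it said that `--revocation-reason=6` is certificateHold in RFC 5280, e.g. `Place a certificate on hold (reason 6, certificateHold; see RFC 5280):`, because a hold is the only revocation `cert-remove-hold` can undo and the other reasons are permanent. Minor wording: `Certificate request come` should read `Certificate requests come`.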