authorRob Crittenden <rcritten@redhat.com>2010-06-02 14:08:50 -0400
committerRob Crittenden <rcritten@redhat.com>2010-06-22 13:58:04 -0400
commit901ccc1393a7e494f7b1b64eaeb2f7809056aafa (patch)
treeb9523a814ed72e08ac286134bb45cf07e6e053f4 /ipalib/plugins/cert.py
parent8c6c93125f344ca117cc24b2e96c55b1d9ae31bd (diff)
First pass at per-command documentation
Diffstat (limited to 'ipalib/plugins/cert.py')
-rw-r--r--ipalib/plugins/cert.py37
1 files changed, 36 insertions, 1 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index a2ecce421..17e4c46b0 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -20,7 +20,42 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
-Command plugins for IPA-RA certificate operations.
+IPA certificate operations
+
+Implements a set of commands for managing server SSL certificates.
+
+Certificate request come in the form of a Certificate Signing Request (CSR)
+in PEM format.
+
+If using the selfsign backend then the subject in the CSR needs to match
+the subject configured in the server. The dogtag CA uses just the CN
+value of the CSR and forces the rest of the subject.
+
+A certificate is stored with a service principal and a service principal
+needs a host. So in order to request a certificate the following conditions
+must be met:
+
+* The host exists
+* The service exists (or you use the --add option to automatically add it)
+
+EXAMPLES:
+
+ Request a new certificate, add the principal:
+ ipa cert-request --add --principal=HTTP/lion.example.com example.csr
+
+ Retrieve an existing certificate:
+ ipa cert-request 1032
+
+ Revoke a certificate (see RFC 5280 for reason details):
+ ipa cert-revoke --revocation-reason=6 1032
+
+ Remove a certificate from revocation hold status:
+ ipa cert-remove-hold 1032
+
+ Check the status of a signing request:
+ ipa cert-status 10
+
+IPA currently immediately issues (or declines) all certificate requests.
"""
from ipalib import api, SkipPluginModule
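Review bot: The "Retrieve an existing certificate" example in the new module docstring runs `ipa cert-request 1032`, which is the request command, not a retrieval one; it most likely should read `ipa cert-show 1032`. The revoke example uses `--revocation-reason=6` without naming it. In RFC 5280 reason 6 is certificateHold, the reversible status that the following `cert-remove-hold` example undoes, so an operator copying it for a key compromise would leave the certificate on hold instead of revoking it permanently. I would change that caption to something like `Place a certificate on hold (RFC 5280 reason 6, certificateHold; reversible with cert-remove-hold):` and point to the RFC for the permanent reasons. There is also a small typo in the second paragraph: "Certificate request come" should be "Certificate requests come".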