1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
.\" A man page for ipa-cacert-manage
.\" Copyright (C) 2014 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Jan Cholasta <jcholast@redhat.com>
.\"
.TH "ipa-cacert-manage" "1" "Aug 12 2013" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-cacert\-manage \- Manage CA certificates in IPA
.SH "SYNOPSIS"
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] renew
.RE
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] install \fICERTFILE\fR
.SH "DESCRIPTION"
\fBipa\-cacert\-manage\fR can be used to manage CA certificates in IPA.
.SH "COMMANDS"
.TP
\fBrenew\fR
\- Renew the IPA CA certificate
.sp
.RS
This command can be used to manually renew the CA certificate of the IPA CA.
.sp
When the IPA CA is the root CA (the default), it is not usually necessary to manually renew the CA certificate, as it will be renewed automatically when it is about to expire, but you can do so if you wish.
.sp
When the IPA CA is subordinate of an external CA, the renewal process involves submitting a CSR to the external CA and installing the newly issued certificate in IPA, which cannot be done automatically. It is necessary to manually renew the CA certificate in this setup.
.sp
When the IPA CA is not configured, this command is not available.
.RE
.TP
\fBinstall\fR
\- Install a CA certificate
.sp
.RS
This command can be used to install the certificate contained in \fICERTFILE\fR as a new CA certificate to IPA.
.RE
.SH "COMMON OPTIONS"
.TP
\fB\-\-version\fR
Show the program's version and exit.
.TP
\fB\-h\fR, \fB\-\-help\fR
Show the help for this program.
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
The Directory Manager password to use for authentication.
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information.
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors.
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file.
.RE
.SH "RENEW OPTIONS"
.TP
\fB\-\-self\-signed\fR
Sign the renewed certificate by itself.
.TP
\fB\-\-external\-ca\fR
Sign the renewed certificate by external CA.
.TP
\fB\-\-external\-cert\-file\fR=\fIFILE\fR
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
.RE
.SH "INSTALL OPTIONS"
.TP
\fB\-n\fR \fINICKNAME\fR, \fB\-\-nickname\fR=\fINICKNAME\fR
Nickname for the certificate.
.TP
\fB\-t\fR \fITRUST_FLAGS\fR, \fB\-\-trust\-flags\fR=\fITRUST_FLAGS\fR
Trust flags for the certificate in certutil format. Trust flags are of the form "X,Y,Z" where X is for SSL, Y is for S/MIME, and Z is for code signing. Use ",," for no explicit trust.
.sp
The supported trust flags are:
.RS
.IP
C \- CA trusted to issue server certificates
.IP
T \- CA trusted to issue client certificates
.IP
p \- not trusted
.RE
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
|
