Provided by: freeipa-server_4.7.0~pre1+git20180411-2ubuntu2_amd64 bug


       ipa-cacert-manage - Manage CA certificates in IPA


       ipa-cacert-manage [OPTIONS...] renew
       ipa-cacert-manage [OPTIONS...] install CERTFILE


       ipa-cacert-manage can be used to manage CA certificates in IPA.


       renew  - Renew the IPA CA certificate

              This  command  can  be used to manually renew the CA certificate of the IPA CA (NSS
              database nickname: "caSigningCert cert-pki-ca"). To renew other  certificates,  use

              When  the  IPA  CA  is  the  root  CA (the default), it is not usually necessary to
              manually renew the CA certificate, as it will be renewed automatically when  it  is
              about to expire, but you can do so if you wish.

              When  the  IPA  CA  is  subordinate of an external CA, the renewal process involves
              submitting a CSR to the external CA and installing the newly issued certificate  in
              IPA,  which  cannot be done automatically. It is necessary to manually renew the CA
              certificate in this setup.

              When the IPA CA is not configured, this command is not available.

              - Install a CA certificate

              This command can be used to install the certificate contained  in  CERTFILE  as  an
              additional CA certificate to IPA.

              Important:  this  does  not  replace  IPA CA but adds the provided certificate as a
              known CA. This is useful for instance when using ipa-server-certinstall to  replace
              HTTP/LDAP certificates with third-party certificates signed by this additional CA.

              Please  do not forget to run ipa-certupdate on the master, all the replicas and all
              the clients after this command in order to update IPA certificates databases.


              Show the program's version and exit.

       -h, --help
              Show the help for this program.

       -p DM_PASSWORD, --password=DM_PASSWORD
              The Directory Manager password to use for authentication.

       -v, --verbose
              Print debugging information.

       -q, --quiet
              Output only errors.

              Log to the given file.


              Sign the renewed certificate by itself.

              Sign the renewed certificate by external CA.

              Type of the external CA. Possible values are "generic", "ms-cs". Default  value  is
              "generic".  Use  "ms-cs"  to  include  the  template  name  required  by  Microsoft
              Certificate Services (MS CS) in the generated CSR  (see  --external-ca-profile  for
              full details).

              Specify the certificate profile or template to use at the external CA.

              When --external-ca-type is "ms-cs" the following specifiers may be used:

                     Specify  a  certificate  template  by OID and major version, optionally also
                     specifying minor version.

              <name> Specify a certificate template by name.   The  name  cannot  contain  any  :
                     characters  and cannot be an OID (otherwise the OID-based template specifier
                     syntax takes precedence).

                     If no template is specified, the template name "SubCA" is used.

              File containing the IPA CA certificate and the external CA certificate  chain.  The
              file  is  accepted in PEM and DER certificate and PKCS#7 certificate chain formats.
              This option may be used multiple times.


       -n NICKNAME, --nickname=NICKNAME
              Nickname for the certificate.

       -t TRUST_FLAGS, --trust-flags=TRUST_FLAGS
              Trust flags for the certificate in certutil format. Trust flags  are  of  the  form
              "A,B,C"  or  "A,B,C,D"  where A is for SSL, B is for S/MIME, C is for code signing,
              and D is for PKINIT. Use ",," for no explicit trust.

              The supported trust flags are:

                     C - CA trusted to issue server certificates

                     T - CA trusted to issue client certificates

                     p - not trusted


       0 if the command was successful

       1 if an error occurred