Provided by: freeipa-server_4.8.3-1_amd64

NAME

       ipa-ca-install - Install a CA on a server

SYNOPSIS

       ipa-ca-install [OPTION]...

DESCRIPTION

       Adds  a  CA  as  an  IPA-managed  service.  This  requires  that the IPA server is already
       installed and configured.

       ipa-ca-install can be used to upgrade from CA-less to CA-full or to install the CA service
       on a replica.

       Domain level 0 is no longer supported.

OPTIONS

       -d, --debug
              Enable debug logging when more verbose output is needed

       -p DM_PASSWORD, --password=DM_PASSWORD
              Directory Manager (existing master) password

       -w ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
              Admin user Kerberos password used for connection check

       --external-ca
              Generate a CSR for the IPA CA certificate to be signed by an external CA.

       --external-ca-type=TYPE
              Type  of  the external CA. Possible values are "generic", "ms-cs". Default value is
              "generic".  Use  "ms-cs"  to  include  the  template  name  required  by  Microsoft
              Certificate  Services  (MS  CS) in the generated CSR (see --external-ca-profile for
              full details).

       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the external CA.

              When --external-ca-type is "ms-cs" the following specifiers may be used:

              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and  major  version,  optionally  also
                     specifying minor version.

              <name> Specify  a  certificate  template  by  name.   The name cannot contain any :
                     characters and cannot be an OID (otherwise the OID-based template  specifier
                     syntax takes precedence).

              default
                     If no template is specified, the template name "SubCA" is used.

       --external-cert-file=FILE
              File  containing  the IPA CA certificate and the external CA certificate chain. The
              file is accepted in PEM and DER certificate and PKCS#7 certificate  chain  formats.
              This option may be used multiple times.

       --ca-subject=SUBJECT
              The  CA  certificate  subject  DN  (default CN=Certificate Authority,O=REALM.NAME).
              RDNs are in LDAP order (most specific RDN first).

       --subject-base=SUBJECT
              The subject base for certificates issued by IPA (default O=REALM.NAME).   RDNs  are
              in LDAP order (most specific RDN first).

       --pki-config-override=FILE
              File containing overrides for CA installation.

       --ca-signing-algorithm=ALGORITHM
              Signing  algorithm  of  the  IPA  CA  certificate. Possible values are SHA1withRSA,
              SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option  with
              --external-ca if the external CA does not support the default signing algorithm.

       --no-host-dns
              Do not use DNS for hostname lookup during installation

       --skip-conncheck
              Skip connection check to remote master

       --skip-schema-check
              Skip check for updated CA DS schema on the remote master

       -U, --unattended
              An unattended installation that will never prompt for user input
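
       A pre-flight check for the "ms-cs" specifier syntax of --external-ca-profile described
       above, as an added example (not FreeIPA's own code). The names parse_ms_cs_profile and
       TemplateSpec are hypothetical; it assumes an OID is dotted decimal with at least two
       arcs and that versions are non-negative decimal integers.

```python
import re
from typing import NamedTuple, Optional

# Assumption: an OID is dotted decimal with at least two arcs (e.g. 1.2.3.4).
OID_RE = re.compile(r"[0-9]+(\.[0-9]+)+")

class TemplateSpec(NamedTuple):
    kind: str                      # "oid" or "name"
    value: str                     # template OID or template name
    major: Optional[int] = None
    minor: Optional[int] = None

def _version(text: str, label: str) -> int:
    # Assumption: versions are non-negative decimal integers.
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"{label} version must be a non-negative integer: {text!r}")
    return int(text)

def parse_ms_cs_profile(spec: Optional[str]) -> TemplateSpec:
    """Classify a --external-ca-profile value for --external-ca-type=ms-cs."""
    if spec is None:
        return TemplateSpec("name", "SubCA")   # documented default template
    if not spec:
        raise ValueError("empty profile specifier")
    parts = spec.split(":")
    if OID_RE.fullmatch(parts[0]):
        # OID syntax takes precedence, so a bare OID is never read as a name:
        # the major version is mandatory, the minor version optional.
        if len(parts) not in (2, 3):
            raise ValueError(f"expected <oid>:<majorVersion>[:<minorVersion>]: {spec!r}")
        major = _version(parts[1], "major")
        minor = _version(parts[2], "minor") if len(parts) == 3 else None
        return TemplateSpec("oid", parts[0], major, minor)
    if len(parts) > 1:
        raise ValueError(f"template name cannot contain ':': {spec!r}")
    return TemplateSpec("name", spec)

if __name__ == "__main__":
    # Constructed sample values, not taken from a real CA.
    for s in (None, "SubCA", "1.2.3.4:100", "1.2.3.4:100:5",
              "1.2.3.4", "Web:Server", "1.2.3.4:x"):
        try:
            print(repr(s), "->", parse_ms_cs_profile(s))
        except ValueError as err:
            print(repr(s), "-> rejected:", err)
```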

EXIT STATUS

       0 if the command was successful

       1 if an error occurred