
Certificate Authority

Manage certificate authorities within the integrated PKI subsystem. Supports lightweight sub-CAs for certificate isolation and policy enforcement. Features include CA creation and management, CA certificate retrieval, enabling and disabling CAs, and integration with certificate profiles and ACLs for fine-grained control over certificate issuance across organizational boundaries.


Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance of X.509 certificates.

CAs are enabled on creation, but their use is subject to CA ACLs unless the operator has permission to bypass CA ACLs.

All CAs except the ‘IPA’ CA can be disabled or re-enabled. Disabling a CA prevents it from issuing certificates but does not affect the validity of its certificate.

CAs (all except the ‘IPA’ CA) can be deleted. Deleting a CA causes its signing certificate to be revoked and its private key deleted.

EXAMPLES

Create new CA, subordinate to the IPA CA (requires permission “System: Add CA”):

ipa ca-add puppet --desc "Puppet" \
    --subject "CN=Puppet CA,O=EXAMPLE.COM"

Disable a CA (requires permission “System: Modify CA”):

ipa ca-disable puppet

Re-enable a CA (requires permission “System: Modify CA”):

ipa ca-enable puppet

Delete a CA (requires permission “System: Delete CA”; also requires CA to be disabled first):

ipa ca-del puppet
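The lifecycle shown above, driven from a small POSIX shell script that enforces the ordering the commands require: disable before delete, and never against the built-in ‘IPA’ CA, which the text says cannot be disabled or deleted. This is an added example, not part of the FreeIPA documentation or code base; the IPA_CMD hook (defaulting to the real ipa client), the function names and the root-CA guard are assumptions of the example, while the sub-commands and options are exactly the ones documented on this page.

```shell
#!/bin/sh
# Added example (not FreeIPA's own code): drive the Sub-CA lifecycle with the
# ordering the commands require. IPA_CMD is an assumed hook, defaulting to the
# real "ipa" client, so the sequence can be exercised against a stub as well.
IPA_CMD="${IPA_CMD:-ipa}"

# The built-in ‘IPA’ CA can be neither disabled nor deleted; refuse early
# instead of letting the server reject the call.
ca_is_root() {
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "ipa" ]
}

# Create a lightweight Sub-CA (needs "System: Add CA"). The subject DN is
# what scopes this CA's issuance apart from the other CAs.
ca_create() {
    # $1 = name, $2 = description, $3 = subject DN
    "$IPA_CMD" ca-add "$1" --desc "$2" --subject "$3"
}

# Show the CA together with its chain, so the link to the issuing IPA CA is visible.
ca_inspect() {
    "$IPA_CMD" ca-show "$1" --chain
}

# Stop issuance (needs "System: Modify CA"); certificates already issued stay valid.
ca_disable() {
    if ca_is_root "$1"; then
        echo "refusing to disable the IPA CA" >&2
        return 1
    fi
    "$IPA_CMD" ca-disable "$1"
}

# Retire a Sub-CA (needs "System: Delete CA"): ca-del requires the CA to be
# disabled first, and deleting revokes its signing certificate and destroys its
# private key, so disable and delete run as one ordered step and stop on error.
ca_retire() {
    if ca_is_root "$1"; then
        echo "refusing to delete the IPA CA" >&2
        return 1
    fi
    "$IPA_CMD" ca-disable "$1" && "$IPA_CMD" ca-del "$1"
}
```

Typical use is `ca_create puppet "Puppet" "CN=Puppet CA,O=EXAMPLE.COM"`, then `ca_inspect puppet`, and finally `ca_retire puppet` once the CA is no longer needed; each helper returns the exit status of the underlying ipa call, so a failed disable never leads to a delete attempt.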

Commands

Command      Description
ca-add       Create a CA.
ca-del       Delete a CA (must be disabled first).
ca-disable   Disable a CA.
ca-enable    Enable a CA.
ca-find      Search for CAs.
ca-mod       Modify CA configuration.
ca-show      Display the properties of a CA.


ca-add

Usage: ipa [global-options] ca-add NAME [options]

Create a CA.

Arguments

Argument   Required   Description
NAME       yes        Name for referencing the CA


Options

Option               Description
--desc DESC          Description of the purpose of the CA
--subject SUBJECT    Subject Distinguished Name
--setattr SETATTR    Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR    Add an attribute/value pair. Format is attr=value. The attribute
--chain              Include certificate chain in output
--all                Retrieve and print all attributes from the server. Affects command output.
--raw                Print entries as stored on the server. Only affects output format.


ca-del

Usage: ipa [global-options] ca-del NAME [options]

Delete a CA (must be disabled first).

Arguments

Argument   Required   Description
NAME       yes        Name for referencing the CA

Options

Option       Description
--continue   Continuous mode: Don’t stop on errors.



ca-disable

Usage: ipa [global-options] ca-disable NAME [options]

Disable a CA.

Arguments

Argument   Required   Description
NAME       yes        Name for referencing the CA



ca-enable

Usage: ipa [global-options] ca-enable NAME [options]

Enable a CA.

Arguments

Argument   Required   Description
NAME       yes        Name for referencing the CA



ca-find

Usage: ipa [global-options] ca-find [CRITERIA] [options]

Search for CAs.

Arguments

Argument   Required   Description
CRITERIA   no         A string searched in all relevant object attributes

Options

Option                                                   Description
--name NAME                                              Name for referencing the CA
--desc DESC                                              Description of the purpose of the CA
--id ID                                                  Dogtag Authority ID
--subject SUBJECT                                        Subject Distinguished Name
--issuer ISSUER                                          Issuer Distinguished Name
--randomserialnumberversion RANDOMSERIALNUMBERVERSION    Random Serial Number Version
--timelimit TIMELIMIT                                    Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT                                    Maximum number of entries returned (0 is unlimited)
--all                                                    Retrieve and print all attributes from the server. Affects command output.
--raw                                                    Print entries as stored on the server. Only affects output format.
--pkey-only                                              Results should contain primary key attribute only (“name”)


ca-mod

Usage: ipa [global-options] ca-mod NAME [options]

Modify CA configuration.

Arguments

Argument   Required   Description
NAME       yes        Name for referencing the CA

Options

Option               Description
--desc DESC          Description of the purpose of the CA
--setattr SETATTR    Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR    Add an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTR    Delete an attribute/value pair. The option will be evaluated
--rights             Display the access rights of this entry (requires --all). See ipa man page for details.
--all                Retrieve and print all attributes from the server. Affects command output.
--raw                Print entries as stored on the server. Only affects output format.
--rename RENAME      Rename the Certificate Authority object


ca-show

Usage: ipa [global-options] ca-show NAME [options]

Display the properties of a CA.

Arguments

Argument   Required   Description
NAME       yes        Name for referencing the CA

Options

Option     Description
--rights   Display the access rights of this entry (requires --all). See ipa man page for details.
--chain    Include certificate chain in output
--all      Retrieve and print all attributes from the server. Affects command output.
--raw      Print entries as stored on the server. Only affects output format.