
CA ACL Rules

Manage certificate authority access control lists (CA ACLs), which restrict which certificate profiles may be used, on which CAs, to issue certificates to which subject principals (users, hosts, or services). Each ACL has a subject scope, a CA scope and a profile scope; every scope is filled either by explicit members (users, groups, hosts, hostgroups, services, CAs, profiles) or by an "all" category, and an ACL can be disabled without being deleted.

17 commands

This plugin is used to define rules governing which CAs and profiles may be used to issue certificates to particular principals or groups of principals.

SUBJECT PRINCIPAL SCOPE

For a certificate request to be allowed, the principal(s) that are the subject of the certificate (which is not necessarily the principal actually submitting the request) must fall within the subject scope of an enabled CA ACL whose CA scope and profile scope also include the CA and profile named in the request.

Users can be included by name, group or the “all users” category. Hosts can be included by name, hostgroup or the “all hosts” category. Services can be included by service name or the “all services” category. CA ACLs may be associated with a single type of principal, or multiple types.

CERTIFICATE AUTHORITY SCOPE

A CA ACL can be associated with one or more CAs by name, or by the “all CAs” category. For compatibility reasons, a CA ACL with no CA association implies an association with the ‘ipa’ CA (and only this CA).

PROFILE SCOPE

A CA ACL can be associated with one or more profiles by Profile ID. The Profile ID is a string without spaces or punctuation starting with a letter and followed by a sequence of letters, digits or underscore ("_").

EXAMPLES

Create a CA ACL "test" that grants all users access to the "UserCert" profile on all CAs:

ipa caacl-add test --usercat=all --cacat=all
ipa caacl-add-profile test --certprofiles UserCert

Display the properties of a named CA ACL:

ipa caacl-show test

Create a CA ACL to let user “alice” use the “DNP3” profile on “DNP3-CA”:

ipa caacl-add alice_dnp3
ipa caacl-add-ca alice_dnp3 --cas DNP3-CA
ipa caacl-add-profile alice_dnp3 --certprofiles DNP3
ipa caacl-add-user alice_dnp3 --users=alice

Disable a CA ACL:

ipa caacl-disable test

Remove a CA ACL:

ipa caacl-del test
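The scope rules above (subject, CA and profile scope) and the two example ACLs "test" and "alice_dnp3" can be checked against a request without a server. The following Python model is an added example, not FreeIPA's own code: it reproduces the documented semantics (explicit members or an "all" category per scope, no CA association meaning the "ipa" CA only, the Profile ID syntax, and disabled ACLs never matching) over ACLs constructed inline to mirror the EXAMPLES section. The third ACL "webservers_tls", the hostgroup "webservers", the host "www1.example.test" and the profile name "caIPAserviceCert" are assumptions made for the illustration.

```python
"""Model of CA ACL evaluation as described in the caacl plugin help.

Added illustration only; this is not FreeIPA code. Names such as
webservers_tls, www1.example.test and caIPAserviceCert are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Profile ID syntax from the page: a letter, then letters, digits or "_".
PROFILE_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


@dataclass
class CAACL:
    name: str
    enabled: bool = True
    # Each category is either None (use explicit members) or "all".
    usercat: Optional[str] = None
    hostcat: Optional[str] = None
    servicecat: Optional[str] = None
    cacat: Optional[str] = None
    profilecat: Optional[str] = None
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    hostgroups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    cas: Set[str] = field(default_factory=set)
    profiles: Set[str] = field(default_factory=set)

    def add_profile(self, profile_id: str) -> None:
        """Mirror caacl-add-profile, rejecting a malformed Profile ID."""
        if not PROFILE_ID_RE.match(profile_id):
            raise ValueError(f"invalid Profile ID: {profile_id!r}")
        self.profiles.add(profile_id)


@dataclass
class Subject:
    """The principal the certificate is for; never the requester."""
    kind: str                                        # "user", "host" or "service"
    name: str                                        # uid, host FQDN or service principal
    memberof: Set[str] = field(default_factory=set)  # groups (users) or hostgroups (hosts)


def _subject_in_scope(acl: CAACL, s: Subject) -> bool:
    if s.kind == "user":
        return acl.usercat == "all" or s.name in acl.users or bool(s.memberof & acl.groups)
    if s.kind == "host":
        return acl.hostcat == "all" or s.name in acl.hosts or bool(s.memberof & acl.hostgroups)
    if s.kind == "service":
        return acl.servicecat == "all" or s.name in acl.services
    raise ValueError(f"unknown principal kind: {s.kind!r}")


def _ca_in_scope(acl: CAACL, ca: str) -> bool:
    if acl.cacat == "all":
        return True
    # Compatibility rule from the page: no CA association means the "ipa" CA only.
    return ca in (acl.cas or {"ipa"})


def _profile_in_scope(acl: CAACL, profile: str) -> bool:
    return acl.profilecat == "all" or profile in acl.profiles


def matching_acls(acls: List[CAACL], subject: Subject, ca: str, profile: str) -> List[str]:
    """Names of enabled ACLs whose subject, CA and profile scopes all cover the request.

    The requester's identity is deliberately not an input: a CA ACL constrains
    only the subject principal, the issuing CA and the profile.
    """
    return [a.name for a in acls
            if a.enabled and _subject_in_scope(a, subject)
            and _ca_in_scope(a, ca) and _profile_in_scope(a, profile)]


def is_allowed(acls: List[CAACL], subject: Subject, ca: str, profile: str) -> bool:
    return bool(matching_acls(acls, subject, ca, profile))


def sample_acls() -> List[CAACL]:
    """ACLs constructed to mirror the EXAMPLES section, plus one assumed host-scoped ACL."""
    # ipa caacl-add test --usercat=all --cacat=all
    # ipa caacl-add-profile test --certprofiles UserCert
    test = CAACL("test", usercat="all", cacat="all")
    test.add_profile("UserCert")
    # ipa caacl-add alice_dnp3; caacl-add-ca DNP3-CA; caacl-add-profile DNP3; caacl-add-user alice
    alice_dnp3 = CAACL("alice_dnp3", cas={"DNP3-CA"}, users={"alice"})
    alice_dnp3.add_profile("DNP3")
    # Assumed ACL: hostgroup "webservers", no CA association (so the "ipa" CA only).
    web = CAACL("webservers_tls", hostgroups={"webservers"})
    web.add_profile("caIPAserviceCert")
    return [test, alice_dnp3, web]


if __name__ == "__main__":
    acls = sample_acls()
    www = Subject("host", "www1.example.test", {"webservers"})
    print(matching_acls(acls, Subject("user", "alice"), "ipa", "UserCert"))  # ['test']
    print(matching_acls(acls, Subject("user", "alice"), "ipa", "DNP3"))      # []
    print(matching_acls(acls, www, "ipa", "caIPAserviceCert"))               # ['webservers_tls']
    print(matching_acls(acls, www, "DNP3-CA", "caIPAserviceCert"))           # []
```

The two denials in the usage block are the cases practitioners most often trip over: "alice_dnp3" grants the DNP3 profile only on DNP3-CA, so the same request against the "ipa" CA fails, and an ACL created without any CA association is silently limited to the "ipa" CA, so a host in "webservers" cannot obtain that profile from DNP3-CA until a CA (or --cacat=all) is added to the ACL.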

Commands


Command Description


caacl-add Create a new CA ACL.

caacl-add-ca Add CAs to a CA ACL.

caacl-add-host Add target hosts and hostgroups to a CA ACL.

caacl-add-profile Add profiles to a CA ACL.

caacl-add-service Add services to a CA ACL.

caacl-add-user Add users and groups to a CA ACL.

caacl-del Delete a CA ACL.

caacl-disable Disable a CA ACL.

caacl-enable Enable a CA ACL.

caacl-find Search for CA ACLs.

caacl-mod Modify a CA ACL.

caacl-remove-ca Remove CAs from a CA ACL.

caacl-remove-host Remove target hosts and hostgroups from a CA ACL.

caacl-remove-profile Remove profiles from a CA ACL.

caacl-remove-service Remove services from a CA ACL.

caacl-remove-user Remove users and groups from a CA ACL.

caacl-show Display the properties of a CA ACL.


caacl-add

Usage: ipa [global-options] caacl-add NAME [options]

Create a new CA ACL.

Arguments


Argument Required Description


NAME yes ACL name


Options


Option Description


--desc DESC Description

--cacat CACAT CA category the ACL applies to

--profilecat PROFILECAT Profile category the ACL applies to

--usercat USERCAT User category the ACL applies to

--hostcat HOSTCAT Host category the ACL applies to

--servicecat SERVICECAT Service category the ACL applies to

--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.

--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.


caacl-add-ca

Usage: ipa [global-options] caacl-add-ca NAME [options]

Add CAs to a CA ACL.

Arguments


Argument Required Description


NAME yes ACL name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--cas CAS Certificate Authorities to add


caacl-add-host

Usage: ipa [global-options] caacl-add-host NAME [options]

Add target hosts and hostgroups to a CA ACL.

Arguments


Argument Required Description


NAME yes ACL name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--hosts HOSTS hosts to add

--hostgroups HOSTGROUPS host groups to add


caacl-add-profile

Usage: ipa [global-options] caacl-add-profile NAME [options]

Add profiles to a CA ACL.

Arguments


Argument Required Description


NAME yes ACL name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--certprofiles CERTPROFILES Certificate Profiles to add


caacl-add-service

Usage: ipa [global-options] caacl-add-service NAME [options]

Add services to a CA ACL.

Arguments


Argument Required Description


NAME yes ACL name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--services SERVICES services to add


caacl-add-user

Usage: ipa [global-options] caacl-add-user NAME [options]

Add users and groups to a CA ACL.

Arguments


Argument Required Description


NAME yes ACL name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--users USERS users to add

--groups GROUPS groups to add


caacl-del

Usage: ipa [global-options] caacl-del NAME [options]

Delete a CA ACL.

Arguments


Argument Required Description


NAME yes ACL name


Options


Option Description


--continue Continuous mode: Don’t stop on errors.



caacl-disable

Usage: ipa [global-options] caacl-disable NAME [options]

Disable a CA ACL.

Arguments


Argument Required Description


NAME yes ACL name



caacl-enable

Usage: ipa [global-options] caacl-enable NAME [options]

Enable a CA ACL.

Arguments


Argument Required Description


NAME yes ACL name



caacl-find

Usage: ipa [global-options] caacl-find [CRITERIA] [options]

Search for CA ACLs.

Arguments


Argument Required Description


CRITERIA no A string searched in all relevant object attributes


Options


Option Description


--name NAME ACL name

--desc DESC Description

--cacat CACAT CA category the ACL applies to

--profilecat PROFILECAT Profile category the ACL applies to

--usercat USERCAT User category the ACL applies to

--hostcat HOSTCAT Host category the ACL applies to

--servicecat SERVICECAT Service category the ACL applies to

--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)

--sizelimit SIZELIMIT Maximum number of entries returned (0 is unlimited)

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--pkey-only Results should contain primary key attribute only (“name”)


caacl-mod

Usage: ipa [global-options] caacl-mod NAME [options]

Modify a CA ACL.

Arguments


Argument Required Description


NAME yes ACL name


Options


Option Description


--desc DESC Description

--cacat CACAT CA category the ACL applies to

--profilecat PROFILECAT Profile category the ACL applies to

--usercat USERCAT User category the ACL applies to

--hostcat HOSTCAT Host category the ACL applies to

--servicecat SERVICECAT Service category the ACL applies to

--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.

--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute

--delattr DELATTR Delete an attribute/value pair. The option will be evaluated

--rights Display the access rights of this entry (requires --all). See ipa man page for details.

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.


caacl-remove-ca

Usage: ipa [global-options] caacl-remove-ca NAME [options]

Remove CAs from a CA ACL.

Arguments


Argument Required Description


NAME yes ACL name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--cas CAS Certificate Authorities to remove


caacl-remove-host

Usage: ipa [global-options] caacl-remove-host NAME [options]

Remove target hosts and hostgroups from a CA ACL.

Arguments


Argument Required Description


NAME yes ACL name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--hosts HOSTS hosts to remove

--hostgroups HOSTGROUPS host groups to remove


caacl-remove-profile

Usage: ipa [global-options] caacl-remove-profile NAME [options]

Remove profiles from a CA ACL.

Arguments


Argument Required Description


NAME yes ACL name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--certprofiles CERTPROFILES Certificate Profiles to remove


caacl-remove-service

Usage: ipa [global-options] caacl-remove-service NAME [options]

Remove services from a CA ACL.

Arguments


Argument Required Description


NAME yes ACL name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--services SERVICES services to remove


caacl-remove-user

Usage: ipa [global-options] caacl-remove-user NAME [options]

Remove users and groups from a CA ACL.

Arguments


Argument Required Description


NAME yes ACL name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--users USERS users to remove

--groups GROUPS groups to remove


caacl-show

Usage: ipa [global-options] caacl-show NAME [options]

Display the properties of a CA ACL.

Arguments


Argument Required Description


NAME yes ACL name


Options


Option Description


--rights Display the access rights of this entry (requires --all). See ipa man page for details.

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.