certificates

Certificate Management

Manage X.509 certificates including issuance, renewal, revocation, and retrieval. Integrates with Dogtag Certificate Authority for certificate lifecycle management. Features include certificate requests with various profiles, certificate holds and releases, revocation with reason codes, certificate retrieval by serial number, and support for service and host certificates with automatic renewal via certmonger.

6 commands
certificates

Overview

FreeIPA provides integrated X.509 certificate management through its embedded Dogtag Certificate System certificate authority. This integration enables automated certificate issuance, renewal, and revocation for services, hosts, and users without requiring external PKI infrastructure or manual certificate handling. Certificates issued by IPA’s CA are automatically trusted by all IPA clients, simplifying TLS/SSL deployment and enabling strong authentication mechanisms.

Certificate management in IPA centers on service principals - certificates are associated with Kerberos principals representing services (HTTP/, LDAP/, etc.) or hosts (host/). This binding ensures certificates are issued only to authorized entities and enables automatic renewal through certmonger on IPA clients. The CA tracks certificate lifecycle including issuance dates, expiration dates, revocation status, and ownership relationships.

IPA’s certificate infrastructure supports both internal services (IPA web UI, LDAP servers, Kerberos KDC) and user-managed services requiring TLS certificates. Certificate profiles control what types of certificates can be issued, certificate access control lists (CA ACLs) determine who can request certificates, and sub-CAs enable isolation of certificate issuance for different purposes or security domains.

Certificate Request Prerequisites

Certificate requests require specific IPA objects to exist before submission. This prerequisite structure ensures certificates are associated with properly registered services and prevents unauthorized certificate issuance.

Host Entry: The host where the service runs must exist in IPA. For a certificate requested for HTTP/web.example.com, the host web.example.com must be enrolled or pre-created. Host entries establish ownership and enable delegation of certificate management.

Service Principal: The service principal must exist in IPA unless the --add option automatically creates it during the request. Service principals define which services are authorized to run on specific hosts and track certificate associations.

CA ACL Authorization: The requesting principal (user, host, or service) must be authorized by a CA ACL to request certificates from the specified CA using the specified profile. Default CA ACLs permit hosts to request certificates for their own service principals.

These prerequisites create an authorization chain: the requester must be authorized (CA ACL), the service must be registered (service principal), and the host must be legitimate (host entry). This multi-layer validation prevents unauthorized certificate issuance.

Certificate Signing Requests (CSRs)

Certificate requests are submitted as PEM-formatted Certificate Signing Requests generated by the requester’s key management system. The CSR contains the public key to be certified and subject information identifying the certificate holder. IPA’s CA validates the CSR and, if authorized, issues a signed certificate.

The Dogtag CA enforces IPA-configured subject formatting. While the CSR includes subject fields like CN (common name), O (organization), and OU (organizational unit), the CA overwrites most fields with values configured in the certificate profile. This ensures consistent subject formatting and prevents requesters from arbitrarily setting subject fields that might conflict with IPA policy.

The CN (common name) value from the CSR is preserved and typically matches the service principal. For example, a certificate for HTTP/web.example.com would have CN=web.example.com. Other subject fields are derived from the IPA domain configuration and certificate profile settings.

CSR generation typically occurs on the system requiring the certificate using tools like openssl req, ipa-getcert request (via certmonger), or application-specific certificate request mechanisms. The private key corresponding to the CSR’s public key never leaves the requesting system, maintaining key confidentiality.

Certificate Profiles

Certificate profiles define templates for certificate issuance, specifying certificate characteristics including key usage extensions, validity period, subject DN formatting, and certificate type. Different profiles support different use cases: services requiring server authentication, users needing client authentication, or specialized applications with specific certificate requirements.

IPA ships with default profiles for common scenarios:

  • caIPAserviceCert: Standard service certificates for TLS/SSL servers
  • IECUserRoles: User certificates with role information
  • caIPAserviceCert: Certificates for IPA infrastructure services

Custom profiles can be created for organizational-specific requirements, enabling certificate customization while maintaining CA policy control. Profile selection during certificate request (--profile-id) determines which template governs certificate issuance.

Certificate profiles integrate with CA ACLs to create authorization policies. A CA ACL specifies which principals can use which profiles from which CAs, enabling fine-grained control over certificate issuance capabilities.

Certificate Revocation

Certificate revocation invalidates certificates before their natural expiration, necessary when private keys are compromised, service principals are decommissioned, or certificates were issued in error. IPA supports standard RFC 5280 revocation reasons providing context for why certificates were revoked.

Revocation is immediate and permanent (except for reason code 6, certificateHold). Once revoked, the certificate’s serial number is added to the CA’s Certificate Revocation List (CRL) and marked revoked in OCSP (Online Certificate Status Protocol) responses. Clients checking revocation status will reject revoked certificates.

Common Revocation Reasons:

  • keyCompromise (1): Private key was exposed or stolen
  • superseded (4): Certificate replaced by a newer certificate
  • cessationOfOperation (5): Service no longer operational
  • certificateHold (6): Temporary revocation, reversible with cert-remove-hold
  • privilegeWithdrawn (9): Authorization to hold certificate removed

Reason code 6 (certificateHold) uniquely allows reversal. Certificates placed on hold can be removed from hold status if the security concern is resolved. All other revocation reasons are permanent.

Certificate Hold and Release

The certificate hold mechanism enables temporary suspension of certificate validity without permanent revocation. This is useful when investigating potential key compromise, temporarily suspending services, or responding to security incidents where permanent revocation may be premature.

Certificates on hold appear as revoked in CRL and OCSP responses. Clients validating these certificates will reject them as revoked. However, unlike permanent revocation, hold status can be reversed using cert-remove-hold, returning the certificate to valid status.

Use certificate hold judiciously - repeatedly placing certificates on and off hold can cause operational confusion and may not be supported consistently across all client implementations. For long-term service suspension, consider permanent revocation and reissuing a new certificate when service resumes.

Certificate Storage and Association

Certificates are stored in the Dogtag Certificate System database and associated with IPA principals (services, hosts, users) through LDAP entries. The IPA LDAP directory stores certificate metadata including serial number, subject, issuer, validity period, and principal association.

Service and host entries can store multiple certificates simultaneously, supporting certificate renewal transitions and certificate type diversity. For example, a web service might have both RSA and ECDSA certificates to support different client capabilities.

User entries can store certificates for smart card authentication, enabling passwordless login using certificates on smart cards or hardware tokens. These certificates are discovered by IPA clients during authentication, matching presented certificates against stored certificates.

Automatic Renewal with Certmonger

IPA clients use certmonger to automatically renew certificates before expiration. Certmonger tracks certificates, monitors expiration dates, and automatically requests renewals from the IPA CA when certificates approach expiration (typically 28 days before expiry).

Automatic renewal prevents certificate expiration outages and eliminates manual renewal processes. Services using certificates managed by certmonger receive renewed certificates transparently, with certmonger handling CSR generation, submission, retrieval, and local certificate file updates.

Certmonger integrates with service management to automatically reload services after certificate renewal. For example, after renewing an HTTP certificate, certmonger can trigger httpd reload to activate the new certificate without service interruption.

External Certificates

While IPA primarily manages certificates issued by its own CA, it can also track externally-issued certificates. External certificates (from public CAs, organizational PKI, or other sources) can be imported into service, host, or user entries for tracking and management purposes.

External certificate tracking enables IPA to serve as a centralized certificate inventory even when issuance occurs elsewhere. Administrators can search for certificates, view expiration dates, and track certificate-to-principal associations regardless of the issuing CA.

External certificates don’t receive automatic renewal through IPA’s certmonger integration (unless separately configured) and IPA cannot revoke them (revocation must occur at the issuing CA). However, tracking external certificates provides visibility and management consistency.

Certificate Search Capabilities

Certificates can be searched using multiple criteria enabling administrators to locate specific certificates, audit certificate issuance, track expirations, and investigate security incidents. Search parameters include certificate attributes, ownership, dates, and revocation status.

Subject Searching: Locate certificates by common name or subject DN components. The --subject parameter searches the CN field, while --exactly requires exact CN matching rather than substring matching.

Serial Number Ranges: Search for certificates by serial number ranges using --min-serial-number and --max-serial-number. Serial numbers can be specified in decimal or hexadecimal (prefix with 0x).

Date-Based Searches: Filter certificates by validity dates (notBefore, notAfter), issuance dates, or revocation dates. Date ranges use --*-from (>=) and --*-to (<=) parameters in YYYY-mm-dd format. All dates are interpreted as GMT matching certificate encoding.

Ownership Searches: Find certificates associated with specific users (--users), hosts (--hosts), or services (--services). This enables auditing what certificates are held by specific principals.

Revocation Status: Search for revoked certificates by revocation reason or revocation date range. This supports incident investigation and compliance auditing.

Certificate File Examination: The --file parameter accepts a certificate file (PEM format) and searches for it in the IPA database, returning metadata and ownership information.

Examples

Certificate Requests

Request a certificate for an existing service principal:

ipa cert-request --principal=HTTP/web.example.com web.csr

Request a certificate and automatically create the service principal:

ipa cert-request --add --principal=HTTP/web.example.com web.csr

Request a certificate using a specific profile:

ipa cert-request --principal=HTTP/web.example.com --profile-id=caIPAserviceCert web.csr

Request a certificate and retrieve the full chain:

ipa cert-request --principal=HTTP/web.example.com --chain web.csr

Request from a specific sub-CA:

ipa cert-request --principal=HTTP/web.example.com --ca=subca web.csr

Certificate Retrieval

Retrieve a certificate by serial number:

ipa cert-show 1032

Retrieve certificate and save to file:

ipa cert-show 1032 --out=cert.pem

Retrieve certificate with full chain:

ipa cert-show 1032 --chain

Retrieve certificate from specific CA:

ipa cert-show 1032 --ca=subca

Display all certificate attributes:

ipa cert-show 1032 --all

Certificate Revocation

Revoke a certificate (unspecified reason):

ipa cert-revoke 1032 --revocation-reason=0

Revoke due to key compromise:

ipa cert-revoke 1032 --revocation-reason=1

Revoke due to service cessation:

ipa cert-revoke 1032 --revocation-reason=5

Place certificate on hold (temporary revocation):

ipa cert-revoke 1032 --revocation-reason=6

Remove certificate from hold status (reactivate):

ipa cert-remove-hold 1032

Search by subject common name:

ipa cert-find --subject=web.example.com

Search with exact CN matching:

ipa cert-find --subject=web.example.com --exactly

Search for certificates owned by a specific user:

ipa cert-find --user=jsmith

Search for certificates for a specific host:

ipa cert-find --host=web.example.com

Search for certificates for a specific service:

ipa cert-find --service=HTTP/web.example.com

Search for certificates issued in a specific date range:

ipa cert-find --issuedon-from=2024-01-01 --issuedon-to=2024-12-31

Search for certificates expiring soon:

ipa cert-find --validnotafter-from=2024-01-01 --validnotafter-to=2024-03-31

Search for revoked certificates:

ipa cert-find --status=revoked

Search by revocation reason:

ipa cert-find --revocation-reason=1

Search for certificates revoked in a date range:

ipa cert-find --revokedon-from=2024-01-01 --revokedon-to=2024-01-31

Search by serial number range:

ipa cert-find --min-serial-number=1000 --max-serial-number=2000

Examine a certificate file to see if it’s in IPA:

ipa cert-find --file=cert.pem --all

Verify certificate ownership:

ipa cert-find --file=cert.pem --user=jsmith

Search certificates from specific CA:

ipa cert-find --ca=subca

Request Status Checking

Check status of a certificate request (rarely used - IPA issues immediately):

ipa cert-status 10

Revocation Reason Codes

The following RFC 5280 revocation reasons are supported:

  • 0 - unspecified: No specific reason provided
  • 1 - keyCompromise: Private key was compromised or stolen
  • 2 - cACompromise: CA’s private key was compromised
  • 3 - affiliationChanged: Certificate holder changed affiliation
  • 4 - superseded: Certificate replaced by a newer certificate
  • 5 - cessationOfOperation: Service or entity ceased operations
  • 6 - certificateHold: Temporary hold (reversible with cert-remove-hold)
  • 8 - removeFromCRL: Remove from CRL (administrative use)
  • 9 - privilegeWithdrawn: Privileges granted by certificate withdrawn
  • 10 - aACompromise: Attribute authority compromised

Note: Reason code 7 is unused in RFC 5280. Reason code 6 (certificateHold) is the only reversible revocation reason.

Use Cases

Web Application TLS Certificate with Automatic Renewal

Scenario: Apache web server needs TLS certificate with automated renewal.

Solution:

# Create service principal (if not exists)
ipa service-add HTTP/web.example.com

# Request certificate with certmonger tracking
ipa-getcert request -f /etc/httpd/certs/server.crt \
    -k /etc/httpd/certs/server.key \
    -N CN=web.example.com \
    -D web.example.com \
    -K HTTP/web.example.com@EXAMPLE.COM \
    -C "systemctl reload httpd"

# Certmonger automatically:
# - Generates private key
# - Creates CSR
# - Submits to IPA CA
# - Retrieves certificate
# - Monitors expiration
# - Renews automatically ~28 days before expiry
# - Reloads httpd after renewal

Multi-SAN Certificate for Load Balanced Services

Scenario: Load balancer with multiple backend servers needs certificate with SANs.

Solution:

# Request certificate with multiple Subject Alternative Names
ipa-getcert request -f /etc/haproxy/certs/lb.crt \
    -k /etc/haproxy/certs/lb.key \
    -N CN=lb.example.com \
    -D lb.example.com \
    -D www.example.com \
    -D api.example.com \
    -K HTTP/lb.example.com@EXAMPLE.COM

# Certificate valid for all three hostnames
# Clients can connect to any name without certificate warnings

Certificate Revocation After Key Compromise

Scenario: Private key compromised, immediate certificate revocation required.

Solution:

# Find certificate serial number
ipa cert-find --subject=web.example.com

# Revoke with keyCompromise reason
ipa cert-revoke 0x1234567890ABCDEF --revocation-reason=1

# Certificate immediately added to CRL
# OCSP responders mark as revoked
# Clients reject certificate

# Request new certificate with new key
ipa-getcert resubmit -i <tracking-id> -G
# -G generates new key pair

User Smart Card Certificate Issuance

Scenario: Issue smart card certificates for passwordless user authentication.

Solution:

# User generates key pair on smart card
# Export CSR from smart card

# Submit CSR for user certificate
ipa cert-request user-smartcard.csr \
    --principal=alice@EXAMPLE.COM \
    --profile-id=IECUserRoles

# Import certificate to smart card
# Certificate stored in user entry automatically

# User can now authenticate with smart card
kinit alice
# (prompted for smart card PIN instead of password)

Temporary Service Suspension with Certificate Hold

Scenario: Service under investigation, temporarily suspend certificate validity.

Solution:

# Place certificate on hold
ipa cert-revoke 0x1234567890ABCDEF --revocation-reason=6

# Certificate shows as revoked in CRL/OCSP
# Service authentication fails

# After investigation cleared, release hold
ipa cert-remove-hold 0x1234567890ABCDEF

# Certificate valid again
# No new certificate needed

Sub-CA Isolated Certificate Issuance

Scenario: Development environment needs isolated CA preventing cross-use with production.

Solution:

# Create sub-CA for development
ipa ca-add dev-ca --subject="CN=Dev CA,O=Example Corp" \
    --desc="Development environment CA"

# Create certificate profile for dev
ipa certprofile-import dev-service \
    --file=dev-service-profile.cfg \
    --desc="Development service certificates"

# Create CA ACL for dev certificates
ipa caacl-add dev-access --desc="Dev environment certificate access"
ipa caacl-add-ca dev-access --cas=dev-ca
ipa caacl-add-profile dev-access --certprofiles=dev-service
ipa caacl-add-host dev-access --hostgroups=dev-servers

# Dev servers can only request from dev-ca
# Production servers cannot request from dev-ca
# Certificate isolation enforced

Certificate Renewal Grace Period Management

Scenario: Critical service requires extended certificate overlap during renewal.

Solution:

# Request initial certificate
ipa-getcert request -f /etc/service/cert.pem \
    -k /etc/service/key.pem \
    -N CN=critical.example.com \
    -K HTTP/critical.example.com@EXAMPLE.COM

# Configure extended renewal time (60 days before expiry)
getcert start-tracking -f /etc/service/cert.pem \
    -k /etc/service/key.pem \
    -R 60

# Certmonger renews 60 days early
# Long overlap period for gradual rollout

Wildcard Certificate Limitation Alternative

Scenario: Need certificates for multiple subdomains without wildcard certificate.

Solution:

# IPA CA doesn't issue wildcard certificates by default
# Use multiple SANs instead

# Request certificate with all subdomains
ipa-getcert request -f /etc/certs/services.pem \
    -k /etc/certs/services.key \
    -N CN=services.example.com \
    -D api.example.com \
    -D www.example.com \
    -D cdn.example.com \
    -D mail.example.com \
    -K HTTP/services.example.com@EXAMPLE.COM

# Certificate valid for all listed subdomains
# More secure than wildcard (no unlimited subdomain coverage)

External Certificate Import for Public-Facing Service

Scenario: Public website requires certificate from public CA (Let’s Encrypt, etc.).

Solution:

# Obtain certificate from external CA (e.g., Let's Encrypt via certbot)
certbot certonly --standalone -d www.example.com

# Import external certificate to IPA for tracking
ipa service-add-cert HTTP/www.example.com \
    --certificate="$(cat /etc/letsencrypt/live/www.example.com/cert.pem)"

# Certificate tracked in IPA but not issued by IPA CA
# Renewal handled by external tooling (certbot)
# IPA tracks for inventory/compliance

Batch Certificate Issuance for Infrastructure

Scenario: Provision 100 new servers, each needs service certificate.

Solution:

# Create service principals in batch
for host in server{01..100}.example.com; do
    ipa service-add "HTTP/$host"
done

# On each server during provisioning (Ansible, etc.):
# ipa-getcert request -f /etc/httpd/certs/server.crt \
#     -k /etc/httpd/certs/server.key \
#     -N "CN=$(hostname)" \
#     -K "HTTP/$(hostname)@EXAMPLE.COM"

# Automated certificate request during server deployment
# All certificates tracked by certmonger for renewal

Security Considerations

Private key protection critical: Certificate security depends entirely on private key confidentiality. Private keys should never leave the system they’re generated on, have restrictive file permissions (0600), and be stored in hardware security modules for high-security environments.

Certificate revocation checking not universal: Not all clients check CRL/OCSP before accepting certificates. Revoked certificates may still be accepted by clients with disabled revocation checking. Don’t rely solely on revocation for security-critical scenarios.

Subject DN overwriting by profiles: Certificate profiles override CSR subject fields. Attackers cannot manipulate subject DNs via crafted CSRs, but administrators should understand actual subject values differ from CSR submissions.

CA ACL bypass via direct Dogtag access: CA ACLs enforced by IPA framework, not Dogtag itself. Direct access to Dogtag CA (port 8443) bypasses IPA ACLs. Restrict Dogtag port access to IPA servers only via firewall rules.

Certificate hold abuse potential: Certificate hold/release can be abused for service disruption. Repeated hold/release operations may indicate malicious activity. Monitor cert-revoke/cert-remove-hold operations for unusual patterns.

Serial number exposure: Certificate serial numbers are public information visible to all authenticated users. Avoid encoding sensitive data in serial numbers or certificate subjects.

Certmonger renewal windows: Default 28-day renewal window provides safety margin for renewal failures. Shorter renewal windows increase outage risk if CA unavailable. Longer windows extend exposure period for compromised certificates.

External certificate trust assumptions: Importing external certificates to IPA for tracking doesn’t validate them. Administrator must verify external certificate authenticity and chain of trust independently.

Sub-CA compromise scope: Compromised sub-CA can issue arbitrary certificates for its scope but cannot issue certificates claiming to be from IPA root CA. Sub-CAs limit blast radius of CA key compromise.

Certificate profiles enable policy bypass: Overly permissive certificate profiles can grant certificate types inconsistent with security policy. Review custom profiles carefully for unintended capabilities.

Expired certificate persistence: Expired certificates remain in directory and can be retrieved. Depending on client behavior, expired certificates might be cached and reused. Revoke certificates well before expiration for planned decommissioning.

OCSP responder availability: Certificate validation failures if OCSP responder unreachable and client requires OCSP. Ensure OCSP responder high availability for critical certificate-dependent services.

Certificate storage visibility: Certificates in service/host/user entries visible to authenticated users. Public keys and subject information disclosed. Don’t store private/sensitive data in certificate subjects.

Automatic renewal failures: Certmonger renewal failures may go unnoticed until certificate expires causing outage. Monitor certmonger status and renewal success rates actively.

Troubleshooting

Certificate request fails with “Insufficient access”:

# Check CA ACL authorization
ipa caacl-find --principal=HTTP/web.example.com

# If no matching CA ACL, create one
ipa caacl-add web-certs --desc="Web service certificates"
ipa caacl-add-principal web-certs --services=HTTP/web.example.com
ipa caacl-add-profile web-certs --certprofiles=caIPAserviceCert

# Or grant to host (common pattern)
ipa caacl-add web-certs
ipa caacl-add-host web-certs --hosts=web.example.com
ipa caacl-add-profile web-certs --certprofiles=caIPAserviceCert

Certificate request fails with “Service not found”:

# Service principal must exist first
ipa service-show HTTP/web.example.com

# If missing, create service principal
ipa service-add HTTP/web.example.com

# Retry certificate request
ipa cert-request web.csr --principal=HTTP/web.example.com

Certmonger renewal failing continuously:

# Check certmonger status
getcert list

# Look for error messages
getcert list -i <request-id>

# Common issues:
# 1. CA unreachable - check network connectivity
ping ipa.example.com

# 2. Kerberos authentication failure - check keytab
klist -kt /etc/krb5.keytab

# 3. CA ACL no longer permits renewal - check CA ACLs
ipa caacl-find --services=HTTP/hostname.example.com

# Force immediate renewal attempt
getcert resubmit -i <request-id>

# Check logs for details
journalctl -u certmonger -n 50

Certificate shows as expired but was renewed:

# Service may not have reloaded to use new certificate
systemctl status httpd

# Check certificate file modification time
ls -l /etc/httpd/certs/server.crt

# Reload/restart service to use new certificate
systemctl reload httpd

# Verify new certificate in use
openssl s_client -connect web.example.com:443 | openssl x509 -noout -dates

Cannot revoke certificate - serial number not found:

# Find certificate by subject or service
ipa cert-find --subject=web.example.com
ipa cert-find --service=HTTP/web.example.com

# Get serial number from output
# Revoke with correct serial (hex format with 0x prefix)
ipa cert-revoke 0x1234567890ABCDEF --revocation-reason=5

Certificate hold cannot be removed:

# Verify certificate is actually on hold (reason 6)
ipa cert-show 0x1234567890ABCDEF | grep "Revocation reason"

# If revocation reason is not 6, cannot remove hold
# Only certificateHold (reason 6) is reversible

# If trying to restore permanently revoked cert:
# Must request new certificate
ipa cert-request new.csr --principal=HTTP/web.example.com

CSR rejected with subject DN errors:

# Certificate profiles override subject DN
# CSR subject values mostly ignored

# Check which profile being used
ipa certprofile-show caIPAserviceCert

# Ensure CSR has correct CN matching service hostname
# Other fields (O, OU, C) will be overwritten by profile

# Regenerate CSR with correct CN
openssl req -new -key server.key -out server.csr \
    -subj "/CN=web.example.com"

Certificate not appearing in service entry after issuance:

# Verify certificate was issued
ipa cert-find --subject=web.example.com

# Certificate should be automatically associated
ipa service-show HTTP/web.example.com --all | grep -i certificate

# If missing, manually add
ipa service-add-cert HTTP/web.example.com \
    --certificate="$(cat server.crt)"

OCSP responder returning “unknown” status:

# Verify OCSP responder configuration
ipa-cacert-manage status

# Check if OCSP enabled for CA
# On IPA server:
pki-server ca-config-show ca.ocsp.enable

# Verify certificate serial in CA database
# If certificate very new, may need cache refresh time
# Wait a few minutes and retry

# Test OCSP manually
openssl ocsp -issuer /etc/ipa/ca.crt -cert server.crt \
    -url http://ipa.example.com/ca/ocsp \
    -CAfile /etc/ipa/ca.crt

Certificate request succeeds but certmonger shows “CA_REJECTED”:

# Check Dogtag CA logs
journalctl -u pki-tomcatd@pki-tomcat -n 100

# Common causes:
# 1. Invalid CSR format/parameters
# 2. Profile constraints violated
# 3. CA database issues

# Verify CSR is valid
openssl req -text -noout -verify -in server.csr

# Try different certificate profile
getcert resubmit -i <request-id> -T caIPAserviceCert

Multiple certificates exist, which one is active?:

# List all certificates for service
ipa cert-find --service=HTTP/web.example.com

# Check validity dates
ipa cert-show 0x<serial> | grep "Valid"

# Check revocation status
ipa cert-show 0x<serial> | grep "Revoked"

# Active certificate:
# - Not revoked
# - Current date within validity period
# - Typically newest non-revoked certificate

Certificate renewal created new key pair unexpectedly:

# Check certmonger tracking options
getcert list -i <request-id>

# If "Reuse existing key pair: no", new key generated
# Change to reuse existing key
getcert stop-tracking -i <request-id>
getcert start-tracking -f /etc/certs/cert.pem \
    -k /etc/certs/key.pem \
    -r  # Reuse key pair

# Future renewals will keep same key

Sub-CA certificate request failing:

# Verify sub-CA exists and is enabled
ipa ca-show sub-ca-name

# Verify CA ACL permits request to sub-CA
ipa caacl-find --cas=sub-ca-name

# Specify sub-CA in certificate request
ipa cert-request server.csr \
    --principal=HTTP/web.example.com \
    --ca=sub-ca-name \
    --profile-id=caIPAserviceCert

Certificate request timeout:

# CA may be overloaded or database locked
# Check CA status
systemctl status pki-tomcatd@pki-tomcat

# Check CA database
pki-server ca-db-status

# Increase timeout and retry
ipa cert-request server.csr --principal=HTTP/web.example.com \
    --timeout=120

External certificate import fails:

# Verify certificate format (PEM or DER)
openssl x509 -in external.crt -noout -text

# If DER format, convert to PEM
openssl x509 -inform der -in external.crt -out external.pem

# Ensure certificate is base64 encoded (no line breaks for --certificate)
ipa service-add-cert HTTP/web.example.com \
    --certificate="$(cat external.pem | grep -v BEGIN | grep -v END | tr -d '\n')"

Best Practices

Certificate Request Management

Pre-create service principals: Create service principals before requesting certificates rather than relying on --add. This enables proper access control configuration and principal attribute setting before certificate issuance.

Use appropriate certificate profiles: Select certificate profiles that match certificate purpose. Service certificates should use service-specific profiles, user certificates should use user profiles. Incorrect profile selection can result in certificates lacking necessary extensions.

Validate CSR content: Before submitting CSRs, verify they contain correct public keys and subject information. Incorrect CSRs result in certificates that don’t match private keys or have unexpected subject fields.

Document certificate purposes: Maintain records of why certificates were issued, which services use them, and expected lifecycle. This documentation aids troubleshooting and prevents accidental revocation of active certificates.

Renewal and Lifecycle

Leverage certmonger for automatic renewal: Configure all IPA-issued service certificates in certmonger for automatic renewal. This prevents expiration outages and eliminates manual renewal processes.

Monitor certificate expiration: Even with automatic renewal, monitor certificate expiration dates to detect renewal failures. Alert on certificates expiring within 14 days.

Test certificate renewal in non-production: Verify automatic renewal works correctly before deploying to production. Renewal failures often surface during the first renewal attempt.

Plan for certificate rollover: When renewing certificates, ensure both old and new certificates work during the transition period. Some services support multiple simultaneous certificates for smooth rollover.

Revocation Practices

Revoke promptly when compromise suspected: If private key compromise is suspected, revoke immediately. Delaying revocation extends the window for potential misuse.

Use appropriate revocation reasons: Select revocation reasons accurately. This information aids security audits and incident investigation. keyCompromise and cessationOfOperation are most commonly appropriate.

Consider certificateHold for investigations: When investigating potential compromise, use certificateHold rather than permanent revocation. If investigation clears the certificate, it can be removed from hold.

Communicate revocations: When revoking service certificates, ensure service owners are notified. Revocation causes immediate service disruption if not coordinated.

Security Considerations

Protect private keys: Never share private keys across systems. Each service should have its own private key and certificate. Shared keys multiply compromise impact.

Implement CRL/OCSP checking: Configure clients to check certificate revocation status via CRL or OCSP. Without revocation checking, revoked certificates remain usable by attackers.

Audit certificate issuance regularly: Review certificate issuance logs to detect unauthorized requests or unusual patterns. Regular audits help identify compromised credentials.

Use strong key algorithms: Generate CSRs with strong key algorithms (RSA 2048+ bits, ECDSA P-256+). Weak keys reduce certificate security regardless of CA strength.

Limit CA ACL scope: CA ACLs should grant minimal necessary certificate issuance privileges. Overly broad CA ACLs enable unauthorized certificate issuance.

Operational Practices

Maintain certificate inventory: Track all issued certificates, their purposes, and owners. IPA provides this inventory through cert-find, but supplement with organizational documentation.

Establish certificate naming conventions: Use consistent service principal naming conventions. This simplifies certificate searches and prevents naming conflicts.

Test certificate deployment before production: Verify new certificates work correctly in test environments before deploying to production services. Certificate errors can be difficult to diagnose in production.

Plan for CA migration: If migrating to new CAs or changing certificate hierarchies, plan transition carefully. Services may need dual certificates during migration periods.

Document emergency revocation procedures: Establish clear procedures for emergency certificate revocation including authorization, communication, and execution. Delayed revocation during incidents multiplies damage.

Integration with Other IPA Components

Service Principals

Every certificate is associated with a service principal. Service principal management (service-* commands) creates the principals that certificates are issued to. Service principals track all certificates issued to that principal.

Host Entries

Certificates for host principals (host/hostname) and services on hosts require the host to exist in IPA. Host management (host-* commands) creates the hosts that certificates are associated with.

Certificate Profiles

Certificate profiles (certprofile-* commands) define templates for certificate issuance. Profile selection during certificate requests determines certificate characteristics including validity period and extensions.

CA ACLs

Certificate Access Control Lists (caacl-* commands) determine who can request certificates using which profiles from which CAs. CA ACL evaluation occurs before certificate issuance.

Sub-CAs

Sub-CAs (ca-* commands) provide separate certificate issuance hierarchies within IPA. Certificates can be requested from specific sub-CAs using --ca parameter, enabling certificate issuance isolation.

Certmonger

Certmonger on IPA clients automates certificate renewal, monitoring expiration and requesting renewals from the IPA CA. Certmonger integration eliminates manual certificate lifecycle management.

Smart Card Authentication

User certificates enable smart card authentication. Certificates stored in user entries (user-add-cert) are matched against certificates presented from smart cards during authentication.

Commands

cert-find

Usage: ipa [global-options] cert-find [CRITERIA] [options]

Search for existing certificates.

For certificates not issued by IPA CA,
only --certificate option is supported.

Arguments

Argument Required Description


CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--certificate CERTIFICATEBase-64 encoded certificate.
--issuer ISSUERIssuer DN
--revocation-reason REVOCATION-REASONReason for revoking the certificate (0-10). Type “ipa help cert” for revocation reason details.
--ca CAName of issuing CA
--subject SUBJECTMatch cn attribute in subject
--min-serial-number MIN-SERIAL-NUMBERminimum serial number
--max-serial-number MAX-SERIAL-NUMBERmaximum serial number
--exactlymatch the common name exactly
--validnotafter-from VALIDNOTAFTER-FROMValid not after from this date (YYYY-mm-dd)
--validnotafter-to VALIDNOTAFTER-TOValid not after to this date (YYYY-mm-dd)
--validnotbefore-from VALIDNOTBEFORE-FROMValid not before from this date (YYYY-mm-dd)
--validnotbefore-to VALIDNOTBEFORE-TOValid not before to this date (YYYY-mm-dd)
--issuedon-from ISSUEDON-FROMIssued on from this date (YYYY-mm-dd)
--issuedon-to ISSUEDON-TOIssued on to this date (YYYY-mm-dd)
--revokedon-from REVOKEDON-FROMRevoked on from this date (YYYY-mm-dd)
--revokedon-to REVOKEDON-TORevoked on to this date (YYYY-mm-dd)
--status STATUSStatus of the certificate
--pkey-onlyResults should contain primary key attribute only (“certificate”)
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--users USERSSearch for certificates with these owner users.
--no-users NO-USERSSearch for certificates without these owner users.
--hosts HOSTSSearch for certificates with these owner hosts.
--no-hosts NO-HOSTSSearch for certificates without these owner hosts.
--services SERVICESSearch for certificates with these owner services.
--no-services NO-SERVICESSearch for certificates without these owner services.

cert-remove-hold

Usage: ipa [global-options] cert-remove-hold SERIAL-NUMBER [options]

Take a revoked certificate off hold.

Arguments

ArgumentRequiredDescription
SERIAL-NUMBERyesSerial number in decimal or if prefixed with 0x
                           in hexadecimal

Options

OptionDescription
--ca CAName of issuing CA

cert-request

Usage: ipa [global-options] cert-request CSR-FILE [options]

Submit a certificate signing request.

Arguments

ArgumentRequiredDescription
CSR-FILEyesCSR

Options

OptionDescription
--profile-id PROFILE-IDCertificate Profile to use
--ca CAName of issuing CA
--principal PRINCIPALPrincipal for this certificate (e.g. HTTP/test.example.com)
--addautomatically add the principal if it doesn’t exist (service principals only)
--chainInclude certificate chain in output
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

cert-revoke

Usage: ipa [global-options] cert-revoke SERIAL-NUMBER [options]

Revoke a certificate.

Arguments

ArgumentRequiredDescription
SERIAL-NUMBERyesSerial number in decimal or if prefixed with 0x
                           in hexadecimal

Options

OptionDescription
--revocation-reason REVOCATION-REASONReason for revoking the certificate (0-10). Type “ipa help cert” for revocation reason details.
--ca CAName of issuing CA

cert-show

Usage: ipa [global-options] cert-show SERIAL-NUMBER [options]

Retrieve an existing certificate.

Arguments

ArgumentRequiredDescription
SERIAL-NUMBERyesSerial number in decimal or if prefixed with 0x
                           in hexadecimal

Options

OptionDescription
--ca CAName of issuing CA
--out OUTFile to store the certificate in.
--chainInclude certificate chain in output
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

cert-status

Usage: ipa [global-options] cert-status REQUEST-ID [options]

Check the status of a certificate signing request.

Arguments

ArgumentRequiredDescription
REQUEST-IDyesRequest id

Options

OptionDescription
--ca CAName of issuing CA
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.