mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
a9f09fee56
Part of: https://pagure.io/freeipa/issue/7885 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
67 lines
2.2 KiB
Groff
67 lines
2.2 KiB
Groff
.\"
|
|
.\" Copyright (C) 2019 FreeIPA Contributors see COPYING for license
|
|
.\"
|
|
.TH "ipa-cert-fix" "1" "Mar 25 2019" "FreeIPA" "FreeIPA Manual Pages"
|
|
.SH "NAME"
|
|
ipa\-cert\-fix \- Renew expired certificates
|
|
.SH "SYNOPSIS"
|
|
ipa\-cert\-fix [options]
|
|
.SH "DESCRIPTION"
|
|
|
|
\fIipa-cert-fix\fR is a tool for recovery when expired certificates
|
|
prevent the normal operation of FreeIPA. It should ONLY be used in
|
|
such scenarios, and backup of the system, especially certificates
|
|
and keys, is \fBSTRONGLY RECOMMENDED\fR.
|
|
|
|
Do not use this program unless expired certificates are inhibiting
|
|
normal operation and renewal procedures.
|
|
|
|
To renew the IPA CA certificate, use \fIipa-cacert-manage(1)\fR.
|
|
|
|
This tool cannot renew certificates signed by external CAs. To
|
|
install new, externally-signed HTTP, LDAP or KDC certificates, use
|
|
\fIipa-server-certinstall(1)\fR.
|
|
|
|
\fIipa-cert-fix\fR will examine FreeIPA and Certificate System
|
|
certificates and renew certificates that are expired, or close to
|
|
expiry (less than two weeks). If any "shared" certificates are
|
|
renewed, \fIipa-cert-fix\fR will set the current server to be the CA
|
|
renewal master, and add the new shared certificate(s) to LDAP for
|
|
replication to other CA servers. Shared certificates include all
|
|
Dogtag system certificates except the HTTPS certificate, and the IPA
|
|
RA certificate.
|
|
|
|
To repair certificates across multiple CA servers, first ensure that
|
|
LDAP replication is working across the topology. Then run
|
|
\fIipa-cert-fix\fR on one CA server. Before running
|
|
\fIipa-cert-fix\fR on another CA server, trigger Certmonger renewals
|
|
for shared certificates via \fIgetcert-resubmit(1)\fR (on the other
|
|
CA server). This is to avoid unnecessary renewal of shared
|
|
certificates.
|
|
|
|
.SH "OPTIONS"
|
|
.TP
|
|
\fB\-\-version\fR
|
|
Show the program's version and exit.
|
|
.TP
|
|
\fB\-h\fR, \fB\-\-help\fR
|
|
Show the help for this program.
|
|
.TP
|
|
\fB\-v\fR, \fB\-\-verbose\fR
|
|
Print debugging information.
|
|
.TP
|
|
\fB\-q\fR, \fB\-\-quiet\fR
|
|
Output only errors (output from child processes may still be shown).
|
|
.TP
|
|
\fB\-\-log\-file\fR=\fIFILE\fR
|
|
Log to the given file.
|
|
.SH "EXIT STATUS"
|
|
0 if the command was successful
|
|
|
|
1 if an error occurred
|
|
|
|
.SH "SEE ALSO"
|
|
.BR ipa-cacert-manage(1)
|
|
.BR ipa-server-certinstall(1)
|
|
.BR getcert-resubmit(1)
|