Initializing Client Certificate Database

Prepare a client certificate database:

$ pki -c Secret.123 client-init

Submitting User Certificate Request

Generate a client certificate request and send it to the server:

$ pki -c Secret.123 client-cert-request uid=testuser

Submitting Server Certificate Request

This command requires CA agent authentication. To generate a server certificate request:

$ pki -U https://`hostname`:8443 -d /etc/httpd/alias/ -n ipaCert -C /etc/httpd/alias/pwdfile.txt \
 client-cert-request --profile caIPAserviceCert cn=`hostname`

Listing Certificate Requests

This command requires CA agent authentication. To list certificate requests:

$ pki -U https://`hostname`:8443 -d /etc/httpd/alias/ -n ipaCert -C /etc/httpd/alias/pwdfile.txt \
 ca-cert-request-find

Approving Certificate Requests

This command requires CA agent authentication. To approve a certificate request:

$ pki -U https://`hostname`:8443 -d /etc/httpd/alias/ -n ipaCert -C /etc/httpd/alias/pwdfile.txt \
 ca-cert-request-review <request ID> --action approve

Tracking

$ getcert start-tracking

Renewal

Renewing CA Certificate

$ ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

Renewing IPA Certificate

$ getcert resubmit -d /etc/httpd/alias -n ipaCert

Renewing Web Server Certificate

$ getcert resubmit -d /etc/httpd/alias -n Server-Cert
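
After a resubmit, `getcert list` shows whether each tracked certificate has returned to the MONITORING state. The script below is an added example, not part of the original page: it filters that output for requests that are stuck or in any other state. The sample input is constructed (request IDs, dates and statuses are made up), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): flag certmonger requests that
# are stuck or not in MONITORING state after a `getcert resubmit`.

# Constructed sample in the layout printed by `getcert list`; IDs, dates and
# statuses are made up, nicknames and paths are the ones used on this page.
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20240101000000':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        expires: 2026-01-01 00:00:00 UTC
Request ID '20240102000000':
        status: CA_UNREACHABLE
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2024-03-01 00:00:00 UTC
EOF
}

# Reads `getcert list` output on stdin and prints one line per request that
# needs attention: "<request id> <nickname> <status> stuck=<yes|no> expires=<date>".
certs_needing_attention() {
    awk -v q="'" '
        function report() {
            if (id != "" && (status != "MONITORING" || stuck != "no"))
                printf "%s %s %s stuck=%s expires=%s\n", id, nick, status, stuck, expires
        }
        /^Request ID/ {
            report()
            split($0, f, q); id = f[2]
            nick = status = stuck = expires = ""
            next
        }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*stuck:/   { stuck = $2 }
        /^[ \t]*expires:/ { expires = $2 }
        /^[ \t]*certificate:/ {
            # Split on single quotes; the field after "nickname=" is the nickname.
            n = split($0, f, q)
            for (i = 1; i < n; i++) if (f[i] ~ /nickname=$/) nick = f[i + 1]
        }
        END { report() }
    '
}

# On a real host: getcert list | certs_needing_attention
sample_getcert_list | certs_needing_attention
```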
