Overview

This page describes the PKI certificates used by IPA.

Certificate Profiles

IPA uses the following certificate profiles:

  • caCACert

  • caOCSPCert

  • caSignedLogCert

  • caSubsystemCert

  • caServerCert

  • AdminCert

  • caIPAServiceCert

DS Certificates

See DS Certificates.

PKI Certificates

See PKI Certificates.

PKI Admin Certificate

The PKI admin certificate is stored in several locations:

  • /root/ca-agent.p12 with nickname ipa-ca-agent (misleading nickname).

  • /root/.dogtag/pki-tomcat/ca_admin.cert

  • /root/.dogtag/pki-tomcat/ca_admin.cert.der

  • /root/.dogtag/pki-tomcat/ca_admin_cert.p12 (moved to /root/ca-agent.p12)

PKI Agent Certificate

The PKI agent certificate is stored in /etc/httpd/alias and tracked by IPA:

  • ipaCert (CN=IPA RA)

For the IPA Password Vault, the certificate is exported and cached in /etc/httpd/alias/kra-agent.pem, since python-requests does not support NSS. The cache is invalidated if the KRA authentication fails.

IPA Certificates

IPA certificates are stored in /etc/httpd/alias:

  • IPA CA (CN=Certificate Authority)

  • ipa-ca-agent (CN=ipa-ca-agent)

  • ipaCert (CN=IPA RA)

  • Signing-Cert (CN=Object Signing Cert)

See HTTPD Certificates.
