Overview#
This page describes the PKI certificates used by IPA.
Certificate Profiles#
IPA uses the following certificate profiles:
caCACert
caOCSPCert
caSignedLogCert
caSubsystemCert
caServerCert
AdminCert
caIPAServiceCert
DS Certificates#
See DS Certificates.
PKI Certificates#
See PKI Certificates.
PKI Admin Certificate#
PKI admin certificate is stored in several locations:
/root/ca-agent.p12 with nickname ipa-ca-agent (misleading nickname).
/root/.dogtag/pki-tomcat/ca_admin.cert
/root/.dogtag/pki-tomcat/ca_admin.cert.der
/root/.dogtag/pki-tomcat/ca_admin_cert.p12 (moved to /root/ca-agent.p12)
PKI Agent Certificate#
PKI agent certificate is stored in /etc/httpd/alias and tracked by IPA:
ipaCert (CN=IPA RA)
For IPA Password Vault the certificate is exported and cached into /etc/httpd/alias/kra-agent.pem since python-requests does not support NSS. The cache is invalidated if the KRA authentication fails.
IPA Certificates#
IPA certificates are stored in /etc/httpd/alias:
IPA CA (CN=Certificate Authority)
ipa-ca-agent (CN=ipa-ca-agent)
ipaCert (CN=IPA RA)
Signing-Cert (CN=Object Signing Cert)
See HTTPD Certificates.