24.2. Managing Certificates Issued by External CAs

24.2.1. Command Line: Adding and Removing Certificates Issued by External CAs

To add a certificate to a user, host, or service:
  • ipa user-add-cert
  • ipa host-add-cert
  • ipa service-add-cert
To remove a certificate from a user, host, or service:
  • ipa user-remove-cert
  • ipa host-remove-cert
  • ipa service-remove-cert
A certificate issued by an external CA is not revoked after you remove it from IdM. This is because the certificate does not exist in the IdM CA database. You can only revoke these certificates manually from the external CA side.
The commands require you to specify the following information:
  • the name of the user, host, or service
  • the Base64-encoded DER certificate
To run the commands interactively, execute them without adding any options.
To provide the required information directly with the command, use command-line arguments and options:
$ ipa user-add-cert user --certificate=MIQTPrajQAwg...

Note

Instead of copying and pasting the certificate contents into the command line, you can convert the certificate to the DER format and then re-encode it to base64. For example, to add the user_cert.pem certificate to user:
$ ipa user-add-cert user --certificate="$(openssl x509 -outform der -in user_cert.pem | base64 -w 0)"

24.2.2. Web UI: Adding and Removing Certificates Issued by External CAs

To add a certificate to a user, host, or service:
  1. Open the Identity tab, and select the Users, Hosts, or Services subtab.
  2. Click on the name of the user, host, or service to open its configuration page.
  3. Click Add, next to the Certificates entry.
    Adding a Certificate to a User Account

    Figure 24.4. Adding a Certificate to a User Account

  4. Paste the certificate in Base64 or PEM encoded format into the text field, and click Add.
  5. Click Save to store the changes.
To remove a certificate from a user, host, or service:
  1. Open the Identity tab, and select the Users, Hosts, or Services subtab.
  2. Click on the name of the user, host, or service to open its configuration page.
  3. Click the Actions next to the certificate to delete, and select Delete.
  4. Click Save to store the changes.