26.3. Installing a CA Certificate Manually
ipa-cacert-manage installcommand. For example, the command allows you to change the current certificate when it is nearing its expiration date.
- Run the
ipa-cacert-manage installcommand, and specify the path to the file containing the certificate. The command accepts PEM-formatted certificate files:
[root@server ~]# ipa-cacert-manage install /etc/group/cert.pemThe certificate is now present in the LDAP certificate store.
- Run the
ipa-certupdateutility on all servers and clients to update them with the information about the new certificate from LDAP. You must run
ipa-certupdateon every server and client separately.
ipa-certupdateafter manually installing a certificate. If you do not, the certificate will not be distributed to the other machines.
ipa-cacert-manage installcommand can take the following options:
- gives the nickname of the certificate; the default value is the subject name of the certificate
- specifies the trust flags for the certificate in the
certutilformat; the default value is
C,,. For information about the format in which to specify the trust flags, see the ipa-cacert-manage(1) man page.