Show Table of Contents
26.3. Installing a CA Certificate Manually
To install a new certificate to IdM, use the
ipa-cacert-manage install
command. For example, the command allows you to change the current certificate when it is nearing its expiration date.
- Run the
ipa-cacert-manage install
command, and specify the path to the file containing the certificate. The command accepts PEM-formatted certificate files:[root@server ~]# ipa-cacert-manage install /etc/group/cert.pem
The certificate is now present in the LDAP certificate store. - Run the
ipa-certupdate
utility on all servers and clients to update them with the information about the new certificate from LDAP. You must runipa-certupdate
on every server and client separately.Important
Always runipa-certupdate
after manually installing a certificate. If you do not, the certificate will not be distributed to the other machines.
The
ipa-cacert-manage install
command can take the following options:
- -n
- gives the nickname of the certificate; the default value is the subject name of the certificate
- -t
- specifies the trust flags for the certificate in the
certutil
format; the default value isC,,
. For information about the format in which to specify the trust flags, see the ipa-cacert-manage(1) man page.