Initializing Client Certificate Database

Prepare a client certificate database:

$ pki -c Secret.123 client-init

Submitting User Certificate Request

Generate a client certificate request and send it to the server:

$ pki -c Secret.123 client-cert-request uid=testuser

Submitting Server Certificate Request

This command requires CA agent authentication. To generate a server certificate request:

$ pki -U https://`hostname`:8443 -d /etc/httpd/alias/ -n ipaCert -C /etc/httpd/alias/pwdfile.txt \
 client-cert-request --profile caIPAserviceCert cn=`hostname`

Listing Certificate Requests

This command requires CA agent authentication. To list certificate requests:

$ pki -U https://`hostname`:8443 -d /etc/httpd/alias/ -n ipaCert -C /etc/httpd/alias/pwdfile.txt \
 ca-cert-request-find

Approving Certificate Requests

This command requires CA agent authentication. To approve a certificate request:

$ pki -U https://`hostname`:8443 -d /etc/httpd/alias/ -n ipaCert -C /etc/httpd/alias/pwdfile.txt \
 ca-cert-request-review <request ID> --action approve

Tracking

$ getcert start-tracking

Renewal

Renewing CA Certificate

$ ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

Renewing IPA Certificate

$ getcert resubmit -d /etc/httpd/alias -n ipaCert

Renewing Web Server Certificate

$ getcert resubmit -d /etc/httpd/alias -n Server-Cert

References

• IPA

• IPA Certificates

• Certificate Profiles

• PKI CA Certificate CLI

• IPA 4 CA certificate renewal

• RHEL 7 Renewing Certificates

• Certmonger Notes