Overview

This page describes the PKI certificates used by IPA.

Certificate Profiles

IPA uses the following certificate profiles:

• caCACert

• caOCSPCert

• caSignedLogCert

• caSubsystemCert

• caServerCert

• AdminCert

• caIPAServiceCert

DS Certificates

See DS Certificates.

PKI Certificates

See PKI Certificates.

PKI Admin Certificate

PKI admin certificate is stored in several locations:

• /root/ca-agent.p12 with nickname ipa-ca-agent (misleading nickname).

• /root/.dogtag/pki-tomcat/ca_admin.cert

• /root/.dogtag/pki-tomcat/ca_admin.cert.der

• /root/.dogtag/pki-tomcat/ca_admin_cert.p12 (moved to /root/ca-agent.p12)

PKI Agent Certificate

PKI agent certificate is stored in /etc/httpd/alias and tracked by IPA:

• ipaCert (CN=IPA RA)

For IPA Password Vault the certificate is exported and cached into /etc/httpd/alias/kra-agent.pem since python-requests does not support NSS. The cache is invalidated if the KRA authentication fails.

IPA Certificates

IPA certificates are stored in /etc/httpd/alias:

• IPA CA (CN=Certificate Authority)

• ipa-ca-agent (CN=ipa-ca-agent)

• ipaCert (CN=IPA RA)

• Signing-Cert (CN=Object Signing Cert)

See HTTPD Certificates.

References

• IPA

• IPA Certificate Management