ipa-acme-manage(1)                IPA Manual Pages                ipa-acme-manage(1)
NAME
ipa-acme-manage - Manage the IPA ACME service
SYNOPSIS
ipa-acme-manage enable|disable|status
DESCRIPTION
Use the ipa-acme-manage command to enable, disable or retrieve the status of the ACME service on an IPA CA server.
In an IPA topology all CA servers capable of ACME will have the ACME service deployed. The service is not enabled by default. It is expected that the ACME service will either be enabled on all CA servers, or disabled on all CA servers. However, it must be enabled or disabled on each individual server.
COMMANDS
PRUNING
Pruning is a job that runs in the CA that can remove expired certificates and certificate requests which have not been issued. This is particularly important when using short-lived certificates like those issued with the ACME protocol. Pruning requires that the IPA server be installed with random serial numbers enabled.
The CA needs to be restarted after modifying the pruning configuration.
The job is a cron-like task within the CA. It is controlled by a number of options which dictate how long after a certificate or request is considered no longer valid it is removed from the LDAP database.
The cron time and date fields are:
    field          allowed values
    -----          --------------
    minute         0-59
    hour           0-23
    day of month   1-31
    month          1-12
    day of week    0-6 (0 is Sunday)

The cron syntax is limited to * or specific numbers. Ranges are not supported.
--enable
    Enable certificate pruning.
--disable
    Disable certificate pruning.
--cron=CRON
    Configure the pruning cron job. The syntax is similar to crontab(5) syntax. For example, "0 0 1 * *" schedules the job to run at 12:00am on the first day of each month.
--certretention=CERTRETENTION
    Certificate retention time. The default is 30. A value of 0 will remove expired certificates with no delay.
--certretentionunit=CERTRETENTIONUNIT
    Certificate retention units. Valid units are: minute, hour, day, year. The default is days.
--certsearchsizelimit=CERTSEARCHSIZELIMIT
    LDAP search size limit when searching for expired certificates. The default is 1000. This is a client-side limit. There may be additional server-side limitations.
--certsearchtimelimit=CERTSEARCHTIMELIMIT
    LDAP search time limit (seconds) when searching for expired certificates. The default is 0, no limit. This is a client-side limit. There may be additional server-side limitations.
--requestretention=REQUESTRETENTION
    Request retention time. The default is 30. A value of 0 will remove expired requests with no delay.
--requestretentionunit=REQUESTRETENTIONUNIT
    Request retention units. Valid units are: minute, hour, day, year. The default is days.
--requestsearchsizelimit=REQUESTSEARCHSIZELIMIT
    LDAP search size limit when searching for unfulfilled requests. The default is 1000. There may be additional server-side limitations.
--requestsearchtimelimit=REQUESTSEARCHTIMELIMIT
    LDAP search time limit (seconds) when searching for unfulfilled requests. The default is 0, no limit. There may be additional server-side limitations.
--config-show
    Show the current pruning configuration.
--run
    Run the pruning job now. The IPA RA certificate is used to authenticate to the PKI REST backend.
EXIT STATUS
0 if the command was successful
1 if an error occurred
2 if the host is not an IPA server
3 if the host is not a CA server
Jun 2 2020                              IPA