websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Debian patch 4.8.10-2

Browse Source
This commit is contained in:
Timo Aaltonen
2020-11-23 20:48:56 +02:00
committed by Mario Fetka
parent 8bc559c5a1
commit 358acdd85f
917 changed files with 1185414 additions and 1069733 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
install/tools/man/ipa-cert-fix.1 Normal file
View File

@@ -0,0 +1,66 @@
.\"
.\" Copyright (C) 2019 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-cert-fix" "1" "Mar 25 2019" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-cert\-fix \- Renew expired certificates
.SH "SYNOPSIS"
ipa\-cert\-fix [options]
.SH "DESCRIPTION"
\fIipa-cert-fix\fR is a tool for recovery when expired certificates
prevent the normal operation of FreeIPA. It should ONLY be used in
such scenarios, and backup of the system, especially certificates
and keys, is \fBSTRONGLY RECOMMENDED\fR.
Do not use this program unless expired certificates are inhibiting
normal operation and renewal procedures.
To renew the IPA CA certificate, use \fIipa-cacert-manage(1)\fR.
This tool cannot renew certificates signed by external CAs. To
install new, externally-signed HTTP, LDAP or KDC certificates, use
\fIipa-server-certinstall(1)\fR.
\fIipa-cert-fix\fR will examine FreeIPA and Certificate System
certificates and renew certificates that are expired, or close to
expiry (less than two weeks). If any "shared" certificates are
renewed, \fIipa-cert-fix\fR will set the current server to be the CA
renewal master, and add the new shared certificate(s) to LDAP for
replication to other CA servers. Shared certificates include all
Dogtag system certificates except the HTTPS certificate, and the IPA
RA certificate.
To repair certificates across multiple CA servers, first ensure that
LDAP replication is working across the topology. Then run
\fIipa-cert-fix\fR on one CA server. Before running
\fIipa-cert-fix\fR on another CA server, trigger Certmonger renewals
for shared certificates via \fIgetcert-resubmit(1)\fR (on the other
CA server). This is to avoid unnecessary renewal of shared
certificates.
.SH "OPTIONS"
.TP
\fB\-\-version\fR
Show the program's version and exit.
.TP
\fB\-h\fR, \fB\-\-help\fR
Show the help for this program.
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information.
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors (output from child processes may still be shown).
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
.SH "SEE ALSO"
.BR ipa-cacert-manage(1)
.BR ipa-server-certinstall(1)
.BR getcert-resubmit(1)