Imported Debian patch 4.7.2-3
committed by
Mario Fetka
parent
27edeba051
commit
8bc559c5a1
@@ -27,8 +27,6 @@ dist_man1_MANS = \
|
||||
ipa-cacert-manage.1 \
|
||||
ipa-winsync-migrate.1 \
|
||||
ipa-pkinit-manage.1 \
|
||||
ipa-crlgen-manage.1 \
|
||||
ipa-cert-fix.1 \
|
||||
$(NULL)
|
||||
|
||||
dist_man8_MANS = \
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
# Makefile.in generated by automake 1.16.2 from Makefile.am.
|
||||
# Makefile.in generated by automake 1.16.1 from Makefile.am.
|
||||
# @configure_input@
|
||||
|
||||
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
|
||||
# Copyright (C) 1994-2018 Free Software Foundation, Inc.
|
||||
|
||||
# This Makefile.in is free software; the Free Software Foundation
|
||||
# gives unlimited permission to copy and/or distribute it,
|
||||
@@ -219,8 +219,6 @@ JSLINT = @JSLINT@
|
||||
KRAD_LIBS = @KRAD_LIBS@
|
||||
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
|
||||
KRB5_CFLAGS = @KRB5_CFLAGS@
|
||||
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
|
||||
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
|
||||
KRB5_LIBS = @KRB5_LIBS@
|
||||
LD = @LD@
|
||||
LDAP_CFLAGS = @LDAP_CFLAGS@
|
||||
@@ -263,10 +261,11 @@ NM = @NM@
|
||||
NMEDIT = @NMEDIT@
|
||||
NSPR_CFLAGS = @NSPR_CFLAGS@
|
||||
NSPR_LIBS = @NSPR_LIBS@
|
||||
NSS_CFLAGS = @NSS_CFLAGS@
|
||||
NSS_LIBS = @NSS_LIBS@
|
||||
NUM_VERSION = @NUM_VERSION@
|
||||
OBJDUMP = @OBJDUMP@
|
||||
OBJEXT = @OBJEXT@
|
||||
ODS_GROUP = @ODS_GROUP@
|
||||
ODS_USER = @ODS_USER@
|
||||
OTOOL = @OTOOL@
|
||||
OTOOL64 = @OTOOL64@
|
||||
@@ -287,6 +286,8 @@ POPT_LIBS = @POPT_LIBS@
|
||||
POSUB = @POSUB@
|
||||
PYLINT = @PYLINT@
|
||||
PYTHON = @PYTHON@
|
||||
PYTHON2 = @PYTHON2@
|
||||
PYTHON3 = @PYTHON3@
|
||||
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
|
||||
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
|
||||
PYTHON_PLATFORM = @PYTHON_PLATFORM@
|
||||
@@ -374,9 +375,7 @@ program_transform_name = @program_transform_name@
|
||||
psdir = @psdir@
|
||||
pyexecdir = @pyexecdir@
|
||||
pythondir = @pythondir@
|
||||
runstatedir = @runstatedir@
|
||||
sbindir = @sbindir@
|
||||
selinux_makefile = @selinux_makefile@
|
||||
sharedstatedir = @sharedstatedir@
|
||||
srcdir = @srcdir@
|
||||
sysconfdir = @sysconfdir@
|
||||
@@ -412,8 +411,6 @@ dist_man1_MANS = \
|
||||
ipa-cacert-manage.1 \
|
||||
ipa-winsync-migrate.1 \
|
||||
ipa-pkinit-manage.1 \
|
||||
ipa-crlgen-manage.1 \
|
||||
ipa-cert-fix.1 \
|
||||
$(NULL)
|
||||
|
||||
dist_man8_MANS = \
|
||||
|
||||
@@ -51,9 +51,6 @@ Include the IPA service log files in the backup.
|
||||
\fB\-\-online\fR
|
||||
Perform the backup on\-line. Requires the \-\-data option.
|
||||
.TP
|
||||
\fB\-\-disable\-role\-check\fR
|
||||
Perform the backup even if this host does not have all the roles in use in the cluster. This is not recommended.
|
||||
.TP
|
||||
\fB\-\-v\fR, \fB\-\-verbose\fR
|
||||
Print debugging information
|
||||
.TP
|
||||
@@ -88,4 +85,4 @@ The log file for backups
|
||||
.PP
|
||||
.SH "SEE ALSO"
|
||||
.BR ipa\-restore(1)
|
||||
.BR gpg2(1)
|
||||
.BR gpg2(1)
|
||||
@@ -73,9 +73,6 @@ The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME).
|
||||
\fB\-\-subject\-base\fR=\fISUBJECT\fR
|
||||
The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
|
||||
.TP
|
||||
\fB\-\-pki\-config\-override\fR=\fIFILE\fR
|
||||
File containing overrides for CA installation.
|
||||
.TP
|
||||
\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
|
||||
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
|
||||
.TP
|
||||
|
||||
@@ -21,11 +21,9 @@
|
||||
ipa\-cacert\-manage \- Manage CA certificates in IPA
|
||||
.SH "SYNOPSIS"
|
||||
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] renew
|
||||
.br
|
||||
.RE
|
||||
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] install \fICERTFILE\fR...
|
||||
.br
|
||||
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] delete \fINICKNAME\fR
|
||||
.br
|
||||
.RE
|
||||
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] list
|
||||
.SH "DESCRIPTION"
|
||||
\fBipa\-cacert\-manage\fR can be used to manage CA certificates in IPA.
|
||||
@@ -56,16 +54,6 @@ Please do not forget to run ipa-certupdate on the master, all the replicas and a
|
||||
.sp
|
||||
The supported formats for the certificate files are DER, PEM and PKCS#7 format.
|
||||
.RE
|
||||
.TP
|
||||
\fBdelete\fR
|
||||
\- Remove a CA certificate
|
||||
.sp
|
||||
.RS
|
||||
Remove a CA from IPA. The nickname of a CA to be removed can be found using the list command. The CA chain is validated before allowing a CA to be removed so leaf certificates in a chain need to be removed first.
|
||||
.sp
|
||||
Please do not forget to run ipa-certupdate on the master, all the replicas and all the clients after this command in order to update IPA certificates databases.
|
||||
.RE
|
||||
.TP
|
||||
\fBlist\fR
|
||||
\- List the stored CA certificates
|
||||
.sp
|
||||
@@ -91,6 +79,7 @@ Output only errors.
|
||||
.TP
|
||||
\fB\-\-log\-file\fR=\fIFILE\fR
|
||||
Log to the given file.
|
||||
.RE
|
||||
.SH "RENEW OPTIONS"
|
||||
.TP
|
||||
\fB\-\-self\-signed\fR
|
||||
@@ -123,6 +112,7 @@ If no template is specified, the template name "SubCA" is used.
|
||||
.TP
|
||||
\fB\-\-external\-cert\-file\fR=\fIFILE\fR
|
||||
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
|
||||
.RE
|
||||
.SH "INSTALL OPTIONS"
|
||||
.TP
|
||||
\fB\-n\fR \fINICKNAME\fR, \fB\-\-nickname\fR=\fINICKNAME\fR
|
||||
@@ -140,10 +130,6 @@ T \- CA trusted to issue client certificates
|
||||
.IP
|
||||
p \- not trusted
|
||||
.RE
|
||||
.SH "DELETE OPTIONS"
|
||||
.TP
|
||||
\fB\-f\fR, \fB\-\-force\fR
|
||||
Force a CA certificate to be removed even if chain validation fails.
|
||||
.SH "EXIT STATUS"
|
||||
0 if the command was successful
|
||||
|
||||
|
||||
@@ -1,66 +0,0 @@
|
||||
.\"
|
||||
.\" Copyright (C) 2019 FreeIPA Contributors see COPYING for license
|
||||
.\"
|
||||
.TH "ipa-cert-fix" "1" "Mar 25 2019" "FreeIPA" "FreeIPA Manual Pages"
|
||||
.SH "NAME"
|
||||
ipa\-cert\-fix \- Renew expired certificates
|
||||
.SH "SYNOPSIS"
|
||||
ipa\-cert\-fix [options]
|
||||
.SH "DESCRIPTION"
|
||||
|
||||
\fIipa-cert-fix\fR is a tool for recovery when expired certificates
|
||||
prevent the normal operation of FreeIPA. It should ONLY be used in
|
||||
such scenarios, and backup of the system, especially certificates
|
||||
and keys, is \fBSTRONGLY RECOMMENDED\fR.
|
||||
|
||||
Do not use this program unless expired certificates are inhibiting
|
||||
normal operation and renewal procedures.
|
||||
|
||||
To renew the IPA CA certificate, use \fIipa-cacert-manage(1)\fR.
|
||||
|
||||
This tool cannot renew certificates signed by external CAs. To
|
||||
install new, externally-signed HTTP, LDAP or KDC certificates, use
|
||||
\fIipa-server-certinstall(1)\fR.
|
||||
|
||||
\fIipa-cert-fix\fR will examine FreeIPA and Certificate System
|
||||
certificates and renew certificates that are expired, or close to
|
||||
expiry (less than two weeks). If any "shared" certificates are
|
||||
renewed, \fIipa-cert-fix\fR will set the current server to be the CA
|
||||
renewal master, and add the new shared certificate(s) to LDAP for
|
||||
replication to other CA servers. Shared certificates include all
|
||||
Dogtag system certificates except the HTTPS certificate, and the IPA
|
||||
RA certificate.
|
||||
|
||||
To repair certificates across multiple CA servers, first ensure that
|
||||
LDAP replication is working across the topology. Then run
|
||||
\fIipa-cert-fix\fR on one CA server. Before running
|
||||
\fIipa-cert-fix\fR on another CA server, trigger Certmonger renewals
|
||||
for shared certificates via \fIgetcert-resubmit(1)\fR (on the other
|
||||
CA server). This is to avoid unnecessary renewal of shared
|
||||
certificates.
|
||||
|
||||
.SH "OPTIONS"
|
||||
.TP
|
||||
\fB\-\-version\fR
|
||||
Show the program's version and exit.
|
||||
.TP
|
||||
\fB\-h\fR, \fB\-\-help\fR
|
||||
Show the help for this program.
|
||||
.TP
|
||||
\fB\-v\fR, \fB\-\-verbose\fR
|
||||
Print debugging information.
|
||||
.TP
|
||||
\fB\-q\fR, \fB\-\-quiet\fR
|
||||
Output only errors (output from child processes may still be shown).
|
||||
.TP
|
||||
\fB\-\-log\-file\fR=\fIFILE\fR
|
||||
Log to the given file.
|
||||
.SH "EXIT STATUS"
|
||||
0 if the command was successful
|
||||
|
||||
1 if an error occurred
|
||||
|
||||
.SH "SEE ALSO"
|
||||
.BR ipa-cacert-manage(1)
|
||||
.BR ipa-server-certinstall(1)
|
||||
.BR getcert-resubmit(1)
|
||||
@@ -1,47 +0,0 @@
|
||||
.\"
|
||||
.\" Copyright (C) 2019 FreeIPA Contributors see COPYING for license
|
||||
.\"
|
||||
.TH "ipa-crlgen-manage" "1" "Feb 12 2019" "FreeIPA" "FreeIPA Manual Pages"
|
||||
.SH "NAME"
|
||||
ipa\-crlgen\-manage \- Enables or disables CRL generation
|
||||
.SH "SYNOPSIS"
|
||||
ipa\-crlgen\-manage [options] <enable|disable|status>
|
||||
.SH "DESCRIPTION"
|
||||
Run the command with the \fBenable\fR option to enable CRL generation on the
|
||||
local host. This requires that the IPA server is already installed and
|
||||
configured, including a CA. The command will restart Dogtag and Apache.
|
||||
|
||||
Run the command with the \fBdisable\fR option to disable CRL generation on the
|
||||
local host. The command will restart Dogtag and Apache.
|
||||
|
||||
Run the command with the \fBstatus\fR option to determine the current status
|
||||
of CRL generation. If the local host is configured for CRL generation, the
|
||||
command also prints the last CRL generation date and number.
|
||||
|
||||
Important: the administrator must ensure that there is only one IPA server
|
||||
generating CRLs. In order to transfer the CRL generation from one server to
|
||||
another, please run \fBipa-crlgen-manage disable\fR on the current CRL
|
||||
generation master, followed by \fBipa-crlgen-manage enable\fR on the new
|
||||
CRL generation master.
|
||||
.SH "OPTIONS"
|
||||
.TP
|
||||
\fB\-\-version\fR
|
||||
Show the program's version and exit.
|
||||
.TP
|
||||
\fB\-h\fR, \fB\-\-help\fR
|
||||
Show the help for this program.
|
||||
.TP
|
||||
\fB\-v\fR, \fB\-\-verbose\fR
|
||||
Print debugging information.
|
||||
.TP
|
||||
\fB\-q\fR, \fB\-\-quiet\fR
|
||||
Output only errors.
|
||||
.TP
|
||||
\fB\-\-log\-file\fR=\fIFILE\fR
|
||||
Log to the given file.
|
||||
.SH "EXIT STATUS"
|
||||
0 if the command was successful
|
||||
|
||||
1 if an error occurred
|
||||
|
||||
2 if the local host is not an IPA server
|
||||
@@ -51,9 +51,6 @@ Output only errors
|
||||
.TP
|
||||
\fB\-\-log-file\fR=\fRFILE\fR
|
||||
Log to the given file
|
||||
.TP
|
||||
\fB\-\-pki\-config\-override\fR=\fIFILE\fR
|
||||
File containing overrides for KRA installation.
|
||||
.SH "EXIT STATUS"
|
||||
0 if the command was successful
|
||||
|
||||
|
||||
@@ -47,7 +47,7 @@ One Time Password for joining a machine to the IPA realm.
|
||||
Path to host keytab.
|
||||
.TP
|
||||
\fB\-\-server\fR
|
||||
The fully qualified domain name of the IPA server to enroll to. The IPA server must provide the CA role if \fB\-\-setup-ca\fR option is specified, and the KRA role if \fB\-\-setup-kra\fR option is specified.
|
||||
The fully qualified domain name of the IPA server to enroll to.
|
||||
.TP
|
||||
\fB\-n\fR, \fB\-\-domain\fR=\fIDOMAIN\fR
|
||||
The primary DNS domain of an existing IPA deployment, e.g. example.com.
|
||||
@@ -140,9 +140,6 @@ Name of the Apache Server SSL certificate to install
|
||||
\fB\-\-pkinit\-cert\-name\fR=NAME
|
||||
Name of the Kerberos KDC SSL certificate to install
|
||||
.TP
|
||||
\fB\-\-pki\-config\-override\fR=\fIFILE\fR
|
||||
File containing overrides for CA and KRA installation.
|
||||
.TP
|
||||
\fB\-\-skip\-schema\-check\fR
|
||||
Skip check for updated CA DS schema on the remote master
|
||||
|
||||
@@ -278,5 +275,3 @@ path.
|
||||
1 if an error occurred
|
||||
|
||||
3 if the host exists in the IPA server or a replication agreement to the remote master already exists
|
||||
|
||||
4 if the remote master specified for enrollment does not provide required services such as CA or KRA
|
||||
|
||||
@@ -47,23 +47,8 @@ The password to unlock the private key
|
||||
\fB\-\-cert\-name\fR=\fINAME\fR
|
||||
Name of the certificate to install
|
||||
.TP
|
||||
\fB\-p\fR, \fB\-\-dirman\-password\fR=\fIDIRMAN_PASSWORD\fR
|
||||
\fB\-\-dirman\-password\fR=\fIDIRMAN_PASSWORD\fR
|
||||
Directory Manager password
|
||||
.TP
|
||||
\fB\-\-version\fR
|
||||
Show the program's version and exit
|
||||
.TP
|
||||
\fB\-h\fR, \fB\-\-help\fR
|
||||
Show the help for this program
|
||||
.TP
|
||||
\fB\-v\fR, \fB\-\-verbose\fR
|
||||
Print debugging information
|
||||
.TP
|
||||
\fB\-q\fR, \fB\-\-quiet\fR
|
||||
Output only errors
|
||||
.TP
|
||||
\fB\-\-log\-file\fR=\fIFILE\fR
|
||||
Log to the given file
|
||||
.SH "EXIT STATUS"
|
||||
0 if the installation was successful
|
||||
|
||||
|
||||
@@ -152,9 +152,6 @@ Name of the Kerberos KDC SSL certificate to install.
|
||||
\fB\-\-ca\-cert\-file\fR=\fIFILE\fR
|
||||
File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files.
|
||||
.TP
|
||||
\fB\-\-pki\-config\-override\fR=\fIFILE\fR
|
||||
File containing overrides for CA and KRA installation.
|
||||
.TP
|
||||
\fB\-\-ca\-subject\fR=\fISUBJECT\fR
|
||||
The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
|
||||
.TP
|
||||
|
||||