ipa-acme-manage - Man Page

Manage the IPA ACME service

Synopsis

ipa-acme-manage enable|disable|status|pruning

Description

Use the ipa-acme-manage command to enable, disable or retrieve the status of the ACME service on an IPA CA server.

In an IPA topology all CA servers capable of ACME will have the ACME service deployed.  The service is not enabled by default.  It is expected that the ACME service will either be enabled on all CA servers, or disabled on all CA servers.  However, it must be enabled or disabled on each individual server.

Commands

enable

Enable the ACME service on this host.

disable

Disable the ACME service on this host.

status

Display the status of the ACME service.

pruning

Configure certificate and request pruning.

Pruning

Pruning is a job that runs in the CA that can remove expired certificates and certificate requests which have not been issued. This is particularly important when using short-lived certificates like those issued with the ACME protocol. Pruning requires that the IPA server be installed with random serial numbers enabled.

The CA needs to be restarted after modifying the pruning configuration.

The job is a cron-like task within the CA. It is controlled by a number of options which dictate how long after a certificate or request is no longer considered valid it is removed from the LDAP database.

The cron time and date fields are:

field          allowed values
-------------  -----------------
minute         0-59
hour           0-23
day of month   1-31
month          1-12
day of week    0-6 (0 is Sunday)

The cron syntax is limited to * or specific numbers. Ranges are not supported.

--enable

Enable certificate pruning.

--disable

Disable certificate pruning.

--cron=CRON

Configure the pruning cron job. The syntax is similar to crontab(5) syntax. For example, "0 0 1 * *" schedules the job to run at 12:00am on the first day of each month.

--certretention=CERTRETENTION

Certificate retention time. The default is 30. A value of 0 will remove expired certificates with no delay.

--certretentionunit=CERTRETENTIONUNIT

Certificate retention units. Valid units are: minute, hour, day, year. The default is day.

--certsearchsizelimit=CERTSEARCHSIZELIMIT

LDAP search size limit searching for expired certificates. The default is 1000. This is a client-side limit. There may be additional server-side limitations.

--certsearchtimelimit=CERTSEARCHTIMELIMIT

LDAP search time limit (seconds) searching for expired certificates. The default is 0, no limit. This is a client-side limit. There may be additional server-side limitations.

--requestretention=REQUESTRETENTION

Request retention time. The default is 30. A value of 0 will remove expired requests with no delay.

--requestretentionunit=REQUESTRETENTIONUNIT

Request retention units. Valid units are: minute, hour, day, year. The default is day.

--requestsearchsizelimit=REQUESTSEARCHSIZELIMIT

LDAP search size limit searching for unfulfilled requests. The default is 1000. There may be additional server-side limitations.

--requestsearchtimelimit=REQUESTSEARCHTIMELIMIT

LDAP search time limit (seconds) searching for unfulfilled requests. The default is 0, no limit. There may be additional server-side limitations.

--config-show

Show the current pruning configuration.

--run

Run the pruning job now. The IPA RA certificate is used to authenticate to the PKI REST backend.

Exit Status

0 if the command was successful

1 if an error occurred

2 if the host is not an IPA server

3 if the host is not a CA server

Info

Jun 2 2020 IPA Manual Pages