ipa-acme-manage - Man Page
Manage the IPA ACME service
Synopsis
ipa-acme-manage enable|disable|status|pruning [PRUNING OPTIONS]
Description
Use the ipa-acme-manage command to enable, disable or retrieve the status of the ACME service on an IPA CA server.
In an IPA topology all CA servers capable of ACME have the ACME service deployed, but the service is not enabled by default. The ACME service is expected to be either enabled on all CA servers or disabled on all CA servers. However, the command only acts on the local host, so it must be run to enable or disable the service on each individual server.
Commands
- enable
Enable the ACME service on this host.
- disable
Disable the ACME service on this host.
- status
Display the status of the ACME service.
- pruning
Configure certificate and request pruning.
Pruning
Pruning is a job that runs in the CA and removes expired certificates and certificate requests that were never fulfilled. This is particularly important when using short-lived certificates such as those issued with the ACME protocol, which would otherwise accumulate in the LDAP database. Pruning requires that the IPA server be installed with random serial numbers enabled.
The CA needs to be restarted after modifying the pruning configuration.
The job is a cron-like task within the CA. It is controlled by a number of options which dictate how long after a certificate has expired, or a request has stopped being valid, the entry is removed from the LDAP database.
The cron time and date fields are:
field | allowed values |
----- | -------------- |
minute | 0-59 |
hour | 0-23 |
day of month | 1-31 |
month | 1-12 |
day of week | 0-6 (0 is Sunday) |
The cron syntax is limited to * or specific numbers. Ranges are not supported.
- --enable
Enable certificate pruning.
- --disable
Disable certificate pruning.
- --cron=CRON
Configure the pruning cron job. The syntax is similar to crontab(5) syntax. For example, "0 0 1 * *" schedules the job to run at 12:00am on the first day of each month.
- --certretention=CERTRETENTION
Certificate retention time. The default is 30. A value of 0 will remove expired certificates with no delay.
- --certretentionunit=CERTRETENTIONUNIT
Certificate retention units. Valid units are: minute, hour, day, year. The default is day.
- --certsearchsizelimit=CERTSEARCHSIZELIMIT
LDAP search size limit when searching for expired certificates. The default is 1000. This is a client-side limit. There may be additional server-side limitations.
- --certsearchtimelimit=CERTSEARCHTIMELIMIT
LDAP search time limit (seconds) when searching for expired certificates. The default is 0, no limit. This is a client-side limit. There may be additional server-side limitations.
- --requestretention=REQUESTRETENTION
Request retention time. The default is 30. A value of 0 will remove expired requests with no delay.
- --requestretentionunit=REQUESTRETENTIONUNIT
Request retention units. Valid units are: minute, hour, day, year. The default is day.
- --requestsearchsizelimit=REQUESTSEARCHSIZELIMIT
LDAP search size limit when searching for unfulfilled requests. The default is 1000. This is a client-side limit. There may be additional server-side limitations.
- --requestsearchtimelimit=REQUESTSEARCHTIMELIMIT
LDAP search time limit (seconds) when searching for unfulfilled requests. The default is 0, no limit. This is a client-side limit. There may be additional server-side limitations.
- --config-show
Show the current pruning configuration.
- --run
Run the pruning job now. The IPA RA certificate is used to authenticate to the PKI REST backend.
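The following is an added example and is not part of FreeIPA or of this man page: a POSIX sh script that validates a --cron expression against the restricted syntax described above (five fields, each either * or a single number in the allowed range; no ranges, lists, steps or names) before handing it to ipa-acme-manage, and then applies the complete pruning setup on the local CA server, including the CA restart. The function names validate_cron and apply_pruning, the use of ipactl restart to restart the CA, and the sample expressions are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of FreeIPA: check a --cron expression against the
# restricted syntax accepted by ipa-acme-manage pruning, then apply pruning.

# validate_cron EXPR
# Returns 0 if EXPR has exactly five whitespace-separated fields and each field
# is either '*' or a plain integer within the allowed range for its position
# (minute 0-59, hour 0-23, day of month 1-31, month 1-12, day of week 0-6).
# Ranges (1-15), lists (1,15), steps (*/5) and names (mon) all return 1.
validate_cron() {
    set -f                         # no pathname expansion: '*' must stay literal
    set -- $1                      # unquoted on purpose: split EXPR into fields
    set +f
    [ $# -eq 5 ] || return 1
    i=0
    for f in "$@"; do
        i=$((i + 1))
        [ "$f" = "*" ] && continue
        case "$f" in
            ''|*[!0-9]*) return 1 ;;   # anything but digits is rejected
        esac
        case $i in
            1) lo=0; hi=59 ;;
            2) lo=0; hi=23 ;;
            3) lo=1; hi=31 ;;
            4) lo=1; hi=12 ;;
            5) lo=0; hi=6 ;;
        esac
        [ "$f" -ge "$lo" ] && [ "$f" -le "$hi" ] || return 1
    done
    return 0
}

# apply_pruning CRON RETENTION
# Enables pruning on this CA server with the given schedule and a retention of
# RETENTION days for both expired certificates and unfulfilled requests,
# restarts the CA so the new configuration takes effect, and prints the
# resulting configuration. Run it on every CA server in the topology.
# Assumption: ipactl is on PATH (it is on any IPA server); restarting only the
# CA's pki-tomcatd instance instead of the whole stack would also do.
apply_pruning() {
    validate_cron "$1" || { echo "invalid cron expression: '$1'" >&2; return 1; }
    ipa-acme-manage pruning --enable || return 1
    ipa-acme-manage pruning --cron="$1" \
        --certretention="$2" --certretentionunit=day \
        --requestretention="$2" --requestretentionunit=day || return 1
    ipactl restart || return 1
    ipa-acme-manage pruning --config-show
}

# Stand-alone check with constructed expressions; only the last two are
# accepted. Apply for real on a CA server with: apply_pruning "0 0 1 * *" 30
for expr in "0 0 1-15 * *" "*/5 * * * *" "0 24 * * *" "0 0 1 * *" "30 2 * * 0"; do
    if validate_cron "$expr"; then
        echo "ok:      $expr"
    else
        echo "invalid: $expr"
    fi
done
```

Validating locally first matters because the CA only picks up the new schedule after the restart, so a rejected or mistyped expression is otherwise discovered one restart late; the same script can be pushed to every CA server, since the pruning configuration, like the ACME service itself, is set per host.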
Exit Status
0 if the command was successful
1 if an error occurred
2 if the host is not an IPA server
3 if the host is not a CA server