Bug 1327207
Summary: | ipa cert-revoke --help doesn't provide enough info on revocation reasons | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Aneta Šteflová Petrová <apetrova> |
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.2 | CC: | dkupka, mbasti, pvoborni, rcritten, spoore |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-4.5.0-1.el7 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-08-01 09:37:23 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Aneta Šteflová Petrová
2016-04-14 12:56:08 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5819

ipa help cert contains the information.

Thanks, Rob, I didn't know that. Is it possible to refer the users to "ipa help cert" from the "ipa cert-revoke -h" output?

Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/deb896768f395dc535ad72715bad4339c97a6a8b

Did this patch get missed/reverted?

```
[root@master ~]# ipa cert-revoke -h
Usage: ipa [global-options] cert-revoke SERIAL-NUMBER [options]

Revoke a certificate.
Options:
  -h, --help            show this help message and exit
  --revocation-reason=INT
                        Reason for revoking the certificate (0-10)
  --ca=STR              Name of issuing CA
[root@master ~]# rpm -q ipa-server
ipa-server-4.4.0-9.el7.x86_64
```

Looks like regression in thin client or something.

No, the change was undone here: https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=d44ffdad4285bf2a1c0b044e07ef1b18c7d50de1

Upstream ticket: https://fedorahosted.org/freeipa/ticket/6327

#6327

Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/75f77e0f2a55de4802b2ab74a0e6f50eaf728dc8
ipa-4-4: https://fedorahosted.org/freeipa/changeset/43ab75e56d8e661c51cc45803c4f7752e24bcde7

Verified.

Version :: ipa-server-4.5.0-4.el7.x86_64

Results ::

```
[root@auto-hv-02-guest08 ~]# ipa cert-revoke --help
Usage: ipa [global-options] cert-revoke SERIAL-NUMBER [options]

Revoke a certificate.
Options:
  -h, --help            show this help message and exit
  --revocation-reason=INT
                        Reason for revoking the certificate (0-10). Type "ipa
                        help cert" for revocation reason details.
  --ca=STR              Name of issuing CA
[root@auto-hv-02-guest08 ~]# ipa help cert
IPA certificate operations

Implements a set of commands for managing server SSL certificates.

Certificate requests exist in the form of a Certificate Signing Request (CSR)
in PEM format.

The dogtag CA uses just the CN value of the CSR and forces the rest of the
subject to values configured in the server.

A certificate is stored with a service principal and a service principal
needs a host.

In order to request a certificate:

* The host must exist
* The service must exist (or you use the --add option to automatically add it)

SEARCHING:

Certificates may be searched on by certificate subject, serial number,
revocation reason, validity dates and the issued date.

When searching on dates the _from date does a >= search and the _to date
does a <= search. When combined these are done as an AND.

Dates are treated as GMT to match the dates in the certificates.

The date format is YYYY-mm-dd.

EXAMPLES:

 Request a new certificate and add the principal:
   ipa cert-request --add --principal=HTTP/lion.example.com example.csr

 Retrieve an existing certificate:
   ipa cert-show 1032

 Revoke a certificate (see RFC 5280 for reason details):
   ipa cert-revoke --revocation-reason=6 1032

 Remove a certificate from revocation hold status:
   ipa cert-remove-hold 1032

 Check the status of a signing request:
   ipa cert-status 10

 Search for certificates by hostname:
   ipa cert-find --subject=ipaserver.example.com

 Search for revoked certificates by reason:
   ipa cert-find --revocation-reason=5

 Search for certificates based on issuance date
   ipa cert-find --issuedon-from=2013-02-01 --issuedon-to=2013-02-07

 Search for certificates owned by a specific user:
   ipa cert-find --user=user

 Examine a certificate:
   ipa cert-find --file=cert.pem --all

 Verify that a certificate is owned by a specific user:
   ipa cert-find --file=cert.pem --user=user

IPA currently immediately issues (or declines) all certificate requests so
the status of a request is not normally useful. This is for future use
or the case where a CA does not immediately issue a certificate.

The following revocation reasons are supported:

    * 0 - unspecified
    * 1 - keyCompromise
    * 2 - cACompromise
    * 3 - affiliationChanged
    * 4 - superseded
    * 5 - cessationOfOperation
    * 6 - certificateHold
    * 8 - removeFromCRL
    * 9 - privilegeWithdrawn
    * 10 - aACompromise

Note that reason code 7 is not used. See RFC 5280 for more details:

http://www.ietf.org/rfc/rfc5280.txt

Topic commands:
  cert-find         Search for existing certificates.
  cert-remove-hold  Take a revoked certificate off hold.
  cert-request      Submit a certificate signing request.
  cert-revoke       Revoke a certificate.
  cert-show         Retrieve an existing certificate.
  cert-status       Check the status of a certificate signing request.

To get command help, use:
  ipa <command> --help

[root@auto-hv-02-guest08 ~]#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304