Bug 1434729

Summary: man ipa-cacert-manage install needs clarification
Product: Red Hat Enterprise Linux 7 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Varun Mylaraiah <mvarun>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.4CC: gkaihoro, mvarun, nsoman, pvoborni, rcritten, tkrizek, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.5.0-3.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:46:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Vobornik 2017-03-22 09:07:37 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/6795

The customers are often confused by ipa-cacert-manage install. The man page currently states:

       install
              - Install a CA certificate
              This command can be used to install the certificate contained in
              CERTFILE as an additional CA certificate to IPA.

The man page should make it clear that IPA CA is not modified in any way by this command.
Comment 2 Petr Vobornik 2017-03-22 09:09:47 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6795
Comment 3 Tomas Krizek 2017-03-22 09:17:16 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/3ea2834b76a72c97186b01487e885800754c0fbc
ipa-4-5:
https://pagure.io/freeipa/c/bb53a9ab6dce023dd51c2a434fd8597eab5bc0d0
Comment 5 Ganna Kaihorodova 2017-05-25 13:16:37 UTC 
[root@bkr-hv03-guest08 ~]# rpm -q ipa-server
ipa-server-4.5.0-9.el7.x86_64
[root@bkr-hv03-guest08 ~]# man ipa-cacert-manage | grep "install"
ipa-cacert-manage [OPTIONS...] install CERTFILE
              When the IPA CA is subordinate of an external CA, the renewal process involves submitting a CSR to the external CA and installing the newly issued certificate in IPA,  which  cannot  be  done
       install
              This command can be used to install the certificate contained in CERTFILE as an additional CA certificate to IPA.
              Important:  this  does not replace IPA CA but adds the provided certificate as a known CA. This is useful for instance when using ipa-server-certinstall to replace HTTP/LDAP certificates with third-party certificates signed by this additional CA.
Comment 6 errata-xmlrpc 2017-08-01 09:46:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304