Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1356091

Summary:	ipa-cacert-manage --help and man differ
Product:	Red Hat Enterprise Linux 7	Reporter:	Petr Vobornik <pvoborni>
Component:	ipa	Assignee:	IPA Maintainers <ipa-maint>
Status:	CLOSED ERRATA	QA Contact:	Kaleem <ksiddiqu>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	7.3	CC:	mbasti, pvoborni, rcritten, xdong
Target Milestone:	rc
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	ipa-4.4.0-6.el7	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-11-04 05:57:49 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Petr Vobornik 2016-07-13 11:51:21 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6013

The ipa-cacert-manage --help differs from its man page.

The --help displays which options are available for which subcommand, the man page shows all options for both subcommands (although some of the options are not taken into account during renew action, neither are some during install).

Also, neither help nor man page expresses the need to add the certificate file as an argument to the script for the install subcommand.

Comment 1 Martin Bašti 2016-08-09 14:10:59 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/bf6adfe69d2dc1e6cc76d17023f4049e49cfd8ae

Comment 3 Xiyang Dong 2016-09-18 13:22:49 UTC

Verified on ipa-server-4.4.0-9.el7:
[root@auto-hv-01-guest02 ~]# ipa-cacert-manage --help
Usage: ipa-cacert-manage renew [options]
ipa-cacert-manage install [options] CERTFILE

Manage CA certificates.

Options:
--version show program's version number and exit
-h, --help show this help message and exit
-p PASSWORD, --password=PASSWORD
Directory Manager password

Logging and output options:
-v, --verbose print debugging information
-q, --quiet output only errors
--log-file=FILE log to the given file

Renew options:
--self-signed Sign the renewed certificate by itself
--external-ca Sign the renewed certificate by external CA
--external-cert-file=FILE
File containing the IPA CA certificate and the
external CA certificate chain

Install options:
-n NICKNAME, --nickname=NICKNAME
Nickname for the certificate
-t TRUST_FLAGS, --trust-flags=TRUST_FLAGS
Trust flags for the certificate in certutil format

[root@auto-hv-01-guest02 ~]# man ipa-cacert-manage > /tmp/ipa-cacert-manage.out
[root@auto-hv-01-guest02 ~]# cat /tmp/ipa-cacert-manage.out
ipa-cacert-manage(1) IPA Manual Pages ipa-cacert-manage(1)

NAME
ipa-cacert-manage - Manage CA certificates in IPA

SYNOPSIS
ipa-cacert-manage [OPTIONS...] renew
ipa-cacert-manage [OPTIONS...] install CERTFILE

DESCRIPTION
ipa-cacert-manage can be used to manage CA certificates in IPA.

COMMANDS
renew - Renew the IPA CA certificate

This command can be used to manually renew the CA certificate of the IPA CA.

When the IPA CA is the root CA (the default), it is not usually necessary to manually renew the CA certificate,
as it will be renewed automatically when it is about to expire, but you can do so if you wish.

When the IPA CA is subordinate of an external CA, the renewal process involves submitting a CSR to the external
CA and installing the newly issued certificate in IPA, which cannot be done automatically. It is necessary to
manually renew the CA certificate in this setup.

When the IPA CA is not configured, this command is not available.

install
- Install a CA certificate

This command can be used to install the certificate contained in CERTFILE as a new CA certificate to IPA.

COMMON OPTIONS
--version
Show the program's version and exit.

-h, --help
Show the help for this program.

-p DM_PASSWORD, --password=DM_PASSWORD
The Directory Manager password to use for authentication.

-v, --verbose
Print debugging information.

-q, --quiet
Output only errors.

--log-file=FILE
Log to the given file.

RENEW OPTIONS
--self-signed
Sign the renewed certificate by itself.

--external-ca
Sign the renewed certificate by external CA.

--external-cert-file=FILE
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER
certificate and PKCS#7 certificate chain formats. This option may be used multiple times.

INSTALL OPTIONS
-n NICKNAME, --nickname=NICKNAME
Nickname for the certificate.

-t TRUST_FLAGS, --trust-flags=TRUST_FLAGS
Trust flags for the certificate in certutil format. Trust flags are of the form "X,Y,Z" where X is for SSL, Y is
for S/MIME, and Z is for code signing. Use ",," for no explicit trust.

The supported trust flags are:

C - CA trusted to issue server certificates

T - CA trusted to issue client certificates

p - not trusted

EXIT STATUS
0 if the command was successful

1 if an error occurred

IPA Aug 12 2013 ipa-cacert-manage(1)

Comment 4 Xiyang Dong 2016-09-18 13:25:48 UTC

A minor issue should be fixed.
In man page:

.
.
.
SYNOPSIS
       ipa-cacert-manage [OPTIONS...] renew
ipa-cacert-manage [OPTIONS...] install CERTFILE


should change to :
.
.
.
SYNOPSIS
       ipa-cacert-manage [OPTIONS...] renew
       ipa-cacert-manage [OPTIONS...] install CERTFILE

Comment 6 errata-xmlrpc 2016-11-04 05:57:49 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html