Bug 1434729 - man ipa-cacert-manage install needs clarification
Summary: man ipa-cacert-manage install needs clarification
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Varun Mylaraiah
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-03-22 09:07 UTC by Petr Vobornik
Modified: 2017-08-01 09:46 UTC (History)
7 users (show)

Fixed In Version: ipa-4.5.0-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:46:16 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-03-22 09:07:37 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6795

The customers are often confused by ipa-cacert-manage install. The man page currently states:

       install
              - Install a CA certificate
              This command can be used to install the certificate contained in
              CERTFILE as an additional CA certificate to IPA.

The man page should make it clear that IPA CA is not modified in any way by this command.

Comment 2 Petr Vobornik 2017-03-22 09:09:47 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/6795

Comment 5 Ganna Kaihorodova 2017-05-25 13:16:37 UTC
[root@bkr-hv03-guest08 ~]# rpm -q ipa-server
ipa-server-4.5.0-9.el7.x86_64
[root@bkr-hv03-guest08 ~]# man ipa-cacert-manage | grep "install"
ipa-cacert-manage [OPTIONS...] install CERTFILE
              When the IPA CA is subordinate of an external CA, the renewal process involves submitting a CSR to the external CA and installing the newly issued certificate in IPA,  which  cannot  be  done
       install
              This command can be used to install the certificate contained in CERTFILE as an additional CA certificate to IPA.
              Important:  this  does not replace IPA CA but adds the provided certificate as a known CA. This is useful for instance when using ipa-server-certinstall to replace HTTP/LDAP certificates with third-party certificates signed by this additional CA.

Comment 6 errata-xmlrpc 2017-08-01 09:46:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.