Chapter 7. Managing the validity of certificates in IdM


In Identity Management (IdM), you can manage the validity of both existing certificates and certificates that you will issue in the future, but the methods differ.

Administrators keep the deployment secure by monitoring expiration dates, renewing certificates that are still trustworthy before they expire, and immediately revoking certificates whose private key has been lost or compromised. Utilities such as certmonger and certutil perform these lifecycle actions.

You can manage the validity of an existing certificate that was issued by the IdM CA in the following ways:

  • Renew the certificate by requesting a new one, using either the original certificate signing request (CSR) or a new CSR generated from the same private key. Reuse the existing key only if you have no reason to suspect it has been compromised; otherwise generate a new key pair and revoke the old certificate. You can request the new certificate with the following utilities:

    certmonger
    Use certmonger to request a service certificate. certmonger tracks the certificate and automatically renews it before it is due to expire, so the service certificate stays valid without manual intervention. For details, see Obtaining an IdM certificate for a service using certmonger.
    certutil
    Use certutil to renew user, host, and service certificates. For details on requesting a user certificate, see Requesting a new user certificate and exporting it to the client.
    openssl
    Use openssl to renew user, host, and service certificates.
  • Revoke the certificate.
  • Restore the certificate if it has been temporarily revoked (placed on Certificate Hold).

To manage the validity of future certificates issued by IdM CA, modify, import, or create a certificate profile. For details, see Creating and managing certificate profiles in Identity Management.

You can use the IdM WebUI to view the expiry date of all the certificates that have been issued by IdM CA.

Prerequisites

  • Ensure that you have obtained the administrator’s credentials.

Procedure

  1. In the Authentication menu, click Certificates > Certificates.
  2. Click the serial number of the certificate to open the certificate information page.

    (Figure: List of Certificates)

  3. In the certificate information page, locate the Expires On information.

You can use the command line (CLI) to view the expiry date of a certificate that you have as a file.

Procedure

  • Use the openssl utility to display the certificate in human-readable form. The file must be PEM-encoded; for a DER-encoded file, add the -inform DER option. To print only the expiry date, replace -text with -enddate.

    $ openssl x509 -noout -text -in ca.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: O = IDM.EXAMPLE.COM, CN = Certificate Authority
            Validity
                Not Before: Oct 30 19:39:14 2017 GMT
                Not After : Oct 30 19:39:14 2037 GMT

    Note that openssl reports only the validity period encoded in the certificate. It does not know whether the IdM CA has revoked the certificate; a certificate can be within its validity period and still be unusable because it was revoked.
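As an added example that is not taken from the Red Hat documentation: the following POSIX shell functions wrap the openssl check above so that it handles both PEM and DER files and can be run as an expiry audit over several certificate files at once, which is what a practitioner usually wants before a renewal window. The function names (cert_inform, cert_not_after, cert_expires_within, audit_certs) are my own; the openssl x509 options -inform, -enddate and -checkend are standard openssl options. The functions only read the certificate files and know nothing about revocation status in IdM.

```shell
#!/bin/sh
# Added example, not part of the Red Hat IdM documentation.
# cert_not_after FILE          print the notAfter date of a PEM or DER certificate
# cert_expires_within FILE N   exit 0 if the certificate has expired or expires
#                              within N days, 1 if it is valid beyond that window
# audit_certs N FILE...        report every file; exit 1 if any is expiring

# Detect the encoding: IdM exports PEM by default, a DER file has no text header.
cert_inform() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# Print only the notAfter value, e.g. "Oct 30 19:39:14 2037 GMT".
cert_not_after() {
    openssl x509 -inform "$(cert_inform "$1")" -in "$1" -noout -enddate \
        | sed 's/^notAfter=//'
}

# openssl -checkend SECS exits 0 when the certificate is still valid SECS seconds
# from now and 1 when it expires within that window (or has already expired).
# We invert that so that "expires within" reads naturally in an if statement.
cert_expires_within() {
    file="$1"
    days="${2:-30}"
    secs=$((days * 86400))
    if openssl x509 -inform "$(cert_inform "$file")" -in "$file" -noout \
            -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Walk a list of certificate files and flag the ones inside the warning window.
audit_certs() {
    days="$1"
    shift
    rc=0
    for f in "$@"; do
        if cert_expires_within "$f" "$days"; then
            echo "EXPIRING: $f (notAfter=$(cert_not_after "$f"))"
            rc=1
        else
            echo "ok:       $f (notAfter=$(cert_not_after "$f"))"
        fi
    done
    return $rc
}

# Usage from the command line: audit_certs 30 /etc/ipa/ca.crt /path/to/*.pem
if [ "$#" -ge 2 ]; then
    audit_certs "$@"
fi
```

Run it from cron with the warning window set to a few days more than the renewal lead time you rely on, so that a certificate certmonger failed to renew is noticed while the old one is still valid.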

If you know you have lost the private key for your certificate, or suspect that someone else has obtained it, you must revoke the certificate to prevent its abuse. You can revoke a certificate issued by the integrated IdM CA either in the IdM Web UI or with the ipa cert-revoke command on the IdM CLI. Both methods are described below.

7.5.1. Certificate revocation reasons

A revoked certificate is invalid and cannot be used for authentication. Relying parties learn about the revocation through the CRL or OCSP responder published by the IdM CA, so a client that does not check revocation status will continue to accept the certificate until it expires. All revocations are permanent, except for reason 6: Certificate Hold, which can be lifted later.

The default revocation reason is 0: unspecified.

Table 7.1. Revocation Reasons

  ID  Reason                         Explanation

  0   Unspecified                    No reason given (the default).

  1   Key Compromised                The private key belonging to the certificate is, or may be,
                                     in the hands of someone other than its owner.
                                     Possible causes include a lost token or a private-key file
                                     that was read by an unauthorized party.

  2   CA Compromised                 The CA that issued the certificate is no longer trusted.

  3   Affiliation Changed            Possible causes include:
                                       • A person has left the company or moved to another department.
                                       • A host or service is being retired.

  4   Superseded                     A newer certificate has replaced the current certificate.

  5   Cessation of Operation         The host or service is being decommissioned.

  6   Certificate Hold               The certificate is temporarily revoked. You can restore the
                                     certificate later.

  8   Remove from CRL                Used only in delta CRLs to indicate that an existing entry,
                                     typically a Certificate Hold, is to be removed from the
                                     certificate revocation list (CRL). To lift a hold, use the
                                     restore procedure described below rather than this reason.

  9   Privilege Withdrawn            The user, host, or service is no longer permitted to use
                                     the certificate.

  10  Attribute Authority (AA)       The AA certificate is no longer trusted.
      Compromise

There is no reason 7; the numbering follows the CRLReason values defined in RFC 5280.

You can use the IdM Web UI to revoke a certificate issued by the IdM CA.

Procedure

  1. Click Authentication > Certificates > Certificates.
  2. Click the serial number of the certificate to open the certificate information page.

    (Figure: List of Certificates)

  3. In the certificate information page, click Actions > Revoke Certificate.
  4. Select the reason for revoking and click Revoke. See Certificate revocation reasons for details. Choose Certificate Hold only if you expect to restore the certificate; every other reason is permanent.

You can use the IdM CLI to revoke a certificate issued by the IdM CA. The command requires a valid administrator Kerberos ticket (for example, obtained with kinit admin).

Procedure

  • Use the ipa cert-revoke command, and specify:

    • the certificate serial number
    • the ID number for the revocation reason; see Certificate revocation reasons for details. If you omit the option, reason 0: unspecified is recorded.

      For example, to revoke the certificate with serial number 1032 because of reason 1: Key Compromised, enter:

      $ ipa cert-revoke 1032 --revocation-reason=1
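As an added example that is not part of the Red Hat documentation: a small shell wrapper around ipa cert-revoke that rejects reason codes the CA does not define (the table above skips 7 because RFC 5280 defines no such reason), requires explicit confirmation for every reason other than 6: Certificate Hold because those revocations cannot be undone, and then confirms the result by reading the Revoked field printed by ipa cert-show. The function names and the IPA_CMD variable are mine; the wrapper assumes an enrolled host with the ipa client installed, a valid admin Kerberos ticket, and that ipa cert-show prints a "Revoked: True" line once the CA has processed the revocation.

```shell
#!/bin/sh
# Added example, not part of the Red Hat IdM documentation.
# IPA_CMD is a hypothetical override so the wrapper can be exercised with a stub
# instead of a real IdM server; in production leave it unset.
IPA_CMD="${IPA_CMD:-ipa}"

# RFC 5280 CRLReason values that IdM accepts: 0 to 6 and 8 to 10. There is no 7.
is_valid_revocation_reason() {
    case "$1" in
        0|1|2|3|4|5|6|8|9|10) return 0 ;;
        *) return 1 ;;
    esac
}

# Only reason 6 (Certificate Hold) can be undone later with ipa cert-remove-hold.
is_permanent_reason() {
    [ "$1" != "6" ]
}

# revoke_cert SERIAL REASON [--yes]
# Exit codes: 0 revoked and confirmed, 1 ipa command or confirmation failed,
#             2 invalid reason code, 3 permanent reason given without --yes.
revoke_cert() {
    serial="$1"
    reason="$2"
    confirm="${3:-}"

    if ! is_valid_revocation_reason "$reason"; then
        echo "revoke_cert: invalid revocation reason '$reason' (use 0-6 or 8-10)" >&2
        return 2
    fi
    if is_permanent_reason "$reason" && [ "$confirm" != "--yes" ]; then
        echo "revoke_cert: reason $reason is permanent; re-run with --yes to confirm" >&2
        return 3
    fi

    "$IPA_CMD" cert-revoke "$serial" --revocation-reason="$reason" || return 1

    # Verify the CA actually recorded the revocation rather than trusting the
    # exit status alone: cert-show reports "Revoked: True" for a revoked cert.
    "$IPA_CMD" cert-show "$serial" | grep -q 'Revoked: True'
}

# Usage from the command line: revoke_cert 1032 1 --yes
if [ "$#" -ge 2 ]; then
    revoke_cert "$@"
fi
```

For a key-compromise case (reason 1), follow the revocation by generating a new key pair and requesting a replacement certificate; reusing the compromised key with a new CSR would defeat the purpose of the revocation.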

Administrators can reinstate certificates that were previously revoked with reason 6: Certificate Hold. Restoring a temporarily revoked certificate makes it valid for authentication again without issuing a new certificate. Certificates revoked with any other reason cannot be restored.

You can use the IdM Web UI to restore a certificate that is on hold. Locate the certificate by its serial number in the certificate list and remove the hold.

Procedure

  1. In the Authentication menu, click Certificates > Certificates.
  2. Click the serial number of the certificate to open the certificate information page.

    (Figure: List of Certificates in the IdM Web UI)

  3. In the certificate information page, click Actions > Restore Certificate.

You can use the IdM CLI to restore a certificate that is on hold. The ipa cert-remove-hold command takes the certificate serial number and lifts the temporary revocation.

Procedure

  • Use the ipa cert-remove-hold command and specify the certificate serial number. For example:

    $ ipa cert-remove-hold 1032
© 2026 Red Hat