Chapter 7. Managing the validity of certificates in IdM


In Identity Management (IdM), you can manage the validity of both already existing certificates and certificates you want to issue in the future, but the methods are different.

In IdM, you can view the expiry date of a certificate either in the IdM WebUI or on the command line (CLI).

You can manage the validity of an already existing certificate that was issued by the IdM CA in the following ways: revoke the certificate, restore a certificate that was revoked with reason 6: Certificate Hold, or request a new certificate to replace one that is expiring.

To manage the validity of future certificates issued by IdM CA, modify, import, or create a certificate profile. For details, see Creating and managing certificate profiles in Identity Management.

You can use the IdM WebUI to view the expiry date of any certificate that has been issued by the IdM CA.

Prerequisites

  • Ensure that you have obtained the administrator’s credentials.

Procedure

  1. In the Authentication menu, click Certificates > Certificates.
  2. Click the serial number of the certificate to open the certificate information page.

    Figure 7.1. List of Certificates

  3. In the certificate information page, locate the Expires On information.

You can use the command line (CLI) to view the expiry date of a certificate stored in a file, for example the IdM CA certificate. To get a certificate issued by the IdM CA into a file, export it with ipa cert-show SERIAL --out FILE.

Procedure

  • Use the openssl utility to print the certificate in a human-readable format and read the Not After line in the Validity section, which is the expiry date:

    $ openssl x509 -noout -text -in ca.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: O = IDM.EXAMPLE.COM, CN = Certificate Authority
            Validity
                Not Before: Oct 30 19:39:14 2017 GMT
                Not After : Oct 30 19:39:14 2037 GMT
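The openssl command above prints the whole certificate; a monitoring job wants the Not After date alone and a pass/fail check against a threshold. The following script is an added example, not code from the Red Hat documentation or from the ipa tooling. It assumes openssl is in PATH; the self-signed certificate it creates for its own test is constructed test data standing in for a certificate exported from IdM with ipa cert-show SERIAL --out FILE, and the file names and the host name test.idm.example.com are placeholders.

```shell
#!/bin/sh
# Added example for this page; not part of the Red Hat IdM documentation or
# of the ipa tooling. Wraps openssl (assumed to be in PATH) to report a
# certificate's Not After date and to flag certificates that expire within a
# given number of days.

# cert_not_after FILE
#   Prints only the Not After date of a PEM certificate, without the
#   "notAfter=" prefix that openssl adds.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# cert_expires_within FILE DAYS
#   Returns 0 if the certificate will have expired DAYS days from now,
#   1 if it is still valid at that point. "openssl x509 -checkend" exits 0
#   when the certificate is still valid at now+SECONDS, so the status is
#   inverted here to read naturally in an "if" test.
cert_expires_within() {
    seconds=$(( $2 * 86400 ))
    if openssl x509 -noout -checkend "$seconds" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_test_cert FILE DAYS
#   Constructed test data: a throwaway self-signed certificate valid for DAYS
#   days, standing in for a certificate exported from IdM with
#   "ipa cert-show SERIAL --out FILE". The key lands next to it as FILE.key.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=test.idm.example.com" >/dev/null 2>&1
}

# Usage: sh check_cert_expiry.sh CERT.pem [DAYS]   (DAYS defaults to 30)
if [ $# -gt 0 ]; then
    days=${2:-30}
    echo "Not After: $(cert_not_after "$1")"
    if cert_expires_within "$1" "$days"; then
        echo "WARNING: $1 expires within $days days"
        exit 2
    fi
    echo "OK: $1 is valid for more than $days days"
fi
```

The exit status of cert_expires_within is what a cron job or a Nagios-style check should key on; the Not After string is for the human reading the alert. Run the script against the exported certificate with a threshold that leaves enough time to request and deploy a replacement.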

7.5.1. Certificate revocation reasons

A revoked certificate is invalid and cannot be used for authentication. All revocations are permanent, except for reason 6: Certificate Hold. Revoking a certificate in IdM does not by itself make relying parties reject it: they reject it once they obtain the updated CRL or an OCSP response from the IdM CA.

The default revocation reason is 0: unspecified.

Table 7.1. Revocation Reasons

The ID is the value you pass to ipa cert-revoke --revocation-reason. Reason code 7 is not defined.

  ID  Reason
      Explanation

  0   Unspecified
      No reason given. This is the default.

  1   Key Compromised
      The private key belonging to the certificate is no longer trusted.
      Possible causes: lost token, improperly accessed key file.

  2   CA Compromised
      The CA that issued the certificate is no longer trusted.

  3   Affiliation Changed
      The affiliation of the subject stated in the certificate is no longer correct.
      Possible causes:
      * A person has left the company or moved to another department.
      * A host or service is being retired.

  4   Superseded
      A newer certificate has replaced the current certificate.

  5   Cessation of Operation
      The host or service is being decommissioned.

  6   Certificate Hold
      The certificate is temporarily revoked. You can restore it later with ipa cert-remove-hold or with the Restore Certificate action in the WebUI.

  8   Remove from CRL
      Used in delta CRLs to indicate that a certificate, typically one that was on Certificate Hold, is to be removed from the certificate revocation list (CRL).

  9   Privilege Withdrawn
      The user, host, or service is no longer permitted to use the certificate.

  10  Attribute Authority (AA) Compromise
      The AA certificate is no longer trusted.

If the private key of a certificate has been lost or may have been exposed, revoke the certificate so that it cannot be abused. Complete this procedure to use the IdM WebUI to revoke a certificate issued by the IdM CA.

Procedure

  1. Click Authentication > Certificates > Certificates.
  2. Click the serial number of the certificate to open the certificate information page.

    Figure 7.2. List of Certificates

  3. In the certificate information page, click Actions > Revoke Certificate.
  4. Select the reason for revoking and click Revoke. See Certificate revocation reasons for details.

If the private key of a certificate has been lost or may have been exposed, revoke the certificate so that it cannot be abused. Complete this procedure to use the IdM CLI to revoke a certificate issued by the IdM CA.

Prerequisites

  • Ensure that you have a Kerberos ticket for a user who is allowed to revoke certificates, for example by running kinit admin.

Procedure

  • Use the ipa cert-revoke command, and specify:

      ◦ the serial number of the certificate, and
      ◦ optionally, the revocation reason with --revocation-reason=ID. The default is 0: unspecified.

For example, to revoke the certificate with serial number 1032 because of reason 1: Key Compromised, enter:

$ ipa cert-revoke 1032 --revocation-reason=1
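What ipa cert-revoke achieves, seen from the relying party's side, is that the certificate's serial number appears on the CA's next CRL and chain validation then fails with "certificate revoked". The script below is an added example, not code from the Red Hat documentation or from the ipa tooling, and it stands the IdM CA in with a throwaway local CA driven by openssl ca so that it runs offline. It assumes openssl is in PATH; the directory layout, the host name host.idm.example.com and the CA name are placeholders. Against a real IdM deployment the revocation step is ipa cert-revoke SERIAL --revocation-reason=N, and the CRL to validate against is the one published by the IdM CA.

```shell
#!/bin/sh
# Added example for this page; not part of the Red Hat IdM documentation or
# of the ipa tooling. Shows what revocation means to a relying party: a
# certificate is rejected once the issuing CA lists it on its CRL, and only
# once that CRL has been fetched. The IdM CA is stood in for by a throwaway
# local CA built with "openssl ca" (assumption: openssl in PATH).

# new_test_ca DIR
#   Creates the stand-in CA (key, certificate, issuance database) under DIR
#   and publishes an initial, empty CRL.
new_test_ca() {
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $1
database         = $1/index.txt
new_certs_dir    = $1
certificate      = $1/ca.pem
private_key      = $1/ca.key
serial           = $1/serial
crlnumber        = $1/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = v3_leaf
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
    : > "$1/index.txt"
    echo 1000 > "$1/serial"
    echo 01 > "$1/crlnumber"
    openssl req -x509 -config "$1/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$1/ca.key" -out "$1/ca.pem" -days 3650 \
        -subj "/O=IDM.EXAMPLE.COM/CN=Certificate Authority" >/dev/null 2>&1
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}

# issue_cert DIR NAME CN
#   Issues DIR/NAME.pem for the subject CN from the stand-in CA.
issue_cert() {
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
    openssl ca -batch -notext -config "$1/ca.cnf" \
        -in "$1/$2.csr" -out "$1/$2.pem" >/dev/null 2>&1
}

# cert_serial DIR NAME
#   Prints the serial number in hex; "ipa cert-revoke" takes the same
#   number in decimal.
cert_serial() {
    openssl x509 -noout -serial -in "$1/$2.pem" | sed 's/^serial=//'
}

# revoke_cert DIR NAME REASON
#   Revokes DIR/NAME.pem with an openssl reason name (keyCompromise is IdM
#   reason 1, certificateHold is reason 6) and republishes the CRL. Until the
#   new CRL is published and fetched, relying parties still accept the cert.
revoke_cert() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.pem" -crl_reason "$3" >/dev/null 2>&1
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}

# crl_lists_serial DIR SERIAL
#   Returns 0 if the current CRL has an entry for SERIAL (hex, as printed
#   by cert_serial).
crl_lists_serial() {
    openssl crl -noout -text -in "$1/crl.pem" | grep -qi "Serial Number: $2\$"
}

# cert_accepted DIR NAME
#   Returns 0 if a relying party that validates the chain and checks the
#   current CRL would accept DIR/NAME.pem, non-zero once it is on the CRL.
cert_accepted() {
    openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" \
        "$1/$2.pem" >/dev/null 2>&1
}

# Usage: sh crl_check.sh --demo   (runs the whole flow in a temporary directory)
if [ "${1-}" = "--demo" ]; then
    dir=$(mktemp -d)
    new_test_ca "$dir"
    issue_cert "$dir" host host.idm.example.com
    serial=$(cert_serial "$dir" host)
    cert_accepted "$dir" host && echo "serial $serial accepted before revocation"
    revoke_cert "$dir" host keyCompromise
    cert_accepted "$dir" host || echo "serial $serial rejected: listed on the CRL"
    rm -rf "$dir"
fi
```

The pair cert_accepted and crl_lists_serial is the check to run after a real revocation too: fetch the CRL the IdM CA publishes and confirm the serial is on it before assuming clients will refuse the certificate. Reason 6 maps to the openssl name certificateHold; in IdM the matching restore step is ipa cert-remove-hold, which has no single openssl ca equivalent, so the script does not model it.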

For details on requesting a new certificate, see the following documentation:

If you have revoked a certificate because of reason 6: Certificate Hold, you can restore it again if the private key for the certificate has not been compromised. To restore a certificate, use one of the following procedures:

Complete this procedure to use the IdM WebUI to restore an IdM certificate that has been revoked because of Reason 6: Certificate Hold.

Procedure

  1. In the Authentication menu, click Certificates > Certificates.
  2. Click the serial number of the certificate to open the certificate information page.

    Figure 7.3. List of Certificates

  3. In the certificate information page, click Actions > Restore Certificate.

Complete this procedure to use the IdM CLI to restore an IdM certificate that has been revoked because of Reason 6: Certificate Hold.

Procedure

  • Use the ipa cert-remove-hold command and specify the certificate serial number. For example:

    $ ipa cert-remove-hold 1032

  You can confirm the result with ipa cert-show and the same serial number, which reports whether the certificate is still revoked.