+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | | RHEL 7.6 / 4.6.4-10.el7_6.3 | RHEL 7.5 / 4.5.4-10.el7_5.4.4 | RHEL 7.4 / 4.5.0-22.el7_4 | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | Tracking requests | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | RA cert | /var/lib/ipa/ra-agent.pem | /var/lib/ipa/ra-agent.pem | /var/lib/ipa/ra-agent.pem | | | | | | | | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | | | | | | | | /usr/libexec/ipa/certmonger/renew_ra_cert_pre | /usr/libexec/ipa/certmonger/renew_ra_cert_pre | /usr/libexec/ipa/certmonger/renew_ra_cert_pre | | | | | | | | /usr/libexec/ipa/certmonger/renew_ra_cert | /usr/libexec/ipa/certmonger/renew_ra_cert | /usr/libexec/ipa/certmonger/renew_ra_cert | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | auditSigningCert cert-pki-ca | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | | | | | | | | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | | | | | | | | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/libexec/ipa/certmonger/stop_pkicad | | | | | | | | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/libexec/ipa/certmonger/renew_ca_cert | | | "auditSigningCert cert-pki-ca" | "auditSigningCert cert-pki-ca" | 
"auditSigningCert cert-pki-ca" | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | ocspSigningCert cert-pki-ca | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | | | | | | | | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | | | | | | | | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/libexec/ipa/certmonger/stop_pkicad | | | | | | | | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/libexec/ipa/certmonger/renew_ca_cert | | | "ocspSigningCert cert-pki-ca" | "ocspSigningCert cert-pki-ca" | "ocspSigningCert cert-pki-ca" | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | subsystemCert cert-pki-ca | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | | | | | | | | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | | | | | | | | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/libexec/ipa/certmonger/stop_pkicad | | | | | | | | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/libexec/ipa/certmonger/renew_ca_cert | | | "subsystemCert cert-pki-ca" | "subsystemCert cert-pki-ca" | "subsystemCert cert-pki-ca" | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | caSigningCert cert-pki-ca | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | | | | | | | | dogtag-ipa-ca-renew-agent | 
dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | | | | | | | | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/libexec/ipa/certmonger/stop_pkicad | | | | | | | | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/libexec/ipa/certmonger/renew_ca_cert | | | "caSigningCert cert-pki-ca" | "caSigningCert cert-pki-ca" | "caSigningCert cert-pki-ca" | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | Server-Cert cert-pki-ca | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | | | | | | | | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | | | | | | | | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/libexec/ipa/certmonger/stop_pkicad | | | | | | | | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/libexec/ipa/certmonger/renew_ca_cert | | | "Server-Cert cert-pki-ca" | "Server-Cert cert-pki-ca" | "Server-Cert cert-pki-ca" | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | Server-Cert | /etc/dirsrv/slapd-DOMAIN | /etc/dirsrv/slapd-DOMAIN | /etc/dirsrv/slapd-DOMAIN | | | | | | | | IPA | IPA | IPA | | | | | | | | | | | | | | | | | | /usr/libexec/ipa/certmonger/restart_dirsrv | /usr/libexec/ipa/certmonger/restart_dirsrv | /usr/libexec/ipa/certmonger/restart_dirsrv | | | DOMAIN | DOMAIN | DOMAIN | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | Server-Cert | /etc/httpd/alias | 
/etc/httpd/alias | /etc/httpd/alias | | | | | | | | IPA | IPA | IPA | | | | | | | | | | | | | | | | | | /usr/libexec/ipa/certmonger/restart_httpd | /usr/libexec/ipa/certmonger/restart_httpd | /usr/libexec/ipa/certmonger/restart_httpd | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | PKINIT | /var/kerberos/krb5kdc/kdc.crt | /var/kerberos/krb5kdc/kdc.crt | /var/kerberos/krb5kdc/kdc.key | | | | | | | | IPA | IPA | IPA | | | | | | | | | | | | | | | | | | /usr/libexec/ipa/certmonger/renew_kdc_cert | /usr/libexec/ipa/certmonger/renew_kdc_cert | /usr/libexec/ipa/certmonger/renew_kdc_cert | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | auditSigningCert cert-pki-kra | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | | | | | | | | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | | | | | | | | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/libexec/ipa/certmonger/stop_pkicad | | | | | | | | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/libexec/ipa/certmonger/renew_ca_cert | | | "auditSigningCert cert-pki-kra" | "auditSigningCert cert-pki-kra" | "auditSigningCert cert-pki-kra" | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | transportCert cert-pki-kra | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | | | | | | | | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | | | | | | | | 
/usr/libexec/ipa/certmonger/stop_pkicad | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/libexec/ipa/certmonger/stop_pkicad | | | | | | | | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/libexec/ipa/certmonger/renew_ca_cert | | | "transportCert cert-pki-kra" | "transportCert cert-pki-kra" | "transportCert cert-pki-kra" | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | storageCert cert-pki-kra | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | | | | | | | | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | | | | | | | | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/libexec/ipa/certmonger/stop_pkicad | | | | | | | | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/libexec/ipa/certmonger/renew_ca_cert | | | "storageCert cert-pki-kra" | "storageCert cert-pki-kra" | "storageCert cert-pki-kra" | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | CA helpers | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | IPA | /usr/libexec/certmonger/ipa-server-guard | /usr/libexec/certmonger/ipa-server-guard | /usr/libexec/certmonger/ipa-server-guard | | | /usr/libexec/certmonger/ipa-submit | /usr/libexec/certmonger/ipa-submit | /usr/libexec/certmonger/ipa-submit | 
+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | dogtag-ipa-renew-agent | /usr/libexec/certmonger/dogtag-ipa-renew-agent- | /usr/libexec/certmonger/dogtag-ipa-renew-agent- | /usr/libexec/certmonger/dogtag-ipa-renew-agent- | | | submit | submit | submit | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | dogtag-ipa-ca-renew-agent | /usr/libexec/certmonger/dogtag-ipa-ca-renew-age | /usr/libexec/certmonger/dogtag-ipa-ca-renew-age | /usr/libexec/certmonger/dogtag-ipa-ca-renew-age | | | nt-submit | nt-submit | nt-submit | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | dogtag-ipa-ca-renew-agent-reuse | /usr/libexec/certmonger/dogtag-ipa-ca-renew-age | /usr/libexec/certmonger/dogtag-ipa-ca-renew-age | /usr/libexec/certmonger/dogtag-ipa-ca-renew-age | | | nt-submit | nt-submit | nt-submit | | | --reuse-existing | --reuse-existing | --reuse-existing | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | | RHEL 7.3 / 4.4.0-14.el7_3.7 | RHEL 7.2 / 4.2.0-15.el7_2.19 | RHEL 7.1 / 4.1.0-18.el7_1.6 | 
+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | Tracking requests | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | RA cert | /etc/httpd/alias | /etc/httpd/alias | /etc/httpd/alias | | | | | | | | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | | | | | | | | /usr/libexec/ipa/certmonger/renew_ra_cert_pre | /usr/lib64/ipa/certmonger/renew_ra_cert_pre | | | | | | | | | /usr/libexec/ipa/certmonger/renew_ra_cert | /usr/lib64/ipa/certmonger/renew_ra_cert | /usr/lib64/ipa/certmonger/renew_ra_cert | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | auditSigningCert cert-pki-ca | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | | | | | | | | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | | | | | | | | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | | | | | | | | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | | | "auditSigningCert cert-pki-ca" | "auditSigningCert cert-pki-ca" | "auditSigningCert cert-pki-ca" | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | ocspSigningCert cert-pki-ca | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | | | | | | | | 
dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | | | | | | | | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | | | | | | | | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | | | "ocspSigningCert cert-pki-ca" | "ocspSigningCert cert-pki-ca" | "ocspSigningCert cert-pki-ca" | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | subsystemCert cert-pki-ca | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | | | | | | | | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | | | | | | | | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | | | | | | | | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | | | "subsystemCert cert-pki-ca" | "subsystemCert cert-pki-ca" | "subsystemCert cert-pki-ca" | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | caSigningCert cert-pki-ca | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | | | | | | | | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | | | | | | | | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | | | | | | | | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | | | "caSigningCert cert-pki-ca" | "caSigningCert 
cert-pki-ca" | "caSigningCert cert-pki-ca" | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | Server-Cert cert-pki-ca | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | | | | | | | | dogtag-ipa-renew-agent | dogtag-ipa-renew-agent | dogtag-ipa-renew-agent | | | | | | | | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | | | | | | | | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | | | "Server-Cert cert-pki-ca" | "Server-Cert cert-pki-ca" | "Server-Cert | | | | | | | | | | cert-pki-ca" | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | Server-Cert | /etc/dirsrv/slapd-DOMAIN | /etc/dirsrv/slapd-DOMAIN | /etc/dirsrv/slapd-DOMAIN | | | | | | | | IPA | IPA | IPA | | | | | | | | | | | | | | | | | | /usr/libexec/ipa/certmonger/restart_dirsrv | /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN | /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN | | | DOMAIN | | | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | Server-Cert | /etc/httpd/alias | /etc/httpd/alias | /etc/httpd/alias | | | | | | | | IPA | IPA | IPA | | | | | | | | | | | | | | | | | | /usr/libexec/ipa/certmonger/restart_httpd | /usr/lib64/ipa/certmonger/restart_httpd | /usr/lib64/ipa/certmonger/restart_httpd | 
+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | auditSigningCert cert-pki-kra | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | NA | | | | dogtag-ipa-ca-renew-agent | | | | dogtag-ipa-ca-renew-agent | | | | | | /usr/lib64/ipa/certmonger/stop_pkicad | | | | /usr/libexec/ipa/certmonger/stop_pkicad | | | | | | /usr/lib64/ipa/certmonger/renew_ca_cert | | | | /usr/libexec/ipa/certmonger/renew_ca_cert | "auditSigningCert cert-pki-kra" | | | | "auditSigningCert cert-pki-kra" | | | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | transportCert cert-pki-kra | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | NA | | | | | | | | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | | | | | | | | | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | | | | | | | | | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | | | | "transportCert cert-pki-kra" | "transportCert cert-pki-kra" | | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | storageCert cert-pki-kra | /etc/pki/pki-tomcat/alias | /etc/pki/pki-tomcat/alias | NA | | | | | | | | dogtag-ipa-ca-renew-agent | dogtag-ipa-ca-renew-agent | | | | | | | | | /usr/libexec/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | | | | | | | | | /usr/libexec/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | | | | | "storageCert cert-pki-kra" | | 
+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | CA helpers | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | IPA | /usr/libexec/certmonger/ipa-server-guard | /usr/libexec/certmonger/ipa-server-guard | /usr/libexec/certmonger/ipa-server-guard | | | /usr/libexec/certmonger/ipa-submit | /usr/libexec/certmonger/ipa-submit | /usr/libexec/certmonger/ipa-submit | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | dogtag-ipa-renew-agent | /usr/libexec/certmonger/ipa-server-guard | /usr/libexec/certmonger/ipa-server-guard | /usr/libexec/certmonger/ipa-server-guard | | | /usr/libexec/certmonger/dogtag-ipa-renew-agent- | /usr/libexec/certmonger/dogtag-ipa-renew-agent- | /usr/libexec/certmonger/dogtag-ipa-renew-agent- | | | submit | submit | submit | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | dogtag-ipa-ca-renew-agent | /usr/libexec/certmonger/dogtag-ipa-ca-renew-age | /usr/libexec/certmonger/dogtag-ipa-ca-renew-age | /usr/libexec/certmonger/dogtag-ipa-ca-renew-age | | | nt-submit | nt-submit | nt-submit | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ 
+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | | RHEL 7.0 / 3.3.3-28.el7_0.3 | RHEL 6.9 / 3.0.0-51.el6 | RHEL 6.8 / 3.0.0-50.el6_8.3 | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | Tracking requests | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | RA cert | /etc/httpd/alias | /etc/httpd/alias | /etc/httpd/alias | | | | | | | | (renewal master) | (renewal master) | (renewal master) | | | | | | | | dogtag-ipa-renew-agent | dogtag-ipa-renew-agent | dogtag-ipa-renew-agent | | | | | | | | | | | | | | | | | | /usr/lib64/ipa/certmonger/renew_ra_cert | /usr/lib64/ipa/certmonger/renew_ra_cert | /usr/lib64/ipa/certmonger/renew_ra_cert | | | | | | | | (replica) | (replica) | (replica) | | | | | | | | dogtag-ipa-retrieve-agent-submit | dogtag-ipa-retrieve-agent-submit | dogtag-ipa-retrieve-agent-submit | | | | | | | | | | | | | | | | | | /usr/lib64/ipa/certmonger/restart_httpd | /usr/lib64/ipa/certmonger/restart_httpd | /usr/lib64/ipa/certmonger/restart_httpd | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | auditSigningCert cert-pki-ca | /etc/pki/pki-tomcat/alias | /var/lib/pki-ca/alias | /var/lib/pki-ca/alias | | | | | | | | (renewal master) | (renewal master) | (renewal master) | | | | | | | | dogtag-ipa-renew-agent | dogtag-ipa-renew-agent | dogtag-ipa-renew-agent | | | | | | | | /usr/lib64/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad 
| /usr/lib64/ipa/certmonger/stop_pkicad | | | | | | | | /usr/lib64/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | | | "auditSigningCert cert-pki-ca" | "auditSigningCert cert-pki-ca" | "auditSigningCert cert-pki-ca" | | | | | | | | (replica) | (replica) | (replica) | | | | | | | | dogtag-ipa-retrieve-agent-submit | dogtag-ipa-retrieve-agent-submit | dogtag-ipa-retrieve-agent-submit | | | | | | | | /usr/lib64/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | | | | | | | | /usr/lib64/ipa/certmonger/restart_pkicad | /usr/lib64/ipa/certmonger/restart_pkicad | /usr/lib64/ipa/certmonger/restart_pkicad | | | "auditSigningCert cert-pki-ca" | "auditSigningCert cert-pki-ca" | "auditSigningCert cert-pki-ca" | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | ocspSigningCert cert-pki-ca | /etc/pki/pki-tomcat/alias | /var/lib/pki-ca/alias | /var/lib/pki-ca/alias | | | | | | | | (renewal master) | (renewal master) | (renewal master) | | | | | | | | dogtag-ipa-renew-agent | dogtag-ipa-renew-agent | dogtag-ipa-renew-agent | | | | | | | | /usr/lib64/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | | | | | | | | /usr/lib64/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | | | "ocspSigningCert cert-pki-ca" | "ocspSigningCert cert-pki-ca" | "ocspSigningCert cert-pki-ca" | | | | | | | | (replica) | (replica) | (replica) | | | | | | | | dogtag-ipa-retrieve-agent-submit | dogtag-ipa-retrieve-agent-submit | dogtag-ipa-retrieve-agent-submit | | | | | | | | /usr/lib64/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | | | | | | | | 
/usr/lib64/ipa/certmonger/restart_pkicad | /usr/lib64/ipa/certmonger/restart_pkicad | /usr/lib64/ipa/certmonger/restart_pkicad | | | "ocspSigningCert cert-pki-ca" | "ocspSigningCert cert-pki-ca" | "ocspSigningCert cert-pki-ca" | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | subsystemCert cert-pki-ca | /etc/pki/pki-tomcat/alias | /var/lib/pki-ca/alias | /var/lib/pki-ca/alias | | | | | | | | (renewal master) | (renewal master) | (renewal master) | | | | | | | | dogtag-ipa-renew-agent | dogtag-ipa-renew-agent | dogtag-ipa-renew-agent | | | | | | | | /usr/lib64/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | | | | | | | | /usr/lib64/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | /usr/lib64/ipa/certmonger/renew_ca_cert | | | | "subsystemCert cert-pki-ca" | "subsystemCert cert-pki-ca" | | | (replica) | | | | | | (replica) | (replica) | | | dogtag-ipa-retrieve-agent-submit | | | | | | dogtag-ipa-retrieve-agent-submit | dogtag-ipa-retrieve-agent-submit | | | /usr/lib64/ipa/certmonger/stop_pkicad | | | | | | /usr/lib64/ipa/certmonger/stop_pkicad | /usr/lib64/ipa/certmonger/stop_pkicad | | | /usr/lib64/ipa/certmonger/restart_pkicad | | | | | "subsystemCert cert-pki-ca" | /usr/lib64/ipa/certmonger/restart_pkicad | /usr/lib64/ipa/certmonger/restart_pkicad | | | | "subsystemCert cert-pki-ca" | "subsystemCert cert-pki-ca" | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | Server-Cert cert-pki-ca | /etc/pki/pki-tomcat/alias | /var/lib/pki-ca/alias | /var/lib/pki-ca/alias | | | | | | | | dogtag-ipa-renew-agent | dogtag-ipa-renew-agent | dogtag-ipa-renew-agent | | | | | | | | | | | | | | | 
| | | | | | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | Server-Cert | /etc/dirsrv/slapd-DOMAIN | /etc/dirsrv/slapd-DOMAIN | /etc/dirsrv/slapd-DOMAIN | | | | | | | | IPA | IPA | IPA | | | | | | | | | | | | | | | | | | /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN | /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN | /usr/lib64/ipa/certmonger/restart_dirsrv DOMAIN | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | Server-Cert | NA | /etc/dirsrv/slapd-PKI-IPA | /etc/dirsrv/slapd-PKI-IPA | | | | | | | | | IPA | IPA | | | | | | | | | | | | | | | | | | | /usr/lib64/ipa/certmonger/restart_dirsrv | /usr/lib64/ipa/certmonger/restart_dirsrv | | | | PKI-IPA | PKI-IPA | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | Server-Cert | /etc/httpd/alias | /etc/httpd/alias | /etc/httpd/alias | | | | | | | | IPA | IPA | IPA | | | | | | | | | | | | | | | | | | /usr/lib64/ipa/certmonger/restart_httpd | /usr/lib64/ipa/certmonger/restart_httpd | /usr/lib64/ipa/certmonger/restart_httpd | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | CA helpers | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | IPA | /usr/libexec/certmonger/ipa-submit | /usr/libexec/certmonger/ipa-submit | /usr/libexec/certmonger/ipa-submit | 
+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | dogtag-ipa-renew-agent | /usr/libexec/certmonger/dogtag-ipa-renew-agent- | /usr/libexec/certmonger/dogtag-ipa-renew-agent- | /usr/libexec/certmonger/dogtag-ipa-renew-agent- | | | submit | submit | submit | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+ | dogtag-ipa-retrieve-agent-submit | /usr/libexec/certmonger/dogtag-ipa-retrieve-age | /usr/libexec/certmonger/dogtag-ipa-retrieve-age | /usr/libexec/certmonger/dogtag-ipa-retrieve-age | | | nt-submit | nt-submit | nt-submit | +-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+-------------------------------------------------+

How to read the tables: in each "Tracking requests" cell the lines are, in order, the storage location, the CA helper name, the pre-command (blank if none) and the post-command. These correspond to the storage, CA, pre-save command and post-save command fields shown by `getcert list`.

Summary of changes:

RHEL 6.9 -> RHEL 7.0:
- /var/lib/pki-ca/alias is moved to /etc/pki/pki-tomcat/alias
- A single dirsrv instance is used instead of slapd-DOMAIN and slapd-PKI-IPA

RHEL 7.0 -> RHEL 7.1:
- The same helper is used on the renewal master and on replicas: dogtag-ipa-ca-renew-agent replaces dogtag-ipa-renew-agent and dogtag-ipa-retrieve-agent-submit. The dogtag-ipa-retrieve-agent-submit helper is removed and the dogtag-ipa-ca-renew-agent helper is added
- The same pre- and post-commands are used on the renewal master and on replicas
- The IPA and dogtag-ipa-renew-agent helpers use ipa-server-guard
- The IPA CA certificate (caSigningCert cert-pki-ca) is now tracked

RHEL 7.1 -> RHEL 7.2:
- KRA is supported and the KRA certs are tracked
- The RA cert has a pre-command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre

RHEL 7.2 -> RHEL 7.3:
- Pre- and post-commands are moved from /usr/lib64/ipa/certmonger to /usr/libexec/ipa/certmonger

RHEL 7.3 -> RHEL 7.4:
- The RA cert is moved from /etc/httpd/alias to /var/lib/ipa/ra-agent.pem
- The PKINIT cert is introduced in /var/kerberos/krb5kdc/kdc.crt
- The dogtag-ipa-renew-agent CA stops using ipa-server-guard
- The dogtag-ipa-ca-renew-agent-reuse CA is introduced