certmonger(8)               System Manager's Manual              certmonger(8)


NAME

       dogtag-ipa-renew-agent-submit


SYNOPSIS

       dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL [-d dbdir] [-n
       nickname] [-i cainfo] [-C capath] [-c certfile] [-k keyfile] [-p pinfile]
       [-P pin] [-s serial (hex)] [-D serial (decimal)] [-S state] [-T profile]
       [-O param=value] [-v] [csrfile]


DESCRIPTION

       dogtag-ipa-renew-agent-submit is the helper which certmonger uses to
       make certificate renewal requests to Dogtag instances running on IPA
       servers.  It is not normally run interactively, but it can be for
       troubleshooting purposes.

       The preferred operation is to request renewal of an already-issued
       certificate, identified by its serial number.  The serial number is
       read from a PEM-formatted certificate supplied in the
       CERTMONGER_CERTIFICATE environment variable, or given with the -s or -D
       option on the command line.  If no serial number is available, the
       client instead attempts to obtain a new certificate by submitting a
       signing request to the CA.

       The signing request to be submitted should either be in a file whose
       name is given as an argument, or fed to dogtag-ipa-renew-agent-submit
       via stdin.

       certmonger does not yet support retrieving trust information from
       Dogtag CAs.


OPTIONS

       -E EE-URL
              The top-level URL for the end-entity interface provided by the
              CA.  In IPA installations, this is typically
              http://SERVER:EEPORT/ca/ee/ca.  If no URL is specified, the host
              named in the [global] section of /etc/ipa/default.conf is used
              as SERVER, and EEPORT is inferred from the dogtag_version value
              in that same section: if dogtag_version is 10 or more, EEPORT is
              8080; otherwise it is 9180.

       -A AGENT-URL
              The top-level URL for the agent interface provided by the CA.
              In IPA installations, this is typically
              https://SERVER:AGENTPORT/ca/agent/ca.  If no URL is specified,
              the host named in the [global] section of /etc/ipa/default.conf
              is used as SERVER, and AGENTPORT is inferred from the
              dogtag_version value in that same section: if dogtag_version is
              10 or more, AGENTPORT is 8443; otherwise it is 9443.  This is
              the interface to which the agent credentials (-d, -n, -c, -k)
              are presented, so its server certificate is verified against
              the CA certificate given with -i or -C.

59
       -d dbdir -n nickname -c certfile -k keyfile
              The location of the key and certificate which the client uses
              to authenticate to the CA's agent interface.  Exactly which of
              these values is meaningful depends on which cryptography
              library your copy of libcurl was linked with: -d and -n select
              a certificate by nickname from an NSS database, while -c and -k
              name a certificate file and a key file.

              If none of these options are specified, and none of the -p, -P,
              -i, nor -C options are specified, then this set of defaults is
              used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt
              Note that giving any one of the credential, PIN or trust options
              disables all of these defaults, so a partial override must be
              completed by hand.

       -p pinfile
              The name of a file which contains the PIN/password needed to
              make use of the agent credentials.  The -P option accepts the
              PIN itself on the command line instead; since command-line
              arguments are visible to other local users in the process
              listing, -p is preferred.

              If this option is not specified, and none of the -d, -n, -c, -k,
              -P, -i, nor -C options are specified, then this set of defaults
              is used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -i cainfo -C capath
              The location of a file containing a copy of the CA's
              certificate, against which the CA server's certificate will be
              verified, or a directory containing, among other things, such a
              file.

              If these options are not specified, and none of the -d, -n, -c,
              -k, -p, nor -P options are specified, then this set of defaults
              is used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -s serial
              The serial number, in hexadecimal form, of an already-issued
              certificate for which the client should attempt to obtain a new
              certificate, used if one cannot be read from the
              CERTMONGER_CERTIFICATE environment variable.

       -D serial
              The serial number, in decimal form, of an already-issued
              certificate for which the client should attempt to obtain a new
              certificate, used if one cannot be read from the
              CERTMONGER_CERTIFICATE environment variable.
111
       -S state
              A cookie value provided by a previous instance of this helper,
              if the helper is being asked to continue a multi-step enrollment
              process.  If the CERTMONGER_COOKIE environment variable is set,
              its value is used.

       -T profile/template
              The name of the type of certificate which the client should
              request from the CA if it is not renewing a certificate (per the
              -s and -D options above).  If the CERTMONGER_CA_PROFILE
              environment variable is set, its value is used.  Otherwise, the
              default value is caServerCert.

       -O param=value
              An additional parameter to pass to the server when approving the
              signing request using the agent's credentials.  By default, any
              server-supplied default settings are applied.  This option can
              be used either to override a server-supplied default setting, or
              to supply one which would otherwise not have been used.

       -v     Increases the logging level.  Use twice for more logging.  This
              option is mainly useful for troubleshooting.
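
       Building a troubleshooting invocation from the rules above, as an
       added example that is not part of certmonger or of this manual page.
       It assumes that the server name comes from the host key of [global]
       (the page only says "the host named in the [global] section"), uses a
       constructed default.conf and a constructed, truncated DER structure in
       place of a real certificate, and reads the serial number with a
       minimal DER walk so that both the -s (hex) and -D (decimal) spellings
       can be derived from the same PEM that certmonger would pass in
       CERTMONGER_CERTIFICATE.

```python
import base64
import configparser

# Constructed sample of /etc/ipa/default.conf; not taken from a real deployment.
SAMPLE_DEFAULT_CONF = """\
[global]
realm = EXAMPLE.TEST
domain = example.test
host = ipa.example.test
xmlrpc_uri = https://ipa.example.test/ipa/xml
dogtag_version = 10
"""


def default_urls(conf_text):
    """Derive EE-URL and AGENT-URL as the manual page describes.

    Assumption: SERVER is the 'host' key of [global].  dogtag_version of 10
    or more selects ports 8080/8443; anything else, including a missing or
    non-numeric value, falls back to the legacy 9180/9443 ports.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    server = cp.get("global", "host")
    try:
        version = int(cp.get("global", "dogtag_version", fallback="0"))
    except ValueError:
        version = 0
    ee_port, agent_port = (8080, 8443) if version >= 10 else (9180, 9443)
    return (f"http://{server}:{ee_port}/ca/ee/ca",
            f"https://{server}:{agent_port}/ca/agent/ca")


def _der_tlv(buf, pos):
    """Decode one DER tag and length at buf[pos]; return (tag, start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def serial_from_pem(pem_text):
    """Return the serialNumber of a PEM certificate as a positive int.

    Walks Certificate -> tbsCertificate -> optional [0] version -> serialNumber;
    no full X.509 parser is needed for that.
    """
    body = "".join(ln.strip() for ln in pem_text.splitlines()
                   if ln.strip() and not ln.startswith("-----"))
    der = base64.b64decode(body)
    tag, pos, _ = _der_tlv(der, 0)           # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _der_tlv(der, pos)         # TBSCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _der_tlv(der, pos)
    if tag == 0xA0:                          # EXPLICIT [0] version: skip it
        tag, start, end = _der_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    # DER INTEGER is two's complement; RFC 5280 requires a positive serial, so
    # a 0x00 pad byte precedes any value whose high bit is set.
    serial = int.from_bytes(der[start:end], "big", signed=True)
    if serial <= 0:
        raise ValueError("serial number must be positive")
    return serial


def serial_options(pem_text):
    """The -s (hex) and -D (decimal) spellings of the certificate's serial."""
    serial = serial_from_pem(pem_text)
    return {"-s": format(serial, "x"), "-D": str(serial)}


def build_command(conf_text, pem_text):
    """Assemble an interactive, verbose renewal-by-serial invocation."""
    ee_url, agent_url = default_urls(conf_text)
    return ["dogtag-ipa-renew-agent-submit", "-E", ee_url, "-A", agent_url,
            "-D", serial_options(pem_text)["-D"], "-v", "-v"]


def _der(tag, content):
    """Short-form DER encoder; enough for the constructed sample below."""
    if len(content) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(content)]) + content


# Constructed stand-in for a certificate: only the leading tbsCertificate fields
# exist, which is all serial_from_pem() reads.  Serial 0x9A3F12 has its high
# bit set, so DER pads it with a leading 0x00.
_tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                 # version v3
                  + _der(0x02, bytes([0x00, 0x9A, 0x3F, 0x12])))   # serialNumber
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(_der(0x30, _tbs)).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(serial_options(SAMPLE_PEM))
    print(" ".join(build_command(SAMPLE_DEFAULT_CONF, SAMPLE_PEM)))
```

       The signed decode matters: a serial whose first byte has the high bit
       set is stored with a 0x00 pad in DER, and decoding it unsigned would
       leave that byte in the -s hex string, which the CA would not match.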

EXIT STATUS

       0      if the certificate was issued.  The certificate will be printed.

       1      if the CA is still thinking.  A cookie (state) value will be
              printed; pass it back with -S (or CERTMONGER_COOKIE) on the next
              attempt.

       2      if the CA rejected the request.  An error message may be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error
              message may be printed.

       5      if the CA is still thinking.  A suggested poll delay (in
              seconds) and a cookie (state) value will be printed; pass the
              cookie back with -S on the next attempt.

       17     if the CA indicates that the client needs to attempt enrollment
              using a new key pair.


FILES

       /etc/ipa/default.conf
              is the IPA client configuration file.  It is consulted to
              determine the URLs of the Dogtag server's end-entity and agent
              interfaces when they are not supplied as arguments.


BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/


SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-remove-ca(1) getcert-resubmit(1)
       getcert-start-tracking(1) getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8) certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8)
       certmonger-scep-submit(8) certmonger_selinux(8)

certmonger Manual                 18 Nov 2014                    certmonger(8)