certmonger(8)               System Manager's Manual              certmonger(8)

NAME

       ipa-submit

SYNOPSIS

       ipa-submit [-h serverHost] [-H serverURL] [-c cafile] [-C capath] [[-K]
       | [-t keytab] [-k submitterPrincipal]] [-P principalOfRequest]
       [-T profile] [csrfile]

DESCRIPTION

       ipa-submit is the helper which certmonger uses to make requests to
       IPA-based CAs.  It is not normally run interactively, but it can be for
       troubleshooting purposes.  The signing request which is to be submitted
       should either be in a file whose name is given as an argument, or fed
       into ipa-submit via stdin.

       certmonger supports retrieving trusted certificates from IPA CAs.  See
       getcert-request(1) and getcert-resubmit(1) for information about
       specifying where those certificates should be stored on the local
       system.  Trusted certificates are retrieved from the caCertificate
       attribute of entries present at and below cn=cacert,cn=ipa,cn=etc,$BASE
       in the IPA LDAP server's directory tree, where $BASE defaults to the
       value of the basedn setting in /etc/ipa/default.conf.

OPTIONS

       -P csrPrincipal
              Identifies the principal name of the service for which the
              certificate is being issued.  This setting is required by IPA
              and must always be specified.

       -X issuer
              Requests that the certificate be processed by the specified
              certificate issuer.  By default, if this flag is not specified,
              and the CERTMONGER_CA_ISSUER variable is set in the environment,
              then the value of the environment variable will be used.  This
              setting is optional, and if a server returns error 3005,
              indicating that it does not understand multiple profiles, the
              request will be re-submitted without specifying an issuer name.

       -T profile
              Requests that the certificate be processed using the specified
              certificate profile.  By default, if this flag is not specified,
              and the CERTMONGER_CA_PROFILE variable is set in the
              environment, then the value of the environment variable will be
              used.  This setting is optional, and if a server returns error
              3005, indicating that it does not understand multiple profiles,
              the request will be re-submitted without specifying a profile.

       -h serverHost
              Submit the request to the IPA server running on the named host.
              The default is to read the location of the host from
              /etc/ipa/default.conf.

       -H serverURL
              Submit the request to the IPA server at the specified location.
              The default is to read the location of the host from
              /etc/ipa/default.conf.

       -c cafile
              The server's certificate was issued by the CA whose certificate
              is in the named file.  The default value is /etc/ipa/ca.crt.

       -C capath
              Trust the server if its certificate was issued by a CA whose
              certificate is in a file in the named directory.  There is no
              default for this option, and it is not expected to be necessary.

       -t keytab
              Authenticate to the IPA server using credentials derived from
              keys stored in the named keytab.  The default value can vary,
              but it is usually /etc/krb5.keytab.  This option conflicts with
              the -K option.

       -k authPrincipal
              Authenticate to the IPA server using credentials derived from
              keys stored in the named keytab for this principal name.  The
              default value is the host service for the local host in the
              local realm.  This option conflicts with the -K option.

       -K     Authenticate to the IPA server using credentials derived from
              the default credential cache rather than a keytab.  This option
              conflicts with the -k option.

EXIT STATUS

       0      if the certificate was issued.  The certificate will be printed.

       1      if the CA is still thinking.  A cookie value will be printed.

       2      if the CA rejected the request.  An error message may be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error
              message may be printed.

       17     if the CA indicates that the client needs to attempt enrollment
              using a new key pair.
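
       An added troubleshooting wrapper (not part of certmonger) that runs the
       helper with -K and -P and files its output according to the exit status
       values listed above, so that error text is never saved as a certificate.
       IPA_SUBMIT, submit_csr, the .crt/.cookie suffixes and the local statuses
       64 and 70 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of certmonger. IPA_SUBMIT (assumed variable) names
# the helper; set it to the helper's full path on your system.
IPA_SUBMIT="${IPA_SUBMIT:-ipa-submit}"

# submit_csr PRINCIPAL CSRFILE OUTPREFIX   (hypothetical function name)
# Submits CSRFILE using the default credential cache (-K), files the helper's
# output by exit status, and returns that status unchanged.
# Local to this example: 64 = CSR unreadable, 70 = no temporary file.
submit_csr() {
    principal=$1 csr=$2 out=$3
    [ -r "$csr" ] || { echo "cannot read CSR: $csr" >&2; return 64; }
    tmp=$(mktemp) || return 70
    rc=0
    "$IPA_SUBMIT" -K -P "$principal" "$csr" >"$tmp" || rc=$?
    case $rc in
        0)  mv "$tmp" "$out.crt"
            echo "issued, certificate saved to $out.crt" ;;
        1)  mv "$tmp" "$out.cookie"
            echo "CA still thinking, cookie saved to $out.cookie" ;;
        2)  echo "rejected by the CA:" >&2; cat "$tmp" >&2 ;;
        3)  echo "CA unreachable (check -h/-H and -c/-C):" >&2; cat "$tmp" >&2 ;;
        4)  echo "configuration missing (check /etc/ipa/default.conf):" >&2
            cat "$tmp" >&2 ;;
        17) echo "CA asks for a new key pair; regenerate the key and CSR" >&2 ;;
        *)  echo "unexpected exit status $rc" >&2; cat "$tmp" >&2 ;;
    esac
    rm -f "$tmp"
    return "$rc"
}

# Usage (constructed names):
#   submit_csr HTTP/www.example.test@EXAMPLE.TEST req.csr /tmp/www
```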

FILES

       /etc/ipa/default.conf
              is the IPA client configuration file.  This file is consulted to
              determine the URL for the IPA server's XML-RPC interface.

BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-remove-ca(1) getcert-request(1)
       getcert-resubmit(1) getcert-start-tracking(1) getcert-status(1)
       getcert-stop-tracking(1) certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8)
       certmonger-local-submit(8) certmonger-scep-submit(8)
       certmonger_selinux(8)

certmonger Manual                16 April 2015                   certmonger(8)