certmonger(8)               System Manager's Manual              certmonger(8)

NAME

       scep-submit

SYNOPSIS

       scep-submit -u SERVER-URL [-r ra-cert-file] [-R ca-cert-file]
       [-I other-certs-file] [-i ca-identifier] [-v] [-n] [-c|-C|-g|-p]
       [pkimessage-filename]

DESCRIPTION

       scep-submit is the helper which certmonger can use to transmit
       certificate enrollment and renewal requests to servers using SCEP.
       It is not normally run interactively, but it can be for
       troubleshooting purposes.

       The request which is to be submitted should be a PEM-encoded SCEP
       pkiMessage either in a file whose name is given as an argument, or
       fed into scep-submit via stdin.

MODES

       -c     scep-submit will issue a GetCACaps request to the server and
              print the results.

       -C     scep-submit will issue GetCACert and GetCAChain requests to
              the server, parse the responses, and then print, in order,
              the RA certificate, the CA certificate, and any additional
              certificates.

       -p     scep-submit will issue a PKIOperation request to the server
              using the passed-in message as the message content.  It will
              parse the server's response, verify the signature, and if the
              response includes an issued certificate, it will output the
              pkcsPKIEnvelope in PEM format.  If the response indicates an
              error, it will print the error.

       -g     scep-submit will issue a PKIOperation request to the server
              using the passed-in message as the message content.  It will
              parse the server's response, verify the signature, and if the
              response includes an issued certificate, it will output the
              pkcsPKIEnvelope in PEM format.  If the response indicates an
              error, it will print the error.

OPTIONS

       -u SERVER-URL
              The location of the SCEP interface provided by the CA.  This
              is typically http://SERVER/cgi-bin/PKICLIENT.EXE or
              http://SERVER/certsrv/mscep/mscep.dll.  This option is always
              required.

       -R CA-certificate-file
              The location of the SCEP server's CA certificate, which was
              used to issue the SCEP server's certificate, or the SCEP
              server's own certificate, if it is self-signed, in PEM form.
              If the URL specified with the -u option is an https URL, then
              this option is required.

       -r RA-certificate-file
              The location of the SCEP server's RA certificate, which is
              expected to be used for signing responses sent by the SCEP
              server back to the client.  This option is required when
              either the -g flag or the -p flag is specified.

       -I other-certificates-file
              The location of a file containing other PEM-formatted
              certificates which may be needed in order to properly verify
              signed responses sent by the SCEP server back to the client.
              This option may be necessary when either the -g flag or the
              -p flag is specified.

       -i ca-identifier
              When called with the -c or -C flag, this option can be used
              to specify the CA identifier which is passed to the server as
              part of the client's request.  The default is "0".

       -n     The SCEP Renewal feature allows a client with a
              previously-issued certificate to use that certificate and the
              associated private key to request a new certificate for a
              different key pair, and can be used to support certmonger's
              rekeying feature if the SCEP server advertises support for
              it.  This option forces the scep-submit helper to prefer to
              issue requests which do not make use of this feature.

       -v     Increases the logging level.  Use twice for more logging.
              This option is mainly useful for troubleshooting.

EXIT STATUS

       0      if the certificate was issued.  The pkcsPKIEnvelope will be
              printed in PEM-encoded form.

       1      if the CA is still thinking.  A cookie (state) value will be
              printed.

       2      if the CA rejected the request.  An error message may be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error
              message may be printed.

       5      if the CA is still thinking.  A suggested poll delay
              (specified in seconds) and a cookie (state) value will be
              printed.

       16     if the helper needs an SCEP pkiMessage, but couldn't read one.

       17     if the CA indicates that the client needs to attempt
              enrollment using a new key pair.
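
       An added example, not part of certmonger or its manual: a POSIX
       shell wrapper for troubleshooting runs that checks the option
       requirements stated under OPTIONS before invoking the helper, then
       maps the exit statuses listed above to a next step.  The SCEP_SUBMIT
       variable, the function names and the step labels are assumptions of
       this example.

```shell
# Added example, not certmonger code; SCEP_SUBMIT and all names are assumed.
SCEP_SUBMIT=${SCEP_SUBMIT:-scep-submit}

# scep_preflight MODE URL RA_FILE CA_FILE ("" = option not given).
# Prints one line per problem; returns 0 only if none were found.
scep_preflight() {
    mode=$1 url=$2 ra=$3 ca=$4 bad=0
    [ -n "$url" ] || { echo "-u SERVER-URL is always required"; bad=1; }
    case $url in
        https://*) [ -n "$ca" ] || { echo "https URL requires -R"; bad=1; } ;;
    esac
    case $mode in
        g|p) [ -n "$ra" ] || { echo "-$mode requires -r"; bad=1; } ;;
    esac
    for f in "$ra" "$ca"; do
        [ -z "$f" ] || [ -r "$f" ] || { echo "cannot read $f"; bad=1; }
    done
    # The OPTIONS text says the -R file is in PEM form.
    if [ -n "$ca" ] && [ -r "$ca" ] &&
       ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "$ca holds no PEM certificate"; bad=1
    fi
    return $bad
}

# scep_next_step STATUS: caller action for each documented exit status.
scep_next_step() {
    case $1 in
        0)   echo issued ;;
        1|5) echo poll-later ;;
        2)   echo rejected ;;
        3)   echo unreachable ;;
        4)   echo fix-configuration ;;
        16)  echo no-pkimessage ;;
        17)  echo new-key-pair ;;
        *)   echo unknown ;;
    esac
}

# scep_run MODE URL RA_FILE CA_FILE [PKIMESSAGE-FILE]: preflight, run, report.
scep_run() {
    scep_preflight "$1" "$2" "$3" "$4" >&2 || { echo fix-configuration; return 4; }
    m=$1 u=$2 r=$3 c=$4 msg=$5
    set -- -u "$u"
    [ -z "$m" ] || set -- "$@" "-$m"
    [ -z "$r" ] || set -- "$@" -r "$r"
    [ -z "$c" ] || set -- "$@" -R "$c"
    [ -z "$msg" ] || set -- "$@" "$msg"
    rc=0; "$SCEP_SUBMIT" "$@" || rc=$?
    scep_next_step "$rc"; return "$rc"
}
```

       When no PKIMESSAGE-FILE is passed, the helper reads the request
       from stdin, as DESCRIPTION states.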

BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-dogtag-submit(8) certmonger-ipa-submit(8)
       certmonger-local-submit(8) certmonger_selinux(8)

certmonger Manual                20 June 2015                    certmonger(8)