CERTMONGER(8)               System Manager's Manual              CERTMONGER(8)

NAME

       dogtag-submit

SYNOPSIS

       dogtag-submit -E EE-URL -A AGENT-URL [-d DIR] [-n NAME] [-i FILE] [-C
       DIR] [-c FILE] [-k FILE] [-p FILE] [-P PIN] [-s serial (hex)] [-D
       serial (decimal)] [-S state] [-T profile] [-O param=value] [-N | -R]
       [-t] [-o option=value] [-a] [-u username] [-U userdn] [-W PASSWORD] [-w
       FILE] [-Y PIN] [-y FILE] [-v] [csrfile]

DESCRIPTION

       dogtag-submit is the helper which certmonger can use to make
       certificate enrollment and renewal requests to Dogtag servers.  It is
       not normally run interactively, but it can be for troubleshooting
       purposes.

       The preferred option is to request a renewal of an already-issued
       certificate, using its serial number, which can be read from a
       PEM-formatted certificate provided in the CERTMONGER_CERTIFICATE
       environment variable, or via the -s or -D option on the command line.
       If no serial number is provided, then the client will attempt to obtain
       a new certificate by submitting a signing request to the CA.

       The signing request which is to be submitted should either be in a file
       whose name is given as an argument, or fed into dogtag-submit via
       stdin.

       certmonger does not yet support retrieving trust information from
       Dogtag CAs.

OPTIONS

       -E EE-URL, --ee-url=EE-URL
              The top-level URL for the end-entity interface provided by the
              CA, through which the initial enrollment request will be
              submitted.  This is typically http://SERVER:EEPORT/ca/ee/ca.

       -A AGENT-URL, --agent-url=AGENT-URL
              The top-level URL for the agent interface provided by the CA,
              through which the request can be approved using agent
              credentials.  This is typically
              https://SERVER:AGENTPORT/ca/agent/ca.

       -i FILE, --cafile=FILE
              The location of a file containing a copy of the CA's
              certificate, against which the CA server's certificate will be
              verified.

       -C DIR, --capath=DIR
              The location of a directory containing a copy of the CA's
              certificate(s), against which the CA server's certificate will
              be verified.

       -D SERIAL, --serial=SERIAL
              The serial number of an already-issued certificate for which the
              client should attempt to obtain a new certificate, in decimal
              form, if one can not be read from the CERTMONGER_CERTIFICATE
              environment variable.

       -s SERIAL, --hex-serial=SERIAL
              The serial number of an already-issued certificate for which the
              client should attempt to obtain a new certificate, in
              hexadecimal form, if one can not be read from the
              CERTMONGER_CERTIFICATE environment variable.

       -S STATE, --state=STATE
              A cookie value provided by a previous instance of this helper,
              if the helper is being asked to continue a multi-step enrollment
              process.  If the CERTMONGER_COOKIE environment variable is set,
              its value is used.

       -T NAME, --profile=NAME
              The name of the type of certificate which the client should
              request from the CA if it is not renewing a certificate (per the
              -s option above).  If the CERTMONGER_CA_PROFILE environment
              variable is set, its value is used.  Otherwise, the default
              value is caServerCert.

       -O param=value, --approval-options=param=value
              An additional parameter to pass to the server when approving the
              signing request using agent credentials.  By default, any
              server-supplied default settings are applied.  This option can
              be used either to override a server-supplied default setting, or
              to supply one which would otherwise have not been used.
              Requires the -A option.

       -N, --force-new
              Even if an already-issued certificate is available in the
              CERTMONGER_CERTIFICATE environment variable, or a serial number
              has been provided, don't attempt to renew a certificate using
              its serial number.  Instead, attempt to obtain a new certificate
              using the signing request.  The default behavior is to request a
              renewal if possible.

       -R, --force-renew
              Negates the effect of the -N flag.

       -t, --profile-list
              Instead of attempting to obtain a new certificate, query the
              server for a list of the enabled enrollment profiles.

       -o param=value, --submit-option=param=value
              When initially submitting a request to the CA, add the specified
              parameter and value along with any request parameters which
              would otherwise be sent.

       -a, --agent-submit
              Use agent credentials, specified using some combination of the
              -d, -n, -c, and -k flags, to authenticate to the CA when
              initially submitting a request to the CA or retrieving the list
              of enabled enrollment profiles.  This is typically required when
              the enrollment profile being used uses AgentCertAuth-based
              authentication, and requires that the URL specified using the -E
              flag be an HTTPS URL, or when the URL specified using the -E
              flag is an HTTPS URL.

       -u username, --uid=username
              When initially submitting a request to the CA, supply the
              specified value as a user name.  This is typically required when
              the enrollment profile being used uses UidPwdDirAuth-based or
              NISAuth-based authentication.

       -U userdn, --upn=userdn
              When initially submitting a request to the CA, supply the
              specified value as the DN (distinguished name) of the user's
              entry in a directory server which the CA is configured to use
              for checking the user's password.  This is typically required
              when the enrollment profile being used uses UdnPwdDirAuth-based
              authentication.

       -W PASSWORD, --userpwd=PASSWORD
              When initially submitting a request to the CA, supply the
              specified value as the password for the user whose name is
              specified with the -u option, or whose DN is specified with the
              -U option.  This is typically only required when the enrollment
              profile being used uses UidPwdDirAuth-based,
              UserPwdDirAuth-based, or NISAuth-based authentication.  If the
              URL specified using the -E flag is not an HTTPS URL, this value
              will not be encrypted.

       -w FILE, --userpwdfile=FILE
              When initially submitting a request to the CA, read from the
              specified file a password to supply for the user whose name is
              specified with the -u option, or whose DN is specified with the
              -U option.  This is typically only required when the enrollment
              profile being used uses UidPwdDirAuth-based,
              UserPwdDirAuth-based, or NISAuth-based authentication.  If the
              URL specified using the -E flag is not an HTTPS URL, this value
              will not be encrypted.

       -Y PIN, --userpin=PIN
              When initially submitting a request to the CA, supply the
              specified value as the PIN for the user whose name is specified
              with the -u option, or whose DN is specified with the -U option.
              This is typically only required when the enrollment profile
              being used uses UidPwdPinDirAuth-based authentication.  If the
              URL specified using the -E flag is not an HTTPS URL, this value
              will not be encrypted.

       -y FILE, --userpinfile=FILE
              When initially submitting a request to the CA, read from the
              specified file a PIN to supply for the user whose name is
              specified with the -u option, or whose DN is specified with the
              -U option.  This is typically only required when the enrollment
              profile being used uses UidPwdPinDirAuth-based authentication.
              If the URL specified using the -E flag is not an HTTPS URL, this
              value will not be encrypted.

       -v, --verbose
              Increases the logging level.  Use twice for more logging.  This
              option is mainly useful for troubleshooting.

AGENT KEY AND CERTIFICATE OPTIONS

       Options that provide the location for the private key and public
       certificate which the client should use to authenticate to the CA's
       agent interface.  The values to use depend on which cryptography
       library your copy of libcurl was linked with.

       -d DIR, --dbdir=DIR
              Use an NSS database in the specified directory for this
              certificate and key.  Only valid with -n.

       -n NAME, --nickname=NAME
              Use the NSS key with this nickname.  Only valid with -d.

       -c FILE, --certfile=FILE
              The PEM file that contains the public certificate.  Only valid
              with -k.

       -k FILE, --keyfile=FILE
              The PEM file that contains the private key.  Only valid with -c.

       -p FILE, --sslpinfile=FILE
              The name of a file which contains a PIN/password which will be
              needed in order to make use of the agent credentials.

       -P PIN, --sslpin=PIN
              The PIN/password which will be needed in order to make use of
              the agent credentials.

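       The option rules stated above (password and PIN options over a
       non-HTTPS -E URL, -a needing an HTTPS -E URL, -O requiring -A, and the
       -d/-n and -c/-k pairings) can be checked before the helper is run.  The
       following is an added example, not part of certmonger; the function
       names are hypothetical, and it assumes each short option and its value
       are separate words (long options use the --name=value form).

```shell
#!/bin/sh
# Added example, not certmonger code: lint a dogtag-submit argument list
# against the option rules stated in this page. Function names are made up.

short_form() {  # map the long spellings checked below to their short option
    case ${1%%=*} in
        --ee-url) printf %s -E ;;           --agent-url) printf %s -A ;;
        --approval-options) printf %s -O ;; --agent-submit) printf %s -a ;;
        --dbdir) printf %s -d ;;            --nickname) printf %s -n ;;
        --certfile) printf %s -c ;;         --keyfile) printf %s -k ;;
        --userpwd) printf %s -W ;;          --userpwdfile) printf %s -w ;;
        --userpin) printf %s -Y ;;          --userpinfile) printf %s -y ;;
        *) printf %s "$1" ;;
    esac
}

has() { case $seen in *" $1 "*) return 0 ;; esac; return 1; }
finding() { printf '%s\n' "$1"; bad=1; }

# Prints one finding per line; returns 0 for a clean argument list, 1 otherwise.
lint_dogtag_args() {
    ee_url='' seen=' ' prev='' bad=0
    for arg in "$@"; do
        if [ -n "$prev" ]; then               # this word is the previous option's value
            if [ "$prev" = -E ]; then ee_url=$arg; fi
            prev=''; continue
        fi
        seen="$seen$(short_form "$arg") "
        case $arg in
            --ee-url=*) ee_url=${arg#*=} ;;
            -[EAdniCckpPsDSTOouUWwYy]) prev=$arg ;;   # short options that take a value
        esac
    done
    case $ee_url in https://*) tls=1 ;; *) tls=0 ;; esac
    for o in -W -w -Y -y; do                  # password/PIN options
        if has "$o" && [ "$tls" -eq 0 ]; then
            finding "$o: -E is not an HTTPS URL, so the secret is sent unencrypted"
        fi
    done
    if has -a && [ "$tls" -eq 0 ]; then finding "-a: requires an HTTPS -E URL"; fi
    if has -O && ! has -A; then finding "-O: requires -A"; fi
    for pair in "-d -n" "-n -d" "-c -k" "-k -c"; do
        set -- $pair                          # $1 is only valid together with $2
        if has "$1" && ! has "$2"; then finding "$1: only valid with $2"; fi
    done
    return "$bad"
}
```

       Call it as lint_dogtag_args "$@" in a wrapper and run the helper only
       when it returns 0.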

EXIT STATUS

       0      if the certificate was issued.  The certificate will be printed.

       1      if the CA is still thinking.  A cookie (state) value will be
              printed.

       2      if the CA rejected the request.  An error message may be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error
              message may be printed.

       5      if the CA is still thinking.  A suggested poll delay (specified
              in seconds) and a cookie (state) value will be printed.

       17     if the CA indicates that the client needs to attempt enrollment
              using a new key pair.

BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-ipa-submit(8)
       certmonger-local-submit(8) certmonger-scep-submit(8)
       certmonger_selinux(8)

certmonger Manual              October 27, 2015                  CERTMONGER(8)