certmonger(8)            System Manager's Manual            certmonger(8)

NAME
       dogtag-submit

SYNOPSIS
       dogtag-submit -E EE-URL -A AGENT-URL [-d dbdir] [-n nickname]
       [-i cainfo] [-C capath] [-c certfile] [-k keyfile] [-p pinfile]
       [-P pin] [-s serial (hex)] [-D serial (decimal)] [-S state]
       [-T profile] [-O param=value] [-N | -R] [-v] [csrfile]

DESCRIPTION
       dogtag-submit is the helper which certmonger can use to make
       certificate enrollment and renewal requests to Dogtag servers. It
       is not normally run interactively, but it can be for
       troubleshooting purposes.

       The preferred option is to request a renewal of an already-issued
       certificate, using its serial number, which can be read from a
       PEM-formatted certificate provided in the CERTMONGER_CERTIFICATE
       environment variable, or via the -s or -D option on the command
       line. If no serial number is provided, then the client will
       attempt to obtain a new certificate by submitting a signing
       request to the CA.

       The signing request which is to be submitted should either be in a
       file whose name is given as an argument, or fed into dogtag-submit
       via stdin.

       certmonger does not yet support retrieving trust information from
       Dogtag CAs.

OPTIONS
       -E EE-URL
              The top-level URL for the end-entity interface provided by
              the CA. This is typically http://SERVER:EEPORT/ca/ee/ca.

       -A AGENT-URL
              The top-level URL for the agent interface provided by the
              CA. This is typically https://SERVER:AGENTPORT/ca/agent/ca.

       -d dbdir -n nickname -c certfile -k keyfile
              The location of the key and certificate which the client
              should use to authenticate to the CA's agent interface.
              Exactly which values are meaningful depends on which
              cryptography library your copy of libcurl was linked with.

       -p pinfile
              The name of a file which contains a PIN/password which will
              be needed in order to make use of the agent credentials.

       -i cainfo -C capath
              The location of a file containing a copy of the CA's
              certificate, against which the CA server's certificate will
              be verified, or a directory containing, among other things,
              such a file.

       -s serial
              The serial number of an already-issued certificate for
              which the client should attempt to obtain a new
              certificate, in hexadecimal form, if one cannot be read
              from the CERTMONGER_CERTIFICATE environment variable.

       -D serial
              The serial number of an already-issued certificate for
              which the client should attempt to obtain a new
              certificate, in decimal form, if one cannot be read from
              the CERTMONGER_CERTIFICATE environment variable.

       -S state
              A cookie value provided by a previous instance of this
              helper, if the helper is being asked to continue a
              multi-step enrollment process. If the CERTMONGER_COOKIE
              environment variable is set, its value is used.

       -T profile/template
              The name of the type of certificate which the client should
              request from the CA if it is not renewing a certificate
              (per the -s option above). If the CERTMONGER_CA_PROFILE
              environment variable is set, its value is used. Otherwise,
              the default value is caServerCert.

       -O param=value
              An additional parameter to pass to the server when
              approving the signing request using agent credentials. By
              default, any server-supplied default settings are applied.
              This option can be used either to override a
              server-supplied default setting, or to supply one which
              would otherwise have not been used. Requires the -A option.

       -N     Even if an already-issued certificate is available in the
              CERTMONGER_CERTIFICATE environment variable, or a serial
              number has been provided, don't attempt to renew a
              certificate using its serial number. Instead, attempt to
              obtain a new certificate using the signing request.

       -R     Negates the effect of the -N flag.

       -v     Increases the logging level. Use twice for more logging.
              This option is mainly useful for troubleshooting.

EXIT STATUS
       0      if the certificate was issued. The certificate will be
              printed.

       1      if the CA is still thinking. A cookie (state) value will be
              printed.

       2      if the CA rejected the request. An error message may be
              printed.

       3      if the CA was unreachable. An error message may be printed.

       4      if critical configuration information is missing. An error
              message may be printed.

       5      if the CA is still thinking. A suggested poll delay
              (specified in seconds) and a cookie (state) value will be
              printed.

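The following is an added example, not part of the certmonger manual or project code: a troubleshooting wrapper that runs the helper once and turns the exit statuses listed above into a next step. It assumes the helper is reachable as dogtag-submit on PATH (override with HELPER), that with status 5 the poll delay is the first line of output and the cookie follows, and uses a hypothetical DEFAULT_DELAY when status 1 gives no delay.

```shell
#!/bin/sh
# Added example, not certmonger project code: interpret one dogtag-submit run.
HELPER=${HELPER:-dogtag-submit}     # assumption: on PATH, else set HELPER
DEFAULT_DELAY=${DEFAULT_DELAY:-60}  # hypothetical fallback for status 1

# outcome STATUS -> label for each documented exit status
outcome() {
    case "$1" in
        0) echo issued ;;
        1|5) echo pending ;;
        2) echo rejected ;;
        3) echo unreachable ;;
        4) echo misconfigured ;;
        *) echo unknown ;;
    esac
}

# poll_delay STATUS OUTPUT -> seconds to wait before the next attempt.
# Assumption: with status 5 the delay is the first line of the output.
poll_delay() {
    d=
    if [ "$1" = 5 ]; then d=$(printf '%s\n' "$2" | sed -n 1p); fi
    case "$d" in
        ''|*[!0-9]*) echo "$DEFAULT_DELAY" ;;  # absent or not a number
        *) echo "$d" ;;
    esac
}

# cookie STATUS OUTPUT -> state value to hand back with -S
cookie() {
    if [ "$1" = 5 ]; then printf '%s\n' "$2" | sed 1d
    else printf '%s\n' "$2"
    fi
}

# run_once ARGS... -> run the helper once and report what to do next
run_once() {
    out=$("$HELPER" "$@") && st=0 || st=$?
    label=$(outcome "$st")
    echo "status=$st outcome=$label"
    case "$label" in
        pending) echo "retry_after=$(poll_delay "$st" "$out")"
                 echo "cookie=$(cookie "$st" "$out")" ;;
        issued)  printf '%s\n' "$out" ;;        # the certificate
        *)       printf '%s\n' "$out" >&2 ;;    # error message, if any
    esac
    return "$st"
}
if [ "$#" -gt 0 ]; then run_once "$@"; fi
```

When the outcome is pending, pass the reported cookie back with -S (or in CERTMONGER_COOKIE) on the next run, after waiting the reported number of seconds.
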
BUGS
       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO
       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-remove-ca(1) getcert-resubmit(1)
       getcert-start-tracking(1) getcert-status(1)
       getcert-stop-tracking(1) certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8)
       certmonger-scep-submit(8) certmonger_selinux(8)

certmonger Manual               18 Nov 2014               certmonger(8)