certmonger(8)               System Manager's Manual              certmonger(8)

NAME

       ipa-submit

SYNOPSIS

       ipa-submit [-h serverHost] [-H serverURL] [-c cafile] [-C capath] [[-K]
       | [-t keytab] [-k submitterPrincipal]] [-P principalOfRequest] [csrfile]

DESCRIPTION

       ipa-submit is the helper which certmonger uses to make requests to IPA-
       based CAs.  It is not normally run interactively, but it can be for
       troubleshooting purposes.  The signing request which is to be submitted
       should either be in a file whose name is given as an argument, or fed
       into ipa-submit via stdin.

       certmonger supports retrieving trusted certificates from IPA CAs.  See
       getcert-request(1) and getcert-resubmit(1) for information about
       specifying where those certificates should be stored on the local
       system.  Trusted certificates are retrieved from the caCertificate
       attribute of entries present at and below
       cn=cacert,cn=ipa,cn=etc,$BASE in the IPA LDAP server's directory tree,
       where $BASE defaults to the value of the basedn setting in
       /etc/ipa/default.conf.

OPTIONS

       -P csrPrincipal
              Identifies the principal name of the service for which the
              certificate is being issued.  This setting is required by IPA
              and must always be specified.

       -h serverHost
              Submit the request to the IPA server running on the named host.
              The default is to read the location of the host from
              /etc/ipa/default.conf.

       -H serverURL
              Submit the request to the IPA server at the specified location.
              The default is to read the location of the host from
              /etc/ipa/default.conf.

       -c cafile
              The server's certificate was issued by the CA whose certificate
              is in the named file.  The default value is /etc/ipa/ca.crt.

       -C capath
              Trust the server if its certificate was issued by a CA whose
              certificate is in a file in the named directory.  There is no
              default for this option, and it is not expected to be necessary.

       -t keytab
              Authenticate to the IPA server using credentials derived from
              keys stored in the named keytab.  The default value can vary,
              but it is usually /etc/krb5.keytab.  This option conflicts with
              the -K option.

       -k authPrincipal
              Authenticate to the IPA server using credentials derived from
              keys stored in the named keytab for this principal name.  The
              default value is the host service for the local host in the
              local realm.  This option conflicts with the -K option.

       -K     Authenticate to the IPA server using credentials derived from
              the default credential cache rather than a keytab.  This option
              conflicts with the -k option.

EXIT STATUS

       0      if the certificate was issued.  The certificate will be printed.

       1      if the CA is still thinking.  A cookie value will be printed.

       2      if the CA rejected the request.  An error message may be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error
              message may be printed.
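
       The exit statuses above are what a wrapper has to branch on when
       ipa-submit is run by hand for troubleshooting.  The shell function
       below is an added example, not part of certmonger; submit_csr, the
       IPA_SUBMIT variable, the output file names, the local status 99 and
       the PEM check on the printed certificate are assumptions of the
       example.

```sh
# Added example, not part of certmonger.  IPA_SUBMIT, submit_csr, the output
# file names and local status 99 are assumptions of this example.
IPA_SUBMIT="${IPA_SUBMIT:-ipa-submit}"   # install path of the helper varies

# submit_csr PRINCIPAL CSRFILE OUTPREFIX
# Returns the helper's exit status (99 for errors detected by this wrapper)
# and writes OUTPREFIX.crt (status 0) or OUTPREFIX.cookie (status 1).
submit_csr() {
    principal=$1; csr=$2; out=$3
    [ -r "$csr" ] || { echo "cannot read CSR: $csr" >&2; return 99; }

    # -K: authenticate from the default credential cache (kinit first).
    # -P: required by IPA and must always be specified.
    rc=0
    reply=$("$IPA_SUBMIT" -K -P "$principal" "$csr") || rc=$?

    case $rc in
    0)  # Issued.  Assumption: the certificate is printed in PEM form.
        case $reply in
        *"-----BEGIN CERTIFICATE-----"*) ;;
        *) echo "status 0 but no PEM certificate printed" >&2; return 99 ;;
        esac
        printf '%s\n' "$reply" > "$out.crt"
        echo "issued: $out.crt" >&2 ;;
    1)  # CA still thinking: keep the cookie, readable by the owner only.
        (umask 077; printf '%s\n' "$reply" > "$out.cookie")
        echo "pending: cookie saved to $out.cookie" >&2 ;;
    2)  echo "rejected by CA: $reply" >&2 ;;
    3)  echo "CA unreachable, check -h/-H and -c/-C: $reply" >&2 ;;
    4)  echo "configuration missing, see /etc/ipa/default.conf: $reply" >&2 ;;
    *)  echo "unexpected exit status $rc: $reply" >&2 ;;
    esac
    return "$rc"
}
```

       Statuses 0 through 4 are passed back unchanged, so a caller can
       still tell a rejection (2) from an unreachable CA (3).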

FILES

       /etc/ipa/default.conf
              is the IPA client configuration file.  This file is consulted to
              determine the URL for the IPA server's XML-RPC interface.

BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-remove-ca(1) getcert-request(1)
       getcert-resubmit(1) getcert-start-tracking(1) getcert-status(1)
       getcert-stop-tracking(1) certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8)
       certmonger-local-submit(8) certmonger-scep-submit(8)
       certmonger_selinux(8)

certmonger Manual                 7 June 2010                    certmonger(8)