certmonger(8)               System Manager's Manual              certmonger(8)

NAME

       scep-submit

SYNOPSIS

       scep-submit -u SERVER-URL [-r ra-cert-file] [-R ca-cert-file]
       [-I other-certs-file] [-i ca-identifier] [-v] [-c|-C|-g|-p]
       [pkimessage-filename]

DESCRIPTION

       scep-submit is the helper which certmonger can use to transmit
       certificate enrollment and renewal requests to servers using SCEP.
       It is not normally run interactively, but it can be for
       troubleshooting purposes.

       The request which is to be submitted should be a PEM-encoded SCEP
       pkiMessage either in a file whose name is given as an argument, or
       fed into scep-submit via stdin.

MODES

       -c     scep-submit will issue a GetCACaps request to the server and
              print the results.

       -C     scep-submit will issue GetCACert and GetCAChain requests to the
              server, parse the responses, and then print, in order, the RA
              certificate, the CA certificate, and any additional
              certificates.

       -p     scep-submit will issue a PKIOperation request to the server
              using the passed-in message as the message content.  It will
              parse the server's response, verify the signature, and if the
              response includes an issued certificate, it will output the
              pkcsPKIEnvelope in PEM format.  If the response indicates an
              error, it will print the error.

       -g     scep-submit will issue a PKIOperation request to the server
              using the passed-in message as the message content.  It will
              parse the server's response, verify the signature, and if the
              response includes an issued certificate, it will output the
              pkcsPKIEnvelope in PEM format.  If the response indicates an
              error, it will print the error.

OPTIONS

       -u SERVER-URL
              The location of the SCEP interface provided by the CA.  This is
              typically http://SERVER/cgi-bin/PKICLIENT.EXE or
              http://SERVER/certsrv/mscep/mscep.dll.  This option is always
              required.

       -R CA-certificate-file
              The location of the SCEP server's CA certificate, which was used
              to issue the SCEP server's certificate, or the SCEP server's own
              certificate, if it is self-signed, in PEM form.  If the URL
              specified with the -u option is an https URL, then this option
              is required.

       -r RA-certificate-file
              The location of the SCEP server's RA certificate, which is
              expected to be used for signing responses sent by the SCEP
              server back to the client.  This option is required when either
              the -g flag or the -p flag is specified.

       -I other-certificates-file
              The location of a file containing other PEM-formatted
              certificates which may be needed in order to properly verify
              signed responses sent by the SCEP server back to the client.
              This option may be necessary when either the -g flag or the -p
              flag is specified.

       -i ca-identifier
              When called with the -c or -C flag, this option can be used to
              specify the CA identifier which is passed to the server as part
              of the client's request.  The default is "0".

       -v     Increases the logging level.  Use twice for more logging.  This
              option is mainly useful for troubleshooting.

EXIT STATUS

       0      if the certificate was issued.  The pkcsPKIEnvelope will be
              printed in PEM-encoded form.

       1      if the CA is still thinking.  A cookie (state) value will be
              printed.

       2      if the CA rejected the request.  An error message may be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error
              message may be printed.

       5      if the CA is still thinking.  A suggested poll delay (specified
              in seconds) and a cookie (state) value will be printed.

       16     if the helper needs an SCEP pkiMessage, but couldn't read one.
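A pre-flight wrapper for running the helper by hand, as an added example that is not part of certmonger: it enforces the option requirements listed under OPTIONS before calling scep-submit and decodes the result using the EXIT STATUS table. The function names, the SCEP_SUBMIT override and the wrapper's reuse of status 4 for its own checks are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of certmonger). SCEP_SUBMIT is an assumed override
# so the wrapper can be pointed at a stub when testing offline.
SCEP_SUBMIT=${SCEP_SUBMIT:-scep-submit}

# check_args MODE URL RA_CERT CA_CERT
# Enforces the requirements stated under OPTIONS; returns 4 on a gap.
check_args() {
    mode=$1 url=$2 ra=$3 ca=$4
    [ -n "$url" ] || { echo "-u SERVER-URL is always required"; return 4; }
    case $url in
        https://*) [ -n "$ca" ] || { echo "https URL requires -R"; return 4; } ;;
    esac
    case $mode in
        -g|-p) [ -n "$ra" ] || { echo "$mode requires -r"; return 4; } ;;
    esac
    return 0
}

# describe_status CODE: meaning of each code listed under EXIT STATUS.
describe_status() {
    case $1 in
        0)  echo "issued: pkcsPKIEnvelope printed in PEM form" ;;
        1)  echo "pending: cookie printed" ;;
        2)  echo "rejected by the CA" ;;
        3)  echo "CA unreachable" ;;
        4)  echo "critical configuration missing" ;;
        5)  echo "pending: poll delay (seconds) and cookie printed" ;;
        16) echo "no SCEP pkiMessage could be read" ;;
        *)  echo "undocumented status $1" ;;
    esac
}

# run_scep MODE URL RA_CERT CA_CERT [PKIMESSAGE-FILE]
# Pass "" for a certificate file that is not used.
run_scep() {
    mode=$1 url=$2 ra=$3 ca=$4 msg=${5:-}
    check_args "$mode" "$url" "$ra" "$ca" >&2 || return 4
    set -- "$mode" -u "$url"
    [ -n "$ra" ] && set -- "$@" -r "$ra"
    [ -n "$ca" ] && set -- "$@" -R "$ca"
    [ -n "$msg" ] && set -- "$@" "$msg"
    rc=0
    "$SCEP_SUBMIT" "$@" || rc=$?
    echo "scep-submit: $(describe_status "$rc")" >&2
    return "$rc"
}
```

Because the typical server URL is plain http, signature verification in the -g and -p modes rests on the file given with -r, so that file should come from a trusted source.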

BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-remove-ca(1) getcert-resubmit(1)
       getcert-start-tracking(1) getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-dogtag-submit(8) certmonger-ipa-submit(8)
       certmonger-local-submit(8) certmonger_selinux(8)

certmonger Manual              23 February 2015                  certmonger(8)