certmonger(8)                System Manager's Manual               certmonger(8)

NAME
       dogtag-submit

SYNOPSIS
       dogtag-submit -E EE-URL -A AGENT-URL [-d dbdir] [-n nickname]
       [-i cainfo] [-C capath] [-c certfile] [-k keyfile] [-p pinfile] [-P pin]
       [-s serial (hex)] [-D serial (decimal)] [-S state] [-T profile]
       [-O param=value] [-N | -R] [-o option=value] [-a] [-u username]
       [-U userdn] [-W userpassword] [-w userpasswordfile] [-Y userpin]
       [-y userpinfile] [-v] [csrfile]

DESCRIPTION
       dogtag-submit is the helper which certmonger can use to make certificate
       enrollment and renewal requests to Dogtag servers.  It is not normally
       run interactively, but it can be for troubleshooting purposes.

       The preferred option is to request a renewal of an already-issued
       certificate, using its serial number, which can be read from a
       PEM-formatted certificate provided in the CERTMONGER_CERTIFICATE
       environment variable, or via the -s or -D option on the command line.
       If no serial number is provided, then the client will attempt to obtain
       a new certificate by submitting a signing request to the CA.

       The signing request which is to be submitted should either be in a file
       whose name is given as an argument, or fed into dogtag-submit via
       stdin.

       certmonger does not yet support retrieving trust information from
       Dogtag CAs.

OPTIONS
       -E EE-URL
              The top-level URL for the end-entity interface provided by the
              CA, through which the initial enrollment request will be
              submitted.  This is typically http://SERVER:EEPORT/ca/ee/ca.

       -A AGENT-URL
              The top-level URL for the agent interface provided by the CA,
              through which the request can be approved using agent
              credentials.  This is typically
              https://SERVER:AGENTPORT/ca/agent/ca.

       -d dbdir -n nickname -c certfile -k keyfile
              The location of the key and certificate which the client should
              use to authenticate to the CA's agent interface.  Exactly which
              values are meaningful depends on which cryptography library your
              copy of libcurl was linked with.

       -p pinfile
              The name of a file which contains a PIN/password which will be
              needed in order to make use of the agent credentials.

       -i cainfo -C capath
              The location of a file containing a copy of the CA's
              certificate, against which the CA server's certificate will be
              verified, or a directory containing, among other things, such a
              file.

       -s serial
              The serial number of an already-issued certificate for which the
              client should attempt to obtain a new certificate, in
              hexadecimal form, if one cannot be read from the
              CERTMONGER_CERTIFICATE environment variable.

       -D serial
              The serial number of an already-issued certificate for which the
              client should attempt to obtain a new certificate, in decimal
              form, if one cannot be read from the CERTMONGER_CERTIFICATE
              environment variable.

       -S state
              A cookie value provided by a previous instance of this helper,
              if the helper is being asked to continue a multi-step enrollment
              process.  If the CERTMONGER_COOKIE environment variable is set,
              its value is used.

       -T profile
              The name of the type of certificate which the client should
              request from the CA if it is not renewing a certificate (per the
              -s option above).  If the CERTMONGER_CA_PROFILE environment
              variable is set, its value is used.  Otherwise, the default
              value is caServerCert.

       -O param=value
              An additional parameter to pass to the server when approving the
              signing request using agent credentials.  By default, any
              server-supplied default settings are applied.  This option can
              be used either to override a server-supplied default setting, or
              to supply one which would otherwise have not been used.
              Requires the -A option.

       -N     Even if an already-issued certificate is available in the
              CERTMONGER_CERTIFICATE environment variable, or a serial number
              has been provided, don't attempt to renew a certificate using
              its serial number.  Instead, attempt to obtain a new certificate
              using the signing request.

       -R     Negates the effect of the -N flag.

       -t     Instead of attempting to obtain a new certificate, query the
              server for a list of the enabled enrollment profiles.

       -o param=value
              When initially submitting a request to the CA, add the specified
              parameter and value along with any request parameters which
              would otherwise be sent.

       -a     Use agent credentials, specified using some combination of the
              -d, -n, -c, and -k flags, to authenticate to the CA when
              initially submitting a request to the CA or retrieving the list
              of enabled enrollment profiles.  This is typically required when
              the enrollment profile being used uses AgentCertAuth-based
              authentication (in which case the URL specified using the -E
              flag must be an HTTPS URL), or when the URL specified using the
              -E flag is an HTTPS URL.

       -u username
              When initially submitting a request to the CA, supply the
              specified value as a user name.  This is typically required when
              the enrollment profile being used uses UidPwdDirAuth-based or
              NISAuth-based authentication.

       -U userdn
              When initially submitting a request to the CA, supply the
              specified value as the DN (distinguished name) of the user's
              entry in a directory server which the CA is configured to use
              for checking the user's password.  This is typically required
              when the enrollment profile being used uses UdnPwdDirAuth-based
              authentication.

       -W userpassword
              When initially submitting a request to the CA, supply the
              specified value as the password for the user whose name is
              specified with the -u option, or whose DN is specified with the
              -U option.  This is typically only required when the enrollment
              profile being used uses UidPwdDirAuth-based,
              UserPwdDirAuth-based, or NISAuth-based authentication.  If the
              URL specified using the -E flag is not an HTTPS URL, this value
              will not be encrypted.

       -w userpasswordfile
              When initially submitting a request to the CA, read from the
              specified file a password to supply for the user whose name is
              specified with the -u option, or whose DN is specified with the
              -U option.  This is typically only required when the enrollment
              profile being used uses UidPwdDirAuth-based,
              UserPwdDirAuth-based, or NISAuth-based authentication.  If the
              URL specified using the -E flag is not an HTTPS URL, this value
              will not be encrypted.

       -Y userpin
              When initially submitting a request to the CA, supply the
              specified value as the PIN for the user whose name is specified
              with the -u option, or whose DN is specified with the -U option.
              This is typically only required when the enrollment profile
              being used uses UidPwdPinDirAuth-based authentication.  If the
              URL specified using the -E flag is not an HTTPS URL, this value
              will not be encrypted.

       -y userpinfile
              When initially submitting a request to the CA, read from the
              specified file a PIN to supply for the user whose name is
              specified with the -u option, or whose DN is specified with the
              -U option.  This is typically only required when the enrollment
              profile being used uses UidPwdPinDirAuth-based authentication.
              If the URL specified using the -E flag is not an HTTPS URL, this
              value will not be encrypted.

       -v     Increases the logging level.  Use twice for more logging.  This
              option is mainly useful for troubleshooting.


EXIT STATUS
       0      if the certificate was issued.  The certificate will be printed.

       1      if the CA is still thinking.  A cookie (state) value will be
              printed.

       2      if the CA rejected the request.  An error message may be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error
              message may be printed.

       5      if the CA is still thinking.  A suggested poll delay (specified
              in seconds) and a cookie (state) value will be printed.

       17     if the CA indicates that the client needs to attempt enrollment
              using a new key pair.

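       The exit statuses above form the protocol between certmonger and its
       helpers: a pending request hands back a cookie that must be returned on
       the next run (via -S state or CERTMONGER_COOKIE) until the CA answers
       with a terminal status.  The following POSIX shell driver is an added
       example, not code from certmonger or from this manual page.  It runs a
       helper command, feeds each cookie back through CERTMONGER_COOKIE, sleeps
       for the suggested delay on status 5, and maps the terminal statuses to a
       result string.  It assumes that on status 5 the helper prints the delay
       on the first line and the cookie on the following lines.  The function
       fake_dogtag_submit is a constructed stand-in so the loop can be
       exercised without a Dogtag server; in real use the helper is
       dogtag-submit with its -E/-A arguments, as in the comment at the end.

```shell
#!/bin/sh
# Added example: a driver loop for a certmonger enrollment helper, built on the
# exit statuses documented in this man page.  Not certmonger's own code.
#
# drive_helper HELPER [helper args...]
#   Runs HELPER repeatedly, feeding each returned cookie back through
#   CERTMONGER_COOKIE (the environment form of "-S state"), until the CA issues
#   the certificate or answers with a terminal status.  The outcome is left in
#   DRIVE_RESULT and the helper's final status is returned.
#
# Assumption: on exit status 5 the helper prints the poll delay (seconds) on
# the first line and the cookie on the following lines.

MAX_POLLS=${MAX_POLLS:-10}          # give up after this many helper runs
IDLE_DELAY=${IDLE_DELAY:-0}         # seconds to wait after exit status 1

drive_helper() {
    helper=$1; shift
    cookie=""
    polls=0
    while [ "$polls" -lt "$MAX_POLLS" ]; do
        polls=$((polls + 1))
        # Capture whatever the helper prints: a certificate, a cookie, or a message.
        if [ -n "$cookie" ]; then
            out=$(CERTMONGER_COOKIE="$cookie" "$helper" "$@"); status=$?
        else
            out=$("$helper" "$@"); status=$?
        fi
        case $status in
            0)  DRIVE_RESULT=$out; return 0 ;;                 # certificate issued
            1)  cookie=$out; sleep "$IDLE_DELAY" ;;            # pending; cookie only
            5)  delay=$(printf '%s\n' "$out" | sed -n '1p')    # pending; delay + cookie
                cookie=$(printf '%s\n' "$out" | sed '1d')
                sleep "${delay:-0}" ;;
            2)  DRIVE_RESULT="rejected: $out";      return 2 ;;
            3)  DRIVE_RESULT="unreachable: $out";   return 3 ;;
            4)  DRIVE_RESULT="misconfigured: $out"; return 4 ;;
            17) DRIVE_RESULT="new key pair required"; return 17 ;;
            *)  DRIVE_RESULT="unexpected helper status $status"; return "$status" ;;
        esac
    done
    DRIVE_RESULT="still pending after $polls helper runs; last cookie: $cookie"
    return 1
}

# Constructed stand-in for dogtag-submit: it walks through "waiting with delay",
# "waiting", then "issued", selecting its state from the cookie handed back to it.
fake_dogtag_submit() {
    case "${CERTMONGER_COOKIE:-}" in
        "")      printf '%s\n' 0 state-1; return 5 ;;        # delay 0s, cookie state-1
        state-1) printf '%s\n' state-2;   return 1 ;;        # still pending
        state-2) printf '%s\n' '-----BEGIN CERTIFICATE-----' \
                     'constructed placeholder, not a real certificate' \
                     '-----END CERTIFICATE-----'; return 0 ;;
        *)       printf '%s\n' "unknown state $CERTMONGER_COOKIE"; return 2 ;;
    esac
}

# Stand-alone demonstration against the stand-in.  With a real CA the call
# would look like (hypothetical paths and names):
#   drive_helper dogtag-submit -E "$EE_URL" -A "$AGENT_URL" -d /etc/pki/nssdb -n agent request.csr
if drive_helper fake_dogtag_submit; then
    printf 'issued:\n%s\n' "$DRIVE_RESULT"
else
    printf 'helper ended with status %d: %s\n' "$?" "$DRIVE_RESULT"
fi
```

       Status 1 and status 5 are handled separately on purpose: only status 5
       carries a server-suggested delay, so for status 1 the driver falls back
       to its own IDLE_DELAY.  MAX_POLLS bounds the loop so a CA that never
       answers cannot keep the driver running forever.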

BUGS
       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO
       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-remove-ca(1) getcert-resubmit(1)
       getcert-start-tracking(1) getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-ipa-submit(8)
       certmonger-local-submit(8) certmonger-scep-submit(8)
       certmonger_selinux(8)



certmonger Manual                  13 Apr 2015                     certmonger(8)