certmonger(8) System Manager's Manual certmonger(8)

NAME
       scep-submit

SYNOPSIS
       scep-submit -u SERVER-URL [-r ra-cert-file] [-R ca-cert-file]
       [-I other-certs-file] [-i ca-identifier] [-v] [-n] [-c|-C|-g|-p]
       [pkimessage-filename]

DESCRIPTION
       scep-submit is the helper which certmonger can use to transmit
       certificate enrollment and renewal requests to servers using SCEP.
       It is not normally run interactively, but it can be for
       troubleshooting purposes.

       The request which is to be submitted should be a PEM-encoded SCEP
       pkiMessage either in a file whose name is given as an argument, or
       fed into scep-submit via stdin.

MODES
       -c     scep-submit will issue a GetCACaps request to the server and
              print the results.

       -C     scep-submit will issue GetCACert and GetCAChain requests to
              the server, parse the responses, and then print, in order,
              the RA certificate, the CA certificate, and any additional
              certificates.

       -p     scep-submit will issue a PKIOperation request to the server
              using the passed-in message as the message content. It will
              parse the server's response, verify the signature, and if
              the response includes an issued certificate, it will output
              the pkcsPKIEnvelope in PEM format. If the response indicates
              an error, it will print the error.

       -g     scep-submit will issue a PKIOperation request to the server
              using the passed-in message as the message content. It will
              parse the server's response, verify the signature, and if
              the response includes an issued certificate, it will output
              the pkcsPKIEnvelope in PEM format. If the response indicates
              an error, it will print the error.

OPTIONS
       -u SERVER-URL
              The location of the SCEP interface provided by the CA. This
              is typically http://SERVER/cgi-bin/PKICLIENT.EXE or
              http://SERVER/certsrv/mscep/mscep.dll. This option is always
              required.

       -R CA-certificate-file
              The location of the SCEP server's CA certificate, which was
              used to issue the SCEP server's certificate, or the SCEP
              server's own certificate, if it is self-signed, in PEM form.
              If the URL specified with the -u option is an https URL,
              then this option is required.

       -r RA-certificate-file
              The location of the SCEP server's RA certificate, which is
              expected to be used for signing responses sent by the SCEP
              server back to the client. This option is required when
              either the -g flag or the -p flag is specified.

       -I other-certificates-file
              The location of a file containing other PEM-formatted
              certificates which may be needed in order to properly verify
              signed responses sent by the SCEP server back to the client.
              This option may be necessary when either the -g flag or the
              -p flag is specified.

       -i ca-identifier
              When called with the -c or -C flag, this option can be used
              to specify the CA identifier which is passed to the server
              as part of the client's request. The default is "0".

       -v     Increases the logging level. Use twice for more logging.
              This option is mainly useful for troubleshooting.

EXIT STATUS
       0      if the certificate was issued. The pkcsPKIEnvelope will be
              printed in PEM-encoded form.

       1      if the CA is still thinking. A cookie (state) value will be
              printed.

       2      if the CA rejected the request. An error message may be
              printed.

       3      if the CA was unreachable. An error message may be printed.

       4      if critical configuration information is missing. An error
              message may be printed.

       5      if the CA is still thinking. A suggested poll delay
              (specified in seconds) and a cookie (state) value will be
              printed.

       16     if the helper needs an SCEP pkiMessage, but couldn't read
              one.

       17     if the CA indicates that the client needs to attempt
              enrollment using a new key pair.

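The following shell functions are an added example, not part of certmonger or this manual page. They check the option requirements stated under OPTIONS before invoking the helper during troubleshooting, and map the exit statuses listed above to a suggested next step. The function names and the step labels are hypothetical.

```shell
# Added example; function names are hypothetical. The rules and status
# codes are the ones documented on this page.

# Return 0 if the options satisfy the documented requirements, else 4
# (the helper's own "critical configuration information is missing").
scep_preflight() {
    url= ra= ca= mode=
    OPTIND=1
    while getopts "u:r:R:I:i:vncCgp" opt "$@"; do
        case $opt in
            u) url=$OPTARG ;;
            r) ra=$OPTARG ;;
            R) ca=$OPTARG ;;
            c|C|g|p) mode=$opt ;;
            I|i|v|n) ;;
            *) return 4 ;;
        esac
    done
    [ -n "$url" ] || { echo "-u SERVER-URL is always required" >&2; return 4; }
    case $url in
        https://*) [ -n "$ca" ] || { echo "https URL requires -R" >&2; return 4; } ;;
    esac
    case $mode in
        g|p) [ -n "$ra" ] || { echo "-$mode requires -r" >&2; return 4; } ;;
    esac
    return 0
}

# Map an exit status to a suggested next step for the caller.
scep_classify() {
    case $1 in
        0)   echo issued ;;
        1|5) echo poll-later ;;        # CA still thinking; a cookie is printed
        2)   echo rejected ;;
        3)   echo retry-unreachable ;;
        4)   echo fix-config ;;
        16)  echo no-pkimessage ;;
        17)  echo rekey ;;             # enroll again with a new key pair
        *)   echo unknown ;;
    esac
}

# Preflight, run the helper, print the classification on stderr.
scep_run() {
    scep_preflight "$@" || { scep_classify 4 >&2; return 4; }
    rc=0
    scep-submit "$@" || rc=$?
    scep_classify "$rc" >&2
    return "$rc"
}
```

The classification goes to stderr so that stdout carries only what scep-submit itself prints.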
BUGS
       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO
       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-remove-ca(1) getcert-resubmit(1)
       getcert-start-tracking(1) getcert-status(1)
       getcert-stop-tracking(1) certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-dogtag-submit(8) certmonger-ipa-submit(8)
       certmonger-local-submit(8) certmonger_selinux(8)

certmonger Manual 20 June 2015 certmonger(8)