certmonger(8)                System Manager's Manual               certmonger(8)



NAME
       dogtag-ipa-renew-agent-submit


SYNOPSIS
       dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL [-d dbdir]
       [-n nickname] [-i cainfo] [-C capath] [-c certfile] [-k keyfile]
       [-p pinfile] [-P pin] [-s serial (hex)] [-D serial (decimal)]
       [-S state] [-T profile] [-O param=value] [-v] [csrfile]


DESCRIPTION
       dogtag-ipa-renew-agent-submit is the helper which certmonger uses to
       make certificate renewal requests to Dogtag instances running on IPA
       servers.  It is not normally run interactively, but it can be for
       troubleshooting purposes.

       The preferred mode of operation is to request renewal of an
       already-issued certificate, using its serial number, which can be
       read from a PEM-formatted certificate provided in the
       CERTMONGER_CERTIFICATE environment variable, or via the -s or -D
       option on the command line.  If no serial number is provided, the
       client will instead attempt to obtain a new certificate by
       submitting a signing request to the CA.

       The signing request to be submitted should either be in a file whose
       name is given as an argument, or fed to dogtag-ipa-renew-agent-submit
       via stdin.

       certmonger does not yet support retrieving trust information from
       Dogtag CAs.


OPTIONS
       -E EE-URL
              The top-level URL for the end-entity interface provided by the
              CA.  In IPA installations, this is typically
              http://SERVER:EEPORT/ca/ee/ca.  If no URL is specified, the
              host named in the [global] section of /etc/ipa/default.conf
              is used as the value of SERVER, and the value of EEPORT is
              inferred from the value of dogtag_version in that same
              [global] section: if dogtag_version is set to 10 or more,
              EEPORT will be 8080.  Otherwise it will be 9180.

       -A AGENT-URL
              The top-level URL for the agent interface provided by the CA.
              In IPA installations, this is typically
              https://SERVER:AGENTPORT/ca/agent/ca.  If no URL is specified,
              the host named in the [global] section of
              /etc/ipa/default.conf is used as the value of SERVER, and the
              value of AGENTPORT is inferred from the value of
              dogtag_version in that same [global] section: if
              dogtag_version is set to 10 or more, AGENTPORT will be 8443.
              Otherwise it will be 9443.

       -d dbdir -n nickname -c certfile -k keyfile
              The location of the key and certificate which the client
              should use to authenticate to the CA's agent interface.
              Exactly which of these values are meaningful depends on which
              cryptography library your copy of libcurl was linked with.

              If none of these options are specified, and none of the -p,
              -P, -i, nor -C options are specified, then this set of
              defaults is used:
                     -i /etc/ipa/ca.crt
                     -d /etc/httpd/alias
                     -n ipaCert
                     -p /etc/httpd/alias/pwdfile.txt

       -p pinfile
              The name of a file which contains a PIN/password which will be
              needed in order to make use of the agent credentials.

              If this option is not specified, and none of the -d, -n, -c,
              -k, -P, -i, nor -C options are specified, then this set of
              defaults is used:
                     -i /etc/ipa/ca.crt
                     -d /etc/httpd/alias
                     -n ipaCert
                     -p /etc/httpd/alias/pwdfile.txt

       -i cainfo -C capath
              The location of a file containing a copy of the CA's
              certificate, against which the CA server's certificate will
              be verified, or a directory containing, among other things,
              such a file.

              If these options are not specified, and none of the -d, -n,
              -c, -k, -p, nor -P options are specified, then this set of
              defaults is used:
                     -i /etc/ipa/ca.crt
                     -d /etc/httpd/alias
                     -n ipaCert
                     -p /etc/httpd/alias/pwdfile.txt

       -s serial
              The serial number of an already-issued certificate for which
              the client should attempt to obtain a new certificate, in
              hexadecimal form, if one cannot be read from the
              CERTMONGER_CERTIFICATE environment variable.

       -D serial
              The serial number of an already-issued certificate for which
              the client should attempt to obtain a new certificate, in
              decimal form, if one cannot be read from the
              CERTMONGER_CERTIFICATE environment variable.

       -S state
              A cookie value provided by a previous instance of this helper,
              if the helper is being asked to continue a multi-step
              enrollment process.  If the CERTMONGER_COOKIE environment
              variable is set, its value is used.

       -T profile/template
              The name of the type of certificate which the client should
              request from the CA if it is not renewing a certificate (per
              the -s option above).  If the CERTMONGER_CA_PROFILE
              environment variable is set, its value is used.  Otherwise,
              the default value is caServerCert.

       -O param=value
              An additional parameter to pass to the server when approving
              the signing request using the agent's credentials.  By
              default, any server-supplied default settings are applied.
              This option can be used either to override a server-supplied
              default setting, or to supply one which would otherwise not
              have been used.

       -v     Increases the logging level.  Use twice for more logging.
              This option is mainly useful for troubleshooting.


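       As an added example (not certmonger's own code), the following POSIX
       shell snippet reproduces the EE-URL and AGENT-URL defaults described
       for -E and -A above.  It assumes the IPA server name is stored under
       the key host in the [global] section of /etc/ipa/default.conf.

```shell
#!/bin/sh
# Added example, not part of certmonger: derive the default end-entity and
# agent URLs the helper would use when -E/-A are omitted.
# Assumption: the server name lives under the key "host" in [global].

# ipa_global_value FILE KEY: print KEY's value from the [global] section
# (comments stripped, surrounding whitespace trimmed); empty if absent.
ipa_global_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global\]/); next }
        in_global {
            line = $0; sub(/#.*/, "", line)
            if (match(line, "^[ \t]*" key "[ \t]*=")) {
                val = substr(line, RLENGTH + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# dogtag_default_urls [CONF]: print the EE URL, then the agent URL.
# dogtag_version >= 10 selects 8080/8443, anything else selects 9180/9443.
# Returns 4 (the helper's "configuration missing" status) if no host is set.
dogtag_default_urls() {
    conf="${1:-/etc/ipa/default.conf}"
    server=$(ipa_global_value "$conf" host)
    version=$(ipa_global_value "$conf" dogtag_version)
    if [ -z "$server" ]; then
        echo "no host in [global] section of $conf" >&2
        return 4
    fi
    if [ "${version:-0}" -ge 10 ] 2>/dev/null; then
        eeport=8080; agentport=8443
    else
        eeport=9180; agentport=9443
    fi
    echo "http://$server:$eeport/ca/ee/ca"
    echo "https://$server:$agentport/ca/agent/ca"
}
```

       Running dogtag_default_urls on a host's real default.conf shows which
       URLs the helper will contact before any request is sent.
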
EXIT STATUS
       0      if the certificate was issued.  The certificate will be
              printed.

       1      if the CA is still thinking.  A cookie (state) value will be
              printed.

       2      if the CA rejected the request.  An error message may be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error
              message may be printed.

       5      if the CA is still thinking.  A suggested poll delay
              (specified in seconds) and a cookie (state) value will be
              printed.

       17     if the CA indicates that the client needs to attempt
              enrollment using a new key pair.


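       An added example, not part of certmonger, showing how a caller would
       interpret these exit statuses when driving the helper by hand: it
       re-invokes the helper with -S when the CA is still thinking, honours
       the suggested poll delay, and stops on any terminal status.  It
       assumes that for status 5 the delay is printed on the first line and
       the cookie on the following line(s); HELPER and MAX_ROUNDS are names
       local to this wrapper.

```shell
#!/bin/sh
# Added example, not certmonger's own code: drive dogtag-ipa-renew-agent-submit
# through its exit-status protocol.  HELPER is overridable so the flow can be
# exercised with a stub; MAX_ROUNDS bounds how many times we poll.
HELPER="${HELPER:-dogtag-ipa-renew-agent-submit}"
MAX_ROUNDS="${MAX_ROUNDS:-10}"

# renew_cert SERIAL_HEX [extra helper args...]
# Prints the issued certificate on stdout; returns the helper's final status.
renew_cert() {
    serial="$1"; shift
    out=$(mktemp); state=""; rounds=0
    while [ "$rounds" -lt "$MAX_ROUNDS" ]; do
        rounds=$((rounds + 1)); rc=0; why=""
        if [ -n "$state" ]; then       # continue a multi-step enrollment
            "$HELPER" -s "$serial" -S "$state" "$@" >"$out" 2>&1 || rc=$?
        else
            "$HELPER" -s "$serial" "$@" >"$out" 2>&1 || rc=$?
        fi
        case "$rc" in
            0)  cat "$out"; rm -f "$out"; return 0 ;;   # certificate issued
            1)  state=$(cat "$out") ;;                  # whole output is the cookie
            5)  delay=$(head -n 1 "$out")               # assumed: line 1 = delay (s)
                state=$(sed -n '2,$p' "$out")           # assumed: rest = cookie
                case "$delay" in ''|*[!0-9]*) delay=1 ;; esac
                sleep "$delay" ;;
            2)  why="CA rejected the request" ;;
            3)  why="CA unreachable" ;;
            4)  why="critical configuration information missing" ;;
            17) why="CA requires enrollment with a new key pair" ;;
            *)  why="unexpected helper status" ;;
        esac
        if [ -n "$why" ]; then                          # terminal status
            echo "$why (status $rc):" >&2; cat "$out" >&2
            rm -f "$out"; return "$rc"
        fi
    done
    echo "gave up after $MAX_ROUNDS polls; last cookie: $state" >&2
    rm -f "$out"; return 1
}
```
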
FILES
       /etc/ipa/default.conf
              is the IPA client configuration file.  This file is consulted
              to determine the URLs for the Dogtag server's end-entity and
              agent interfaces if they are not supplied as arguments.


BUGS
       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/


SEE ALSO
       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-remove-ca(1) getcert-resubmit(1)
       getcert-start-tracking(1) getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8) certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8)
       certmonger-scep-submit(8) certmonger_selinux(8)



certmonger Manual                  18 Nov 2014                     certmonger(8)