1certmonger(8) System Manager's Manual certmonger(8)
2
3
4
6 ipa-submit
7
8
10 ipa-submit [-h serverHost] [-H serverURL] [-c cafile] [-C capath] [[-K]
11 | [-t keytab] [-k submitterPrincipal]] [-P principalOfRequest] [-T pro‐
12 file] [csrfile]
13
14
16 ipa-submit is the helper which certmonger uses to make requests to IPA-
17 based CAs. It is not normally run interactively, but it can be for
18 troubleshooting purposes. The signing request which is to be submitted
19 should either be in a file whose name is given as an argument, or fed
20 into ipa-submit via stdin.
21
22 certmonger supports retrieving trusted certificates from IPA CAs. See
23 getcert-request(1) and getcert-resubmit(1) for information about speci‐
24 fying where those certificates should be stored on the local system.
25 Trusted certificates are retrieved from the caCertificate attribute of
26 entries present at and below cn=cacert,cn=ipa,cn=etc,$BASE in the IPA
27 LDAP server's directory tree, where $BASE defaults to the value of the
28 basedn setting in /etc/ipa/default.conf.
29
30
32 -P csrPrincipal
33 Identifies the principal name of the service for which the cer‐
34 tificate is being issued. This setting is required by IPA and
35 must always be specified.
36
37 -X issuer
38 Requests that the certificate be processed by the specified cer‐
39 tificate issuer. By default, if this flag is not specified, and
40 the CERTMONGER_CA_ISSUER variable is set in the environment,
41 then the value of the environment variable will be used. This
42 setting is optional, and if a server returns error 3005, indi‐
43 cating that it does not understand multiple profiles, the
44 request will be re-submitted without specifying an issuer name.
45
46 -T profile
47 Requests that the certificate be processed using the specified
48 certificate profile. By default, if this flag is not specified,
49 and the CERTMONGER_CA_PROFILE variable is set in the environ‐
50 ment, then the value of the environment variable will be used.
51 This setting is optional, and if a server returns error 3005,
52 indicating that it does not understand multiple profiles, the
53 request will be re-submitted without specifying a profile.
54
55 -h serverHost
56 Submit the request to the IPA server running on the named host.
57 The default is to read the location of the host from
58 /etc/ipa/default.conf. If no server is configured, or the con‐
59 figured server cannot be reached, the client will attempt to use
60 DNS discovery to locate LDAP servers for the IPA domain. If
61 servers are found, they will be searched for entries pointing to
62 IPA masters running the "CA" service, and the client will
63 attempt to contact each of those in turn.
64
65 -H serverURL
66 Submit the request to the IPA server at the specified location.
67 The default is to read the location of the host from
68 /etc/ipa/default.conf. If no server is configured, or the con‐
69 figured server cannot be reached, the client will attempt to use
70 DNS discovery to locate LDAP servers for the IPA domain. If
71 servers are found, they will be searched for entries pointing to
72 IPA masters running the "CA" service, and the client will
73 attempt to contact each of those in turn.
74
75 -c cafile
76 The server's certificate was issued by the CA whose certificate
77 is in the named file. The default value is /etc/ipa/ca.crt.
78
79 -C capath
80 Trust the server if its certificate was issued by a CA whose
81 certificate is in a file in the named directory. There is no
82 default for this option, and it is not expected to be necessary.
83
84 -t keytab
85 Authenticate to the IPA server using Kerberos with credentials
86 derived from keys stored in the named keytab. The default value
87 can vary, but it is usually /etc/krb5.keytab. This option con‐
88 flicts with the -K, -u, -W, and -w options.
89
90 -k authPrincipal
91 Authenticate to the IPA server using Kerberos with credentials
92 derived from keys stored in the named keytab for this principal
93 name. The default value is the host service for the local host
94 in the local realm. This option conflicts with the -K, -u, -W,
95 and -w options.
96
97 -K Authenticate to the IPA server using Kerberos with credentials
98 derived from the default credential cache rather than a keytab.
99 This option conflicts with the -k, -u, -W, and -w options.
100
101 -u uid Authenticate to the IPA server using a user name and password,
102 using the specified value as the user name. This option con‐
103 flicts with the -k, -K, and -t options.
104
105 -W pwd Authenticate to the IPA server using a user name and password,
106 using the specified value as the password. This option con‐
107 flicts with the -k, -K, -t, and -w options.
108
109 -w pwdfile
110 Authenticate to the IPA server using a user name and password,
111 reading the password from the specified file. This option con‐
112 flicts with the -k, -K, -t, and -W options.
113
114
116 0 if the certificate was issued. The certificate will be printed.
117
118 1 if the CA is still thinking. A cookie value will be printed.
119
120 2 if the CA rejected the request. An error message may be
121 printed.
122
123 3 if the CA was unreachable. An error message may be printed.
124
125 4 if critical configuration information is missing. An error mes‐
126 sage may be printed.
127
128 17 if the CA indicates that the client needs to attempt enrollment
129 using a new key pair.
130
131
133 /etc/ipa/default.conf
134 is the IPA client configuration file. This file is consulted to
135 determine the URL for the IPA server's XML-RPC interface.
136
137
139 Please file tickets for any that you find at https://fedora‐
140 hosted.org/certmonger/
141
142
144 certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
145 getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1) getcert-
146 refresh-ca(1) getcert-refresh(1) getcert-rekey(1) getcert-remove-ca(1)
147 getcert-request(1) getcert-resubmit(1) getcert-start-tracking(1)
148 getcert-status(1) getcert-stop-tracking(1) certmonger-certmaster-sub‐
149 mit(8) certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-
150 submit(8) certmonger-local-submit(8) certmonger-scep-submit(8) certmon‐
151 ger_selinux(8)
152
153
154
155certmonger Manual 16 April 2015 certmonger(8)