certmonger(8)               System Manager's Manual              certmonger(8)



NAME

       ipa-submit



SYNOPSIS

       ipa-submit [-h serverHost] [-H serverURL] [-c cafile] [-C capath]
       [[-K] | [-t keytab] [-k submitterPrincipal]] [-P principalOfRequest]
       [-T profile] [csrfile]



DESCRIPTION

       ipa-submit is the helper which certmonger uses to make requests to
       IPA-based CAs.  It is not normally run interactively, but it can be
       for troubleshooting purposes.  The signing request which is to be
       submitted should either be in a file whose name is given as an
       argument, or fed into ipa-submit via stdin.

       certmonger supports retrieving trusted certificates from IPA CAs.  See
       getcert-request(1) and getcert-resubmit(1) for information about
       specifying where those certificates should be stored on the local
       system.  Trusted certificates are retrieved from the caCertificate
       attribute of entries present at and below cn=cacert,cn=ipa,cn=etc,$BASE
       in the IPA LDAP server's directory tree, where $BASE defaults to the
       value of the basedn setting in /etc/ipa/default.conf.


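       The following shell functions are an added example, not part of
       certmonger, that show how an administrator can check by hand what
       certmonger would retrieve as trusted certificates: the first derives
       the cn=cacert,cn=ipa,cn=etc,$BASE search base from the basedn setting
       in /etc/ipa/default.conf (assumed, as that file is, to be INI-style),
       the second queries that subtree for caCertificate with ldapsearch from
       the OpenLDAP client tools, authenticating with the current Kerberos
       credential cache.

```sh
#!/bin/sh
# Added example (not certmonger's own code): derive the LDAP search base that
# certmonger uses for trusted certificates and fetch them with ldapsearch.
# Assumes the OpenLDAP client tools (ldapsearch) and a valid Kerberos ticket.

# ipa_cacert_base [CONFIG_FILE]
# Print "cn=cacert,cn=ipa,cn=etc,$BASE", reading basedn from CONFIG_FILE
# (default /etc/ipa/default.conf).  Fails with status 1 if basedn is absent.
ipa_cacert_base() {
    conf="${1:-/etc/ipa/default.conf}"
    base=$(sed -n 's/^[[:space:]]*basedn[[:space:]]*=[[:space:]]*//p' "$conf" \
           | head -n 1 | sed 's/[[:space:]]*$//')
    [ -n "$base" ] || { echo "no basedn setting in $conf" >&2; return 1; }
    printf 'cn=cacert,cn=ipa,cn=etc,%s\n' "$base"
}

# ipa_fetch_trusted_certs LDAP_URI [CONFIG_FILE]
# Search the cacert container and everything below it (scope "sub", matching
# "at and below" in the description) for caCertificate values, printed as LDIF.
ipa_fetch_trusted_certs() {
    uri="$1"
    base=$(ipa_cacert_base "${2:-/etc/ipa/default.conf}") || return 1
    ldapsearch -LLL -Y GSSAPI -H "$uri" -b "$base" -s sub \
        '(caCertificate=*)' caCertificate
}
```

       Typical use is ipa_fetch_trusted_certs ldaps://ipa.example.test after
       kinit; comparing its output with the files certmonger wrote is a quick
       way to confirm that the trust store matches the directory.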

OPTIONS

       -P csrPrincipal
              Identifies the principal name of the service for which the
              certificate is being issued.  This setting is required by IPA
              and must always be specified.

       -X issuer
              Requests that the certificate be processed by the specified
              certificate issuer.  By default, if this flag is not specified,
              and the CERTMONGER_CA_ISSUER variable is set in the environment,
              then the value of the environment variable will be used.  This
              setting is optional, and if a server returns error 3005,
              indicating that it does not understand multiple profiles, the
              request will be re-submitted without specifying an issuer name.

       -T profile
              Requests that the certificate be processed using the specified
              certificate profile.  By default, if this flag is not specified,
              and the CERTMONGER_CA_PROFILE variable is set in the
              environment, then the value of the environment variable will be
              used.  This setting is optional, and if a server returns error
              3005, indicating that it does not understand multiple profiles,
              the request will be re-submitted without specifying a profile.

       -h serverHost
              Submit the request to the IPA server running on the named host.
              The default is to read the location of the host from
              /etc/ipa/default.conf.  If no server is configured, or the
              configured server cannot be reached, the client will attempt to
              use DNS discovery to locate LDAP servers for the IPA domain.  If
              servers are found, they will be searched for entries pointing to
              IPA masters running the "CA" service, and the client will
              attempt to contact each of those in turn.

       -H serverURL
              Submit the request to the IPA server at the specified location.
              The default is to read the location of the host from
              /etc/ipa/default.conf.  If no server is configured, or the
              configured server cannot be reached, the client will attempt to
              use DNS discovery to locate LDAP servers for the IPA domain.  If
              servers are found, they will be searched for entries pointing to
              IPA masters running the "CA" service, and the client will
              attempt to contact each of those in turn.

       -c cafile
              The server's certificate was issued by the CA whose certificate
              is in the named file.  The default value is /etc/ipa/ca.crt.

       -C capath
              Trust the server if its certificate was issued by a CA whose
              certificate is in a file in the named directory.  There is no
              default for this option, and it is not expected to be necessary.

       -t keytab
              Authenticate to the IPA server using Kerberos with credentials
              derived from keys stored in the named keytab.  The default value
              can vary, but it is usually /etc/krb5.keytab.  This option
              conflicts with the -K, -u, -W, and -w options.

       -k authPrincipal
              Authenticate to the IPA server using Kerberos with credentials
              derived from keys stored in the named keytab for this principal
              name.  The default value is the host service for the local host
              in the local realm.  This option conflicts with the -K, -u, -W,
              and -w options.

       -K     Authenticate to the IPA server using Kerberos with credentials
              derived from the default credential cache rather than a keytab.
              This option conflicts with the -k, -u, -W, and -w options.

       -u uid Authenticate to the IPA server using a user name and password,
              using the specified value as the user name.  This option
              conflicts with the -k, -K, and -t options.

       -W pwd Authenticate to the IPA server using a user name and password,
              using the specified value as the password.  This option
              conflicts with the -k, -K, -t, and -w options.

       -w pwdfile
              Authenticate to the IPA server using a user name and password,
              reading the password from the specified file.  This option
              conflicts with the -k, -K, -t, and -W options.



EXIT STATUS

       0      if the certificate was issued.  The certificate will be printed.

       1      if the CA is still thinking.  A cookie value will be printed.

       2      if the CA rejected the request.  An error message may be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error
              message may be printed.

       17     if the CA indicates that the client needs to attempt enrollment
              using a new key pair.


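       The wrapper below is an added example, not certmonger's own code, of
       running ipa-submit by hand for troubleshooting and branching on the
       exit statuses listed above: it submits a CSR file with -K (the current
       credential cache), the required -P principal and an optional -T
       profile, then stores the certificate (status 0) or the cookie (status
       1) and reports every other status as an error.  The helper's path is
       assumed to be /usr/libexec/certmonger/ipa-submit, overridable through
       the IPA_SUBMIT variable, which is this example's own convention.

```sh
#!/bin/sh
# Added example (not certmonger's own code): run ipa-submit interactively on a
# CSR and act on its documented exit status.  IPA_SUBMIT is this script's own
# override for the helper path; the default location is an assumption.

IPA_SUBMIT="${IPA_SUBMIT:-/usr/libexec/certmonger/ipa-submit}"

# ipa_submit_status_text CODE
# Translate the helper's exit status into the meaning documented in the
# EXIT STATUS section.
ipa_submit_status_text() {
    case "$1" in
        0)  echo "issued: certificate on stdout" ;;
        1)  echo "pending: CA still thinking, cookie on stdout" ;;
        2)  echo "rejected by CA" ;;
        3)  echo "CA unreachable" ;;
        4)  echo "critical configuration missing" ;;
        17) echo "CA requests enrollment with a new key pair" ;;
        *)  echo "unknown status $1" ;;
    esac
}

# ipa_submit_csr CSRFILE PRINCIPAL OUTDIR [PROFILE]
# Submit CSRFILE for PRINCIPAL using the default credential cache (-K),
# store the certificate or the pending cookie under OUTDIR, and return the
# helper's own exit status so callers can branch on it.
ipa_submit_csr() {
    csr="$1"; principal="$2"; outdir="$3"; profile="$4"
    set -- -K -P "$principal"
    [ -n "$profile" ] && set -- "$@" -T "$profile"
    rc=0
    out=$("$IPA_SUBMIT" "$@" "$csr") || rc=$?
    case "$rc" in
        0) printf '%s\n' "$out" > "$outdir/cert.pem" ;;   # issued certificate
        1) printf '%s\n' "$out" > "$outdir/cookie" ;;     # keep cookie to poll later
        *) printf '%s\n' "$out" >&2 ;;                    # error text, if any
    esac
    echo "ipa-submit: $(ipa_submit_status_text "$rc")" >&2
    return "$rc"
}
```

       A status of 1 means the request is queued on the CA side; the saved
       cookie is what a later poll needs, so it should not be discarded.  A
       status of 17 means the CSR must be regenerated with a fresh key pair
       before resubmitting, which is why the wrapper never retries on its own.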

FILES

       /etc/ipa/default.conf
              is the IPA client configuration file.  This file is consulted to
              determine the URL for the IPA server's XML-RPC interface.



BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/



SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-request(1) getcert-resubmit(1)
       getcert-start-tracking(1) getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8) certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-dogtag-submit(8) certmonger-local-submit(8)
       certmonger-scep-submit(8) certmonger_selinux(8)



certmonger Manual                16 April 2015                   certmonger(8)