certmonger(8)               System Manager's Manual              certmonger(8)

NAME
       scep-submit

SYNOPSIS
       scep-submit -u SERVER-URL [-r ra-cert-file] [-R ca-cert-file]
       [-I other-certs-file] [-i ca-identifier] [-v] [-n] [-c|-C|-g|-p]
       [pkimessage-filename]

DESCRIPTION
       scep-submit is the helper which certmonger can use to transmit
       certificate enrollment and renewal requests to servers using SCEP.
       It is not normally run interactively, but it can be for
       troubleshooting purposes.

       The request which is to be submitted should be a PEM-encoded SCEP
       pkiMessage either in a file whose name is given as an argument, or
       fed into scep-submit via stdin.

MODES
       -c     scep-submit will issue a GetCACaps request to the server and
              print the results.

       -C     scep-submit will issue GetCACert and GetCAChain requests to the
              server, parse the responses, and then print, in order, the RA
              certificate, the CA certificate, and any additional
              certificates.

       -p     scep-submit will issue a PKIOperation request to the server
              using the passed-in message as the message content. It will
              parse the server's response, verify the signature, and if the
              response includes an issued certificate, it will output the
              pkcsPKIEnvelope in PEM format. If the response indicates an
              error, it will print the error.

       -g     scep-submit will issue a PKIOperation request to the server
              using the passed-in message as the message content. It will
              parse the server's response, verify the signature, and if the
              response includes an issued certificate, it will output the
              pkcsPKIEnvelope in PEM format. If the response indicates an
              error, it will print the error.

OPTIONS
       -u SERVER-URL
              The location of the SCEP interface provided by the CA. This is
              typically http://SERVER/cgi-bin/PKICLIENT.EXE or
              http://SERVER/certsrv/mscep/mscep.dll. This option is always
              required.

       -R CA-certificate-file
              The location of the SCEP server's CA certificate, which was
              used to issue the SCEP server's certificate, or the SCEP
              server's own certificate, if it is self-signed, in PEM form.
              If the URL specified with the -u option is an https URL, then
              this option is required.

       -r RA-certificate-file
              The location of the SCEP server's RA certificate, which is
              expected to be used for signing responses sent by the SCEP
              server back to the client. This option is required when either
              the -g flag or the -p flag is specified.

       -I other-certificates-file
              The location of a file containing other PEM-formatted
              certificates which may be needed in order to properly verify
              signed responses sent by the SCEP server back to the client.
              This option may be necessary when either the -g flag or the -p
              flag is specified.

       -i ca-identifier
              When called with the -c or -C flag, this option can be used to
              specify the CA identifier which is passed to the server as part
              of the client's request. The default is "0".

       -n     The SCEP Renewal feature allows a client with a
              previously-issued certificate to use that certificate and the
              associated private key to request a new certificate for a
              different key pair, and can be used to support certmonger's
              rekeying feature if the SCEP server advertises support for it.
              This option forces the scep-submit helper to prefer to issue
              requests which do not make use of this feature.

       -v     Increases the logging level. Use twice for more logging. This
              option is mainly useful for troubleshooting.

EXIT STATUS
       0      if the certificate was issued. The pkcsPKIEnvelope will be
              printed in PEM-encoded form.

       1      if the CA is still thinking. A cookie (state) value will be
              printed.

       2      if the CA rejected the request. An error message may be
              printed.

       3      if the CA was unreachable. An error message may be printed.

       4      if critical configuration information is missing. An error
              message may be printed.

       5      if the CA is still thinking. A suggested poll delay (specified
              in seconds) and a cookie (state) value will be printed.

       16     if the helper needs an SCEP pkiMessage, but couldn't read one.

       17     if the CA indicates that the client needs to attempt enrollment
              using a new key pair.
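
A preflight and exit-status wrapper for running the helper by hand while troubleshooting, as an added example that is not part of certmonger or of this manual page. The function names and the SCEP_SUBMIT variable (path to the installed helper) are assumptions; the option rules and status meanings are the ones listed above.

```shell
#!/bin/sh
# Added example, not shipped with certmonger. SCEP_SUBMIT is an assumed
# variable naming the installed helper; all function names are hypothetical.
SCEP_SUBMIT="${SCEP_SUBMIT:-scep-submit}"

# scep_preflight MODE URL RA_CERT CA_CERT   (MODE: c, C, g or p; "" = not given)
# Applies the option rules from OPTIONS before any network traffic is sent.
# Returns 4, the helper's own "configuration missing" status, on a violation.
scep_preflight() {
    mode=$1 url=$2 ra=$3 ca=$4
    [ -n "$url" ] || { echo "-u SERVER-URL is always required" >&2; return 4; }
    case $url in
        https://*)
            [ -r "$ca" ] || { echo "https URL requires -R" >&2; return 4; } ;;
    esac
    case $mode in
        g|p) [ -r "$ra" ] || { echo "-$mode requires -r" >&2; return 4; } ;;
        c|C) ;;
        *)   echo "mode must be one of c, C, g, p" >&2; return 4 ;;
    esac
}

# scep_classify STATUS: map an exit status to the action a caller should take.
scep_classify() {
    case $1 in
        0)   echo issued ;;        # PEM pkcsPKIEnvelope is on stdout
        1|5) echo wait ;;          # keep the cookie; 5 also printed a poll delay
        2)   echo rejected ;;
        3)   echo unreachable ;;
        4)   echo misconfigured ;;
        16)  echo no-pkimessage ;;
        17)  echo rekey ;;         # retry enrollment with a new key pair
        *)   echo unknown ;;
    esac
}

# scep_run MODE URL RA_CERT CA_CERT [PKIMESSAGE_FILE]
# Runs the helper with its output untouched and returns its exit status.
# Without PKIMESSAGE_FILE the helper reads the request from stdin.
scep_run() {
    scep_preflight "$1" "$2" "$3" "$4" || return 4
    set -- "-$1" -u "$2" ${3:+-r "$3"} ${4:+-R "$4"} ${5:+"$5"}
    status=0
    "$SCEP_SUBMIT" "$@" || status=$?
    return "$status"
}
```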

BUGS
       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO
       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-dogtag-submit(8) certmonger-ipa-submit(8)
       certmonger-local-submit(8) certmonger_selinux(8)

certmonger Manual                 20 June 2015                   certmonger(8)