certmonger(8)              System Manager's Manual              certmonger(8)

NAME
       dogtag-ipa-renew-agent-submit

SYNOPSIS
       dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL [-d dbdir]
       [-n nickname] [-i cainfo] [-C capath] [-c certfile] [-k keyfile]
       [-p pinfile] [-P pin] [-s serial (hex)] [-D serial (decimal)]
       [-S state] [-T profile] [-O param=value] [-N | -R] [-t]
       [-o option=value] [-v] [csrfile]
15
16
18 dogtag-ipa-renew-agent-submit is the helper which certmonger uses to
19 make certificate renewal requests to Dogtag instances running on IPA
20 servers. It is not normally run interactively, but it can be for trou‐
21 bleshooting purposes.
22
23 The preferred option is to request a renewal of an already-issued cer‐
24 tificate, using its serial number, which can be read from a PEM-format‐
25 ted certificate provided in the CERTMONGER_CERTIFICATE environment
26 variable, or via the -s or -D option on the command line. If no serial
27 number is provided, then the client will attempt to obtain a new cer‐
28 tificate by submitting a signing request to the CA.
29
30 The signing request which is to be submitted should either be in a file
31 whose name is given as an argument, or fed into dogtag-ipa-renew-agent-
32 submit via stdin.
33
34 certmonger does not yet support retrieving trust information from Dog‐
35 tag CAs.
36
OPTIONS
       -E EE-URL
              The top-level URL for the end-entity interface provided by the
              CA.  In IPA installations, this is typically
              http://SERVER:EEPORT/ca/ee/ca.  If no URL is specified, the
              host named in the [global] section in the
              /etc/ipa/default.conf file is used as the value of SERVER, and
              the value of EEPORT will be inferred based on the value of the
              dogtag_version in the [global] section in the
              /etc/ipa/default.conf file: if dogtag_version is set to 10 or
              more, EEPORT will be set to 8080.  Otherwise it will be 9180.

       -A AGENT-URL
              The top-level URL for the agent interface provided by the CA.
              In IPA installations, this is typically
              https://SERVER:AGENTPORT/ca/agent/ca.  If no URL is specified,
              the host named in the [global] section in the
              /etc/ipa/default.conf file is used as the value of SERVER, and
              the value of AGENTPORT will be inferred based on the value of
              the dogtag_version in the [global] section in the
              /etc/ipa/default.conf file: if dogtag_version is set to 10 or
              more, AGENTPORT will be set to 8443.  Otherwise it will be
              9443.

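       The URL defaulting described for -E and -A, as an added shell example
       that is not certmonger's own code: it reads a constructed
       /etc/ipa/default.conf-style file and derives both URLs, and returns 4
       (the helper's "missing configuration" status) when no host is found.
       It assumes the server name is stored under a key called host in the
       [global] section and that dogtag_version may carry a minor version
       (only the leading integer is compared); neither detail is stated on
       this page.

```shell
#!/bin/sh
# Added example (not certmonger's code): reproduce the default EE-URL and
# AGENT-URL derivation from an /etc/ipa/default.conf-style file.
# Assumption: the server name lives under the key "host" in [global]; the
# man page only says "the host named in the [global] section".

# Print the value of KEY from the [global] section of FILE, or nothing.
ini_global_value() {
    awk -v key="$2" '
        # A section header switches matching on only for [global].
        /^[[:space:]]*\[/ { insection = ($0 ~ /^[[:space:]]*\[global\][[:space:]]*$/); next }
        insection && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# Port selection rule from the OPTIONS section: dogtag_version >= 10 means
# 8080 (EE) and 8443 (agent); anything else means 9180 and 9443.
# A version like "10.2" is reduced to its leading integer (assumption).
ee_port_for_version() {
    major=${1%%.*}
    if [ "${major:-0}" -ge 10 ] 2>/dev/null; then echo 8080; else echo 9180; fi
}
agent_port_for_version() {
    major=${1%%.*}
    if [ "${major:-0}" -ge 10 ] 2>/dev/null; then echo 8443; else echo 9443; fi
}

# Return 4, like the helper does for missing critical configuration, when
# the [global] section names no host.
default_ee_url() {
    server=$(ini_global_value "$1" host)
    if [ -z "$server" ]; then
        echo "no host in [global] section of $1" >&2
        return 4
    fi
    version=$(ini_global_value "$1" dogtag_version)
    echo "http://$server:$(ee_port_for_version "$version")/ca/ee/ca"
}
default_agent_url() {
    server=$(ini_global_value "$1" host)
    if [ -z "$server" ]; then
        echo "no host in [global] section of $1" >&2
        return 4
    fi
    version=$(ini_global_value "$1" dogtag_version)
    echo "https://$server:$(agent_port_for_version "$version")/ca/agent/ca"
}

# Constructed sample configuration (not from any real installation).
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
[global]
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
host = ipa.example.test
dogtag_version = 10
[other]
host = not-this-one.example.test
EOF

default_ee_url "$sample_conf"      # http://ipa.example.test:8080/ca/ee/ca
default_agent_url "$sample_conf"   # https://ipa.example.test:8443/ca/agent/ca
```

       Note that the derived end-entity URL is plain http while the agent
       URL is https, exactly as the option descriptions above state; the
       agent side is the one that carries the credentials named under -d,
       -n, -c and -k.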
       -d dbdir -n nickname -c certfile -k keyfile
              The location of the key and certificate which the client
              should use to authenticate to the CA's agent interface.
              Exactly which values are meaningful depends on which
              cryptography library your copy of libcurl was linked with.

              If none of these options are specified, and none of the -p,
              -P, -i, nor -C options are specified, then this set of
              defaults is used:
                     -i /etc/ipa/ca.crt
                     -d /etc/httpd/alias
                     -n ipaCert
                     -p /etc/httpd/alias/pwdfile.txt

       -p pinfile
              The name of a file which contains a PIN/password which will be
              needed in order to make use of the agent credentials.

              If this option is not specified, and none of the -d, -n, -c,
              -k, -P, -i, nor -C options are specified, then this set of
              defaults is used:
                     -i /etc/ipa/ca.crt
                     -d /etc/httpd/alias
                     -n ipaCert
                     -p /etc/httpd/alias/pwdfile.txt

       -i cainfo -C capath
              The location of a file containing a copy of the CA's
              certificate, against which the CA server's certificate will be
              verified, or a directory containing, among other things, such
              a file.

              If these options are not specified, and none of the -d, -n,
              -c, -k, -p, nor -P options are specified, then this set of
              defaults is used:
                     -i /etc/ipa/ca.crt
                     -d /etc/httpd/alias
                     -n ipaCert
                     -p /etc/httpd/alias/pwdfile.txt

       -s serial
              The serial number of an already-issued certificate for which
              the client should attempt to obtain a new certificate, in
              hexadecimal form, if one cannot be read from the
              CERTMONGER_CERTIFICATE environment variable.

       -D serial
              The serial number of an already-issued certificate for which
              the client should attempt to obtain a new certificate, in
              decimal form, if one cannot be read from the
              CERTMONGER_CERTIFICATE environment variable.

       -S state
              A cookie value provided by a previous instance of this helper,
              if the helper is being asked to continue a multi-step
              enrollment process.  If the CERTMONGER_COOKIE environment
              variable is set, its value is used.

       -T profile/template
              The name of the type of certificate which the client should
              request from the CA if it is not renewing a certificate (per
              the -s option above).  If the CERTMONGER_CA_PROFILE
              environment variable is set, its value is used.  Otherwise,
              the default value is caServerCert.

       -O param=value
              An additional parameter to pass to the server when approving
              the signing request using the agent's credentials.  By
              default, any server-supplied default settings are applied.
              This option can be used either to override a server-supplied
              default setting, or to supply one which would otherwise not
              have been used.

       -N     Even if an already-issued certificate is available in the
              CERTMONGER_CERTIFICATE environment variable, or a serial
              number has been provided, don't attempt to renew a certificate
              using its serial number.  Instead, attempt to obtain a new
              certificate using the signing request.  The default behavior
              is to request a renewal if possible.

       -R     Negates the effect of the -N flag.

       -t     Instead of attempting to obtain a new certificate, query the
              server for a list of the enabled enrollment profiles.

       -o param=value
              When initially submitting a request to the CA, add the
              specified parameter and value along with any request
              parameters which would otherwise be sent.  This option is not
              typically used.

       -v     Increases the logging level.  Use twice for more logging.
              This option is mainly useful for troubleshooting.

EXIT STATUS
       0      if the certificate was issued.  The certificate will be
              printed.

       1      if the CA is still thinking.  A cookie (state) value will be
              printed.

       2      if the CA rejected the request.  An error message may be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error
              message may be printed.

       5      if the CA is still thinking.  A suggested poll delay
              (specified in seconds) and a cookie (state) value will be
              printed.

       17     if the CA indicates that the client needs to attempt
              enrollment using a new key pair.

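       The exit codes above form a small state machine: 1 and 5 mean the
       request is pending and the printed cookie must be handed back with
       -S on the next run, while everything else is final.  The following
       is an added shell example, not certmonger's own code, of a wrapper
       that does that polling.  It takes the helper command as a parameter
       so a constructed stand-in can exercise it offline; the assumed
       output layout (on status 5 the first line is the delay in seconds
       and the remaining lines the cookie, on status 1 the whole output is
       the cookie), the 30-second default delay for status 1, and the
       stand-in's behaviour are not specified on this page.

```shell
#!/bin/sh
# Added example (not certmonger's code): poll dogtag-ipa-renew-agent-submit
# through its "still thinking" exit codes, re-submitting the cookie with -S.

# Map an exit status to the outcome listed under EXIT STATUS.
describe_status() {
    case $1 in
        0)   echo "issued" ;;
        1|5) echo "pending" ;;
        2)   echo "rejected" ;;
        3)   echo "unreachable" ;;
        4)   echo "misconfigured" ;;
        17)  echo "rekey-required" ;;
        *)   echo "unknown" ;;
    esac
}

# Run HELPER (a command string such as "dogtag-ipa-renew-agent-submit -s 1a",
# itself an assumed invocation) up to MAX_ROUNDS times.  On status 5 or 1 the
# cookie is passed back via -S on the next round; any other status is final.
# Output-layout assumptions: status 5 prints the delay on the first line and
# the cookie after it; status 1 prints only the cookie (default delay 30 s).
renew_with_polling() {
    helper=$1; max_rounds=${2:-5}; cookie=""; round=0
    while [ "$round" -lt "$max_rounds" ]; do
        round=$((round + 1))
        if [ -n "$cookie" ]; then
            out=$($helper -S "$cookie") && status=0 || status=$?
        else
            out=$($helper) && status=0 || status=$?
        fi
        case $status in
            0) printf '%s\n' "$out"; return 0 ;;   # certificate issued
            5) delay=$(printf '%s\n' "$out" | sed -n 1p)
               cookie=$(printf '%s\n' "$out" | sed 1d) ;;
            1) delay=30; cookie=$out ;;
            *) echo "helper exited $status ($(describe_status "$status"))" >&2
               [ -n "$out" ] && printf '%s\n' "$out" >&2
               return "$status" ;;
        esac
        sleep "$delay"
    done
    echo "request still pending after $max_rounds rounds; last cookie: $cookie" >&2
    return 1
}

# Constructed stand-in for the helper so the wrapper runs offline: the first
# call reports "still thinking" (status 5) with a 0-second delay and a cookie;
# the call that brings that cookie back gets a constructed certificate.
fake_helper() {
    if [ "${1:-}" = "-S" ] && [ "${2:-}" = "cookie-42" ]; then
        printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed)' '-----END CERTIFICATE-----'
        return 0
    fi
    printf '0\ncookie-42\n'
    return 5
}

renew_with_polling fake_helper 3
```

       A wrapper like this is where a deployment should log the final
       status: 2, 3 and 4 are the ones worth alerting on, and 17 means the
       existing key pair must not be reused for the next attempt.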
FILES
       /etc/ipa/default.conf
              is the IPA client configuration file.  This file is consulted
              to determine the URL for the Dogtag server's end-entity and
              agent interfaces if they are not supplied as arguments.

BUGS
       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO
       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8) certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8)
       certmonger-scep-submit(8) certmonger_selinux(8)



certmonger Manual                 27 Oct 2015                   certmonger(8)