certmonger(8)                System Manager's Manual                certmonger(8)

NAME
       dogtag-submit

SYNOPSIS
       dogtag-submit -E EE-URL -A AGENT-URL [-d dbdir] [-n nickname] [-i cainfo]
       [-C capath] [-c certfile] [-k keyfile] [-p pinfile] [-P pin]
       [-s serial (hex)] [-D serial (decimal)] [-S state] [-T profile]
       [-O param=value] [-N | -R] [-t] [-o option=value] [-a] [-u username]
       [-U userdn] [-W userpassword] [-w userpasswordfile] [-Y userpin]
       [-y userpinfile] [-v] [csrfile]

DESCRIPTION
       dogtag-submit is the helper which certmonger can use to make
       certificate enrollment and renewal requests to Dogtag servers. It is
       not normally run interactively, but it can be for troubleshooting
       purposes.

       The preferred option is to request a renewal of an already-issued
       certificate, using its serial number, which can be read from a
       PEM-formatted certificate provided in the CERTMONGER_CERTIFICATE
       environment variable, or via the -s or -D option on the command line.
       If no serial number is provided, then the client will attempt to
       obtain a new certificate by submitting a signing request to the CA.

       The signing request which is to be submitted should either be in a
       file whose name is given as an argument, or fed into dogtag-submit via
       stdin.

       certmonger does not yet support retrieving trust information from
       Dogtag CAs.

OPTIONS
       -E EE-URL
              The top-level URL for the end-entity interface provided by the
              CA, through which the initial enrollment request will be
              submitted. This is typically http://SERVER:EEPORT/ca/ee/ca.

       -A AGENT-URL
              The top-level URL for the agent interface provided by the CA,
              through which the request can be approved using agent
              credentials. This is typically
              https://SERVER:AGENTPORT/ca/agent/ca.

       -d dbdir -n nickname -c certfile -k keyfile
              The location of the key and certificate which the client should
              use to authenticate to the CA's agent interface. Exactly which
              values are meaningful depends on which cryptography library
              your copy of libcurl was linked with.

       -p pinfile
              The name of a file which contains a PIN/password which will be
              needed in order to make use of the agent credentials.

       -i cainfo -C capath
              The location of a file containing a copy of the CA's
              certificate, against which the CA server's certificate will be
              verified, or a directory containing, among other things, such a
              file.

       -s serial
              The serial number, in hexadecimal form, of an already-issued
              certificate for which the client should attempt to obtain a new
              certificate, if one can not be read from the
              CERTMONGER_CERTIFICATE environment variable.

       -D serial
              The serial number, in decimal form, of an already-issued
              certificate for which the client should attempt to obtain a new
              certificate, if one can not be read from the
              CERTMONGER_CERTIFICATE environment variable.

       -S state
              A cookie value provided by a previous instance of this helper,
              if the helper is being asked to continue a multi-step
              enrollment process. If the CERTMONGER_COOKIE environment
              variable is set, its value is used.

       -T profile/template
              The name of the type of certificate which the client should
              request from the CA if it is not renewing a certificate (per
              the -s option above). If the CERTMONGER_CA_PROFILE environment
              variable is set, its value is used. Otherwise, the default
              value is caServerCert.

       -O param=value
              An additional parameter to pass to the server when approving
              the signing request using agent credentials. By default, any
              server-supplied default settings are applied. This option can
              be used either to override a server-supplied default setting,
              or to supply one which would otherwise not have been used.
              Requires the -A option.

       -N     Even if an already-issued certificate is available in the
              CERTMONGER_CERTIFICATE environment variable, or a serial number
              has been provided, don't attempt to renew a certificate using
              its serial number. Instead, attempt to obtain a new certificate
              using the signing request. The default behavior is to request
              a renewal if possible.

       -R     Negates the effect of the -N flag.

       -t     Instead of attempting to obtain a new certificate, query the
              server for a list of the enabled enrollment profiles.

       -o param=value
              When initially submitting a request to the CA, add the
              specified parameter and value along with any request parameters
              which would otherwise be sent.

       -a     Use agent credentials, specified using some combination of the
              -d, -n, -c, and -k flags, to authenticate to the CA when
              initially submitting a request to the CA or retrieving the list
              of enabled enrollment profiles. This is typically required when
              the enrollment profile being used uses AgentCertAuth-based
              authentication (in which case the URL specified using the -E
              flag must be an HTTPS URL), or whenever the URL specified using
              the -E flag is an HTTPS URL.

       -u username
              When initially submitting a request to the CA, supply the
              specified value as a user name. This is typically required when
              the enrollment profile being used uses UidPwdDirAuth-based or
              NISAuth-based authentication.

       -U userdn
              When initially submitting a request to the CA, supply the
              specified value as the DN (distinguished name) of the user's
              entry in a directory server which the CA is configured to use
              for checking the user's password. This is typically required
              when the enrollment profile being used uses UdnPwdDirAuth-based
              authentication.

       -W userpassword
              When initially submitting a request to the CA, supply the
              specified value as the password for the user whose name is
              specified with the -u option, or whose DN is specified with the
              -U option. This is typically only required when the enrollment
              profile being used uses UidPwdDirAuth-based,
              UserPwdDirAuth-based, or NISAuth-based authentication. If the
              URL specified using the -E flag is not an HTTPS URL, this value
              will not be encrypted.

       -w userpasswordfile
              When initially submitting a request to the CA, read from the
              specified file a password to supply for the user whose name is
              specified with the -u option, or whose DN is specified with the
              -U option. This is typically only required when the enrollment
              profile being used uses UidPwdDirAuth-based,
              UserPwdDirAuth-based, or NISAuth-based authentication. If the
              URL specified using the -E flag is not an HTTPS URL, this value
              will not be encrypted.

       -Y userpin
              When initially submitting a request to the CA, supply the
              specified value as the PIN for the user whose name is specified
              with the -u option, or whose DN is specified with the -U
              option. This is typically only required when the enrollment
              profile being used uses UidPwdPinDirAuth-based authentication.
              If the URL specified using the -E flag is not an HTTPS URL,
              this value will not be encrypted.

       -y userpinfile
              When initially submitting a request to the CA, read from the
              specified file a PIN to supply for the user whose name is
              specified with the -u option, or whose DN is specified with the
              -U option. This is typically only required when the enrollment
              profile being used uses UidPwdPinDirAuth-based authentication.
              If the URL specified using the -E flag is not an HTTPS URL,
              this value will not be encrypted.

       -v     Increases the logging level. Use twice for more logging. This
              option is mainly useful for troubleshooting.

EXIT STATUS
       0      if the certificate was issued. The certificate will be printed.

       1      if the CA is still thinking. A cookie (state) value will be
              printed.

       2      if the CA rejected the request. An error message may be
              printed.

       3      if the CA was unreachable. An error message may be printed.

       4      if critical configuration information is missing. An error
              message may be printed.

       5      if the CA is still thinking. A suggested poll delay (specified
              in seconds) and a cookie (state) value will be printed.

       17     if the CA indicates that the client needs to attempt enrollment
              using a new key pair.

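As an added example (not part of the certmonger man page or its code), a small Python driver that assembles the helper's command line from the options above and acts on the exit statuses just listed. It assumes dogtag-submit is on PATH and that the status-5 output carries the poll delay on its first line and the cookie after it; refusing directory-auth credentials over plain http is this example's own policy, based on the page's note that such values are sent unencrypted.

```python
import os
import subprocess

# Exit statuses documented for dogtag-submit (EXIT STATUS above).
ISSUED, WAIT, REJECTED, UNREACHABLE, CONFIG_MISSING, WAIT_WITH_DELAY, NEED_NEW_KEY = 0, 1, 2, 3, 4, 5, 17


def build_command(ee_url, agent_url, csr_file=None, serial_hex=None, profile=None,
                  state=None, username=None, password_file=None):
    """Assemble a dogtag-submit argv. The user password goes through -w (a file) rather
    than -W, so it never shows up in the process list; directory-auth credentials are
    refused over plain http because the page says they would be sent unencrypted."""
    if username and not ee_url.lower().startswith("https://"):
        raise ValueError("refusing to send user credentials to a non-HTTPS -E URL")
    argv = ["dogtag-submit", "-E", ee_url, "-A", agent_url]
    if serial_hex:
        argv += ["-s", serial_hex]      # renew by serial number, hex form
    if profile:
        argv += ["-T", profile]         # enrollment profile for a new request
    if state:
        argv += ["-S", state]           # cookie from a previous helper run
    if username:
        argv += ["-u", username, "-w", password_file]
    if csr_file:
        argv.append(csr_file)           # otherwise the CSR is read from stdin
    return argv


def interpret(rc, stdout):
    """Translate the helper's exit status plus stdout into the caller's next step."""
    if rc == ISSUED:
        return {"action": "install", "certificate": stdout}
    if rc == WAIT:
        return {"action": "poll", "delay": None, "cookie": stdout.strip()}
    if rc == WAIT_WITH_DELAY:
        # Assumed layout: poll delay in seconds on the first line, cookie after it.
        delay, _, cookie = stdout.strip().partition("\n")
        return {"action": "poll", "delay": int(delay), "cookie": cookie.strip()}
    if rc == NEED_NEW_KEY:
        return {"action": "rekey"}
    action, reason = {REJECTED: ("fail", "rejected"), UNREACHABLE: ("retry", "unreachable"),
                      CONFIG_MISSING: ("fail", "config-missing")}.get(rc, ("fail", f"unknown status {rc}"))
    return {"action": action, "reason": reason, "message": stdout.strip()}


def submit_once(argv, cookie=None, run=subprocess.run):
    """Run the helper once; certmonger hands the state cookie over via CERTMONGER_COOKIE."""
    env = {**os.environ, "CERTMONGER_COOKIE": cookie} if cookie else dict(os.environ)
    proc = run(argv, env=env, capture_output=True, text=True)
    return interpret(proc.returncode, proc.stdout)
```

A caller loops on "poll" results, sleeping for the returned delay and re-running with the cookie, and stops on "install", "fail" or "rekey".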
BUGS
       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO
       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8) certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8)
       certmonger-scep-submit(8) certmonger_selinux(8)

certmonger Manual                  27 Oct 2015                      certmonger(8)