certmonger(8)               System Manager's Manual              certmonger(8)

NAME

       dogtag-ipa-renew-agent-submit

SYNOPSIS

       dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL [-d dbdir]
       [-n nickname] [-i cainfo] [-C capath] [-c certfile] [-k keyfile]
       [-p pinfile] [-P pin] [-s serial (hex)] [-D serial (decimal)]
       [-S state] [-T profile] [-O param=value] [-N | -R] [-t]
       [-o option=value] [-v] [csrfile]

DESCRIPTION

       dogtag-ipa-renew-agent-submit is the helper which certmonger uses to
       make certificate renewal requests to Dogtag instances running on IPA
       servers.  It is not normally run interactively, but it can be for
       troubleshooting purposes.

       The preferred option is to request a renewal of an already-issued
       certificate, using its serial number, which can be read from a
       PEM-formatted certificate provided in the CERTMONGER_CERTIFICATE
       environment variable, or via the -s or -D option on the command line.
       If no serial number is provided, then the client will attempt to
       obtain a new certificate by submitting a signing request to the CA.

       The signing request which is to be submitted should either be in a
       file whose name is given as an argument, or fed into
       dogtag-ipa-renew-agent-submit via stdin.

       certmonger does not yet support retrieving trust information from
       Dogtag CAs.

OPTIONS

       -E EE-URL
              The top-level URL for the end-entity interface provided by the
              CA.  In IPA installations, this is typically
              http://SERVER:EEPORT/ca/ee/ca.  If no URL is specified, the
              host named in the [global] section in the /etc/ipa/default.conf
              file is used as the value of SERVER, and the value of EEPORT
              will be inferred based on the value of the dogtag_version in
              the [global] section in the /etc/ipa/default.conf file: if
              dogtag_version is set to 10 or more, EEPORT will be set to
              8080.  Otherwise it will be 9180.

       -A AGENT-URL
              The top-level URL for the agent interface provided by the CA.
              In IPA installations, this is typically
              https://SERVER:AGENTPORT/ca/agent/ca.  If no URL is specified,
              the host named in the [global] section in the
              /etc/ipa/default.conf file is used as the value of SERVER, and
              the value of AGENTPORT will be inferred based on the value of
              the dogtag_version in the [global] section in the
              /etc/ipa/default.conf file: if dogtag_version is set to 10 or
              more, AGENTPORT will be set to 8443.  Otherwise it will be
              9443.

       -d dbdir -n nickname -c certfile -k keyfile
              The location of the key and certificate which the client
              should use to authenticate to the CA's agent interface.
              Exactly which values are meaningful depends on which
              cryptography library your copy of libcurl was linked with.

              If none of these options are specified, and none of the -p,
              -P, -i, nor -C options are specified, then this set of
              defaults is used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -p pinfile
              The name of a file which contains a PIN/password which will be
              needed in order to make use of the agent credentials.

              If this option is not specified, and none of the -d, -n, -c,
              -k, -P, -i, nor -C options are specified, then this set of
              defaults is used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -i cainfo -C capath
              The location of a file containing a copy of the CA's
              certificate, against which the CA server's certificate will be
              verified, or a directory containing, among other things, such
              a file.

              If these options are not specified, and none of the -d, -n,
              -c, -k, -p, nor -P options are specified, then this set of
              defaults is used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -s serial
              The serial number of an already-issued certificate for which
              the client should attempt to obtain a new certificate, in
              hexadecimal form, if one cannot be read from the
              CERTMONGER_CERTIFICATE environment variable.

       -D serial
              The serial number of an already-issued certificate for which
              the client should attempt to obtain a new certificate, in
              decimal form, if one cannot be read from the
              CERTMONGER_CERTIFICATE environment variable.

       -S state
              A cookie value provided by a previous instance of this helper,
              if the helper is being asked to continue a multi-step
              enrollment process.  If the CERTMONGER_COOKIE environment
              variable is set, its value is used.

       -T profile/template
              The name of the type of certificate which the client should
              request from the CA if it is not renewing a certificate (per
              the -s option above).  If the CERTMONGER_CA_PROFILE
              environment variable is set, its value is used.  Otherwise,
              the default value is caServerCert.

       -O param=value
              An additional parameter to pass to the server when approving
              the signing request using the agent's credentials.  By
              default, any server-supplied default settings are applied.
              This option can be used either to override a server-supplied
              default setting, or to supply one which would otherwise have
              not been used.

       -N     Even if an already-issued certificate is available in the
              CERTMONGER_CERTIFICATE environment variable, or a serial
              number has been provided, don't attempt to renew a certificate
              using its serial number.  Instead, attempt to obtain a new
              certificate using the signing request.  The default behavior
              is to request a renewal if possible.

       -R     Negates the effect of the -N flag.

       -t     Instead of attempting to obtain a new certificate, query the
              server for a list of the enabled enrollment profiles.

       -o param=value
              When initially submitting a request to the CA, add the
              specified parameter and value along with any request
              parameters which would otherwise be sent.  This option is not
              typically used.

       -v     Increases the logging level.  Use twice for more logging.
              This option is mainly useful for troubleshooting.

EXIT STATUS

       0      if the certificate was issued.  The certificate will be
              printed.

       1      if the CA is still thinking.  A cookie (state) value will be
              printed.

       2      if the CA rejected the request.  An error message may be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error
              message may be printed.

       5      if the CA is still thinking.  A suggested poll delay
              (specified in seconds) and a cookie (state) value will be
              printed.

       17     if the CA indicates that the client needs to attempt
              enrollment using a new key pair.

FILES

       /etc/ipa/default.conf
              is the IPA client configuration file.  This file is consulted
              to determine the URL for the Dogtag server's end-entity and
              agent interfaces if they are not supplied as arguments.
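
       The fallback described under -E and -A above, worked through as an
       added shell example (this is not certmonger code; the sample
       default.conf files are constructed here, and reading the "host" and
       "dogtag_version" keys of [global] is an assumption about which
       entries the man page means):

```shell
#!/bin/sh
# Added example, not certmonger code: derive the default -E and -A
# URLs from the rule in this man page (dogtag_version >= 10 ->
# ports 8080/8443, otherwise 9180/9443).  Assumption: "the host
# named in [global]" is the "host" key of /etc/ipa/default.conf.

# Print the value of key $1 from the [global] section of ini file $2.
ipa_global_value() {
    awk -v key="$1" '
        /^\[/ { in_global = ($0 == "[global]"); next }
        in_global && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }
    ' "$2"
}

# Print "-E ... -A ..." for config file $1.  No host means critical
# configuration is missing, so return 4 like the helper's exit status.
default_urls() {
    server=$(ipa_global_value host "$1")
    version=$(ipa_global_value dogtag_version "$1")
    [ -n "$server" ] || { echo "no host in [global] of $1" >&2; return 4; }
    # A missing or non-numeric dogtag_version is treated as pre-10.
    if [ "${version:-0}" -ge 10 ] 2>/dev/null; then
        eeport=8080; agentport=8443
    else
        eeport=9180; agentport=9443
    fi
    echo "-E http://$server:$eeport/ca/ee/ca -A https://$server:$agentport/ca/agent/ca"
}

# Constructed sample configurations standing in for /etc/ipa/default.conf.
NEW_CONF=$(mktemp); OLD_CONF=$(mktemp)
trap 'rm -f "$NEW_CONF" "$OLD_CONF"' EXIT
cat >"$NEW_CONF" <<'EOF'
[global]
domain = example.test
host = ipa.example.test
dogtag_version = 10
EOF
cat >"$OLD_CONF" <<'EOF'
[global]
host=ipa-old.example.test
dogtag_version=9
EOF

default_urls "$NEW_CONF"   # 8080 / 8443
default_urls "$OLD_CONF"   # 9180 / 9443
```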

BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8) certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8)
       certmonger-scep-submit(8) certmonger_selinux(8)

certmonger Manual                 27 Oct 2015                    certmonger(8)