certmonger(8)               System Manager's Manual              certmonger(8)

NAME

       dogtag-submit

SYNOPSIS

       dogtag-submit  -E  EE-URL  -A  AGENT-URL  [-d  dbdir] [-n nickname]
       [-i cainfo] [-C capath] [-c certfile] [-k keyfile] [-p pinfile]
       [-P pin] [-s serial (hex)] [-D serial (decimal)] [-S state]
       [-T profile] [-O param=value] [-N | -R] [-t] [-o option=value] [-a]
       [-u username] [-U userdn] [-W userpassword] [-w userpasswordfile]
       [-Y userpin] [-y userpinfile] [-v] [csrfile]

DESCRIPTION

       dogtag-submit is the helper which certmonger can use to make
       certificate enrollment and renewal requests to Dogtag servers.  It is
       not normally run interactively, but it can be for troubleshooting
       purposes.

       The preferred option is to request a renewal of an already-issued
       certificate, using its serial number, which can be read from a
       PEM-formatted certificate provided in the CERTMONGER_CERTIFICATE
       environment variable, or via the -s or -D option on the command line.
       If no serial number is provided, then the client will attempt to
       obtain a new certificate by submitting a signing request to the CA.

       The signing request which is to be submitted should either be in a
       file whose name is given as an argument, or fed into dogtag-submit
       via stdin.

       certmonger does not yet support retrieving trust information from
       Dogtag CAs.

OPTIONS

       -E EE-URL
              The top-level URL for the end-entity interface provided by the
              CA, through which the initial enrollment request will be
              submitted.  This is typically http://SERVER:EEPORT/ca/ee/ca.

       -A AGENT-URL
              The top-level URL for the agent interface provided by the CA,
              through which the request can be approved using agent
              credentials.  This is typically
              https://SERVER:AGENTPORT/ca/agent/ca.

       -d dbdir -n nickname -c certfile -k keyfile
              The location of the key and certificate which the client
              should use to authenticate to the CA's agent interface.
              Exactly which values are meaningful depends on which
              cryptography library your copy of libcurl was linked with.

       -p pinfile
              The name of a file which contains a PIN/password which will be
              needed in order to make use of the agent credentials.

       -i cainfo -C capath
              The location of a file containing a copy of the CA's
              certificate, against which the CA server's certificate will be
              verified, or a directory containing, among other things, such
              a file.

       -s serial
              The serial number of an already-issued certificate for which
              the client should attempt to obtain a new certificate, in
              hexadecimal form, if one cannot be read from the
              CERTMONGER_CERTIFICATE environment variable.

       -D serial
              The serial number of an already-issued certificate for which
              the client should attempt to obtain a new certificate, in
              decimal form, if one cannot be read from the
              CERTMONGER_CERTIFICATE environment variable.

       -S state
              A cookie value provided by a previous instance of this helper,
              if the helper is being asked to continue a multi-step
              enrollment process.  If the CERTMONGER_COOKIE environment
              variable is set, its value is used.

       -T profile/template
              The name of the type of certificate which the client should
              request from the CA if it is not renewing a certificate (per
              the -s option above).  If the CERTMONGER_CA_PROFILE
              environment variable is set, its value is used.  Otherwise,
              the default value is caServerCert.

       -O param=value
              An additional parameter to pass to the server when approving
              the signing request using agent credentials.  By default, any
              server-supplied default settings are applied.  This option can
              be used either to override a server-supplied default setting,
              or to supply one which would otherwise not have been used.
              Requires the -A option.

       -N     Even if an already-issued certificate is available in the
              CERTMONGER_CERTIFICATE environment variable, or a serial
              number has been provided, don't attempt to renew a certificate
              using its serial number.  Instead, attempt to obtain a new
              certificate using the signing request.  The default behavior
              is to request a renewal if possible.

       -R     Negates the effect of the -N flag.

       -t     Instead of attempting to obtain a new certificate, query the
              server for a list of the enabled enrollment profiles.

       -o param=value
              When initially submitting a request to the CA, add the
              specified parameter and value along with any request
              parameters which would otherwise be sent.

       -a     Use agent credentials, specified using some combination of the
              -d, -n, -c, and -k flags, to authenticate to the CA when
              initially submitting a request to the CA or retrieving the
              list of enabled enrollment profiles.  This is typically
              required when the enrollment profile being used uses
              AgentCertAuth-based authentication, and requires that the URL
              specified using the -E flag be an HTTPS URL, or when the URL
              specified using the -E flag is an HTTPS URL.

       -u username
              When initially submitting a request to the CA, supply the
              specified value as a user name.  This is typically required
              when the enrollment profile being used uses
              UidPwdDirAuth-based or NISAuth-based authentication.

       -U userdn
              When initially submitting a request to the CA, supply the
              specified value as the DN (distinguished name) of the user's
              entry in a directory server which the CA is configured to use
              for checking the user's password.  This is typically required
              when the enrollment profile being used uses
              UdnPwdDirAuth-based authentication.

       -W userpassword
              When initially submitting a request to the CA, supply the
              specified value as the password for the user whose name is
              specified with the -u option, or whose DN is specified with
              the -U option.  This is typically only required when the
              enrollment profile being used uses UidPwdDirAuth-based,
              UserPwdDirAuth-based, or NISAuth-based authentication.  If the
              URL specified using the -E flag is not an HTTPS URL, this
              value will not be encrypted.

       -w userpasswordfile
              When initially submitting a request to the CA, read from the
              specified file a password to supply for the user whose name is
              specified with the -u option, or whose DN is specified with
              the -U option.  This is typically only required when the
              enrollment profile being used uses UidPwdDirAuth-based,
              UserPwdDirAuth-based, or NISAuth-based authentication.  If the
              URL specified using the -E flag is not an HTTPS URL, this
              value will not be encrypted.

       -Y userpin
              When initially submitting a request to the CA, supply the
              specified value as the PIN for the user whose name is
              specified with the -u option, or whose DN is specified with
              the -U option.  This is typically only required when the
              enrollment profile being used uses UidPwdPinDirAuth-based
              authentication.  If the URL specified using the -E flag is not
              an HTTPS URL, this value will not be encrypted.

       -y userpinfile
              When initially submitting a request to the CA, read from the
              specified file a PIN to supply for the user whose name is
              specified with the -u option, or whose DN is specified with
              the -U option.  This is typically only required when the
              enrollment profile being used uses UidPwdPinDirAuth-based
              authentication.  If the URL specified using the -E flag is not
              an HTTPS URL, this value will not be encrypted.

       -v     Increases the logging level.  Use twice for more logging.
              This option is mainly useful for troubleshooting.
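
       Added example (not part of the certmonger manual or its source): a
       pre-flight check for a dogtag-submit argument list, applying the
       constraints stated under -a, -O and -W/-w/-Y/-y above.  The function
       name, finding labels, host name and sample values are assumptions of
       this example.

```shell
#!/bin/sh
# Added example: lint a dogtag-submit argument list before running it.
# Option letters come from the SYNOPSIS; the function name and the
# finding labels are assumptions of this example, not certmonger output.
lint_dogtag_args() {
    _ee="" _agent="" _secret="" _inline="" _a=0 _O=0 _bad=0
    OPTIND=1
    while getopts ":E:A:d:n:i:C:c:k:p:P:s:D:S:T:O:NRto:au:U:W:w:Y:y:v" _opt "$@"; do
        case "$_opt" in
            E) _ee=$OPTARG ;;
            A) _agent=$OPTARG ;;
            W|Y) _secret="$_secret -$_opt"; _inline="$_inline -$_opt" ;;
            w|y) _secret="$_secret -$_opt" ;;
            P) _inline="$_inline -$_opt" ;;
            a) _a=1 ;;
            O) _O=1 ;;
            \?|:) echo "BAD_OPTION -$OPTARG"; return 2 ;;
        esac
    done
    case "$_ee" in
        [Hh][Tt][Tt][Pp][Ss]://*) _https=1 ;;
        *) _https=0 ;;
    esac
    # -W/-w/-Y/-y: "If the URL specified using the -E flag is not an
    # HTTPS URL, this value will not be encrypted."
    if [ -n "$_secret" ] && [ "$_https" -eq 0 ]; then
        echo "CLEARTEXT_SECRET$_secret"; _bad=1
    fi
    # -a requires that the -E URL be an HTTPS URL.
    if [ "$_a" -eq 1 ] && [ "$_https" -eq 0 ]; then
        echo "AGENT_AUTH_NEEDS_HTTPS"; _bad=1
    fi
    # -O "Requires the -A option."
    if [ "$_O" -eq 1 ] && [ -z "$_agent" ]; then
        echo "O_WITHOUT_A"; _bad=1
    fi
    # Secrets passed as arguments are visible in the process list;
    # the synopsis offers file-based forms (-w, -y, -p) instead.
    if [ -n "$_inline" ]; then
        echo "INLINE_SECRET$_inline"; _bad=1
    fi
    return "$_bad"
}

# Constructed sample invocation (host name and values are placeholders).
lint_dogtag_args -E http://ca.example.test:8080/ca/ee/ca \
    -u alice -W 'constructed-password' -O param=value || true
```

       The function prints one finding per line and returns non-zero when
       any finding is present, so it can gate a troubleshooting run.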

EXIT STATUS

       0      if the certificate was issued.  The certificate will be
              printed.

       1      if the CA is still thinking.  A cookie (state) value will be
              printed.

       2      if the CA rejected the request.  An error message may be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error
              message may be printed.

       5      if the CA is still thinking.  A suggested poll delay
              (specified in seconds) and a cookie (state) value will be
              printed.

       17     if the CA indicates that the client needs to attempt
              enrollment using a new key pair.

BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-ipa-submit(8)
       certmonger-local-submit(8) certmonger-scep-submit(8)
       certmonger_selinux(8)

certmonger Manual                 27 Oct 2015                    certmonger(8)