CERTMONGER(8)              System Manager's Manual             CERTMONGER(8)

NAME
       scep-submit

SYNOPSIS
       scep-submit -u SERVER-URL [-r ra-cert-file] [-R ca-cert-file] [-I
       other-certs-file] [-N ca-cert-file] [-i ca-identifier] [-v] [-n]
       [-c|-C|-g|-p] [pkimessage-filename]

DESCRIPTION
       scep-submit is the helper which certmonger can use to transmit
       certificate enrollment and renewal requests to servers using SCEP.
       It is not normally run interactively, but it can be for
       troubleshooting purposes.

       The request which is to be submitted should be a PEM-encoded SCEP
       pkiMessage either in a file whose name is given as an argument, or
       fed into scep-submit via stdin.

MODES
       -c, --retrieve-ca-capabilities
              scep-submit will issue a GetCACaps request to the server and
              print the results.

       -C, --retrieve-ca-certificates
              scep-submit will issue a GetCACert request to the server,
              parse the response, and then print, in order, the RA
              certificate, the CA certificate, and any additional
              certificates.

       -p, --pki-message
              scep-submit will issue a PKIOperation request to the server
              using the passed-in message as the message content. It will
              parse the server's response, verify the signature, and if the
              response includes an issued certificate, it will output the
              pkcsPKIEnvelope in PEM format. If the response indicates an
              error, it will print the error.

       -g, --get-initial-cert
              scep-submit will issue a PKIOperation request to the server
              using the passed-in message as the message content. It will
              parse the server's response, verify the signature, and if the
              response includes an issued certificate, it will output the
              pkcsPKIEnvelope in PEM format. If the response indicates an
              error, it will print the error.

OPTIONS
       -u URL, --url=URL
              The location of the SCEP interface provided by the CA. This
              is typically http://SERVER/cgi-bin/PKICLIENT.EXE or
              http://SERVER/certsrv/mscep/mscep.dll. This option is always
              required.

       -R FILE, --cacert=FILE
              The location of the CA certificate which was used to issue
              the SCEP web server's certificate in PEM form. If the URL
              specified with the -u option is an https URL, then this
              option is required.

       -N FILE, --signingca=FILE
              The location of a PEM-formatted copy of the SCEP server's CA
              certificate. A discovered value is normally supplied by the
              certmonger daemon, but one can be specified for
              troubleshooting purposes.

       -r FILE, --racert=FILE
              The location of the SCEP server's RA certificate, which is
              expected to be used for signing responses sent by the SCEP
              server back to the client. This option is required when
              either the -g flag or the -p flag is specified.

       -I FILE, --other-certs=FILE
              The location of a file containing other PEM-formatted
              certificates which may be needed in order to properly verify
              signed responses sent by the SCEP server back to the client.
              This option may be necessary when either the -g flag or the
              -p flag is specified.

       -i NAME, --ca-identifier=NAME
              When called with the -c or -C flag, this option can be used
              to specify the CA identifier which is passed to the server as
              part of the client's request. The default is "0".

       -n, --non-renewal
              The SCEP Renewal feature allows a client with a
              previously-issued certificate to use that certificate and the
              associated private key to request a new certificate for a
              different key pair, and can be used to support certmonger's
              rekeying feature if the SCEP server advertises support for
              it. This option forces the scep-submit helper to prefer to
              issue requests which do not make use of this feature.

       -v, --verbose
              Increases the logging level. Use twice for more logging. This
              option is mainly useful for troubleshooting.

EXIT STATUS
       0      if the certificate was issued. The pkcsPKIEnvelope will be
              printed in PEM-encoded form.

       1      if the CA is still thinking. A cookie (state) value will be
              printed.

       2      if the CA rejected the request. An error message may be
              printed.

       3      if the CA was unreachable. An error message may be printed.

       4      if critical configuration information is missing. An error
              message may be printed.

       5      if the CA is still thinking. A suggested poll delay
              (specified in seconds) and a cookie (state) value will be
              printed.

       16     if the helper needs an SCEP pkiMessage, but couldn't read
              one.

       17     if the CA indicates that the client needs to attempt
              enrollment using a new key pair.
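
When scep-submit is run by hand for troubleshooting, the option requirements under OPTIONS and the codes under EXIT STATUS can be checked mechanically. The following shell functions are an added example, not part of certmonger: the function names are hypothetical, options are assumed to be written in the forms shown on this page (separate short options, --long=VALUE), and scep_checked_run assumes scep-submit is on PATH.

```sh
# Added example, not part of certmonger; function names are hypothetical.
# scep_preflight checks an intended scep-submit argument list against the
# requirements stated in OPTIONS. It runs nothing and prints one line per
# problem; the exit status is 0 only when no problem was found.
scep_preflight() (
    url='' racert='' cacert='' pkiop=0 bad=0
    while [ $# -gt 0 ]; do
        case $1 in
            -u) url=${2-}; [ $# -le 1 ] || shift ;;
            --url=*) url=${1#--url=} ;;
            -r) racert=${2-}; [ $# -le 1 ] || shift ;;
            --racert=*) racert=${1#--racert=} ;;
            -R) cacert=${2-}; [ $# -le 1 ] || shift ;;
            --cacert=*) cacert=${1#--cacert=} ;;
            -I|-N|-i) [ $# -le 1 ] || shift ;;  # skip this option's value
            -g|--get-initial-cert|-p|--pki-message) pkiop=1 ;;
        esac
        shift
    done
    [ -n "$url" ] || { echo "-u/--url is always required"; bad=1; }
    case $url in
        https:*) [ -n "$cacert" ] ||
            { echo "https URL requires -R/--cacert"; bad=1; } ;;
    esac
    if [ "$pkiop" -eq 1 ] && [ -z "$racert" ]; then
        echo "-g/-p requires -r/--racert"; bad=1
    fi
    exit "$bad"
)

# Map an exit status listed under EXIT STATUS to the caller's next step.
scep_next_action() {
    case $1 in
        0)   echo issued ;;
        1|5) echo poll-again ;;       # CA still thinking: keep the cookie
        2)   echo rejected ;;
        3)   echo ca-unreachable ;;
        4)   echo fix-configuration ;;
        16)  echo supply-pkimessage ;;
        17)  echo rekey-then-enroll ;;
        *)   echo unknown ;;
    esac
}

# Preflight, then run the helper (assumed to be on PATH) and report.
scep_checked_run() {
    scep_preflight "$@" >&2 || return 4   # treated like exit status 4
    rc=0; scep-submit "$@" || rc=$?
    echo "exit $rc: $(scep_next_action "$rc")" >&2
    return "$rc"
}
```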

BUGS
       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO
       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-dogtag-submit(8) certmonger-ipa-submit(8)
       certmonger-local-submit(8) certmonger_selinux(8)

certmonger Manual                June 20, 2015                 CERTMONGER(8)