CERTMONGER(8)               System Manager's Manual              CERTMONGER(8)

NAME
       dogtag-submit

SYNOPSIS
       dogtag-submit -E EE-URL -A AGENT-URL [-d DIR] [-n NAME] [-i FILE]
       [-C DIR] [-c FILE] [-k FILE] [-p FILE] [-P PIN] [-s serial (hex)]
       [-D serial (decimal)] [-S state] [-T profile] [-O param=value]
       [-N | -R] [-t] [-o option=value] [-a] [-u username] [-U userdn]
       [-W PASSWORD] [-w FILE] [-Y PIN] [-y FILE] [-v] [csrfile]

DESCRIPTION
       dogtag-submit is the helper which certmonger can use to make
       certificate enrollment and renewal requests to Dogtag servers.  It is
       not normally run interactively, but it can be for troubleshooting
       purposes.

       The preferred option is to request a renewal of an already-issued
       certificate, using its serial number, which can be read from a
       PEM-formatted certificate provided in the CERTMONGER_CERTIFICATE
       environment variable, or via the -s or -D option on the command line.
       If no serial number is provided, then the client will attempt to
       obtain a new certificate by submitting a signing request to the CA.

       The signing request which is to be submitted should either be in a
       file whose name is given as an argument, or fed into dogtag-submit via
       stdin.

       certmonger does not yet support retrieving trust information from
       Dogtag CAs.

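As an added illustration (not certmonger's own code), the following Python reads the serial number out of the PEM certificate that CERTMONGER_CERTIFICATE carries and produces the -s (hex) or -D (decimal) renewal argument that the options below describe. The minimal DER walk, the function names and the constructed sample blobs are assumptions of this example, not anything the helper itself exposes.

```python
import base64
import os
import re

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length: N length bytes follow
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def serial_from_pem(pem):
    """Return the serialNumber of the first PEM certificate in pem as an int."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, pos, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(der, pos)              # tbsCertificate ::= SEQUENCE
    tag, start, end = _tlv(der, pos)          # version [0] EXPLICIT is optional (absent in v1)
    if tag == 0xA0:
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    return int.from_bytes(der[start:end], "big", signed=True)

def renewal_args(pem=None, hex_form=True):
    """Arguments that ask dogtag-submit to renew by serial: -s takes hex, -D decimal.
    Defaults to the CERTMONGER_CERTIFICATE variable, as the helper itself does."""
    if pem is None:
        pem = os.environ.get("CERTMONGER_CERTIFICATE", "")
    serial = serial_from_pem(pem)
    if serial < 0:
        raise ValueError("negative serial number: certificate is malformed")
    return ["-s", format(serial, "x")] if hex_form else ["-D", str(serial)]

def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed samples: DER prefixes holding only the leading TBSCertificate fields
# (a v3 one with a version field, a v1 one without), both with serial 0x0ABC = 2748.
# They are not valid certificates, just enough structure for the parser above.
SAMPLE_V3 = _pem(bytes.fromhex("300b" "3009" "a003020102" "02020abc"))
SAMPLE_V1 = _pem(bytes.fromhex("3006" "3004" "02020abc"))
```

With a real certificate in CERTMONGER_CERTIFICATE, renewal_args() with no arguments yields the same serial the helper would pick up on its own.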
OPTIONS
       -E EE-URL, --ee-url=EE-URL
              The top-level URL for the end-entity interface provided by the
              CA, through which the initial enrollment request will be
              submitted.  This is typically http://SERVER:EEPORT/ca/ee/ca.

       -A AGENT-URL, --agent-url=AGENT-URL
              The top-level URL for the agent interface provided by the CA,
              through which the request can be approved using agent
              credentials.  This is typically
              https://SERVER:AGENTPORT/ca/agent/ca.

       -i FILE, --cafile=FILE
              The location of a file containing a copy of the CA's
              certificate, against which the CA server's certificate will be
              verified.

       -C DIR, --capath=DIR
              The location of a directory containing a copy of the CA's
              certificate(s), against which the CA server's certificate will
              be verified.

       -D SERIAL, --serial=SERIAL
              The serial number of an already-issued certificate for which
              the client should attempt to obtain a new certificate, in
              decimal form, if one can not be read from the
              CERTMONGER_CERTIFICATE environment variable.

       -s SERIAL, --hex-serial=SERIAL
              The serial number of an already-issued certificate for which
              the client should attempt to obtain a new certificate, in
              hexadecimal form, if one can not be read from the
              CERTMONGER_CERTIFICATE environment variable.

       -S STATE, --state=STATE
              A cookie value provided by a previous instance of this helper,
              if the helper is being asked to continue a multi-step
              enrollment process.  If the CERTMONGER_COOKIE environment
              variable is set, its value is used.

       -T NAME, --profile=NAME
              The name of the type of certificate which the client should
              request from the CA if it is not renewing a certificate (per
              the -s option above).  If the CERTMONGER_CA_PROFILE
              environment variable is set, its value is used.  Otherwise,
              the default value is caServerCert.

       -O param=value, --approval-options=param=value
              An additional parameter to pass to the server when approving
              the signing request using agent credentials.  By default, any
              server-supplied default settings are applied.  This option
              can be used either to override a server-supplied default
              setting, or to supply one which would otherwise have not been
              used.  Requires the -A option.

       -N, --force-new
              Even if an already-issued certificate is available in the
              CERTMONGER_CERTIFICATE environment variable, or a serial
              number has been provided, don't attempt to renew a
              certificate using its serial number.  Instead, attempt to
              obtain a new certificate using the signing request.  The
              default behavior is to request a renewal if possible.

       -R, --force-renew
              Negates the effect of the -N flag.

       -t, --profile-list
              Instead of attempting to obtain a new certificate, query the
              server for a list of the enabled enrollment profiles.

       -o param=value, --submit-option=param=value
              When initially submitting a request to the CA, add the
              specified parameter and value along with any request
              parameters which would otherwise be sent.

       -a, --agent-submit
              Use agent credentials, specified using some combination of the
              -d, -n, -c, and -k flags, to authenticate to the CA when
              initially submitting a request to the CA or retrieving the
              list of enabled enrollment profiles.  This is typically
              required when the enrollment profile being used uses
              AgentCertAuth-based authentication (which in turn requires
              that the URL specified using the -E flag be an HTTPS URL), or
              whenever the URL specified using the -E flag is an HTTPS URL.

       -u username, --uid=username
              When initially submitting a request to the CA, supply the
              specified value as a user name.  This is typically required
              when the enrollment profile being used uses UidPwdDirAuth-based
              or NISAuth-based authentication.

       -U userdn, --upn=userdn
              When initially submitting a request to the CA, supply the
              specified value as the DN (distinguished name) of the user's
              entry in a directory server which the CA is configured to use
              for checking the user's password.  This is typically required
              when the enrollment profile being used uses UdnPwdDirAuth-based
              authentication.

       -W PASSWORD, --userpwd=PASSWORD
              When initially submitting a request to the CA, supply the
              specified value as the password for the user whose name is
              specified with the -u option, or whose DN is specified with
              the -U option.  This is typically only required when the
              enrollment profile being used uses UidPwdDirAuth-based,
              UserPwdDirAuth-based, or NISAuth-based authentication.  If the
              URL specified using the -E flag is not an HTTPS URL, this
              value will not be encrypted.

       -w FILE, --userpwdfile=FILE
              When initially submitting a request to the CA, read from the
              specified file a password to supply for the user whose name is
              specified with the -u option, or whose DN is specified with
              the -U option.  This is typically only required when the
              enrollment profile being used uses UidPwdDirAuth-based,
              UserPwdDirAuth-based, or NISAuth-based authentication.  If the
              URL specified using the -E flag is not an HTTPS URL, this
              value will not be encrypted.

       -Y PIN, --userpin=PIN
              When initially submitting a request to the CA, supply the
              specified value as the PIN for the user whose name is
              specified with the -u option, or whose DN is specified with
              the -U option.  This is typically only required when the
              enrollment profile being used uses UidPwdPinDirAuth-based
              authentication.  If the URL specified using the -E flag is not
              an HTTPS URL, this value will not be encrypted.

       -y FILE, --userpinfile=FILE
              When initially submitting a request to the CA, read from the
              specified file a PIN to supply for the user whose name is
              specified with the -u option, or whose DN is specified with
              the -U option.  This is typically only required when the
              enrollment profile being used uses UidPwdPinDirAuth-based
              authentication.  If the URL specified using the -E flag is not
              an HTTPS URL, this value will not be encrypted.

       -v, --verbose
              Increases the logging level.  Use twice for more logging.
              This option is mainly useful for troubleshooting.

       Options that provide the location for the private key and public
       certificate which the client should use to authenticate to the CA's
       agent interface.  The values to use depend on which cryptography
       library your copy of libcurl was linked with.

       -d DIR, --dbdir=DIR
              Use an NSS database in the specified directory for this
              certificate and key.  Only valid with -n.

       -n NAME, --nickname=NAME
              Use the NSS key with this nickname.  Only valid with -d.

       -c FILE, --certfile=FILE
              The PEM file that contains the public certificate.  Only valid
              with -k.

       -k FILE, --keyfile=FILE
              The PEM file that contains the private key.  Only valid with
              -c.

       -p FILE, --sslpinfile=FILE
              The name of a file which contains a PIN/password which will be
              needed in order to make use of the agent credentials.

       -P PIN, --sslpin=PIN
              The PIN/password which will be needed in order to make use of
              the agent credentials.

EXIT STATUS
       0      if the certificate was issued.  The certificate will be
              printed.

       1      if the CA is still thinking.  A cookie (state) value will be
              printed.

       2      if the CA rejected the request.  An error message may be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error
              message may be printed.

       5      if the CA is still thinking.  A suggested poll delay (specified
              in seconds) and a cookie (state) value will be printed.

       17     if the CA indicates that the client needs to attempt enrollment
              using a new key pair.


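To show how a caller consumes the exit statuses above, here is an added Python driver (not part of certmonger) that re-runs the helper with -S COOKIE for as long as the CA is still thinking and stops on any final status. The run/sleep hooks, the default delay for status 1 and the two-line layout assumed for the status 5 output (delay first, cookie after) are this example's assumptions, not something the page states.

```python
import subprocess
import time

# Exit statuses of dogtag-submit, as listed under EXIT STATUS.
ISSUED, WAIT, REJECTED, UNREACHABLE, CONFIG_ERROR, WAIT_WITH_DELAY, NEED_NEW_KEY = 0, 1, 2, 3, 4, 5, 17

def run_helper(argv):
    """Assumed default runner: execute the helper, return (exit status, stdout text)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout

def submit(argv, run=run_helper, sleep=time.sleep, default_delay=30, max_polls=20):
    """Drive one enrollment to a final status.  Returns (status, text): text is the
    certificate on ISSUED and whatever the helper printed otherwise.  While the CA
    is still thinking, the helper is re-run with -S COOKIE to continue the
    multi-step enrollment, exactly as the -S option describes."""
    cookie = None
    for _ in range(max_polls):
        status, out = run(argv + (["-S", cookie] if cookie else []))
        if status in (ISSUED, REJECTED, UNREACHABLE, CONFIG_ERROR, NEED_NEW_KEY):
            return status, out                      # final: nothing more to poll
        if status == WAIT:
            cookie, delay = out.strip(), default_delay   # page specifies no delay here
        elif status == WAIT_WITH_DELAY:
            # Assumed layout (not stated on the page): delay in seconds on the first
            # line, the cookie on the line(s) after it.
            first, _, rest = out.strip().partition("\n")
            cookie, delay = rest, int(first)
        else:
            raise RuntimeError("unexpected helper exit status %d" % status)
        sleep(delay)
    raise TimeoutError("CA still pending after %d polls" % max_polls)
```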
BUGS
       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO
       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-ipa-submit(8)
       certmonger-local-submit(8) certmonger-scep-submit(8)
       certmonger_selinux(8)



certmonger Manual               October 27, 2015                 CERTMONGER(8)