CERTMONGER(8)               System Manager's Manual              CERTMONGER(8)


NAME

       ipa-submit


SYNOPSIS

       ipa-submit [-h serverHost] [-H serverURL] [-d domain] [-L ldapurl]
       [-b basedn] [-c cafile] [-C capath] [[-K] | [-t keytab]
       [-k submitterPrincipal]] [-u UID] [-W PASSWORD] [-w FILE]
       [-P principalOfRequest] [-T profile] [-X issuer] [csrfile]


DESCRIPTION

       ipa-submit is the helper which certmonger uses to make requests to
       IPA-based CAs.  It is not normally run interactively, but it can be for
       troubleshooting purposes.  The signing request which is to be submitted
       should either be in a file whose name is given as an argument, or fed
       into ipa-submit via stdin.

       certmonger supports retrieving trusted certificates from IPA CAs.  See
       getcert-request(1) and getcert-resubmit(1) for information about
       specifying where those certificates should be stored on the local
       system.  Trusted certificates are retrieved from the caCertificate
       attribute of entries present at and below cn=cacert,cn=ipa,cn=etc,$BASE
       in the IPA LDAP server's directory tree, where $BASE defaults to the
       value of the basedn setting in /etc/ipa/default.conf.

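       The lookup described above (caCertificate values at and below
       cn=cacert,cn=ipa,cn=etc,$BASE, with $BASE taken from the basedn setting
       in /etc/ipa/default.conf) is reproduced offline by the following added
       Python example.  It is not code from certmonger or from this manual; the
       default.conf text and the ldapsearch-style LDIF dump are constructed,
       and it shows how an auditor would filter the result to the subtree and
       discard values that are not DER certificates.

```python
import base64
import configparser
import re

# Constructed samples, not from a real deployment: a default.conf and an LDIF dump
# with two CA entries, one entry outside the tree and one holding non-DER junk.
DEFAULT_CONF = """[global]
basedn = dc=example,dc=test
"""
SAMPLE_LDIF = """dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=test
caCertificate;binary:: MAMC
 AQE=

dn: cn=intermediate,cn=cacert,cn=ipa,cn=etc,dc=example,dc=test
caCertificate;binary:: MAMCAQE=

dn: cn=cacert,cn=ipa,cn=etc,dc=other,dc=test
caCertificate;binary:: MAMCAQE=

dn: cn=bogus,cn=cacert,cn=ipa,cn=etc,dc=example,dc=test
caCertificate;binary:: AAAA
"""

def cacert_search_base(conf_text):
    """DN certmonger searches: cn=cacert,cn=ipa,cn=etc,$BASE, $BASE = basedn setting."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    return "cn=cacert,cn=ipa,cn=etc," + cfg["global"]["basedn"]

def is_under(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)  # subtree scope: base itself or below

def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr: [bytes]}); unfolds continuation lines."""
    entries = []
    for block in re.sub(r"\n ", "", text).strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, val = line.partition(":")
            name = name.split(";")[0].lower()  # drop the ";binary" attribute option
            val = base64.b64decode(val[1:].strip()) if val.startswith(":") else val.strip().encode()
            attrs.setdefault(name, []).append(val)
        entries.append((attrs["dn"][0].decode(), attrs))
    return entries

def trusted_ca_certs(ldif_text, base):
    """caCertificate values at or below base that at least start like DER (SEQUENCE tag 0x30)."""
    return [(dn, der) for dn, attrs in parse_ldif(ldif_text) if is_under(dn, base)
            for der in attrs.get("cacertificate", []) if len(der) > 1 and der[0] == 0x30]
```

       With the sample data, only the two entries under the example basedn
       survive; the dc=other entry is outside the search base and the bogus
       entry fails the DER check.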

OPTIONS

       -P PRINCIPAL, --principal-of-request=PRINCIPAL
              Identifies the principal name of the service for which the
              certificate is being issued.  This setting is required by IPA
              and must always be specified.

       -X NAME, --issuer=NAME
              Requests that the certificate be processed by the specified
              certificate issuer.  By default, if this flag is not specified,
              and the CERTMONGER_CA_ISSUER variable is set in the environment,
              then the value of the environment variable will be used.  This
              setting is optional, and if a server returns error 3005,
              indicating that it does not understand multiple profiles, the
              request will be re-submitted without specifying an issuer name.

       -T NAME, --profile=NAME
              Requests that the certificate be processed using the specified
              certificate profile.  By default, if this flag is not specified,
              and the CERTMONGER_CA_PROFILE variable is set in the
              environment, then the value of the environment variable will be
              used.  This setting is optional, and if a server returns error
              3005, indicating that it does not understand multiple profiles,
              the request will be re-submitted without specifying a profile.

       -h HOSTNAME, --host=HOSTNAME
              Submit the request to the IPA server running on the named host.
              The default is to read the location of the host from
              /etc/ipa/default.conf.  If no server is configured, or the
              configured server cannot be reached, the client will attempt to
              use DNS discovery to locate LDAP servers for the IPA domain.  If
              servers are found, they will be searched for entries pointing to
              IPA masters running the "CA" service, and the client will
              attempt to contact each of those in turn.

       -H URL, --xmlrpc-url=URL
              Submit the request to the IPA server at the specified location.
              The default is to read the location of the host from
              /etc/ipa/default.conf.  If no server is configured, or the
              configured server cannot be reached, the client will attempt to
              use DNS discovery to locate LDAP servers for the IPA domain.  If
              servers are found, they will be searched for entries pointing to
              IPA masters running the "CA" service, and the client will
              attempt to contact each of those in turn.

       -L URL, --ldap-url=URL
              Provide the IPA LDAP service location rather than using DNS
              discovery.  The default is to read the location of the host from
              /etc/ipa/default.conf and use DNS discovery to find the set of
              _ldap._tcp.DOMAIN values and pick one for use.

       -d DOMAIN, --domain=DOMAIN
              Use this domain when doing DNS discovery to locate LDAP servers
              for the IPA installation.  The default is to read the location
              of the host from /etc/ipa/default.conf.

       -b BASEDN, --basedn=BASEDN
              Use this basedn to search for an IPA installation in LDAP.  The
              default is to read the location of the host from
              /etc/ipa/default.conf.

       -c FILE, --cafile=FILE
              The server's certificate was issued by the CA whose certificate
              is in the named file.  The default value is /etc/ipa/ca.crt.

       -C DIR, --capath=DIR
              Trust the server if its certificate was issued by a CA whose
              certificate is in a file in the named directory.  There is no
              default for this option, and it is not expected to be necessary.

       -t KEYTAB, --keytab=KEYTAB
              Authenticate to the IPA server using Kerberos with credentials
              derived from keys stored in the named keytab.  The default value
              can vary, but it is usually /etc/krb5.keytab.  This option
              conflicts with the -K, -u, -W, and -w options.

       -k PRINCIPAL, --submitter-principal=PRINCIPAL
              Authenticate to the IPA server using Kerberos with credentials
              derived from keys stored in the named keytab for this principal
              name.  The default value is the host service for the local host
              in the local realm.  This option conflicts with the -K, -u, -W,
              and -w options.

       -K, --use-ccache-creds
              Authenticate to the IPA server using Kerberos with credentials
              derived from the default credential cache rather than a keytab.
              This option conflicts with the -k, -u, -W, and -w options.

       -u USERNAME, --uid=USERNAME
              Authenticate to the IPA server using a user name and password,
              using the specified value as the user name.  This option
              conflicts with the -k, -K, and -t options.

       -W PASSWORD, --pwd=PASSWORD
              Authenticate to the IPA server using a user name and password,
              using the specified value as the password.  This option
              conflicts with the -k, -K, -t, and -w options.

       -w FILE, --pwdfile=FILE
              Authenticate to the IPA server using a user name and password,
              reading the password from the specified file.  This option
              conflicts with the -k, -K, -t, and -W options.


EXIT STATUS

       0      if the certificate was issued.  The certificate will be printed.

       1      if the CA is still thinking.  A cookie value will be printed.

       2      if the CA rejected the request.  An error message may be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error
              message may be printed.

       17     if the CA indicates that the client needs to attempt enrollment
              using a new key pair.


FILES

       /etc/ipa/default.conf
              is the IPA client configuration file.  This file is consulted to
              determine the URL for the IPA server's XML-RPC interface.


BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/


SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-request(1) getcert-resubmit(1)
       getcert-start-tracking(1) getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8) certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-dogtag-submit(8) certmonger-local-submit(8)
       certmonger-scep-submit(8) certmonger_selinux(8)



certmonger Manual               April 16, 2015                   CERTMONGER(8)