1CERTMONGER(8) System Manager's Manual CERTMONGER(8)
2
6 ipa-submit
7
10 ipa-submit [-h serverHost] [-H serverURL] [-d domain] [-L ldapurl] [-b
11 basedn] [-c cafile] [-C capath] [[-K] | [-t keytab] [-k submitterPrin‐
12 cipal]] [-u UID] [-W PASSWORD] [-w FILE] [-P principalOfRequest] [-T
13 profile] [-X issuer] [csrfile]
14
17 ipa-submit is the helper which certmonger uses to make requests to
18 IPA-based CAs. It is not normally run interactively, but it can be for
19 troubleshooting purposes. The signing request which is to be submitted
20 should either be in a file whose name is given as an argument, or fed
21 into ipa-submit via stdin.
22 certmonger supports retrieving trusted certificates from IPA CAs. See
24 getcert-request(1) and getcert-resubmit(1) for information about speci‐
25 fying where those certificates should be stored on the local system.
26 Trusted certificates are retrieved from the caCertificate attribute of
27 entries present at and below cn=cacert,cn=ipa,cn=etc,$BASE in the IPA
28 LDAP server's directory tree, where $BASE defaults to the value of the
29 basedn setting in /etc/ipa/default.conf.
30
33 -P PRINCIPAL, --principal-of-request=PRINCIPAL
34 Identifies the principal name of the service for which the cer‐
35 tificate is being issued. This setting is required by IPA and
36 must always be specified.
37 -X NAME, --issuer=NAME
39 Requests that the certificate be processed by the specified cer‐
40 tificate issuer. By default, if this flag is not specified, and
41 the CERTMONGER_CA_ISSUER variable is set in the environment,
42 then the value of the environment variable will be used. This
43 setting is optional, and if a server returns error 3005, indi‐
44 cating that it does not understand multiple profiles, the
45 request will be re-submitted without specifying an issuer name.
46 -T NAME, --profile=NAME
48 Requests that the certificate be processed using the specified
49 certificate profile. By default, if this flag is not specified,
50 and the CERTMONGER_CA_PROFILE variable is set in the environ‐
51 ment, then the value of the environment variable will be used.
52 This setting is optional, and if a server returns error 3005,
53 indicating that it does not understand multiple profiles, the
54 request will be re-submitted without specifying a profile.
55 -h HOSTNAME, --host=HOSTNAME
57 Submit the request to the IPA server running on the named host.
58 The default is to read the location of the host from
59 /etc/ipa/default.conf. If no server is configured, or the con‐
60 figured server cannot be reached, the client will attempt to use
61 DNS discovery to locate LDAP servers for the IPA domain. If
62 servers are found, they will be searched for entries pointing to
63 IPA masters running the "CA" service, and the client will
64 attempt to contact each of those in turn.
65 -H URL, --xmlrpc-url=URL
67 Submit the request to the IPA server at the specified location.
68 The default is to read the location of the host from
69 /etc/ipa/default.conf. If no server is configured, or the con‐
70 figured server cannot be reached, the client will attempt to use
71 DNS discovery to locate LDAP servers for the IPA domain. If
72 servers are found, they will be searched for entries pointing to
73 IPA masters running the "CA" service, and the client will
74 attempt to contact each of those in turn.
75 -L URL, --ldap-url=URL
77 Provide the IPA LDAP service location rather than using DNS dis‐
78 covery. The default is to read the location of the host from
79 /etc/ipa/default.conf and use DNS discovery to find the set of
80 _ldap._tcp.DOMAIN values and pick one for use.
81 -d DOMAIN, --domain=DOMAIN
83 Use this domain when doing DNS discovery to locate LDAP servers
84 for the IPA installation. The default is to read the location of
85 the host from /etc/ipa/default.conf.
86 -b BASEDN, --basedn=BASEDN
88 Use this basedn to search for an IPA installation in LDAP. The
89 default is to read the location of the host from
90 /etc/ipa/default.conf.
91 -c FILE, --cafile=FILE
93 The server's certificate was issued by the CA whose certificate
94 is in the named file. The default value is /etc/ipa/ca.crt.
95 -C PATH, --capath=DIR
97 Trust the server if its certificate was issued by a CA whose
98 certificate is in a file in the named directory. There is no
99 default for this option, and it is not expected to be necessary.
100 -t KEYTAB, --keytab=KEYTAB
102 Authenticate to the IPA server using Kerberos with credentials
103 derived from keys stored in the named keytab. The default value
104 can vary, but it is usually /etc/krb5.keytab. This option con‐
105 flicts with the -K, -u, -W, and -w options.
106 -k PRINCIPAL, --submitter-principal=PRINCIPAL
108 Authenticate to the IPA server using Kerberos with credentials
109 derived from keys stored in the named keytab for this principal
110 name. The default value is the host service for the local host
111 in the local realm. This option conflicts with the -K, -u, -W,
112 and -w options.
113 -K, --use-ccache-creds
115 Authenticate to the IPA server using Kerberos with credentials
116 derived from the default credential cache rather than a keytab.
117 This option conflicts with the -k, -u, -W, and -w options.
118 -u USERNAME, --uid=USERNAME
120 Authenticate to the IPA server using a user name and password,
121 using the specified value as the user name. This option con‐
122 flicts with the -k, -K, and -t options.
123 -W PASSWORD, --pwd=PASSWORD
125 Authenticate to the IPA server using a user name and password,
126 using the specified value as the password. This option con‐
127 flicts with the -k, -K, -t, and -w options.
128 -w FILE, --pwdfile=FILE
130 Authenticate to the IPA server using a user name and password,
131 reading the password from the specified file. This option con‐
132 flicts with the -k, -K, -t, and -W options.
133
136 0 if the certificate was issued. The certificate will be printed.
137 1 if the CA is still thinking. A cookie value will be printed.
139 2 if the CA rejected the request. An error message may be
141 printed.
142 3 if the CA was unreachable. An error message may be printed.
144 4 if critical configuration information is missing. An error mes‐
146 sage may be printed.
147 17 if the CA indicates that the client needs to attempt enrollment
149 using a new key pair.
150
153 /etc/ipa/default.conf
154 is the IPA client configuration file. This file is consulted to
155 determine the URL for the IPA server's XML-RPC interface.
156
159 Please file tickets for any that you find at https://fedora‐
160 hosted.org/certmonger/
161
164 certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
165 getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
166 getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
167 getcert-remove-ca(1) getcert-request(1) getcert-resubmit(1)
168 getcert-start-tracking(1) getcert-status(1) getcert-stop-tracking(1)
169 certmonger-certmaster-submit(8) certmonger-dogtag-ipa-renew-agent-sub‐
170 mit(8) certmonger-dogtag-submit(8) certmonger-local-submit(8) certmon‐
171 ger-scep-submit(8) certmonger_selinux(8)
172certmonger Manual April 16, 2015 CERTMONGER(8)