Provided by: certmonger_0.79.6-2_amd64 bug

NAME

       dogtag-ipa-renew-agent-submit

SYNOPSIS

       dogtag-ipa-renew-agent-submit  -E EE-URL -A AGENT-URL [-d dbdir] [-n nickname] [-i cainfo]
       [-C capath] [-c certfile] [-k keyfile] [-p pinfile] [-P pin] [-s serial (hex)] [-D  serial
       (decimal)]  [-S state] [-T profile] [-O param=value] [-N | -R] [-t] [-o option=value] [-v]
       [csrfile]

DESCRIPTION

       dogtag-ipa-renew-agent-submit is the helper which  certmonger  uses  to  make  certificate
       renewal  requests  to  Dogtag  instances  running  on IPA servers.  It is not normally run
       interactively, but it can be for troubleshooting purposes.

       The preferred option is to request a renewal of an already-issued certificate,  using  its
       serial  number,  which  can  be  read  from  a  PEM-formatted  certificate provided in the
       CERTMONGER_CERTIFICATE environment variable, or via the -s or -D  option  on  the  command
       line.   If  no  serial  number  is  provided, then the client will attempt to obtain a new
       certificate by submitting a signing request to the CA.

       The signing request which is to be submitted should either be in  a  file  whose  name  is
       given as an argument, or fed into dogtag-ipa-renew-agent-submit via stdin.

       certmonger does not yet support retrieving trust information from Dogtag CAs.

OPTIONS

       -E EE-URL
              The  top-level  URL  for  the  end-entity  interface  provided  by  the CA.  In IPA
              installations, this is  typically  http://SERVER:EEPORT/ca/ee/ca.   If  no  URL  is
              specified, the host named in the [global] section in the /etc/ipa/default.conf file
              is used as the value of SERVER, and the value of EEPORT will be inferred  based  on
              the    value   of   the   dogtag_version   in   the   [global]   section   in   the
              /etc/ipa/default.conf file: if dogtag_version is set to 10 or more, EEPORT will  be
              set to 8080.  Otherwise it will be 9180.

       -A AGENT-URL
              The   top-level   URL  for  the  agent  interface  provided  by  the  CA.   In  IPA
              installations, this is typically https://SERVER:AGENTPORT/ca/agent/ca.  If  no  URL
              is  specified,  the host named in the [global] section in the /etc/ipa/default.conf
              file is used as the value of SERVER, and the value of AGENTPORT  will  be  inferred
              based  on  the  value  of  the  dogtag_version  in  the  [global]  section  in  the
              /etc/ipa/default.conf file: if dogtag_version is set to 10 or more, AGENTPORT  will
              be set to 8443.  Otherwise it will be 9443.

       -d dbdir -n nickname -c certfile -k keyfile
              The location of the key and certificate which the client should use to authenticate
              to the CA's agent interface.  Exactly which values are meaningful depend  on  which
              cryptography library your copy of libcurl was linked with.

              If  none of these options are specified, and none of the -p, -P, -i, nor -C options
              are specified, then this set of defaults is used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -p pinfile
              The name of a file which contains a PIN/password which will be needed in  order  to
              make use of the agent credentials.

              If  this  option  is  not specified, and none of the -d, -n, -c, -k, -P, -i, nor -C
              options are specified, then this set of defaults is used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -i cainfo -C capath
              The location of a file containing a copy of the CA's certificate, against which the
              CA  server's  certificate  will be verified, or a directory containing, among other
              things, such a file.

              If these options are not specified, and none of the -d, -n,  -c,  -k,  -p,  nor  -P
              options are specified, then this set of defaults is used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -s serial
              The  serial  number  of  an  already-issued certificate for which the client should
              attempt to obtain a new certificate, in hexadecimal form, if one can  not  be  read
              from the CERTMONGER_CERTIFICATE environment variable.

       -D serial
              The  serial  number  of  an  already-issued certificate for which the client should
              attempt to obtain a new certificate, in decimal form, if one can not be  read  from
              the CERTMONGER_CERTIFICATE environment variable.

       -S state
              A  cookie  value  provided  by a previous instance of this helper, if the helper is
              being asked to continue a multi-step enrollment process.  If the  CERTMONGER_COOKIE
              environment variable is set, its value is used.

       -T profile/template
              The  name of the type of certificate which the client should request from the CA if
              it  is  not  renewing  a  certificate  (per  the  -s   option   above).    If   the
              CERTMONGER_CA_PROFILE  environment  variable is set, its value is used.  Otherwise,
              the default value is caServerCert.

       -O param=value
              An additional parameter to pass to the server when approving  the  signing  request
              using  the  agent's  credentials.  By default, any server-supplied default settings
              are applied.  This option can be used either to override a server-supplied  default
              setting, or to supply one which would otherwise have not been used.

       -N     Even  if  an  already-issued certificate is available in the CERTMONGER_CERTIFICATE
              environment variable, or a serial number has been provided, don't attempt to  renew
              a  certificate  using  its  serial  number.   Instead,  attempt  to  obtain  a  new
              certificate using the signing request.   The  default  behavior  is  to  request  a
              renewal if possible.

       -R     Negates the effect of the -N flag.

       -t     Instead  of  attempting to obtain a new certificate, query the server for a list of
              the enabled enrollment profiles.

       -o param=value
              When initially submitting a request to the CA,  add  the  specified  parameter  and
              value along with any request parameters which would otherwise be sent.  This option
              is not typically used.

       -v     Increases the logging level.  Use twice for more logging.  This  option  is  mainly
              useful for troubleshooting.

EXIT STATUS

       0      if the certificate was issued. The certificate will be printed.

       1      if the CA is still thinking.  A cookie (state) value will be printed.

       2      if the CA rejected the request.  An error message may be printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error message may be printed.

       5      if  the  CA is still thinking.  A suggested poll delay (specified in seconds) and a
              cookie (state) value will be printed.

       17     if the CA indicates that the client needs to attempt enrollment  using  a  new  key
              pair.

FILES

       /etc/ipa/default.conf
              is  the IPA client configuration file.  This file is consulted to determine the URL
              for the Dogtag server's end-entity and agent interfaces if they are not supplied as
              arguments.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8)   getcert(1)  getcert-add-ca(1)  getcert-add-scep-ca(1)  getcert-list-cas(1)
       getcert-list(1)  getcert-modify-ca(1)  getcert-refresh-ca(1)  getcert-refresh(1)  getcert-
       rekey(1)   getcert-remove-ca(1)   getcert-resubmit(1)  getcert-start-tracking(1)  getcert-
       status(1)  getcert-stop-tracking(1)   certmonger-certmaster-submit(8)   certmonger-dogtag-
       submit(8)  certmonger-ipa-submit(8)  certmonger-local-submit(8)  certmonger-scep-submit(8)
       certmonger_selinux(8)