Provided by: certmonger_0.79.17-2_amd64 bug

NAME

       dogtag-ipa-renew-agent-submit

SYNOPSIS

       dogtag-ipa-renew-agent-submit [options] [csrfile]

DESCRIPTION

       dogtag-ipa-renew-agent-submit  is  the  helper  which  certmonger uses to make certificate
       renewal requests to Dogtag instances running on IPA  servers.   It  is  not  normally  run
       interactively, but it can be for troubleshooting purposes.

       The  preferred  option is to request a renewal of an already-issued certificate, using its
       serial number, which can  be  read  from  a  PEM-formatted  certificate  provided  in  the
       CERTMONGER_CERTIFICATE  environment  variable,  or  via the -s or -D option on the command
       line.  If no serial number is provided, then the client  will  attempt  to  obtain  a  new
       certificate by submitting a signing request to the CA.

       The  signing  request  which  is  to be submitted should either be in a file whose name is
       given as an argument, or fed into dogtag-ipa-renew-agent-submit via stdin.

       certmonger does not yet support retrieving trust information from Dogtag CAs.

OPTIONS

       -E EE-URL, --ee-url=EE-URL
              The top-level URL for  the  end-entity  interface  provided  by  the  CA.   In  IPA
              installations,  this  is  typically  http://SERVER:EEPORT/ca/ee/ca.   If  no URL is
              specified, the host named in the [global] section in the /etc/ipa/default.conf file
              is  used  as the value of SERVER, and the value of EEPORT will be inferred based on
              the   value   of   the   dogtag_version   in   the   [global]   section   in    the
              /etc/ipa/default.conf  file: if dogtag_version is set to 10 or more, EEPORT will be
              set to 8080.  Otherwise it will be 9180.

       -A AGENT-URL, --agent-url=AGENT-URL
              The  top-level  URL  for  the  agent  interface  provided  by  the  CA.    In   IPA
              installations,  this  is typically https://SERVER:AGENTPORT/ca/agent/ca.  If no URL
              is specified, the host named in the [global] section in  the  /etc/ipa/default.conf
              file  is  used  as the value of SERVER, and the value of AGENTPORT will be inferred
              based  on  the  value  of  the  dogtag_version  in  the  [global]  section  in  the
              /etc/ipa/default.conf  file: if dogtag_version is set to 10 or more, AGENTPORT will
              be set to 8443.  Otherwise it will be 9443.

       -i FILE, --cafile=PATH
              The location of a file containing a copy of the CA's certificate, against which the
              CA server's certificate will be verified. The default is /etc/ipa/ca.crt.

       -C DIR, --capath=DIR
              The  location  of  a  directory  containing a copy of the CA's certificate, against
              which the CA server's certificate will be verified.

       -d DIR, --dbdir=DIR
              The NSS database that contains credentials to authenticate to the CA.

       -n NAME, --nickname=NAME
              The nickname of the certificate used for authentication.

       -c FILENAME, --certfile=FILENAME
              The certificate in PEM format used for authentication.

       -k FILENAME, --keyfile=FILENAME
              The private key for the certificate in PEM format used for authentication.  It  may
              be encrypted.

       -p FILENAME, --sslpinfile=FILENAME
              A file that contains the pin for the private key file or NSS database.

       -P STRING, --sslpin=STRING
              The pin for the private key file or NSS database.

       -s NUMBER, --hex-serial=NUMBER
              The  serial  number  of  an  already-issued certificate for which the client should
              attempt to obtain a new certificate, in hexidecimal form, if one can  not  be  read
              from the CERTMONGER_CERTIFICATE environment variable.

       -D NUMBER, --serial=NUMBER
              The  serial  number  of  an  already-issued certificate for which the client should
              attempt to obtain a new certificate, in decimal form, if one can not be  read  from
              the CERTMONGER_CERTIFICATE environment variable.

       -S STATE-VALUE, --state=STATE-VALUE
              A  cookie  value  provided  by a previous instance of this helper, if the helper is
              being asked to continue a multi-step enrollment process.  If the  CERTMONGER_COOKIE
              environment variable is set, its value is used.

       -T NAME, --profile=NAME
              The  name of the type of certificate which the client should request from the CA if
              it  is  not  renewing  a  certificate  (per  the  -s   option   above).    If   the
              CERTMONGER_CA_PROFILE  environment  variable is set, its value is used.  Otherwise,
              the default value is caServerCert.

       -t, --profile-list
              Instead of attempting to obtain a new certificate, query the server for a  list  of
              the enabled enrollment profiles.

       -O param=value, --approval-option=param=value
              An  additional  parameter  to pass to the server when approving the signing request
              using the agent's credentials.  By default, any  server-supplied  default  settings
              are  applied.  This option can be used either to override a server-supplied default
              setting, or to supply one which would otherwise have not been used.

       -N, --force-new
              Even if an already-issued certificate is available  in  the  CERTMONGER_CERTIFICATE
              environment  variable, or a serial number has been provided, don't attempt to renew
              a  certificate  using  its  serial  number.   Instead,  attempt  to  obtain  a  new
              certificate  using  the  signing  request.   The  default  behavior is to request a
              renewal if possible.

       -R, --force-renew
              Negates the effect of the -N flag.

       -o param=value, --submit-option=param=value
              When initially submitting a request to the CA,  add  the  specified  parameter  and
              value along with any request parameters which would otherwise be sent.  This option
              is not typically used.

       -a, --agent-submit
              Use agent credentials, specified using some combination of the -d, -n, -c,  and  -k
              flags,  to  authenticate to the CA when initially submitting a request to the CA or
              retrieving the list of enabled enrollment profiles.   This  is  typically  required
              when the enrollment profile being used uses AgentCertAuth-based authentication, and
              requires that the URL specified using the -E flag be an HTTPS URL, or when the  URL
              specified using the -E flag is an HTTPS URL.

       -u username, --uid=username
              When initially submitting a request to the CA, supply the specified value as a user
              name.  This is typically required when  the  enrollment  profile  being  used  uses
              UidPwdDirAuth-based  or  NISAuth-based  authentication..TP  -U userdn, --upn=userdn
              When initially submitting a request to the CA, supply the specified value as the DN
              (distinguished  name)  of  the  user's  entry in a directory server which the CA is
              configured to use for checking the user's password.   This  is  typically  required
              when the enrollment profile being used uses UdnPwdDirAuth-based authentication.

       -W PASSWORD, --userpwd=PASSWORD
              When  initially  submitting  a request to the CA, supply the specified value as the
              password for the user whose name is specified with the -u option, or  whose  DN  is
              specified  with the -U option.  This is typically only required when the enrollment
              profile being used uses UidPwdDirAuth-based, UserPwdDirAuth-based, or NISAuth-based
              authentication.   If  the URL specified using the -E flag is not an HTTPS URL, this
              value will not be encrypted.

       -w FILE, --userpwdfile=FILE
              When initially submitting a request to the CA,  read  from  the  specified  file  a
              password  to  supply  for  the  user whose name is specified with the -u option, or
              whose DN is specified with the -U option.  This is typically only required when the
              enrollment  profile  being  used uses UidPwdDirAuth-based, UserPwdDirAuth-based, or
              NISAuth-based authentication.  If the URL specified using the -E  flag  is  not  an
              HTTPS URL, this value will not be encrypted.

       -Y PIN, --userpin=PIN
              When  initially  submitting  a request to the CA, supply the specified value as the
              PIN for the user whose name is specified  with  the  -u  option,  or  whose  DN  is
              specified  with the -U option.  This is typically only required when the enrollment
              profile  being  used  uses  UidPwdPinDirAuth-based  authentication.   If  the   URL
              specified  using the -E flag is not an HTTPS URL, this value will not be encrypted.
              -y FILE, --userpinfile=FILE When initially submitting a request  to  the  CA,  read
              from  the  specified file a PIN to supply for the user whose name is specified with
              the -u option, or whose DN is specified with the -U option.  This is typically only
              required  when  the  enrollment  profile  being  used  uses  UidPwdPinDirAuth-based
              authentication.  If the URL specified using the -E flag is not an HTTPS  URL,  this
              value will not be encrypted.

       -v, --verbose
              Increases  the  logging  level.  Use twice for more logging.  This option is mainly
              useful for troubleshooting.

AGENT KEY AND CERTIFICATE OPTIONS

       Options that provide the location for the private key and  public  certificate  which  the
       client  should  use to authenticate to the CA's agent interface.  The values to use depend
       on which cryptography library your copy of libcurl was linked with.

       The location of the certificate used for authentication to the CA needs to be provided  in
       either  a  combination  of  PEM  files  using  --certfile and --keyfile or an NSS database
       using--dbdir and --nickname. The default for --cafile is /etc/ipa/ca.crt.

       -d dbdir, --dbdir=dbdir
              Use an NSS database in the specified directory for this certificate and  key.  Only
              valid with -n.

       -n NAME, --nickname=NAME
              Use the NSS key with this nickname. Only valid with -d.

       -c FILE, --certfile=FILE
              The PEM file that contains the public certificate. Only valid with -k.

       -k FILE, --keyfile=FILE
              The PEM file that contains the private certificate. Only valid with -c.

       -p FILE, --sslpinfile=FILE
              The  name  of a file which contains a PIN/password which will be needed in order to
              make use of the agent credentials.

       -P PIN, --sslpin=PIN
              The name of a file which contains a PIN/password which will be needed in  order  to
              make use of the agent credentials.

EXIT STATUS

       0      if the certificate was issued. The certificate will be printed.

       1      if the CA is still thinking.  A cookie (state) value will be printed.

       2      if the CA rejected the request.  An error message may be printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error message may be printed.

       5      if  the  CA is still thinking.  A suggested poll delay (specified in seconds) and a
              cookie (state) value will be printed.

       17     if the CA indicates that the client needs to attempt enrollment  using  a  new  key
              pair.

FILES

       /etc/ipa/default.conf
              is  the IPA client configuration file.  This file is consulted to determine the URL
              for the Dogtag server's end-entity and agent interfaces if they are not supplied as
              arguments.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8)   getcert(1)  getcert-add-ca(1)  getcert-add-scep-ca(1)  getcert-list-cas(1)
       getcert-list(1)     getcert-modify-ca(1)     getcert-refresh-ca(1)      getcert-refresh(1)
       getcert-rekey(1)    getcert-remove-ca(1)   getcert-resubmit(1)   getcert-start-tracking(1)
       getcert-status(1)         getcert-stop-tracking(1)         certmonger-certmaster-submit(8)
       certmonger-dogtag-submit(8)       certmonger-ipa-submit(8)      certmonger-local-submit(8)
       certmonger-scep-submit(8) certmonger_selinux(8)