NAME

       ipa-submit

SYNOPSIS

       ipa-submit [-h serverHost] [-H serverURL] [-c cafile] [-C capath] [[-K]  | [-t keytab] [-k
       submitterPrincipal]] [-P principalOfRequest] [csrfile]

DESCRIPTION

       ipa-submit is the helper which certmonger uses to make requests to IPA-based CAs.   It  is
       not  normally  run interactively, but it can be for troubleshooting purposes.  The signing
       request which is to be submitted should either be in a file whose  name  is  given  as  an
       argument, or fed into ipa-submit via stdin.

OPTIONS

       -P csrPrincipal
              Identifies  the  principal  name  of the service for which the certificate is being
              issued.  This setting is required by IPA and must always be specified.

       -h serverHost
              Submit the request to the IPA server running on the named host.  The default is  to
              read the location of the host from /etc/ipa/default.conf.

       -H serverURL
              Submit  the request to the IPA server at the specified location.  The default is to
              read the location of the host from /etc/ipa/default.conf.

       -c cafile
              The server's certificate was issued by the CA whose certificate  is  in  the  named
              file.  The default value is /etc/ipa/ca.crt.

       -C capath
              Trust  the  server  if its certificate was issued by a CA whose certificate is in a
              file in the named directory.  There is no default for this option, and  it  is  not
              expected to be necessary.

       -t keytab
              Authenticate  to  the  IPA server using credentials derived from keys stored in the
              named keytab.  The default value can vary,  but  it  is  usually  /etc/krb5.keytab.
              This option conflicts with the -K option.

       -k authPrincipal
              Authenticate  to  the  IPA server using credentials derived from keys stored in the
              named keytab for this principal name.  The default value is the  host  service  for
              the local host in the local realm.  This option conflicts with the -K option.

       -K     Authenticate  to  the  IPA  server  using  credentials  derived  from  the  default
              credential cache rather than a keytab.  This option conflicts with the -k option.

EXIT STATUS

       0      if the certificate was issued. The certificate will be printed.

       1      if the CA is still thinking.  A cookie value will be printed.

       2      if the CA rejected the request.  An error message may be printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error message may be printed.

FILES

       /etc/ipa/default.conf
              is the IPA client configuration file.  This file is consulted to determine the  URL
              for the IPA server's XML-RPC interface.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8)  getcert(1) getcert-list(1) getcert-list-cas(1) getcert-resubmit(1) getcert-
       start-tracking(1)   getcert-stop-tracking(1)   certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-certmaster-submit(8) certmonger_selinux(8)