NAME

       scep-submit

SYNOPSIS

       scep-submit  -u  SERVER-URL  [-r ra-cert-file] [-R ca-cert-file] [-I other-certs-file] [-i
       ca-identifier] [-v] [-n] [-c|-C|-g|-p] [pkimessage-filename]

DESCRIPTION

       scep-submit is the helper which certmonger can use to transmit certificate enrollment  and
       renewal  requests to servers using SCEP.  It is not normally run interactively, but it can
       be for troubleshooting purposes.

       The request which is to be submitted should be a PEM-encoded SCEP pkiMessage either  in  a
       file whose name is given as an argument, or fed into scep-submit via stdin.

MODES

       -c     scep-submit will issue a GetCACaps request to the server and print the results.

       -C     scep-submit  will  issue GetCACert and GetCAChain requests to the server, parse the
              responses, and then print, in order, the RA certificate, the  CA  certificate,  and
              any additional certificates.

       -p     scep-submit  will  issue  a  PKIOperation request to the server using the passed-in
              message as the message content.  It will parse the server's  response,  verify  the
              signature,  and  if the response includes an issued certificate, it will output the
              pkcsPKIEnvelope in PEM format.  If the response indicates an error, it  will  print
              the error.

       -g     scep-submit  will  issue  a  PKIOperation request to the server using the passed-in
              message as the message content.  It will parse the server's  response,  verify  the
              signature,  and  if the response includes an issued certificate, it will output the
              pkcsPKIEnvelope in PEM format.  If the response indicates an error, it  will  print
              the error.

OPTIONS

       -u SERVER-URL
              The  location  of  the  SCEP  interface  provided  by  the  CA.   This is typically
              http://SERVER/cgi-bin/PKICLIENT.EXE or http://SERVER/certsrv/mscep/mscep.dll.  This
              option is always required.

       -R CA-certificate-file
              The  location of the SCEP server's CA certificate, which was used to issue the SCEP
              server's certificate, or the SCEP server's own certificate, if it  is  self-signed,
              in  PEM  form.   If the URL specified with the -u option is an https URL, then this
              option is required.

       -r RA-certificate-file
              The location of the SCEP server's RA certificate, which is expected to be used  for
              signing  responses  sent  by  the  SCEP  server back to the client.  This option is
              required when either the -g flag or the -p flag is specified.

       -I other-certificates-file
              The location of a file containing other PEM-formatted  certificates  which  may  be
              needed in order to properly verify signed responses sent by the SCEP server back to
              the client.  This option may be necessary when either the -g flag or the -p flag is
              specified.

       -i ca-identifier
              When  called  with  the  -c  or  -C flag, this option can be used to specify the CA
              identifier which is passed to the server as part  of  the  client's  request.   The
              default is "0".

       -n     The  SCEP  Renewal  feature allows a client with a previously-issued certificate to
              use that certificate and the associated private key to request  a  new  certificate
              for  a different key pair, and can be used to support certmonger's rekeying feature
              if the SCEP server advertises support for it.  This option forces  the  scep-submit
              helper to prefer to issue requests which do not make use of this feature.

       -v     Increases  the  logging  level.  Use twice for more logging.  This option is mainly
              useful for troubleshooting.

EXIT STATUS

       0      if the certificate was issued. The pkcsPKIEnvelope will be printed  in  PEM-encoded
              form.

       1      if the CA is still thinking.  A cookie (state) value will be printed.

       2      if the CA rejected the request.  An error message may be printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error message may be printed.

       5      if  the  CA is still thinking.  A suggested poll delay (specified in seconds) and a
              cookie (state) value will be printed.

       16     if the helper needs an SCEP pkiMessage, but couldn't read one.

       17     if the CA indicates that the client needs to attempt enrollment  using  a  new  key
              pair.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8)   getcert(1)  getcert-add-ca(1)  getcert-add-scep-ca(1)  getcert-list-cas(1)
       getcert-list(1) getcert-modify-ca(1) getcert-refresh-ca(1)  getcert-remove-ca(1)  getcert-
       resubmit(1)     getcert-start-tracking(1)    getcert-status(1)    getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)  certmonger-dogtag-ipa-renew-agent-submit(8)   certmonger-
       dogtag-submit(8) certmonger-ipa-submit(8) certmonger-local-submit(8) certmonger_selinux(8)