Provided by: certmonger_0.78.6-2_i386

NAME

       dogtag-ipa-renew-agent-submit

SYNOPSIS

       dogtag-ipa-renew-agent-submit  -E  EE-URL  -A  AGENT-URL [-d dbdir] [-n
       nickname] [-i cainfo]  [-C  capath]  [-c  certfile]  [-k  keyfile]  [-p
       pinfile]  [-P  pin]  [-s serial (hex)] [-D serial (decimal)] [-S state]
       [-T profile] [-O param=value] [-N | -R]  [-t]  [-o  option=value]  [-v]
       [csrfile]

DESCRIPTION

       dogtag-ipa-renew-agent-submit  is  the  helper which certmonger uses to
       make certificate renewal requests to Dogtag instances  running  on  IPA
       servers.   It  is  not  normally  run  interactively, but it can be for
       troubleshooting purposes.

       The preferred option is to  request  a  renewal  of  an  already-issued
       certificate,  using  its  serial  number, which can be read from a PEM-
       formatted   certificate   provided   in   the    CERTMONGER_CERTIFICATE
       environment  variable,  or via the -s or -D option on the command line.
       If no serial number is provided, then the client will attempt to obtain
       a new certificate by submitting a signing request to the CA.

       The signing request which is to be submitted should either be in a file
       whose name is given as an argument, or fed into dogtag-ipa-renew-agent-
       submit via stdin.

       certmonger  does  not  yet  support  retrieving  trust information from
       Dogtag CAs.

OPTIONS

       -E EE-URL
              The top-level URL for the end-entity interface provided  by  the
              CA.      In     IPA    installations,    this    is    typically
              http://SERVER:EEPORT/ca/ee/ca.  If no URL is specified, the host
              named  in the [global] section in the /etc/ipa/default.conf file
              is used as the value of SERVER, and the value of EEPORT will  be
              inferred  based  on  the  value  of  the  dogtag_version  in the
              [global]  section  in   the   /etc/ipa/default.conf   file:   if
              dogtag_version is set to 10 or more, EEPORT will be set to 8080.
              Otherwise it will be 9180.

       -A AGENT-URL
              The top-level URL for the agent interface provided  by  the  CA.
              In      IPA      installations,      this      is      typically
              https://SERVER:AGENTPORT/ca/agent/ca.  If no URL  is  specified,
              the    host    named    in   the   [global]   section   in   the
              /etc/ipa/default.conf file is used as the value of  SERVER,  and
              the  value  of  AGENTPORT will be inferred based on the value of
              the   dogtag_version   in   the   [global]   section   in    the
              /etc/ipa/default.conf  file:  if  dogtag_version is set to 10 or
              more, AGENTPORT will be set to 8443.  Otherwise it will be 9443.
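
       The default-URL inference described for -E and -A, as an added
       example that is not part of certmonger. The key name in HOST_KEY,
       treating a non-numeric dogtag_version as unset, and the return value
       4 for a missing host are assumptions; the page does not state them.

```shell
#!/bin/sh
# HOST_KEY is an assumption: the page says only "the host named in the
# [global] section" and does not name the configuration key.
HOST_KEY="${HOST_KEY:-host}"

# Print the value of key $2 from the [global] section of INI-style file $1.
ipa_global_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && /^[ \t]*[#;]/ { next }
        in_global {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Print the inferred EE-URL and AGENT-URL, one per line.
# Returns 4 when no host is configured (assumed to mirror exit status 4).
dogtag_default_urls() {
    conf="${1:-/etc/ipa/default.conf}"
    server=$(ipa_global_value "$conf" "$HOST_KEY")
    version=$(ipa_global_value "$conf" dogtag_version)
    [ -n "$server" ] || return 4
    # An unset or non-numeric dogtag_version is treated as "not 10 or more".
    case "$version" in
        ''|*[!0-9]*) version=0 ;;
    esac
    if [ "$version" -ge 10 ]; then
        eeport=8080; agentport=8443
    else
        eeport=9180; agentport=9443
    fi
    # The end-entity default is plain http; the agent default is https.
    printf 'http://%s:%s/ca/ee/ca\n' "$server" "$eeport"
    printf 'https://%s:%s/ca/agent/ca\n' "$server" "$agentport"
}
```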

       -d dbdir -n nickname -c certfile -k keyfile
              The location of the key and certificate which the client  should
              use  to authenticate to the CA's agent interface.  Exactly which
              values are meaningful depends on which cryptography library your
              copy of libcurl was linked with.

              If  none of these options are specified, and none of the -p, -P,
              -i, or -C options are specified, then this set of  defaults  is
              used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -p pinfile
              The  name  of a file which contains a PIN/password which will be
              needed in order to make use of the agent credentials.

              If this option is not specified, and none of the -d, -n, -c, -k,
              -P,  -i, or -C options are specified, then this set of  defaults
              is used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -i cainfo -C capath
              The  location  of  a  file  containing  a  copy  of   the   CA's
              certificate,  against  which the CA server's certificate will be
              verified, or a directory containing, among other things, such  a
              file.

              If  these options are not specified, and none of the -d, -n, -c,
              -k, -p, or -P options are specified, then this set of   defaults
              is used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -s serial
              The serial number of an already-issued certificate for which the
              client  should  attempt  to  obtain  a   new   certificate,   in
              hexadecimal    form,    if   one   cannot   be   read  from  the
              CERTMONGER_CERTIFICATE environment variable.

       -D serial
              The serial number of an already-issued certificate for which the
              client  should  attempt  to obtain a new certificate, in decimal
              form, if one cannot be  read  from  the   CERTMONGER_CERTIFICATE
              environment variable.

       -S state
              A  cookie  value provided by a previous instance of this helper,
              if the helper is being asked to continue a multi-step enrollment
              process.   If the CERTMONGER_COOKIE environment variable is set,
              its value is used.

       -T profile/template
              The name of the type of  certificate  which  the  client  should
              request from the CA if it is not renewing a certificate (per the
              -s option  above).   If  the  CERTMONGER_CA_PROFILE  environment
              variable  is  set,  its  value  is used.  Otherwise, the default
              value is caServerCert.

       -O param=value
              An additional parameter to pass to the server when approving the
              signing  request using the agent's credentials.  By default, any
              server-supplied default settings are applied.  This  option  can
              be used either to override a server-supplied default setting, or
              to supply one which would not otherwise have been used.

       -N     Even if  an  already-issued  certificate  is  available  in  the
              CERTMONGER_CERTIFICATE  environment variable, or a serial number
              has been provided, don't attempt to renew  a  certificate  using
              its serial number.  Instead, attempt to obtain a new certificate
              using the signing request.  The default behavior is to request a
              renewal if possible.

       -R     Negates the effect of the -N flag.

       -t     Instead  of  attempting  to  obtain a new certificate, query the
              server for a list of the enabled enrollment profiles.

       -o param=value
              When initially submitting a request to the CA, add the specified
              parameter  and  value  along  with  any request parameters which
              would otherwise be sent.  This option is not typically used.

       -v     Increases the logging level.  Use twice for more logging.   This
              option is mainly useful for troubleshooting.

EXIT STATUS

       0      if the certificate was issued. The certificate will be printed.

       1      if  the  CA  is  still thinking.  A cookie (state) value will be
              printed.

       2      if the CA  rejected  the  request.   An  error  message  may  be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if  critical  configuration  information  is  missing.  An error
              message may be printed.

       5      if the CA is still thinking.  A suggested poll delay  (specified
              in seconds) and a cookie (state) value will be printed.

       17     if  the CA indicates that the client needs to attempt enrollment
              using a new key pair.
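
       A troubleshooting wrapper that follows the exit statuses above and
       feeds the printed cookie back through -S, as an added example that is
       not part of certmonger. The names HELPER, MAX_POLLS and DEFAULT_DELAY
       are hypothetical, and the output layout assumed for status 5 (first
       line is the delay, the remainder is the cookie) is an assumption.

```shell
#!/bin/sh
# HELPER, MAX_POLLS and DEFAULT_DELAY are names chosen for this example.
HELPER="${HELPER:-dogtag-ipa-renew-agent-submit}"
MAX_POLLS="${MAX_POLLS:-10}"
DEFAULT_DELAY="${DEFAULT_DELAY:-30}"

# submit_and_poll CSRFILE [helper options...]
# Prints the issued certificate and returns 0, or returns the helper's
# failure status. A returned cookie is passed back with -S on the next call.
submit_and_poll() {
    csr=$1; shift
    cookie=''; polls=0
    while [ "$polls" -le "$MAX_POLLS" ]; do
        if [ -n "$cookie" ]; then
            out=$("$HELPER" "$@" -S "$cookie" "$csr") && rc=0 || rc=$?
        else
            out=$("$HELPER" "$@" "$csr") && rc=0 || rc=$?
        fi
        case "$rc" in
            0) printf '%s\n' "$out"; return 0 ;;
            1) cookie=$out; delay=$DEFAULT_DELAY ;;
            # Assumed layout for status 5: delay on line 1, cookie after it.
            5) delay=$(printf '%s\n' "$out" | sed -n '1p')
               cookie=$(printf '%s\n' "$out" | sed '1d') ;;
            2) echo "CA rejected the request: $out" >&2; return 2 ;;
            3) echo "CA unreachable: $out" >&2; return 3 ;;
            4) echo "configuration information missing: $out" >&2; return 4 ;;
            17) echo "CA requires a new key pair" >&2; return 17 ;;
            *) echo "unexpected exit status $rc" >&2; return "$rc" ;;
        esac
        # Fall back to the default if the suggested delay is not a number.
        case "$delay" in
            ''|*[!0-9]*) delay=$DEFAULT_DELAY ;;
        esac
        polls=$((polls + 1))
        sleep "$delay"
    done
    echo "no certificate after $MAX_POLLS polls" >&2
    return 1
}
```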

FILES

       /etc/ipa/default.conf
              is the IPA client configuration file.  This file is consulted to
              determine  the  URL for the Dogtag server's end-entity and agent
              interfaces if they are not supplied as arguments.

BUGS

       Please    file    tickets    for    any    that     you     find     at
       https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8)   getcert(1)   getcert-add-ca(1)   getcert-add-scep-ca(1)
       getcert-list-cas(1)   getcert-list(1)   getcert-modify-ca(1)   getcert-
       refresh-ca(1)  getcert-remove-ca(1)  getcert-resubmit(1) getcert-start-
       tracking(1)  getcert-status(1)   getcert-stop-tracking(1)   certmonger-
       certmaster-submit(8)     certmonger-dogtag-submit(8)    certmonger-ipa-
       submit(8)     certmonger-local-submit(8)      certmonger-scep-submit(8)
       certmonger_selinux(8)