Provided by: certmonger_0.78.6-2_i386 bug

NAME

       dogtag-submit

SYNOPSIS

       dogtag-submit  -E  EE-URL  -A  AGENT-URL  [-d  dbdir] [-n nickname] [-i
       cainfo] [-C capath] [-c certfile] [-k keyfile] [-p  pinfile]  [-P  pin]
       [-s  serial  (hex)]  [-D  serial (decimal)] [-S state] [-T profile] [-O
       param=value] [-N | -R] [-t] [-o option=value] [-a ] [-u  username]  [-U
       userdn]  [-W  userpassword]  [-w  userpasswordfile]  [-Y  userpin]  [-y
       userpinfile] [-v] [csrfile]

DESCRIPTION

       dogtag-submit  is  the  helper  which  certmonger  can  use   to   make
       certificate  enrollment  and renewal requests to Dogtag servers.  It is
       not normally run interactively,  but  it  can  be  for  troubleshooting
       purposes.

       The  preferred  option  is  to  request  a renewal of an already-issued
       certificate, using its serial number, which can be  read  from  a  PEM-
       formatted    certificate   provided   in   the   CERTMONGER_CERTIFICATE
       environment variable, or via the -s or -D option on the  command  line.
       If no serial number is provided, then the client will attempt to obtain
       a new certificate by submitting a signing request to the CA.

       The signing request which is to be submitted should either be in a file
       whose  name  is  given  as  an  argument, or fed into dogtag-submit via
       stdin.

       certmonger does not  yet  support  retrieving  trust  information  from
       Dogtag CAs.

OPTIONS

       -E EE-URL
              The  top-level  URL for the end-entity interface provided by the
              CA,  through  which  the  initial  enrollment  request  will  be
              submitted.  This is typically http://SERVER:EEPORT/ca/ee/ca.

       -A AGENT-URL
              The  top-level  URL  for the agent interface provided by the CA,
              through  which  the  request  can  be   approved   using   agent
              credentials.             This            is            typically
              https://SERVER:AGENTPORT/ca/agent/ca.

       -d dbdir -n nickname -c certfile -k keyfile
              The location of the key and certificate which the client  should
              use  to authenticate to the CA's agent interface.  Exactly which
              values are meaningful depend on which cryptography library  your
              copy of libcurl was linked with.

       -p pinfile
              The  name  of a file which contains a PIN/password which will be
              needed in order to make use of the agent credentials.

       -i cainfo -C capath
              The  location  of  a  file  containing  a  copy  of   the   CA's
              certificate,  against  which the CA server's certificate will be
              verified, or a directory containing, among other things, such  a
              file.

       -s serial
              The serial number of an already-issued certificate for which the
              client  should  attempt  to  obtain  a   new   certificate,   in
              hexadecimal   form,   if   one   can   not   be  read  from  the
              CERTMONGER_CERTIFICATE environment variable.

       -D serial
              The serial number of an already-issued certificate for which the
              client  should  attempt  to obtain a new certificate, in decimal
              form, if one can not be  read  from  the  CERTMONGER_CERTIFICATE
              environment variable.

       -S state
              A  cookie  value provided by a previous instance of this helper,
              if the helper is being asked to continue a multi-step enrollment
              process.   If the CERTMONGER_COOKIE environment variable is set,
              its value is used.

       -T profile/template
              The name of the type of  certificate  which  the  client  should
              request from the CA if it is not renewing a certificate (per the
              -s option  above).   If  the  CERTMONGER_CA_PROFILE  environment
              variable  is  set,  its  value  is used.  Otherwise, the default
              value is caServerCert.

       -O param=value
              An additional parameter to pass to the server when approving the
              signing  request  using  agent  credentials.   By  default,  any
              server-supplied default settings are applied.  This  option  can
              be used either to override a server-supplied default setting, or
              to  supply  one  which  would  otherwise  have  not  been  used.
              Requires the -A option.

       -N     Even  if  an  already-issued  certificate  is  available  in the
              CERTMONGER_CERTIFICATE environment variable, or a serial  number
              has  been  provided,  don't attempt to renew a certificate using
              its serial number.  Instead, attempt to obtain a new certificate
              using the signing request.  The default behavior is to request a
              renewal if possible.

       -R     Negates the effect of the -N flag.

       -t     Instead of attempting to obtain a  new  certificate,  query  the
              server for a list of the enabled enrollment profiles.

       -o param=value
              When initially submitting a request to the CA, add the specified
              parameter and value along  with  any  request  parameters  which
              would otherwise be sent.

       -a     Use  agent  credentials, specified using some combination of the
              -d, -n, -c, and  -k  flags,  to  authenticate  to  the  CA  when
              initially  submitting a request to the CA or retrieving the list
              of enabled enrollment profiles.  This is typically required when
              the  enrollment  profile  being  used  uses  AgentCertAuth-based
              authentication, and requires that the URL specified using the -E
              flag  be  an  HTTPS  URL, or when the URL specified using the -E
              flag is an HTTPS URL.

       -u username
              When initially submitting  a  request  to  the  CA,  supply  the
              specified value as a user name.  This is typically required when
              the enrollment profile being used  uses  UidPwdDirAuth-based  or
              NISAuth-based authentication.

       -U userdn
              When  initially  submitting  a  request  to  the  CA, supply the
              specified value as the DN (distinguished  name)  of  the  user's
              entry  in  a  directory server which the CA is configured to use
              for checking the user's password.  This  is  typically  required
              when  the enrollment profile being used uses UdnPwdDirAuth-based
              authentication.

       -W userpassword
              When initially submitting  a  request  to  the  CA,  supply  the
              specified  value  as  the  password  for  the user whose name is
              specified with the -u option, or whose DN is specified with  the
              -U  option.  This is typically only required when the enrollment
              profile being  used  uses  UidPwdDirAuth-based,  UserPwdDirAuth-
              based,  or  NISAuth-based  authentication.  If the URL specified
              using the -E flag is not an HTTPS URL, this value  will  not  be
              encrypted.

       -w userpasswordfile
              When  initially  submitting  a  request to the CA, read from the
              specified file a password to supply for the user whose  name  is
              specified  with the -u option, or whose DN is specified with the
              -U option.  This is typically only required when the  enrollment
              profile  being  used  uses  UidPwdDirAuth-based, UserPwdDirAuth-
              based, or NISAuth-based authentication.  If  the  URL  specified
              using  the  -E  flag is not an HTTPS URL, this value will not be
              encrypted.

       -Y userpin
              When initially submitting  a  request  to  the  CA,  supply  the
              specified  value as the PIN for the user whose name is specified
              with the -u option, or whose DN is specified with the -U option.
              This  is  typically  only  required  when the enrollment profile
              being used uses UidPwdPinDirAuth-based authentication.   If  the
              URL  specified using the -E flag is not an HTTPS URL, this value
              will not be encrypted.

       -y userpinfile
              When initially submitting a request to the  CA,  read  from  the
              specified  file  a  PIN  to  supply  for  the user whose name is
              specified with the -u option, or whose DN is specified with  the
              -U  option.  This is typically only required when the enrollment
              profile being used uses  UidPwdPinDirAuth-based  authentication.
              If the URL specified using the -E flag is not an HTTPS URL, this
              value will not be encrypted.

       -v     Increases the logging level.  Use twice for more logging.   This
              option is mainly useful for troubleshooting.

EXIT STATUS

       0      if the certificate was issued. The certificate will be printed.

       1      if  the  CA  is  still thinking.  A cookie (state) value will be
              printed.

       2      if the CA  rejected  the  request.   An  error  message  may  be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if  critical  configuration  information  is  missing.  An error
              message may be printed.

       5      if the CA is still thinking.  A suggested poll delay  (specified
              in seconds) and a cookie (state) value will be printed.

       17     if  the CA indicates that the client needs to attempt enrollment
              using a new key pair.

BUGS

       Please    file    tickets    for    any    that     you     find     at
       https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8)   getcert(1)   getcert-add-ca(1)   getcert-add-scep-ca(1)
       getcert-list-cas(1)   getcert-list(1)   getcert-modify-ca(1)   getcert-
       refresh-ca(1)  getcert-remove-ca(1)  getcert-resubmit(1) getcert-start-
       tracking(1)  getcert-status(1)   getcert-stop-tracking(1)   certmonger-
       certmaster-submit(8)        certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-ipa-submit(8)  certmonger-local-submit(8)   certmonger-scep-
       submit(8) certmonger_selinux(8)