Provided by: certmonger_0.78.6-3_amd64 bug

NAME

       ipa-submit

SYNOPSIS

       ipa-submit [-h serverHost] [-H serverURL] [-c cafile] [-C capath] [[-K]  | [-t keytab] [-k
       submitterPrincipal]] [-P principalOfRequest] [-T profile] [csrfile]

DESCRIPTION

       ipa-submit is the helper which certmonger uses to make requests to IPA-based CAs.   It  is
       not  normally  run interactively, but it can be for troubleshooting purposes.  The signing
       request which is to be submitted should either be in a file whose  name  is  given  as  an
       argument, or fed into ipa-submit via stdin.

       certmonger  supports retrieving trusted certificates from IPA CAs.  See getcert-request(1)
       and getcert-resubmit(1) for information about specifying where those  certificates  should
       be  stored on the local system.  Trusted certificates are retrieved from the caCertificate
       attribute of entries present at and below cn=cacert,cn=ipa,cn=etc,$BASE in  the  IPA  LDAP
       server's  directory  tree,  where  $BASE  defaults  to  the value of the basedn setting in
       /etc/ipa/default.conf.

OPTIONS

       -P csrPrincipal
              Identifies the principal name of the service for which  the  certificate  is  being
              issued.  This setting is required by IPA and must always be specified.

       -T profile
              Requests that the certificate be processed using the specified certificate profile.
              By default, if this flag is not specified, and the  CERTMONGER_CA_PROFILE  variable
              is set in the environment, then the value of the environment variable will be used.
              This setting is optional, and if a server returns error 3005,  indicating  that  it
              does  not  understand  multiple  profiles, the request will be re-submitted without
              specifying a profile.

       -h serverHost
              Submit the request to the IPA server running on the named host.  The default is  to
              read the location of the host from /etc/ipa/default.conf.

       -H serverURL
              Submit  the request to the IPA server at the specified location.  The default is to
              read the location of the host from /etc/ipa/default.conf.

       -c cafile
              The server's certificate was issued by the CA whose certificate  is  in  the  named
              file.  The default value is /etc/ipa/ca.crt.

       -C capath
              Trust  the  server  if its certificate was issued by a CA whose certificate is in a
              file in the named directory.  There is no default for this option, and  it  is  not
              expected to be necessary.

       -t keytab
              Authenticate  to  the  IPA server using credentials derived from keys stored in the
              named keytab.  The default value can vary,  but  it  is  usually  /etc/krb5.keytab.
              This option conflicts with the -K option.

       -k authPrincipal
              Authenticate  to  the  IPA server using credentials derived from keys stored in the
              named keytab for this principal name.  The default value is the  host  service  for
              the local host in the local realm.  This option conflicts with the -K option.

       -K     Authenticate  to  the  IPA  server  using  credentials  derived  from  the  default
              credential cache rather than a keytab.  This option conflicts with the -k option.

EXIT STATUS

       0      if the certificate was issued. The certificate will be printed.

       1      if the CA is still thinking.  A cookie value will be printed.

       2      if the CA rejected the request.  An error message may be printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error message may be printed.

       17     if the CA indicates that the client needs to attempt enrollment  using  a  new  key
              pair.

FILES

       /etc/ipa/default.conf
              is  the IPA client configuration file.  This file is consulted to determine the URL
              for the IPA server's XML-RPC interface.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8)  getcert(1)  getcert-add-ca(1)  getcert-add-scep-ca(1)   getcert-list-cas(1)
       getcert-list(1)  getcert-modify-ca(1)  getcert-refresh-ca(1) getcert-remove-ca(1) getcert-
       request(1) getcert-resubmit(1) getcert-start-tracking(1)  getcert-status(1)  getcert-stop-
       tracking(1)   certmonger-certmaster-submit(8)  certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-dogtag-submit(8)      certmonger-local-submit(8)      certmonger-scep-submit(8)
       certmonger_selinux(8)