Provided by: certmonger_0.78.6-2_i386

NAME

       ipa-submit

SYNOPSIS

       ipa-submit [-h serverHost] [-H serverURL] [-c cafile] [-C capath]
       [[-K] | [-t keytab] [-k authPrincipal]] [-P csrPrincipal] [-T profile]
       [csrfile]

DESCRIPTION

       ipa-submit is the helper which certmonger uses to make requests to
       IPA-based CAs.  It is not normally run interactively, but it can be run
       by hand for troubleshooting purposes.  The signing request which is to
       be submitted should either be in a file whose name is given as an
       argument, or fed into ipa-submit via stdin.

       certmonger  supports retrieving trusted certificates from IPA CAs.  See
       getcert-request(1)  and  getcert-resubmit(1)  for   information   about
       specifying  where  those  certificates  should  be  stored on the local
       system.  Trusted certificates  are  retrieved  from  the  caCertificate
       attribute of entries present at and below cn=cacert,cn=ipa,cn=etc,$BASE
       in the IPA LDAP server's directory tree, where $BASE  defaults  to  the
       value of the basedn setting in /etc/ipa/default.conf.

OPTIONS

       -P csrPrincipal
              Identifies  the  principal  name  of  the  service for which the
              certificate is being issued.  This setting is  required  by  IPA
              and must always be specified.

       -T profile
              Requests  that  the certificate be processed using the specified
              certificate profile.  By default, if this flag is not specified,
              and   the   CERTMONGER_CA_PROFILE   variable   is   set  in  the
              environment, then the value of the environment variable will  be
              used.   This  setting is optional, and if a server returns error
              3005, indicating that it does not understand multiple  profiles,
              the request will be re-submitted without specifying a profile.

       -h serverHost
              Submit  the request to the IPA server running on the named host.
              The  default  is  to  read  the  location  of  the   host   from
              /etc/ipa/default.conf.

       -H serverURL
              Submit  the request to the IPA server at the specified location.
              The  default  is  to  read  the  location  of  the   host   from
              /etc/ipa/default.conf.

       -c cafile
              The  server's certificate was issued by the CA whose certificate
              is in the named file.  The default value is /etc/ipa/ca.crt.

       -C capath
              Trust the server if its certificate was issued  by  a  CA  whose
              certificate  is  in  a file in the named directory.  There is no
              default for this option, and it is not expected to be necessary.

       -t keytab
              Authenticate to the IPA server using  credentials  derived  from
              keys  stored  in  the named keytab.  The default value can vary,
              but it is usually /etc/krb5.keytab.  This option conflicts  with
              the -K option.

       -k authPrincipal
              Authenticate  to  the  IPA server using credentials derived from
              keys stored in the named keytab for this  principal  name.   The
              default  value  is  the  host  service for the local host in the
              local realm.  This option conflicts with the -K option.

       -K     Authenticate to the IPA server using  credentials  derived  from
              the  default credential cache rather than a keytab.  This option
              conflicts with the -t and -k options.

EXIT STATUS

       0      if the certificate was issued. The certificate will be printed.

       1      if the CA is still thinking.  A cookie value will be printed.

       2      if the CA  rejected  the  request.   An  error  message  may  be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if  critical  configuration  information  is  missing.  An error
              message may be printed.

       17     if the CA indicates that the client needs to attempt  enrollment
              using a new key pair.
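
A wrapper for the troubleshooting use described above, acting on each documented exit status. This is an added example, not part of certmonger: the IPA_SUBMIT variable, the submit_csr function, the state words and the output file names are assumptions made here, and -K assumes a credential cache obtained beforehand.

```shell
#!/bin/sh
# Added example, not certmonger code. IPA_SUBMIT is an assumption: the helper's
# install path varies by distribution, so point this variable at it.
IPA_SUBMIT="${IPA_SUBMIT:-ipa-submit}"

# submit_csr PRINCIPAL CSRFILE OUTDIR
# Prints one state word and returns the helper's exit status unchanged
# (64 is this wrapper's own code for an unreadable CSR or output directory).
submit_csr() {
    sc_principal=$1 sc_csr=$2 sc_out=$3
    [ -r "$sc_csr" ] || { echo no-csr; return 64; }
    mkdir -p "$sc_out" || { echo no-outdir; return 64; }

    # -K: authenticate with the caller's default credential cache.
    # "|| sc_rc=$?" keeps the status even when the caller runs under set -e.
    sc_rc=0
    sc_text=$("$IPA_SUBMIT" -K -P "$sc_principal" "$sc_csr") || sc_rc=$?

    case $sc_rc in
        0)  printf '%s\n' "$sc_text" > "$sc_out/cert.pem"; echo issued ;;
        1)  # CA has not decided yet: keep the cookie value that was printed
            printf '%s\n' "$sc_text" > "$sc_out/cookie"; echo pending ;;
        2)  echo rejected ;;
        3)  echo unreachable ;;
        4)  echo misconfigured ;;
        17) echo need-new-key ;;
        *)  echo unexpected ;;
    esac
    # Anything the helper printed on failure is kept for the operator to read.
    [ "$sc_rc" -le 1 ] || printf '%s\n' "$sc_text" > "$sc_out/message"
    return "$sc_rc"
}

# Constructed usage (principal and paths are placeholders):
#   submit_csr HTTP/www.example.test /tmp/www.csr /tmp/ipa-out
```

If -T is not passed, as here, the helper takes the profile from CERTMONGER_CA_PROFILE when that variable is set in the environment.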

FILES

       /etc/ipa/default.conf
              is the IPA client configuration file.  This file is consulted to
              determine the URL for the IPA server's XML-RPC interface.

BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-remove-ca(1) getcert-request(1)
       getcert-resubmit(1) getcert-start-tracking(1) getcert-status(1)
       getcert-stop-tracking(1) certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8)
       certmonger-local-submit(8) certmonger-scep-submit(8)
       certmonger_selinux(8)