Provided by: certmonger_0.78.6-2_i386 bug

NAME

       scep-submit

SYNOPSIS

       scep-submit  -u  SERVER-URL  [-r  ra-cert-file]  [-R  ca-cert-file] [-I
       other-certs-file]   [-i   ca-identifier]   [-v]   [-n]    [-c|-C|-g|-p]
       [pkimessage-filename]

DESCRIPTION

       scep-submit  is  the  helper  which  certmonger  can  use  to  transmit
       certificate enrollment and renewal requests to servers using SCEP.   It
       is  not  normally  run interactively, but it can be for troubleshooting
       purposes.

       The request which is to be  submitted  should  be  a  PEM-encoded  SCEP
       pkiMessage  either in a file whose name is given as an argument, or fed
       into scep-submit via stdin.

MODES

       -c     scep-submit will issue a GetCACaps request  to  the  server  and
              print the results.

       -C     scep-submit  will issue GetCACert and GetCAChain requests to the
              server, parse the responses, and then print, in  order,  the  RA
              certificate,    the   CA   certificate,   and   any   additional
              certificates.

       -p     scep-submit will issue a  PKIOperation  request  to  the  server
              using  the  passed-in  message  as the message content.  It will
              parse the server's response, verify the signature,  and  if  the
              response  includes  an  issued  certificate,  it will output the
              pkcsPKIEnvelope in PEM format.  If  the  response  indicates  an
              error, it will print the error.

       -g     scep-submit  will  issue  a  PKIOperation  request to the server
              using the passed-in message as the  message  content.   It  will
              parse  the  server's  response, verify the signature, and if the
              response includes an issued  certificate,  it  will  output  the
              pkcsPKIEnvelope  in  PEM  format.   If the response indicates an
              error, it will print the error.

OPTIONS

       -u SERVER-URL
              The location of the SCEP interface provided by the CA.  This  is
              typically         http://SERVER/cgi-bin/PKICLIENT.EXE         or
              http://SERVER/certsrv/mscep/mscep.dll.  This  option  is  always
              required.

       -R CA-certificate-file
              The location of the SCEP server's CA certificate, which was used
              to issue the SCEP server's certificate, or the SCEP server's own
              certificate,  if  it  is  self-signed,  in PEM form.  If the URL
              specified with the -u option is an https URL, then  this  option
              is required.

       -r RA-certificate-file
              The  location  of  the  SCEP  server's  RA certificate, which is
              expected to be used for  signing  responses  sent  by  the  SCEP
              server  back to the client.  This option is required when either
              the -g flag or the -p flag is specified.

       -I other-certificates-file
              The  location  of  a   file   containing   other   PEM-formatted
              certificates  which  may  be  needed in order to properly verify
              signed responses sent by the SCEP server  back  to  the  client.
              This  option  may be necessary when either the -g flag or the -p
              flag is specified.

       -i ca-identifier
              When called with the -c or -C flag, this option can be  used  to
              specify  the CA identifier which is passed to the server as part
              of the client's request.  The default is "0".

       -n     The SCEP Renewal feature allows  a  client  with  a  previously-
              issued  certificate  to  use that certificate and the associated
              private key to request a new certificate  for  a  different  key
              pair,  and  can be used to support certmonger's rekeying feature
              if the SCEP server  advertises  support  for  it.   This  option
              forces  the scep-submit helper to prefer to issue requests which
              do not make use of this feature.

       -v     Increases the logging level.  Use twice for more logging.   This
              option is mainly useful for troubleshooting.

EXIT STATUS

       0      if  the  certificate  was  issued.  The  pkcsPKIEnvelope will be
              printed in PEM-encoded form.

       1      if the CA is still thinking.  A cookie  (state)  value  will  be
              printed.

       2      if  the  CA  rejected  the  request.   An  error  message may be
              printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration  information  is  missing.   An  error
              message may be printed.

       5      if  the CA is still thinking.  A suggested poll delay (specified
              in seconds) and a cookie (state) value will be printed.

       16     if the helper needs an SCEP pkiMessage, but couldn't read one.

       17     if the CA indicates that the client needs to attempt  enrollment
              using a new key pair.

BUGS

       Please     file     tickets     for    any    that    you    find    at
       https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8)   getcert(1)   getcert-add-ca(1)   getcert-add-scep-ca(1)
       getcert-list-cas(1)   getcert-list(1)   getcert-modify-ca(1)   getcert-
       refresh-ca(1) getcert-remove-ca(1)  getcert-resubmit(1)  getcert-start-
       tracking(1)   getcert-status(1)   getcert-stop-tracking(1)  certmonger-
       certmaster-submit(8)        certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-dogtag-submit(8)  certmonger-ipa-submit(8) certmonger-local-
       submit(8) certmonger_selinux(8)