bionic (8) certmonger-dogtag-ipa-renew-agent-submit.8.gz

Provided by: certmonger_0.79.5-3ubuntu1_amd64

NAME

       dogtag-ipa-renew-agent-submit

SYNOPSIS

       dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL [-d dbdir] [-n nickname] [-i cainfo] [-C capath]
       [-c certfile] [-k keyfile] [-p pinfile] [-P pin] [-s serial (hex)] [-D serial (decimal)] [-S state]
       [-T profile] [-O param=value] [-N | -R] [-t] [-o option=value] [-v] [csrfile]

DESCRIPTION

       dogtag-ipa-renew-agent-submit is the helper which certmonger uses to make certificate renewal requests to
       Dogtag instances running on IPA servers. It is not normally run interactively, but it can be for
       troubleshooting purposes.

       The preferred option is to request a renewal of an already-issued certificate, using its serial number,
       which can be read from a PEM-formatted certificate provided in the CERTMONGER_CERTIFICATE environment
       variable, or via the -s or -D option on the command line. If no serial number is provided, then the
       client will attempt to obtain a new certificate by submitting a signing request to the CA.

       The signing request which is to be submitted should either be in a file whose name is given as an
       argument, or fed into dogtag-ipa-renew-agent-submit via stdin.

       certmonger does not yet support retrieving trust information from Dogtag CAs.

OPTIONS

       -E EE-URL
              The top-level URL for the end-entity interface provided by the CA. In IPA installations, this is
              typically http://SERVER:EEPORT/ca/ee/ca. If no URL is specified, the host named in the [global]
              section of the /etc/ipa/default.conf file is used as the value of SERVER, and the value of EEPORT
              is inferred from the value of dogtag_version in the same [global] section: if dogtag_version is
              set to 10 or more, EEPORT will be 8080; otherwise it will be 9180.

       -A AGENT-URL
              The top-level URL for the agent interface provided by the CA. In IPA installations, this is
              typically https://SERVER:AGENTPORT/ca/agent/ca. If no URL is specified, the host named in the
              [global] section of the /etc/ipa/default.conf file is used as the value of SERVER, and the value
              of AGENTPORT is inferred from the value of dogtag_version in the same [global] section: if
              dogtag_version is set to 10 or more, AGENTPORT will be 8443; otherwise it will be 9443.

       -d dbdir -n nickname -c certfile -k keyfile
              The location of the key and certificate which the client should use to authenticate to the CA's
              agent interface. Exactly which values are meaningful depends on which cryptography library your
              copy of libcurl was linked with.

              If none of these options are specified, and none of the -p, -P, -i, nor -C options are specified,
              then this set of defaults is used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -p pinfile
              The name of a file which contains a PIN/password which will be needed in order to make use of the
              agent credentials.

              If this option is not specified, and none of the -d, -n, -c, -k, -P, -i, nor -C options are
              specified, then this set of defaults is used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -i cainfo -C capath
              The location of a file containing a copy of the CA's certificate, against which the CA server's
              certificate will be verified, or a directory containing, among other things, such a file.

              If these options are not specified, and none of the -d, -n, -c, -k, -p, nor -P options are
              specified, then this set of defaults is used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -s serial
              The serial number of an already-issued certificate for which the client should attempt to obtain a
              new certificate, in hexadecimal form, if one cannot be read from the CERTMONGER_CERTIFICATE
              environment variable.

       -D serial
              The serial number of an already-issued certificate for which the client should attempt to obtain a
              new certificate, in decimal form, if one cannot be read from the CERTMONGER_CERTIFICATE
              environment variable.

       -S state
              A cookie value provided by a previous instance of this helper, if the helper is being asked to
              continue a multi-step enrollment process. If the CERTMONGER_COOKIE environment variable is set,
              its value is used.

       -T profile/template
              The name of the type of certificate which the client should request from the CA if it is not
              renewing a certificate (per the -s option above). If the CERTMONGER_CA_PROFILE environment
              variable is set, its value is used. Otherwise, the default value is caServerCert.

       -O param=value
              An additional parameter to pass to the server when approving the signing request using the agent's
              credentials. By default, any server-supplied default settings are applied. This option can be
              used either to override a server-supplied default setting, or to supply one which would otherwise
              not have been used.

       -N     Even if an already-issued certificate is available in the CERTMONGER_CERTIFICATE environment
              variable, or a serial number has been provided, don't attempt to renew a certificate using its
              serial number. Instead, attempt to obtain a new certificate using the signing request. The
              default behavior is to request a renewal if possible.

       -R     Negates the effect of the -N flag.

       -t     Instead of attempting to obtain a new certificate, query the server for a list of the enabled
              enrollment profiles.

       -o param=value
              When initially submitting a request to the CA, add the specified parameter and value along with
              any request parameters which would otherwise be sent. This option is not typically used.

       -v     Increases the logging level. Use twice for more logging. This option is mainly useful for
              troubleshooting.

EXIT STATUS

       0      if the certificate was issued. The certificate will be printed.

       1      if the CA is still thinking.  A cookie (state) value will be printed.

       2      if the CA rejected the request.  An error message may be printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error message may be printed.

       5      if the CA is still thinking. A suggested poll delay (specified in seconds) and a cookie (state)
              value will be printed.

       17     if the CA indicates that the client needs to attempt enrollment using a new key pair.
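       As an added example (not certmonger's own code), the default URL inference described under -E and -A
       above, reproduced over a constructed default.conf, together with the argument list for an interactive
       troubleshooting run and a mapping of the EXIT STATUS codes to the caller's next step; the [global] key
       name host is an assumption.

```python
import configparser
from typing import List, Optional, Tuple

# Constructed stand-in for /etc/ipa/default.conf; not taken from a real deployment.
SAMPLE_DEFAULT_CONF = """\
[global]
host = ipa.example.test
dogtag_version = 10
"""

def infer_dogtag_urls(conf_text: str) -> Tuple[str, str]:
    """Return (EE-URL, AGENT-URL) as the man page describes the defaults:
    SERVER is the [global] host (key name 'host' assumed), dogtag_version >= 10
    selects ports 8080/8443; any other value, or none, selects 9180/9443."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    server = cp.get("global", "host")
    raw = cp.get("global", "dogtag_version", fallback="0")
    major = int(raw.split(".")[0])  # tolerate values such as "10.5"
    ee_port, agent_port = (8080, 8443) if major >= 10 else (9180, 9443)
    # EE interface is plain HTTP; agent interface is HTTPS with client-cert auth.
    return (f"http://{server}:{ee_port}/ca/ee/ca",
            f"https://{server}:{agent_port}/ca/agent/ca")

def build_argv(conf_text: str, serial_hex: Optional[str] = None,
               cookie: Optional[str] = None,
               profile: Optional[str] = None) -> List[str]:
    """Command line for an interactive run: -s renews by hex serial, -S resumes
    a multi-step enrollment with a cookie printed by an earlier run, -T names
    the profile used when a new certificate (not a renewal) is requested."""
    ee_url, agent_url = infer_dogtag_urls(conf_text)
    argv = ["dogtag-ipa-renew-agent-submit", "-E", ee_url, "-A", agent_url, "-v"]
    if profile:
        argv += ["-T", profile]
    if cookie:
        argv += ["-S", cookie]
    if serial_hex:
        argv += ["-s", serial_hex]
    return argv

def next_step(status: int) -> str:
    """Map the helper's EXIT STATUS codes to what the caller should do next."""
    if status == 0:
        return "done"        # issued certificate is on stdout
    if status in (1, 5):
        return "poll"        # keep the printed cookie, rerun later with -S
    if status == 17:
        return "rekey"       # CA wants a new key pair before another attempt
    return {2: "rejected", 3: "retry-later", 4: "fix-config"}.get(status, "unknown")
```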

FILES

       /etc/ipa/default.conf
              is the IPA client configuration file. This file is consulted to determine the URL for the Dogtag
              server's end-entity and agent interfaces if they are not supplied as arguments.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1) getcert-list-cas(1) getcert-list(1)
       getcert-modify-ca(1) getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1) getcert-remove-ca(1)
       getcert-resubmit(1) getcert-start-tracking(1) getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8) certmonger-dogtag-submit(8) certmonger-ipa-submit(8)
       certmonger-local-submit(8) certmonger-scep-submit(8) certmonger_selinux(8)