Provided by: certmonger_0.79.5-3ubuntu1_amd64 bug

NAME
       scep-submit


SYNOPSIS
       scep-submit  -u  SERVER-URL  [-r ra-cert-file] [-R ca-cert-file] [-I other-certs-file] [-i ca-identifier]
       [-v] [-n] [-c|-C|-g|-p] [pkimessage-filename]


DESCRIPTION
       scep-submit is the helper which certmonger  can  use  to  transmit  certificate  enrollment  and  renewal
       requests  to servers using SCEP.  It is not normally run interactively, but it can be for troubleshooting
       purposes.

       The request which is to be submitted should be a PEM-encoded SCEP pkiMessage either in a file whose  name
       is given as an argument, or fed into scep-submit via stdin.


MODES
       -c     scep-submit will issue a GetCACaps request to the server and print the results.

       -C     scep-submit  will  issue GetCACert and GetCAChain requests to the server, parse the responses, and
              then print, in order, the RA certificate, the CA certificate, and any additional certificates.

       -p     scep-submit will issue a PKIOperation request to the server using the  passed-in  message  as  the
              message  content.   It will parse the server's response, verify the signature, and if the response
              includes an issued certificate, it will output the pkcsPKIEnvelope in PEM format.  If the response
              indicates an error, it will print the error.

       -g     scep-submit  will  issue  a  PKIOperation request to the server using the passed-in message as the
              message content.  It will parse the server's response, verify the signature, and if  the  response
              includes an issued certificate, it will output the pkcsPKIEnvelope in PEM format.  If the response
              indicates an error, it will print the error.


OPTIONS
       -u SERVER-URL
              The location of the SCEP interface provided by  the  CA.   This  is  typically  http://SERVER/cgi-
              bin/PKICLIENT.EXE or http://SERVER/certsrv/mscep/mscep.dll.  This option is always required.

       -R CA-certificate-file
              The  location  of  the  SCEP  server's  CA  certificate, which was used to issue the SCEP server's
              certificate, or the SCEP server's own certificate, if it is self-signed, in PEM form.  If the  URL
              specified with the -u option is an https URL, then this option is required.

       -r RA-certificate-file
              The  location  of  the  SCEP  server's  RA  certificate,  which is expected to be used for signing
              responses sent by the SCEP server back to the client.  This option is required when either the  -g
              flag or the -p flag is specified.

       -I other-certificates-file
              The location of a file containing other PEM-formatted certificates which may be needed in order to
              properly verify signed responses sent by the SCEP server back to the client.  This option  may  be
              necessary when either the -g flag or the -p flag is specified.

       -i ca-identifier
              When  called with the -c or -C flag, this option can be used to specify the CA identifier which is
              passed to the server as part of the client's request.  The default is "0".

       -n     The SCEP Renewal feature allows  a  client  with  a  previously-issued  certificate  to  use  that
              certificate  and the associated private key to request a new certificate for a different key pair,
              and can be used to support certmonger's rekeying feature if the SCEP server advertises support for
              it.   This  option forces the scep-submit helper to prefer to issue requests which do not make use
              of this feature.

       -v     Increases the logging level.  Use twice for more  logging.   This  option  is  mainly  useful  for
              troubleshooting.


EXIT STATUS
       0      if the certificate was issued. The pkcsPKIEnvelope will be printed in PEM-encoded form.

       1      if the CA is still thinking.  A cookie (state) value will be printed.

       2      if the CA rejected the request.  An error message may be printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error message may be printed.

       5      if  the  CA is still thinking.  A suggested poll delay (specified in seconds) and a cookie (state)
              value will be printed.

       16     if the helper needs an SCEP pkiMessage, but couldn't read one.

       17     if the CA indicates that the client needs to attempt enrollment using a new key pair.


BUGS
       Please file tickets for any that you find at https://fedorahosted.org/certmonger/


SEE ALSO
       certmonger(8) getcert(1)  getcert-add-ca(1)  getcert-add-scep-ca(1)  getcert-list-cas(1)  getcert-list(1)
       getcert-modify-ca(1)   getcert-refresh-ca(1)   getcert-refresh(1)  getcert-rekey(1)  getcert-remove-ca(1)
       getcert-resubmit(1)  getcert-start-tracking(1)  getcert-status(1)  getcert-stop-tracking(1)   certmonger-
       certmaster-submit(8)  certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8) certmonger-
       ipa-submit(8) certmonger-local-submit(8) certmonger_selinux(8)