Ubuntu Manpage: dogtag-submit

NAME

       dogtag-submit

SYNOPSIS

       dogtag-submit  -E  EE-URL -A AGENT-URL [-d dbdir] [-n nickname] [-i cainfo] [-C capath] [-c certfile] [-k
       keyfile] [-p pinfile] [-P pin] [-s serial (hex)] [-D  serial  (decimal)]  [-S  state]  [-T  profile]  [-O
       param=value]  [-N  |  -R]  [-t]  [-o  option=value] [-a ] [-u username] [-U userdn] [-W userpassword] [-w
       userpasswordfile] [-Y userpin] [-y userpinfile] [-v] [csrfile]

DESCRIPTION

       dogtag-submit is the helper which certmonger can use to make certificate enrollment and renewal  requests
       to Dogtag servers.  It is not normally run interactively, but it can be for troubleshooting purposes.

       The  preferred  option is to request a renewal of an already-issued certificate, using its serial number,
       which can be read from a PEM-formatted certificate provided  in  the  CERTMONGER_CERTIFICATE  environment
       variable,  or  via  the  -s  or -D option on the command line.  If no serial number is provided, then the
       client will attempt to obtain a new certificate by submitting a signing request to the CA.

       The signing request which is to be submitted should either be in  a  file  whose  name  is  given  as  an
       argument, or fed into dogtag-submit via stdin.

       certmonger does not yet support retrieving trust information from Dogtag CAs.

OPTIONS

-E EE-URL
The top-level URL for the end-entity interface provided by the CA, through which the initial
enrollment request will be submitted. This is typically http://SERVER:EEPORT/ca/ee/ca.

-A AGENT-URL
The top-level URL for the agent interface provided by the CA, through which the request can be
approved using agent credentials. This is typically https://SERVER:AGENTPORT/ca/agent/ca.

-d dbdir -n nickname -c certfile -k keyfile
The location of the key and certificate which the client should use to authenticate to the CA's
agent interface. Exactly which values are meaningful depend on which cryptography library your
copy of libcurl was linked with.

-p pinfile
The name of a file which contains a PIN/password which will be needed in order to make use of the
agent credentials.

-i cainfo -C capath
The location of a file containing a copy of the CA's certificate, against which the CA server's
certificate will be verified, or a directory containing, among other things, such a file.

-s serial
The serial number of an already-issued certificate for which the client should attempt to obtain a
new certificate, in hexadecimal form, if one can not be read from the CERTMONGER_CERTIFICATE
environment variable.

-D serial
The serial number of an already-issued certificate for which the client should attempt to obtain a
new certificate, in decimal form, if one can not be read from the CERTMONGER_CERTIFICATE
environment variable.

-S state
A cookie value provided by a previous instance of this helper, if the helper is being asked to
continue a multi-step enrollment process. If the CERTMONGER_COOKIE environment variable is set,
its value is used.

-T profile/template
The name of the type of certificate which the client should request from the CA if it is not
renewing a certificate (per the -s option above). If the CERTMONGER_CA_PROFILE environment
variable is set, its value is used. Otherwise, the default value is caServerCert.

-O param=value
An additional parameter to pass to the server when approving the signing request using agent
credentials. By default, any server-supplied default settings are applied. This option can be
used either to override a server-supplied default setting, or to supply one which would otherwise
have not been used. Requires the -A option.

-N Even if an already-issued certificate is available in the CERTMONGER_CERTIFICATE environment
variable, or a serial number has been provided, don't attempt to renew a certificate using its
serial number. Instead, attempt to obtain a new certificate using the signing request. The
default behavior is to request a renewal if possible.

-R Negates the effect of the -N flag.

-t Instead of attempting to obtain a new certificate, query the server for a list of the enabled
enrollment profiles.

-o param=value
When initially submitting a request to the CA, add the specified parameter and value along with
any request parameters which would otherwise be sent.

-a Use agent credentials, specified using some combination of the -d, -n, -c, and -k flags, to
authenticate to the CA when initially submitting a request to the CA or retrieving the list of
enabled enrollment profiles. This is typically required when the enrollment profile being used
uses AgentCertAuth-based authentication, and requires that the URL specified using the -E flag be
an HTTPS URL, or when the URL specified using the -E flag is an HTTPS URL.

-u username
When initially submitting a request to the CA, supply the specified value as a user name. This is
typically required when the enrollment profile being used uses UidPwdDirAuth-based or NISAuth-
based authentication.

-U userdn
When initially submitting a request to the CA, supply the specified value as the DN (distinguished
name) of the user's entry in a directory server which the CA is configured to use for checking the
user's password. This is typically required when the enrollment profile being used uses
UdnPwdDirAuth-based authentication.

-W userpassword
When initially submitting a request to the CA, supply the specified value as the password for the
user whose name is specified with the -u option, or whose DN is specified with the -U option.
This is typically only required when the enrollment profile being used uses UidPwdDirAuth-based,
UserPwdDirAuth-based, or NISAuth-based authentication. If the URL specified using the -E flag is
not an HTTPS URL, this value will not be encrypted.

-w userpasswordfile
When initially submitting a request to the CA, read from the specified file a password to supply
for the user whose name is specified with the -u option, or whose DN is specified with the -U
option. This is typically only required when the enrollment profile being used uses
UidPwdDirAuth-based, UserPwdDirAuth-based, or NISAuth-based authentication. If the URL specified
using the -E flag is not an HTTPS URL, this value will not be encrypted.

-Y userpin
When initially submitting a request to the CA, supply the specified value as the PIN for the user
whose name is specified with the -u option, or whose DN is specified with the -U option. This is
typically only required when the enrollment profile being used uses UidPwdPinDirAuth-based
authentication. If the URL specified using the -E flag is not an HTTPS URL, this value will not
be encrypted.

-y userpinfile
When initially submitting a request to the CA, read from the specified file a PIN to supply for
the user whose name is specified with the -u option, or whose DN is specified with the -U option.
This is typically only required when the enrollment profile being used uses UidPwdPinDirAuth-based
authentication. If the URL specified using the -E flag is not an HTTPS URL, this value will not
be encrypted.

-v Increases the logging level. Use twice for more logging. This option is mainly useful for
troubleshooting.

EXIT STATUS

       0      if the certificate was issued. The certificate will be printed.

       1      if the CA is still thinking.  A cookie (state) value will be printed.

       2      if the CA rejected the request.  An error message may be printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error message may be printed.

       5      if  the  CA is still thinking.  A suggested poll delay (specified in seconds) and a cookie (state)
              value will be printed.

       17     if the CA indicates that the client needs to attempt enrollment using a new key pair.

BUGS