NAME

       ipa-submit

SYNOPSIS

       ipa-submit [-h serverHost] [-H serverURL] [-d domain] [-L ldapurl] [-b basedn] [-c cafile]
       [-C capath] [[-K] | [-t keytab] [-k submitterPrincipal]] [-u UID] [-W PASSWORD] [-w  FILE]
       [-P principalOfRequest] [-T profile] [-X issuer] [csrfile]

DESCRIPTION

       ipa-submit  is  the helper which certmonger uses to make requests to IPA-based CAs.  It is
       not normally run interactively, but it can be for troubleshooting purposes.   The  signing
       request  which  is  to  be  submitted should either be in a file whose name is given as an
       argument, or fed into ipa-submit via stdin.

       certmonger supports retrieving trusted certificates from IPA CAs.  See  getcert-request(1)
       and  getcert-resubmit(1)  for information about specifying where those certificates should
       be stored on the local system.  Trusted certificates are retrieved from the  caCertificate
       attribute  of  entries  present at and below cn=cacert,cn=ipa,cn=etc,$BASE in the IPA LDAP
       server's directory tree, where $BASE defaults to  the  value  of  the  basedn  setting  in
       /etc/ipa/default.conf.

OPTIONS

       -P PRINCIPAL, --principal-of-request=PRINCIPAL
              Identifies  the  principal  name  of the service for which the certificate is being
              issued.  This setting is required by IPA and must always be specified.

       -X NAME, --issuer=NAME
              Requests that the certificate be processed by the specified certificate issuer.  By
              default,  if  this  flag is not specified, and the CERTMONGER_CA_ISSUER variable is
              set in the environment, then the value of the environment variable  will  be  used.
              This  setting  is  optional, and if a server returns error 3005, indicating that it
              does not understand multiple profiles, the request  will  be  re-submitted  without
              specifying an issuer name.

       -T NAME, --profile=NAME
              Requests that the certificate be processed using the specified certificate profile.
              By default, if this flag is not specified, and the  CERTMONGER_CA_PROFILE  variable
              is set in the environment, then the value of the environment variable will be used.
              This setting is optional, and if a server returns error 3005,  indicating  that  it
              does  not  understand  multiple  profiles, the request will be re-submitted without
              specifying a profile.

       -h HOSTNAME, --host=HOSTNAME
              Submit the request to the IPA server running on the named host.  The default is  to
              read  the  location  of  the  host  from  /etc/ipa/default.conf.   If  no server is
              configured, or the configured server cannot be reached, the client will attempt  to
              use DNS discovery to locate LDAP servers for the IPA domain.  If servers are found,
              they will be searched for entries pointing to IPA masters running the "CA" service,
              and the client will attempt to contact each of those in turn.

       -H URL, --xmlrpc-url=URL
              Submit  the request to the IPA server at the specified location.  The default is to
              read the location  of  the  host  from  /etc/ipa/default.conf.   If  no  server  is
              configured,  or the configured server cannot be reached, the client will attempt to
              use DNS discovery to locate LDAP servers for the IPA domain.  If servers are found,
              they will be searched for entries pointing to IPA masters running the "CA" service,
              and the client will attempt to contact each of those in turn.

       -L URL, --ldap-url=URL
              Provide the IPA LDAP service location rather than using DNS discovery.  The default
              is  to  read  the  location  of  the  host  from  /etc/ipa/default.conf and use DNS
              discovery to find the set of _ldap._tcp.DOMAIN values and pick one for use.

       -d DOMAIN, --domain=DOMAIN
              Use this domain when doing DNS  discovery  to  locate  LDAP  servers  for  the  IPA
              installation.   The   default   is   to   read   the  location  of  the  host  from
              /etc/ipa/default.conf.

       -b BASEDN, --basedn=BASEDN
              Use this basedn to search for an IPA installation in LDAP. The default is  to  read
              the location of the host from /etc/ipa/default.conf.

       -c FILE, --cafile=FILE
              The  server's  certificate  was  issued by the CA whose certificate is in the named
              file.  The default value is /etc/ipa/ca.crt.

       -C PATH, --capath=DIR
              Trust the server if its certificate was issued by a CA whose certificate  is  in  a
              file  in  the  named directory.  There is no default for this option, and it is not
              expected to be necessary.

       -t KEYTAB, --keytab=KEYTAB
              Authenticate to the IPA server using Kerberos with credentials  derived  from  keys
              stored  in  the  named  keytab.   The  default  value  can  vary, but it is usually
              /etc/krb5.keytab.  This option conflicts with the -K, -u, -W, and -w options.

       -k PRINCIPAL, --submitter-principal=PRINCIPAL
              Authenticate to the IPA server using Kerberos with credentials  derived  from  keys
              stored  in the named keytab for this principal name.  The default value is the host
              service for the local host in the local realm.  This option conflicts with the  -K,
              -u, -W, and -w options.

       -K, --use-ccache-creds
              Authenticate  to  the  IPA  server using Kerberos with credentials derived from the
              default credential cache rather than a keytab.  This option conflicts with the  -k,
              -u, -W, and -w options.

       -u USERNAME, --uid=USERNAME
              Authenticate  to the IPA server using a user name and password, using the specified
              value as the user name.  This option conflicts with the -k, -K, and -t options.

       -W PASSWORD, --pwd=PASSWORD
              Authenticate to the IPA server using a user name and password, using the  specified
              value as the password.  This option conflicts with the -k, -K, -t, and -w options.

       -w FILE, --pwdfile=FILE
              Authenticate to the IPA server using a user name and password, reading the password
              from the specified file.  This option  conflicts  with  the  -k,  -K,  -t,  and  -W
              options.

EXIT STATUS

       0      if the certificate was issued. The certificate will be printed.

       1      if the CA is still thinking.  A cookie value will be printed.

       2      if the CA rejected the request.  An error message may be printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error message may be printed.

       17     if  the  CA  indicates  that the client needs to attempt enrollment using a new key
              pair.

FILES

       /etc/ipa/default.conf
              is the IPA client configuration file.  This file is consulted to determine the  URL
              for the IPA server's XML-RPC interface.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8)   getcert(1)  getcert-add-ca(1)  getcert-add-scep-ca(1)  getcert-list-cas(1)
       getcert-list(1)     getcert-modify-ca(1)     getcert-refresh-ca(1)      getcert-refresh(1)
       getcert-rekey(1)      getcert-remove-ca(1)      getcert-request(1)     getcert-resubmit(1)
       getcert-start-tracking(1)            getcert-status(1)            getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)                certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-dogtag-submit(8)      certmonger-local-submit(8)      certmonger-scep-submit(8)
       certmonger_selinux(8)