Provided by: certmonger_0.79.16-1build1_amd64 
NAME
dogtag-submit
SYNOPSIS
dogtag-submit -E EE-URL -A AGENT-URL [-d DIR] [-n NAME] [-i FILE] [-C DIR] [-c FILE] [-k
FILE] [-p FILE] [-P PIN] [-s serial (hex)] [-D serial (decimal)] [-S state] [-T profile]
[-O param=value] [-N | -R] [-t] [-o option=value] [-a] [-u username] [-U userdn] [-W
PASSWORD] [-w FILE] [-Y PIN] [-y FILE] [-v] [csrfile]
DESCRIPTION
dogtag-submit is the helper which certmonger can use to make certificate enrollment and
renewal requests to Dogtag servers. It is not normally run interactively, but it can be
for troubleshooting purposes.
The preferred option is to request a renewal of an already-issued certificate, using its
serial number, which can be read from a PEM-formatted certificate provided in the
CERTMONGER_CERTIFICATE environment variable, or via the -s or -D option on the command
line. If no serial number is provided, then the client will attempt to obtain a new
certificate by submitting a signing request to the CA.
The signing request which is to be submitted should either be in a file whose name is
given as an argument, or fed into dogtag-submit via stdin.
certmonger does not yet support retrieving trust information from Dogtag CAs.
OPTIONS
-E EE-URL, --ee-url=EE-URL
The top-level URL for the end-entity interface provided by the CA, through which
the initial enrollment request will be submitted. This is typically
http://SERVER:EEPORT/ca/ee/ca.
-A AGENT-URL, --agent-url=AGENT-URL
The top-level URL for the agent interface provided by the CA, through which the
request can be approved using agent credentials. This is typically
https://SERVER:AGENTPORT/ca/agent/ca.
-i FILE, --cafile=FILE
The location of a file containing a copy of the CA's certificate, against which the
CA server's certificate will be verified.
-C DIR, --capath=DIR
The location of a directory containing a copy of the CA's certificate(s), against
which the CA server's certificate will be verified.
-D SERIAL, --serial=SERIAL
The serial number of an already-issued certificate for which the client should
attempt to obtain a new certificate, in decimal form, if one can not be read from
the CERTMONGER_CERTIFICATE environment variable.
-s SERIAL, --hex-serial=SERIAL
The serial number of an already-issued certificate for which the client should
attempt to obtain a new certificate, in hexadecimal form, if one can not be read
from the CERTMONGER_CERTIFICATE environment variable.
-S STATE, --state=STATE
A cookie value provided by a previous instance of this helper, if the helper is
being asked to continue a multi-step enrollment process. If the CERTMONGER_COOKIE
environment variable is set, its value is used.
-T NAME, --profile=NAME
The name of the type of certificate which the client should request from the CA if
it is not renewing a certificate (per the -s option above). If the
CERTMONGER_CA_PROFILE environment variable is set, its value is used. Otherwise,
the default value is caServerCert.
-O param=value, --approval-options=param=value
An additional parameter to pass to the server when approving the signing request
using agent credentials. By default, any server-supplied default settings are
applied. This option can be used either to override a server-supplied default
setting, or to supply one which would otherwise have not been used. Requires the
-A option.
-N, --force-new
Even if an already-issued certificate is available in the CERTMONGER_CERTIFICATE
environment variable, or a serial number has been provided, don't attempt to renew
a certificate using its serial number. Instead, attempt to obtain a new
certificate using the signing request. The default behavior is to request a
renewal if possible.
-R, --force-renew
Negates the effect of the -N flag.
-t, --profile-list
Instead of attempting to obtain a new certificate, query the server for a list of
the enabled enrollment profiles.
-o param=value, --submit-option=param=value
When initially submitting a request to the CA, add the specified parameter and
value along with any request parameters which would otherwise be sent.
-a, --agent-submit
Use agent credentials, specified using some combination of the -d, -n, -c, and -k
flags, to authenticate to the CA when initially submitting a request to the CA or
retrieving the list of enabled enrollment profiles. This is typically required
when the enrollment profile being used uses AgentCertAuth-based authentication, and
requires that the URL specified using the -E flag be an HTTPS URL, or when the URL
specified using the -E flag is an HTTPS URL.
-u username, --uid=username
When initially submitting a request to the CA, supply the specified value as a user
name. This is typically required when the enrollment profile being used uses
UidPwdDirAuth-based or NISAuth-based authentication.
-U userdn, --upn=userdn
When initially submitting a request to the CA, supply the specified value as the DN
(distinguished name) of the user's entry in a directory server which the CA is
configured to use for checking the user's password. This is typically required
when the enrollment profile being used uses UdnPwdDirAuth-based authentication.
-W PASSWORD, --userpwd=PASSWORD
When initially submitting a request to the CA, supply the specified value as the
password for the user whose name is specified with the -u option, or whose DN is
specified with the -U option. This is typically only required when the enrollment
profile being used uses UidPwdDirAuth-based, UserPwdDirAuth-based, or NISAuth-based
authentication. If the URL specified using the -E flag is not an HTTPS URL, this
value will not be encrypted.
-w FILE, --userpwdfile=FILE
When initially submitting a request to the CA, read from the specified file a
password to supply for the user whose name is specified with the -u option, or
whose DN is specified with the -U option. This is typically only required when the
enrollment profile being used uses UidPwdDirAuth-based, UserPwdDirAuth-based, or
NISAuth-based authentication. If the URL specified using the -E flag is not an
HTTPS URL, this value will not be encrypted.
-Y PIN, --userpin=PIN
When initially submitting a request to the CA, supply the specified value as the
PIN for the user whose name is specified with the -u option, or whose DN is
specified with the -U option. This is typically only required when the enrollment
profile being used uses UidPwdPinDirAuth-based authentication. If the URL
specified using the -E flag is not an HTTPS URL, this value will not be encrypted.
-y FILE, --userpinfile=FILE
When initially submitting a request to the CA, read from the specified file a PIN
to supply for the user whose name is specified with the -u option, or whose DN is
specified with the -U option. This is typically only required when the enrollment
profile being used uses UidPwdPinDirAuth-based authentication. If the URL
specified using the -E flag is not an HTTPS URL, this value will not be encrypted.
-v, --verbose
Increases the logging level. Use twice for more logging. This option is mainly
useful for troubleshooting.
AGENT KEY AND CERTIFICATE OPTIONS
Options that provide the location for the private key and public certificate which the
client should use to authenticate to the CA's agent interface. The values to use depend
on which cryptography library your copy of libcurl was linked with.
-d DIR, --dbdir=DIR
Use an NSS database in the specified directory for this certificate and key. Only
valid with -n.
-n NAME, --nickname=NAME
Use the NSS key with this nickname. Only valid with -d.
-c FILE, --certfile=FILE
The PEM file that contains the public certificate. Only valid with -k.
-k FILE, --keyfile=FILE
The PEM file that contains the private certificate. Only valid with -c.
-p FILE, --sslpinfile=FILE
The name of a file which contains a PIN/password which will be needed in order to
make use of the agent credentials.
-P PIN, --sslpin=PIN
The name of a file which contains a PIN/password which will be needed in order to
make use of the agent credentials.
EXIT STATUS
0 if the certificate was issued. The certificate will be printed.
1 if the CA is still thinking. A cookie (state) value will be printed.
2 if the CA rejected the request. An error message may be printed.
3 if the CA was unreachable. An error message may be printed.
4 if critical configuration information is missing. An error message may be printed.
5 if the CA is still thinking. A suggested poll delay (specified in seconds) and a
cookie (state) value will be printed.
17 if the CA indicates that the client needs to attempt enrollment using a new key
pair.
BUGS
Please file tickets for any that you find at https://fedorahosted.org/certmonger/
SEE ALSO
certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1) getcert-list-cas(1)
getcert-list(1) getcert-modify-ca(1) getcert-refresh-ca(1) getcert-refresh(1)
getcert-rekey(1) getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1)
getcert-status(1) getcert-stop-tracking(1) certmonger-certmaster-submit(8)
certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-ipa-submit(8)
certmonger-local-submit(8) certmonger-scep-submit(8) certmonger_selinux(8)