Provided by: certmonger_0.79.17-2_amd64

NAME

       dogtag-submit

SYNOPSIS

       dogtag-submit  -E  EE-URL -A AGENT-URL [-d DIR] [-n NAME] [-i FILE] [-C DIR] [-c FILE] [-k
       FILE] [-p FILE] [-P PIN] [-s serial (hex)] [-D serial (decimal)] [-S state]  [-T  profile]
       [-O  param=value]  [-N  |  -R]  [-t]  [-o option=value] [-a] [-u username] [-U userdn] [-W
       PASSWORD] [-w FILE] [-Y PIN] [-y FILE] [-v] [csrfile]

DESCRIPTION

       dogtag-submit is the helper which certmonger can use to make  certificate  enrollment  and
       renewal  requests  to Dogtag servers.  It is not normally run interactively, but it can be
       for troubleshooting purposes.

       The preferred option is to request a renewal of an already-issued certificate,  using  its
       serial  number,  which  can  be  read  from  a  PEM-formatted  certificate provided in the
       CERTMONGER_CERTIFICATE environment variable, or via the -s or -D  option  on  the  command
       line.   If  no  serial  number  is  provided, then the client will attempt to obtain a new
       certificate by submitting a signing request to the CA.

       The signing request which is to be submitted should either be in  a  file  whose  name  is
       given as an argument, or fed into dogtag-submit via stdin.

       certmonger does not yet support retrieving trust information from Dogtag CAs.

OPTIONS

       -E EE-URL, --ee-url=EE-URL
              The  top-level  URL  for the end-entity interface provided by the CA, through which
              the  initial  enrollment  request   will   be   submitted.    This   is   typically
              http://SERVER:EEPORT/ca/ee/ca.

       -A AGENT-URL, --agent-url=AGENT-URL
              The  top-level  URL  for  the agent interface provided by the CA, through which the
              request  can  be   approved   using   agent   credentials.    This   is   typically
              https://SERVER:AGENTPORT/ca/agent/ca.

       -i FILE, --cafile=FILE
              The location of a file containing a copy of the CA's certificate, against which the
              CA server's certificate will be verified.

       -C DIR, --capath=DIR
              The location of a directory containing a copy of the CA's  certificate(s),  against
              which the CA server's certificate will be verified.

       -D SERIAL, --serial=SERIAL
              The  serial  number  of  an  already-issued certificate for which the client should
              attempt to obtain a new certificate, in decimal form, if one can not be  read  from
              the CERTMONGER_CERTIFICATE environment variable.

       -s SERIAL, --hex-serial=SERIAL
              The  serial  number  of  an  already-issued certificate for which the client should
              attempt to obtain a new certificate, in hexadecimal form, if one can  not  be  read
              from the CERTMONGER_CERTIFICATE environment variable.

       -S STATE, --state=STATE
              A  cookie  value  provided  by a previous instance of this helper, if the helper is
              being asked to continue a multi-step enrollment process.  If the  CERTMONGER_COOKIE
              environment variable is set, its value is used.

       -T NAME, --profile=NAME
              The  name of the type of certificate which the client should request from the CA if
              it  is  not  renewing  a  certificate  (per  the  -s   option   above).    If   the
              CERTMONGER_CA_PROFILE  environment  variable is set, its value is used.  Otherwise,
              the default value is caServerCert.

       -O param=value, --approval-options=param=value
              An additional parameter to pass to the server when approving  the  signing  request
              using  agent  credentials.   By  default,  any server-supplied default settings are
              applied.  This option can be used either  to  override  a  server-supplied  default
              setting,  or  to supply one which would otherwise have not been used.  Requires the
              -A option.

       -N, --force-new
              Even if an already-issued certificate is available  in  the  CERTMONGER_CERTIFICATE
              environment  variable, or a serial number has been provided, don't attempt to renew
              a  certificate  using  its  serial  number.   Instead,  attempt  to  obtain  a  new
              certificate  using  the  signing  request.   The  default  behavior is to request a
              renewal if possible.

       -R, --force-renew
              Negates the effect of the -N flag.

       -t, --profile-list
              Instead of attempting to obtain a new certificate, query the server for a  list  of
              the enabled enrollment profiles.

       -o param=value, --submit-option=param=value
              When  initially  submitting  a  request  to the CA, add the specified parameter and
              value along with any request parameters which would otherwise be sent.

       -a, --agent-submit
              Use agent credentials, specified using some combination of the -d, -n, -c,  and  -k
              flags,  to  authenticate to the CA when initially submitting a request to the CA or
              retrieving the list of enabled enrollment profiles.   This  is  typically  required
              when the enrollment profile being used uses AgentCertAuth-based authentication, and
              requires that the URL specified using the -E flag be an HTTPS URL, or when the  URL
              specified using the -E flag is an HTTPS URL.

       -u username, --uid=username
              When initially submitting a request to the CA, supply the specified value as a user
              name.  This is typically required when  the  enrollment  profile  being  used  uses
              UidPwdDirAuth-based or NISAuth-based authentication.

       -U userdn, --upn=userdn
              When initially submitting a request to the CA, supply the specified value as the DN
              (distinguished name) of the user's entry in a directory  server  which  the  CA  is
              configured  to  use  for  checking the user's password.  This is typically required
              when the enrollment profile being used uses UdnPwdDirAuth-based authentication.

       -W PASSWORD, --userpwd=PASSWORD
              When initially submitting a request to the CA, supply the specified  value  as  the
              password  for  the  user whose name is specified with the -u option, or whose DN is
              specified with the -U option.  This is typically only required when the  enrollment
              profile being used uses UidPwdDirAuth-based, UserPwdDirAuth-based, or NISAuth-based
              authentication.  If the URL specified using the -E flag is not an HTTPS  URL,  this
              value will not be encrypted.

       -w FILE, --userpwdfile=FILE
              When  initially  submitting  a  request  to  the CA, read from the specified file a
              password to supply for the user whose name is specified  with  the  -u  option,  or
              whose DN is specified with the -U option.  This is typically only required when the
              enrollment profile being used uses  UidPwdDirAuth-based,  UserPwdDirAuth-based,  or
              NISAuth-based  authentication.   If  the  URL specified using the -E flag is not an
              HTTPS URL, this value will not be encrypted.

       -Y PIN, --userpin=PIN
              When initially submitting a request to the CA, supply the specified  value  as  the
              PIN  for  the  user  whose  name  is  specified  with the -u option, or whose DN is
              specified with the -U option.  This is typically only required when the  enrollment
              profile   being  used  uses  UidPwdPinDirAuth-based  authentication.   If  the  URL
              specified using the -E flag is not an HTTPS URL, this value will not be encrypted.

       -y FILE, --userpinfile=FILE
              When initially submitting a request to the CA, read from the specified file  a  PIN
              to  supply  for the user whose name is specified with the -u option, or whose DN is
              specified with the -U option.  This is typically only required when the  enrollment
              profile   being  used  uses  UidPwdPinDirAuth-based  authentication.   If  the  URL
              specified using the -E flag is not an HTTPS URL, this value will not be encrypted.

       -v, --verbose
              Increases the logging level.  Use twice for more logging.  This  option  is  mainly
              useful for troubleshooting.

AGENT KEY AND CERTIFICATE OPTIONS

       Options  that  provide  the  location for the private key and public certificate which the
       client should use to authenticate to the CA's agent interface.  The values to  use  depend
       on which cryptography library your copy of libcurl was linked with.

       -d DIR, --dbdir=DIR
              Use  an  NSS database in the specified directory for this certificate and key. Only
              valid with -n.

       -n NAME, --nickname=NAME
              Use the NSS key with this nickname. Only valid with -d.

       -c FILE, --certfile=FILE
              The PEM file that contains the public certificate. Only valid with -k.

       -k FILE, --keyfile=FILE
              The PEM file that contains the private key. Only valid with -c.

       -p FILE, --sslpinfile=FILE
              The name of a file which contains a PIN/password which will be needed in  order  to
              make use of the agent credentials.

       -P PIN, --sslpin=PIN
              The PIN/password which will be needed in order to make use of the agent
              credentials.
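
       The option constraints stated above (-d with -n, -c with -k, -O requiring -A, and
       passwords or PINs sent unencrypted when the -E URL is not HTTPS) can be checked before
       the helper is run.  The following is an added example, not part of certmonger; the
       function names are hypothetical, and the warning about secrets in argv is an
       assumption that goes beyond this page.

```shell
#!/bin/sh
# Added example: pre-flight check of a dogtag-submit argument list against the
# constraints stated in OPTIONS. dogtag_preflight, _has and _flag are
# hypothetical names; dogtag-submit itself is never executed.

_has()  { case " $opts " in *" $1 "*|*" $2 "*) return 0 ;; esac; return 1; }
_flag() { echo "$1"; rc=1; }

# Prints one finding per line; returns 0 if there are none, 1 otherwise.
dogtag_preflight() {
    ee='' opts='' rc=0
    while [ $# -gt 0 ]; do
        case $1 in
            --ee-url=*) ee=${1#*=} ;;
            --*=*)      opts="$opts ${1%%=*}" ;;
            -E)         ee=${2-}; [ $# -gt 1 ] && shift ;;
            -[AdniCckpPsDSTOouUWwYy])        # short options that take a value
                        opts="$opts $1"; [ $# -gt 1 ] && shift ;;
            -*)         opts="$opts $1" ;;
        esac
        shift
    done
    if _has -d --dbdir && ! _has -n --nickname; then _flag "-d given without -n"; fi
    if _has -n --nickname && ! _has -d --dbdir; then _flag "-n given without -d"; fi
    if _has -c --certfile && ! _has -k --keyfile; then _flag "-c given without -k"; fi
    if _has -k --keyfile && ! _has -c --certfile; then _flag "-k given without -c"; fi
    if _has -O --approval-options && ! _has -A --agent-url; then
        _flag "-O requires -A"
    fi
    case $ee in
        https://*) ;;
        *)  # plain-HTTP (or missing) end-entity URL
            if _has -a --agent-submit; then _flag "-a requires an HTTPS -E URL"; fi
            for o in W:userpwd w:userpwdfile Y:userpin y:userpinfile; do
                if _has "-${o%%:*}" "--${o#*:}"; then
                    _flag "-${o%%:*} value would be sent unencrypted (non-HTTPS -E URL)"
                fi
            done ;;
    esac
    # Assumption beyond the man page: secrets in argv are visible to other
    # local users through the process list, so prefer the FILE variants.
    if _has -W --userpwd; then _flag "-W puts the password in argv; use -w FILE"; fi
    if _has -Y --userpin; then _flag "-Y puts the PIN in argv; use -y FILE"; fi
    if _has -P --sslpin;  then _flag "-P puts the PIN in argv; use -p FILE"; fi
    return $rc
}
```

       Call it with the same arguments that would be passed to dogtag-submit, and run the
       helper only if it returns 0.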

EXIT STATUS

       0      if the certificate was issued. The certificate will be printed.

       1      if the CA is still thinking.  A cookie (state) value will be printed.

       2      if the CA rejected the request.  An error message may be printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error message may be printed.

       5      if the CA is still thinking.  A suggested poll delay (specified in seconds)  and  a
              cookie (state) value will be printed.

       17     if  the  CA  indicates  that the client needs to attempt enrollment using a new key
              pair.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8)  getcert(1)  getcert-add-ca(1)  getcert-add-scep-ca(1)   getcert-list-cas(1)
       getcert-list(1)      getcert-modify-ca(1)     getcert-refresh-ca(1)     getcert-refresh(1)
       getcert-rekey(1)   getcert-remove-ca(1)   getcert-resubmit(1)    getcert-start-tracking(1)
       getcert-status(1)         getcert-stop-tracking(1)         certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8)                       certmonger-ipa-submit(8)
       certmonger-local-submit(8) certmonger-scep-submit(8) certmonger_selinux(8)