Provided by: certmonger_0.79.17-2_amd64 bug

NAME

       scep-submit

SYNOPSIS

       scep-submit  -u  SERVER-URL  [-r ra-cert-file] [-R ca-cert-file] [-I other-certs-file] [-N
       ca-cert-file] [-i ca-identifier] [-v] [-n] [-c|-C|-g|-p] [pkimessage-filename]

DESCRIPTION

       scep-submit is the helper which certmonger can use to transmit certificate enrollment  and
       renewal  requests to servers using SCEP.  It is not normally run interactively, but it can
       be for troubleshooting purposes.

       The request which is to be submitted should be a PEM-encoded SCEP pkiMessage either  in  a
       file whose name is given as an argument, or fed into scep-submit via stdin.

MODES

       -c, --retrieve-ca-capabilities
              scep-submit will issue a GetCACaps request to the server and print the results.

       -C, --retrieve-ca-certificates
              scep-submit  will  issue a GetCACert request to the server, parse the response, and
              then print, in order, the RA certificate, the CA certificate,  and  any  additional
              certificates.

       -p, --pki-message
              scep-submit  will  issue  a  PKIOperation request to the server using the passed-in
              message as the message content.  It will parse the server's  response,  verify  the
              signature,  and  if the response includes an issued certificate, it will output the
              pkcsPKIEnvelope in PEM format.  If the response indicates an error, it  will  print
              the error.

       -g, --get-initial-cert
              scep-submit  will  issue  a  PKIOperation request to the server using the passed-in
              message as the message content.  It will parse the server's  response,  verify  the
              signature,  and  if the response includes an issued certificate, it will output the
              pkcsPKIEnvelope in PEM format.  If the response indicates an error, it  will  print
              the error.

OPTIONS

       -u URL, --url=URL
              The  location  of  the  SCEP  interface  provided  by  the  CA.   This is typically
              http://SERVER/cgi-bin/PKICLIENT.EXE or http://SERVER/certsrv/mscep/mscep.dll.  This
              option is always required.

       -R FILE, --cacert=FILE
              The  location  of  the CA certificate which was used to issue the SCEP web server's
              certificate in PEM form. If the URL specified with the -u option is an  https  URL,
              then this option is required.

       -N FILE, --signingca=FILE
              The  location  of  a  PEM-formatted  copy  of  the SCEP server's CA certificate.  A
              discovered value is normally supplied by the certmonger  daemon,  but  one  can  be
              specified for troubleshooting purposes.

       -r FILE, --racert=FILE
              The  location of the SCEP server's RA certificate, which is expected to be used for
              signing responses sent by the SCEP server back  to  the  client.   This  option  is
              required when either the -g flag or the -p flag is specified.

       -I FILE, --other-certs=FILE
              The  location  of  a  file containing other PEM-formatted certificates which may be
              needed in order to properly verify signed responses sent by the SCEP server back to
              the client.  This option may be necessary when either the -g flag or the -p flag is
              specified.

       -i NAME, --ca-identifier=NAME
              When called with the -c or -C flag, this option can  be  used  to  specify  the  CA
              identifier  which  is  passed  to  the server as part of the client's request.  The
              default is "0".

       -n, --non-renewal
              The SCEP Renewal feature allows a client with a  previously-issued  certificate  to
              use  that  certificate  and the associated private key to request a new certificate
              for a different key pair, and can be used to support certmonger's rekeying  feature
              if  the  SCEP server advertises support for it.  This option forces the scep-submit
              helper to prefer to issue requests which do not make use of this feature.

       -v, --verbose
              Increases the logging level.  Use twice for more logging.  This  option  is  mainly
              useful for troubleshooting.

EXIT STATUS

       0      if  the  certificate was issued. The pkcsPKIEnvelope will be printed in PEM-encoded
              form.

       1      if the CA is still thinking.  A cookie (state) value will be printed.

       2      if the CA rejected the request.  An error message may be printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error message may be printed.

       5      if the CA is still thinking.  A suggested poll delay (specified in seconds)  and  a
              cookie (state) value will be printed.

       16     if the helper needs an SCEP pkiMessage, but couldn't read one.

       17     if  the  CA  indicates  that the client needs to attempt enrollment using a new key
              pair.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8)  getcert(1)  getcert-add-ca(1)  getcert-add-scep-ca(1)   getcert-list-cas(1)
       getcert-list(1)      getcert-modify-ca(1)     getcert-refresh-ca(1)     getcert-refresh(1)
       getcert-rekey(1)   getcert-remove-ca(1)   getcert-resubmit(1)    getcert-start-tracking(1)
       getcert-status(1)         getcert-stop-tracking(1)         certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8)                    certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8) certmonger_selinux(8)