oracular (8) certmonger-ipa-submit.8.gz

Provided by: certmonger_0.79.19-1build4_amd64 bug

NAME
       ipa-submit


SYNOPSIS
       ipa-submit  [-h  serverHost]  [-H serverURL] [-d domain] [-L ldapurl] [-b basedn] [-c cafile] [-C capath]
       [[-K] | [-t keytab] [-k submitterPrincipal]] [-u UID] [-W PASSWORD] [-w FILE] [-P principalOfRequest] [-T
       profile] [-X issuer] [csrfile]


DESCRIPTION
       ipa-submit is the helper which certmonger uses to make requests to IPA-based CAs.  It is not normally run
       interactively, but it can be for troubleshooting purposes.  The signing request which is to be  submitted
       should either be in a file whose name is given as an argument, or fed into ipa-submit via stdin.

       certmonger   supports   retrieving  trusted  certificates  from  IPA  CAs.   See  getcert-request(1)  and
       getcert-resubmit(1) for information about specifying where those certificates should  be  stored  on  the
       local  system.  Trusted certificates are retrieved from the caCertificate attribute of entries present at
       and below cn=cacert,cn=ipa,cn=etc,$BASE in the IPA LDAP server's directory tree, where $BASE defaults  to
       the value of the basedn setting in /etc/ipa/default.conf.


OPTIONS
       -P PRINCIPAL, --principal-of-request=PRINCIPAL
              Identifies  the  principal  name  of  the service for which the certificate is being issued.  This
              setting is required by IPA and must always be specified.

       -X NAME, --issuer=NAME
              Requests that the certificate be processed by the specified certificate issuer.   By  default,  if
              this  flag is not specified, and the CERTMONGER_CA_ISSUER variable is set in the environment, then
              the value of the environment variable will be used.  This setting is optional,  and  if  a  server
              returns  error 3005, indicating that it does not understand multiple profiles, the request will be
              re-submitted without specifying an issuer name.

       -T NAME, --profile=NAME
              Requests that the certificate be processed using the specified certificate profile.   By  default,
              if  this  flag is not specified, and the CERTMONGER_CA_PROFILE variable is set in the environment,
              then the value of the environment variable will be used.  This  setting  is  optional,  and  if  a
              server  returns  error 3005, indicating that it does not understand multiple profiles, the request
              will be re-submitted without specifying a profile.

       -h HOSTNAME, --host=HOSTNAME
              Submit the request to the IPA server running on the named  host.   The  default  is  to  read  the
              location  of  the  host from /etc/ipa/default.conf.  If no server is configured, or the configured
              server cannot be reached, the client will attempt to use DNS discovery to locate LDAP servers  for
              the  IPA  domain.  If servers are found, they will be searched for entries pointing to IPA masters
              running the "CA" service, and the client will attempt to contact each of those in turn.

       -H URL, --xmlrpc-url=URL
              Submit the request to the IPA server at the specified  location.   The  default  is  to  read  the
              location  of  the  host from /etc/ipa/default.conf.  If no server is configured, or the configured
              server cannot be reached, the client will attempt to use DNS discovery to locate LDAP servers  for
              the  IPA  domain.  If servers are found, they will be searched for entries pointing to IPA masters
              running the "CA" service, and the client will attempt to contact each of those in turn.

       -L URL, --ldap-url=URL
              Provide the IPA LDAP service location rather than using DNS discovery.  The default is to read the
              location  of  the  host  from  /etc/ipa/default.conf  and  use  DNS  discovery  to find the set of
              _ldap._tcp.DOMAIN values and pick one for use.

       -d DOMAIN, --domain=DOMAIN
              Use this domain when doing DNS discovery to locate LDAP servers  for  the  IPA  installation.  The
              default is to read the location of the host from /etc/ipa/default.conf.

       -b BASEDN, --basedn=BASEDN
              Use  this basedn to search for an IPA installation in LDAP. The default is to read the location of
              the host from /etc/ipa/default.conf.

       -c FILE, --cafile=FILE
              The server's certificate was issued by the CA whose certificate is in the named file.  The default
              value is /etc/ipa/ca.crt.

       -C PATH, --capath=DIR
              Trust the server if its certificate was issued by a CA whose certificate is in a file in the named
              directory.  There is no default for this option, and it is not expected to be necessary.

       -t KEYTAB, --keytab=KEYTAB
              Authenticate to the IPA server using Kerberos with credentials derived from  keys  stored  in  the
              named  keytab.   The  default  value  can  vary,  but it is usually /etc/krb5.keytab.  This option
              conflicts with the -K, -u, -W, and -w options.

       -k PRINCIPAL, --submitter-principal=PRINCIPAL
              Authenticate to the IPA server using Kerberos with credentials derived from  keys  stored  in  the
              named keytab for this principal name.  The default value is the host service for the local host in
              the local realm.  This option conflicts with the -K, -u, -W, and -w options.

       -K, --use-ccache-creds
              Authenticate to the IPA server using Kerberos with credentials derived from the default credential
              cache rather than a keytab.  This option conflicts with the -k, -u, -W, and -w options.

       -u USERNAME, --uid=USERNAME
              Authenticate  to  the  IPA server using a user name and password, using the specified value as the
              user name.  This option conflicts with the -k, -K, and -t options.

       -W PASSWORD, --pwd=PASSWORD
              Authenticate to the IPA server using a user name and password, using the specified  value  as  the
              password.  This option conflicts with the -k, -K, -t, and -w options.

       -w FILE, --pwdfile=FILE
              Authenticate  to  the  IPA  server  using  a user name and password, reading the password from the
              specified file.  This option conflicts with the -k, -K, -t, and -W options.


EXIT STATUS
       0      if the certificate was issued. The certificate will be printed.

       1      if the CA is still thinking.  A cookie value will be printed.

       2      if the CA rejected the request.  An error message may be printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error message may be printed.

       17     if the CA indicates that the client needs to attempt enrollment using a new key pair.


FILES
       /etc/ipa/default.conf
              is the IPA client configuration file.  This file is consulted to determine the  URL  for  the  IPA
              server's XML-RPC interface.


BUGS
       Please file tickets for any that you find at https://fedorahosted.org/certmonger/


SEE ALSO
       certmonger(8)  getcert(1)  getcert-add-ca(1)  getcert-add-scep-ca(1)  getcert-list-cas(1) getcert-list(1)
       getcert-modify-ca(1)  getcert-refresh-ca(1)  getcert-refresh(1)   getcert-rekey(1)   getcert-remove-ca(1)
       getcert-request(1)         getcert-resubmit(1)         getcert-start-tracking(1)        getcert-status(1)
       getcert-stop-tracking(1)   certmonger-certmaster-submit(8)    certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-dogtag-submit(8) certmonger-local-submit(8) certmonger-scep-submit(8) certmonger_selinux(8)