Provided by: certmonger_0.74-0ubuntu1_amd64

NAME

       dogtag-ipa-renew-agent-submit

SYNOPSIS

       dogtag-ipa-renew-agent-submit  -E EE-URL -A AGENT-URL [-d dbdir] [-n nickname] [-i cainfo]
       [-C capath] [-c certfile] [-k keyfile] [-p pinfile] [-P pin] [-s serial (hex)] [-D  serial
       (decimal)] [-S state] [-T profile] [-v] [csrfile]

DESCRIPTION

       dogtag-ipa-renew-agent-submit  is  the  helper  which  certmonger uses to make certificate
       renewal requests to Dogtag instances running on IPA  servers.   It  is  not  normally  run
       interactively, but it can be for troubleshooting purposes.

       The  preferred  option is to request a renewal of an already-issued certificate, using its
       serial number, which can  be  read  from  a  PEM-formatted  certificate  provided  in  the
       CERTMONGER_CERTIFICATE  environment  variable,  or  via the -s or -D option on the command
       line.  If no serial number is provided, then the client  will  attempt  to  obtain  a  new
       certificate by submitting a signing request to the CA.

       The  signing  request  which  is  to be submitted should either be in a file whose name is
       given as an argument, or fed into dogtag-ipa-renew-agent-submit via stdin.

OPTIONS

       -E EE-URL
              The top-level URL for  the  end-entity  interface  provided  by  the  CA.   In  IPA
              installations,  this  is  typically  http://SERVER:EEPORT/ca/ee/ca.   If  no URL is
              specified, the host named in the [global] section in the /etc/ipa/default.conf file
              is  used  as the value of SERVER, and the value of EEPORT will be inferred based on
              the   value   of   the   dogtag_version   in   the   [global]   section   in    the
              /etc/ipa/default.conf  file: if dogtag_version is set to 10 or more, EEPORT will be
              set to 8080.  Otherwise it will be 9180.

       -A AGENT-URL
              The  top-level  URL  for  the  agent  interface  provided  by  the  CA.    In   IPA
              installations,  this  is typically https://SERVER:AGENTPORT/ca/agent/ca.  If no URL
              is specified, the host named in the [global] section in  the  /etc/ipa/default.conf
              file  is  used  as the value of SERVER, and the value of AGENTPORT will be inferred
              based  on  the  value  of  the  dogtag_version  in  the  [global]  section  in  the
              /etc/ipa/default.conf  file: if dogtag_version is set to 10 or more, AGENTPORT will
              be set to 8443.  Otherwise it will be 9443.

       -d dbdir -n nickname -c certfile -k keyfile
              The location of the key and certificate which the client should use to authenticate
              to  the  CA's agent interface.  Exactly which values are meaningful depends on which
              cryptography library your copy of libcurl was linked with.

              If none of these options are specified, and none of the -p, -P, -i, or -C  options
              are specified, then this set of defaults is used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -p pinfile
              The  name  of a file which contains a PIN/password which will be needed in order to
              make use of the agent credentials.

              If this option is not specified, and none of the -d, -n, -c, -k,  -P,  -i,  or  -C
              options are specified, then this set of defaults is used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -i cainfo -C capath
              The location of a file containing a copy of the CA's certificate, against which the
              CA server's certificate will be verified, or a directory  containing,  among  other
              things, such a file.

              If  these  options  are  not  specified, and none of the -d, -n, -c, -k, -p, or -P
              options are specified, then this set of defaults is used:
               -i /etc/ipa/ca.crt
               -d /etc/httpd/alias
               -n ipaCert
               -p /etc/httpd/alias/pwdfile.txt

       -s serial
              The serial number of an already-issued certificate  for  which  the  client  should
              attempt  to  obtain  a new certificate, in hexadecimal form, if one can not be read
              from the CERTMONGER_CERTIFICATE environment variable.

       -D serial
              The serial number of an already-issued certificate  for  which  the  client  should
              attempt  to  obtain a new certificate, in decimal form, if one can not be read from
              the CERTMONGER_CERTIFICATE environment variable.

       -S state
              A cookie value provided by a previous instance of this helper,  if  the  helper  is
              being  asked to continue a multi-step enrollment process.  If the CERTMONGER_COOKIE
              environment variable is set, its value is used.

       -T profile/template
              The name of the type of certificate which the client should request from the CA  if
              it  is  not renewing a certificate (per the -s option above).  The default value is
              caServerCert.

       -v     Increases the logging level.  Use twice for more logging.  This  option  is  mainly
              useful for troubleshooting.

EXIT STATUS

       0      if the certificate was issued. The certificate will be printed.

       1      if the CA is still thinking.  A cookie value will be printed.

       2      if the CA rejected the request.  An error message may be printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error message may be printed.

       5      if  the  CA is still thinking.  A suggested poll delay (specified in seconds) and a
              cookie value will be printed.
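
       The statuses above as a troubleshooting wrapper (an added example, not part of certmonger): it re-runs the helper with -S while the CA answers 1 or 5. Assumptions: for status 5 the first output line is the delay and the rest is the cookie; the 60-second fallback delay, MAX_POLLS and the HELPER override are this example's own names.

```shell
# Added example: drive the helper by hand and act on its exit status.
HELPER=${HELPER:-dogtag-ipa-renew-agent-submit}  # override to substitute a stub
MAX_POLLS=${MAX_POLLS:-5}                         # assumption: stop after this many waits

# renew_by_serial HEX_SERIAL
# Prints the certificate and returns 0, or returns the helper's failure status.
renew_by_serial() {
    serial=$1 cookie= polls=0
    while :; do
        # "&& rc=0 || rc=$?" keeps the status without tripping "set -e".
        if [ -n "$cookie" ]; then
            out=$("$HELPER" -s "$serial" -S "$cookie") && rc=0 || rc=$?
        else
            out=$("$HELPER" -s "$serial") && rc=0 || rc=$?
        fi
        case $rc in
        0) printf '%s\n' "$out"; return 0 ;;                 # issued
        1) delay=60; cookie=$out ;;                          # waiting, cookie only
        5) delay=$(printf '%s\n' "$out" | sed -n 1p)         # assumed: line 1 = delay
           cookie=$(printf '%s\n' "$out" | sed 1d) ;;        # assumed: rest = cookie
        2) echo "CA rejected the request: $out" >&2; return 2 ;;
        3) echo "CA unreachable: $out" >&2; return 3 ;;
        4) echo "configuration information missing: $out" >&2; return 4 ;;
        *) echo "unexpected exit status $rc" >&2; return "$rc" ;;
        esac
        # Never hand an unvalidated value from the CA to sleep.
        case $delay in ''|*[!0-9]*) delay=60 ;; esac
        polls=$((polls + 1))
        [ "$polls" -le "$MAX_POLLS" ] || { echo "request still pending" >&2; return 1; }
        sleep "$delay"
    done
}
```

       Call it as renew_by_serial followed by the hexadecimal serial; the agent credentials fall back to the defaults listed under OPTIONS.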

FILES

       /etc/ipa/default.conf
              is the IPA client configuration file.  This file is consulted to determine the  URL
              for the Dogtag server's end-entity and agent interfaces if they are not supplied as
              arguments.
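
       To see which endpoints the helper would contact when -E and -A are omitted, the inference rule from OPTIONS can be reproduced by hand (an added example, not certmonger's own code). It assumes the [global] key holding the server name is called host; dogtag_default_urls and sample_conf are names made up here.

```shell
# Added example: print the -E/-A defaults implied by an IPA client configuration.
dogtag_default_urls() {
    conf=${1:-/etc/ipa/default.conf}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    awk '
        # Track whether the current line belongs to the [global] section.
        /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global\]/); next }
        !in_global || /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "host") host = val            # assumed key name
            if (key == "dogtag_version") ver = val + 0
        }
        END {
            if (host == "") { print "no host in [global]" > "/dev/stderr"; exit 1 }
            # 10 or more: 8080/8443.  Otherwise (including unset): 9180/9443.
            if (ver >= 10) { ee = 8080; agent = 8443 } else { ee = 9180; agent = 9443 }
            printf "-E http://%s:%d/ca/ee/ca\n", host, ee
            printf "-A https://%s:%d/ca/agent/ca\n", host, agent
        }' "$conf"
}

# Constructed sample configuration (not taken from a real host).
sample_conf() {
    printf '%s\n' '[global]' 'host = ipa1.example.test' 'dogtag_version = 10' \
        '[other]' 'host = ignored.example.test'
}
```

       Note that the inferred end-entity URL is plain http while the agent URL is https, so only the agent connection is checked against the certificate given with -i or -C.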

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-list(1) getcert-list-cas(1) getcert-resubmit(1)
       getcert-start-tracking(1) getcert-stop-tracking(1) certmonger-certmaster-submit(8)
       certmonger-ipa-submit(8) certmonger_selinux(8)