Ubuntu Manpage: ipa-submit

NAME

       ipa-submit

SYNOPSIS

       ipa-submit   [-h   serverHost]  [-H  serverURL]  [-c  cafile]  [-C  capath]  [[-K]   |  [-t  keytab]  [-k
       submitterPrincipal]] [-P principalOfRequest] [-T profile] [csrfile]

DESCRIPTION

       ipa-submit is the helper which certmonger uses to make requests to IPA-based CAs.  It is not normally run
       interactively, but it can be for troubleshooting purposes.  The signing request which is to be  submitted
       should either be in a file whose name is given as an argument, or fed into ipa-submit via stdin.

       certmonger  supports  retrieving  trusted certificates from IPA CAs.  See getcert-request(1) and getcert-
       resubmit(1) for information about specifying where those certificates  should  be  stored  on  the  local
       system.   Trusted  certificates  are retrieved from the caCertificate attribute of entries present at and
       below cn=cacert,cn=ipa,cn=etc,$BASE in the IPA LDAP server's directory tree, where $BASE defaults to  the
       value of the basedn setting in /etc/ipa/default.conf.

OPTIONS

-P csrPrincipal
Identifies the principal name of the service for which the certificate is being issued. This
setting is required by IPA and must always be specified.

-T profile
Requests that the certificate be processed using the specified certificate profile. By default,
if this flag is not specified, and the CERTMONGER_CA_PROFILE variable is set in the environment,
then the value of the environment variable will be used. This setting is optional, and if a
server returns error 3005, indicating that it does not understand multiple profiles, the request
will be re-submitted without specifying a profile.

-h serverHost
Submit the request to the IPA server running on the named host. The default is to read the
location of the host from /etc/ipa/default.conf.

-H serverURL
Submit the request to the IPA server at the specified location. The default is to read the
location of the host from /etc/ipa/default.conf.

-c cafile
The server's certificate was issued by the CA whose certificate is in the named file. The default
value is /etc/ipa/ca.crt.

-C capath
Trust the server if its certificate was issued by a CA whose certificate is in a file in the named
directory. There is no default for this option, and it is not expected to be necessary.

-t keytab
Authenticate to the IPA server using credentials derived from keys stored in the named keytab.
The default value can vary, but it is usually /etc/krb5.keytab. This option conflicts with the -K
option.

-k authPrincipal
Authenticate to the IPA server using credentials derived from keys stored in the named keytab for
this principal name. The default value is the host service for the local host in the local realm.
This option conflicts with the -K option.

-K Authenticate to the IPA server using credentials derived from the default credential cache rather
than a keytab. This option conflicts with the -k option.

EXIT STATUS

       0      if the certificate was issued. The certificate will be printed.

       1      if the CA is still thinking.  A cookie value will be printed.

       2      if the CA rejected the request.  An error message may be printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error message may be printed.

       17     if the CA indicates that the client needs to attempt enrollment using a new key pair.

FILES

       /etc/ipa/default.conf
              is  the  IPA  client  configuration file.  This file is consulted to determine the URL for the IPA
              server's XML-RPC interface.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/