certmonger(8) System Manager's Manual certmonger(8)

NAME
certmaster-submit
SYNOPSIS
certmaster-submit [-h serverHost] [-c cafile] [-C capath] [csrfile]
DESCRIPTION
certmaster-submit is the helper which certmonger uses to make requests to certmaster-based CAs. It is not normally run interactively, but
it can be for troubleshooting purposes. The signing request which is to be submitted should either be in a file whose name is given as an
argument, or fed into certmaster-submit via stdin.
OPTIONS
-h serverHost
Submit the request to the certmaster instance running on the named host. The default is localhost:51235 if a file named
/var/run/certmaster.pid is found on the local system, and is read from /etc/certmaster/minion.conf if that file is not found.
-c cafile
Submit the request over HTTPS instead of HTTP, and only trust the server if its certificate was issued by the CA whose certificate
is in the named file.
-C capath
Submit the request over HTTPS instead of HTTP, and only trust the server if its certificate was issued by a CA whose certificate is
in a file in the named directory.
EXIT STATUS
0 if the certificate was issued. The certificate will be printed.
1 if the CA is still thinking. A cookie value will be printed.
2 if the CA rejected the request. An error message may be printed.
3 if the CA was unreachable. An error message may be printed.
4 if critical configuration information is missing. An error message may be printed.
FILES
/var/run/certmaster.pid
the certmaster service's PID file. Its presence is taken to indicate that this system is a CA, and that requests should be submitted to a certmaster server running on the local system.
/etc/certmaster/minion.conf
the certmaster minion configuration file. If there is no indication that the local system is a certmaster server, then this file is
consulted to determine the location of the certmaster server.
KNOWN BUGS
Checking for the existence of certmaster's PID file is a terrible way to figure out whether we're a minion or not.
BUGS
Please file tickets for any that you find at https://fedorahosted.org/certmonger/
SEE ALSO
certmonger(8), getcert(1), getcert-list(1), getcert-list-cas(1), getcert-resubmit(1), getcert-start-tracking(1), getcert-stop-tracking(1), certmonger-dogtag-ipa-renew-agent-submit(8), certmonger-ipa-submit(8), certmonger_selinux(8)

certmonger Manual 7 June 2010 certmonger(8)
certmonger(8) System Manager's Manual certmonger(8)

NAME
dogtag-ipa-renew-agent-submit
SYNOPSIS
dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL [-d dbdir] [-n nickname] [-i cainfo] [-C capath] [-c certfile] [-k keyfile] [-p pinfile] [-P pin] [-s serial (hex)] [-D serial (decimal)] [-S state] [-T profile] [-v] [csrfile]
DESCRIPTION
dogtag-ipa-renew-agent-submit is the helper which certmonger uses to make certificate renewal requests to Dogtag instances running on IPA
servers. It is not normally run interactively, but it can be for troubleshooting purposes.
The preferred option is to request a renewal of an already-issued certificate, using its serial number, which can be read from a PEM-formatted certificate provided in the CERTMONGER_CERTIFICATE environment variable, or via the -s or -D option on the command line. If no serial number is provided, then the client will attempt to obtain a new certificate by submitting a signing request to the CA.
The signing request which is to be submitted should either be in a file whose name is given as an argument, or fed into dogtag-ipa-renew-agent-submit via stdin.
OPTIONS
-E EE-URL
The top-level URL for the end-entity interface provided by the CA. In IPA installations, this is typically http://SERVER:EEPORT/ca/ee/ca. If no URL is specified, the host named in the [global] section in the /etc/ipa/default.conf file is used as the value of SERVER, and the value of EEPORT will be inferred based on the value of the dogtag_version in the [global] section in the /etc/ipa/default.conf file: if dogtag_version is set to 10 or more, EEPORT will be set to 8080. Otherwise it will be 9180.
-A AGENT-URL
The top-level URL for the agent interface provided by the CA. In IPA installations, this is typically https://SERVER:AGENTPORT/ca/agent/ca. If no URL is specified, the host named in the [global] section in the /etc/ipa/default.conf file is used as the value of SERVER, and the value of AGENTPORT will be inferred based on the value of the dogtag_version in the [global] section in the /etc/ipa/default.conf file: if dogtag_version is set to 10 or more, AGENTPORT will be set to 8443. Otherwise it will be 9443.
-d dbdir -n nickname -c certfile -k keyfile
The location of the key and certificate which the client should use to authenticate to the CA's agent interface. Exactly which values are meaningful depend on which cryptography library your copy of libcurl was linked with.
If none of these options are specified, and none of the -p, -P, -i, nor -C options are specified, then this set of defaults is used:
-i /etc/ipa/ca.crt
-d /etc/httpd/alias
-n ipaCert
-p /etc/httpd/alias/pwdfile.txt
-p pinfile
The name of a file which contains a PIN/password which will be needed in order to make use of the agent credentials.
If this option is not specified, and none of the -d, -n, -c, -k, -P, -i, nor -C options are specified, then this set of defaults is
used:
-i /etc/ipa/ca.crt
-d /etc/httpd/alias
-n ipaCert
-p /etc/httpd/alias/pwdfile.txt
-i cainfo -C capath
The location of a file containing a copy of the CA's certificate, against which the CA server's certificate will be verified, or a
directory containing, among other things, such a file.
If these options are not specified, and none of the -d, -n, -c, -k, -p, nor -P options are specified, then this set of defaults is
used:
-i /etc/ipa/ca.crt
-d /etc/httpd/alias
-n ipaCert
-p /etc/httpd/alias/pwdfile.txt
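The two pieces of configuration logic described above (the EE/agent URL inference from dogtag_version, and the all-or-nothing agent-credential defaults) are easy to get wrong when troubleshooting; in particular, passing only -i silently drops the -d/-n/-p defaults. The following is an added example written for this page, not certmonger's own code. It assumes the server name is stored under a key called "host" in the [global] section (the manual says only "the host named in the [global] section"), and the default.conf text embedded below is constructed for the example.

```python
import configparser

# Constructed sample of /etc/ipa/default.conf for this example.  The key
# name "host" for the server name is an assumption made here.
SAMPLE_DEFAULT_CONF = """
[global]
host = ipa.example.test
dogtag_version = 10
"""

# The eight options whose presence disables the built-in agent-credential
# defaults (see the -d/-n/-c/-k, -p and -i/-C descriptions above).
AGENT_CRED_OPTS = frozenset("dnckpPiC")

# Defaults applied only when *none* of AGENT_CRED_OPTS was given.
DEFAULT_CRED_OPTS = {
    "i": "/etc/ipa/ca.crt",
    "d": "/etc/httpd/alias",
    "n": "ipaCert",
    "p": "/etc/httpd/alias/pwdfile.txt",
}


class MissingConfiguration(Exception):
    """Models the helper's exit status 4 (critical configuration missing)."""


def _global_section(conf_text):
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    if not cp.has_section("global"):
        raise MissingConfiguration("no [global] section in default.conf")
    return cp["global"]


def infer_urls(conf_text, ee_url=None, agent_url=None):
    """Return (EE-URL, AGENT-URL).  Each URL is used as given when supplied
    on the command line; otherwise it is built from SERVER and a port chosen
    by dogtag_version (>= 10 -> 8080/8443, otherwise 9180/9443)."""
    if ee_url and agent_url:
        return ee_url, agent_url
    g = _global_section(conf_text)
    server = g.get("host")
    if not server:
        raise MissingConfiguration("no host named in [global]")
    # An absent or non-numeric dogtag_version falls into the "otherwise" case.
    try:
        version = int(g.get("dogtag_version", "0"))
    except ValueError:
        version = 0
    ee_port, agent_port = (8080, 8443) if version >= 10 else (9180, 9443)
    if not ee_url:
        ee_url = f"http://{server}:{ee_port}/ca/ee/ca"
    if not agent_url:
        agent_url = f"https://{server}:{agent_port}/ca/agent/ca"
    return ee_url, agent_url


def resolve_credential_opts(given):
    """`given` maps single-letter option names to their values.  The defaults
    are all-or-nothing: supplying any one of -d -n -c -k -p -P -i -C (even
    just -i) suppresses every default, so the caller must then provide the
    complete agent-credential set itself."""
    if AGENT_CRED_OPTS.isdisjoint(given):
        return dict(DEFAULT_CRED_OPTS)
    return dict(given)


if __name__ == "__main__":
    print(infer_urls(SAMPLE_DEFAULT_CONF))
    print(resolve_credential_opts({}))
    # Only -i given: no NSS database, nickname or PIN file is filled in.
    print(resolve_credential_opts({"i": "/etc/pki/tls/certs/ca.pem"}))
```

When a troubleshooting run exits with status 4, comparing the values this resolver produces for your own default.conf and command line against what you expected is a quick way to find the missing piece.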
-s serial
The serial number of an already-issued certificate for which the client should attempt to obtain a new certificate, in hexadecimal
form, if one can not be read from the CERTMONGER_CERTIFICATE environment variable.
-D serial
The serial number of an already-issued certificate for which the client should attempt to obtain a new certificate, in decimal form,
if one can not be read from the CERTMONGER_CERTIFICATE environment variable.
-S state
A cookie value provided by a previous instance of this helper, if the helper is being asked to continue a multi-step enrollment
process. If the CERTMONGER_COOKIE environment variable is set, its value is used.
-T profile/template
The name of the type of certificate which the client should request from the CA if it is not renewing a certificate (per the -s
option above). The default value is caServerCert.
-v Increases the logging level. Use twice for more logging. This option is mainly useful for troubleshooting.
EXIT STATUS
0 if the certificate was issued. The certificate will be printed.
1 if the CA is still thinking. A cookie value will be printed.
2 if the CA rejected the request. An error message may be printed.
3 if the CA was unreachable. An error message may be printed.
4 if critical configuration information is missing. An error message may be printed.
5 if the CA is still thinking. A suggested poll delay (specified in seconds) and a cookie value will be printed.
FILES
/etc/ipa/default.conf
is the IPA client configuration file. This file is consulted to determine the URL for the Dogtag server's end-entity and agent
interfaces if they are not supplied as arguments.
BUGS
Please file tickets for any that you find at https://fedorahosted.org/certmonger/
SEE ALSO
certmonger(8), getcert(1), getcert-list(1), getcert-list-cas(1), getcert-resubmit(1), getcert-start-tracking(1), getcert-stop-tracking(1), certmonger-certmaster-submit(8), certmonger-ipa-submit(8), certmonger_selinux(8)

certmonger Manual 26 June 2012 certmonger(8)