NAME
dogtag-ipa-renew-agent-submit
SYNOPSIS
dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL [-d dbdir] [-n nickname]
[-i cainfo] [-C capath] [-c certfile] [-k keyfile] [-p pinfile] [-P pin]
[-s serial (hex)] [-D serial (decimal)] [-S state] [-T profile] [-v] [csrfile]
DESCRIPTION
dogtag-ipa-renew-agent-submit is the helper which certmonger uses to make
certificate renewal requests to Dogtag instances running on IPA servers. It is
not normally run interactively, but it can be for troubleshooting purposes.
The preferred option is to request a renewal of an already-issued certificate,
using its serial number, which can be read from a PEM-formatted certificate
provided in the CERTMONGER_CERTIFICATE environment variable, or via the -s or
-D option on the command line. If no serial number is provided, then the client
will attempt to obtain a new certificate by submitting a signing request to the
CA.
The signing request which is to be submitted should either be in a file whose
name is given as an argument, or fed into dogtag-ipa-renew-agent-submit via
stdin.
certmonger does not yet support retrieving trust information from Dogtag CAs.
OPTIONS
- -E EE-URL
- The top-level URL for the end-entity interface provided by the CA. In IPA
installations, this is typically http://SERVER:EEPORT/ca/ee/ca. If no URL is
specified, the host named in the [global] section of the /etc/ipa/default.conf
file is used as the value of SERVER, and the value of EEPORT is inferred from
the value of dogtag_version in the same section: if dogtag_version is set to
10 or more, EEPORT is 8080; otherwise it is 9180.
- -A AGENT-URL
- The top-level URL for the agent interface provided by the CA. In IPA
installations, this is typically https://SERVER:AGENTPORT/ca/agent/ca. If no
URL is specified, the host named in the [global] section of the
/etc/ipa/default.conf file is used as the value of SERVER, and the value of
AGENTPORT is inferred from the value of dogtag_version in the same section: if
dogtag_version is set to 10 or more, AGENTPORT is 8443; otherwise it is 9443.
- -d dbdir -n nickname -c certfile -k keyfile
- The location of the key and certificate which the client should use to
authenticate to the CA's agent interface. Exactly which of these values are
meaningful depends on which cryptography library your copy of libcurl was
linked with.
If none of these options are specified, and none of the -p,
-P, -i, nor -C options are specified, then this set
of defaults is used:
-i /etc/ipa/ca.crt
-d /etc/httpd/alias
-n ipaCert
-p /etc/httpd/alias/pwdfile.txt
- -p pinfile
- The name of a file which contains a PIN/password which will be needed in
order to make use of the agent credentials.
If this option is not specified, and none of the -d, -n,
-c, -k, -P, -i, nor -C options are
specified, then this set of defaults is used:
-i /etc/ipa/ca.crt
-d /etc/httpd/alias
-n ipaCert
-p /etc/httpd/alias/pwdfile.txt
- -i cainfo -C capath
- The location of a file containing a copy of the CA's certificate, against
which the CA server's certificate will be verified, or a directory
containing, among other things, such a file.
If these options are not specified, and none of the -d, -n,
-c, -k, -p, nor -P options are specified, then
this set of defaults is used:
-i /etc/ipa/ca.crt
-d /etc/httpd/alias
-n ipaCert
-p /etc/httpd/alias/pwdfile.txt
- -s serial
- The serial number of an already-issued certificate for which the client
should attempt to obtain a new certificate, in hexadecimal form, if one
can not be read from the CERTMONGER_CERTIFICATE environment
variable.
- -D serial
- The serial number of an already-issued certificate for which the client
should attempt to obtain a new certificate, in decimal form, if one can
not be read from the CERTMONGER_CERTIFICATE environment
variable.
- -S state
- A cookie value provided by a previous instance of this helper, if the
helper is being asked to continue a multi-step enrollment process. If the
CERTMONGER_COOKIE environment variable is set, its value is
used.
- -T profile/template
- The name of the type of certificate which the client should request from
the CA if it is not renewing a certificate (per the -s option
above). The default value is caServerCert.
- -v
- Increases the logging level. Use twice for more logging. This option is
mainly useful for troubleshooting.
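The URL inference and the all-or-nothing credential defaults above are easy to get wrong when running the helper by hand, so here is an added example (not certmonger's own code) that applies those rules to a constructed stand-in for /etc/ipa/default.conf. It assumes the `server` key is the "host named in the [global] section"; the file contents, the ports and the default argument set follow the text above.

```python
"""Added example, not certmonger's own code: work out the EE/agent URLs and
the credential arguments that dogtag-ipa-renew-agent-submit falls back to when
they are not given, following the rules in OPTIONS.  The config text below is
a constructed stand-in for /etc/ipa/default.conf; the 'server' key is assumed
to be the host named in the [global] section."""
import configparser
from io import StringIO

# Constructed sample of /etc/ipa/default.conf (not copied from a real system).
SAMPLE_DEFAULT_CONF = """\
[global]
realm = EXAMPLE.TEST
domain = example.test
server = ipa.example.test
host = client.example.test
dogtag_version = 10
"""

# Flags that count as credential/trust options for the defaulting rule.
CREDENTIAL_FLAGS = frozenset({"-d", "-n", "-c", "-k", "-p", "-P", "-i", "-C"})

# The default set the helper uses only when NONE of CREDENTIAL_FLAGS is present.
DEFAULT_CREDENTIAL_ARGS = [
    "-i", "/etc/ipa/ca.crt",
    "-d", "/etc/httpd/alias",
    "-n", "ipaCert",
    "-p", "/etc/httpd/alias/pwdfile.txt",
]


def load_global_section(conf_text):
    """Parse the [global] section of an IPA default.conf into a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(StringIO(conf_text))
    return dict(parser["global"])


def infer_ports(dogtag_version):
    """(EEPORT, AGENTPORT): 8080/8443 when dogtag_version >= 10, else 9180/9443.
    A missing or unparsable version falls into the 'otherwise' branch."""
    try:
        version = int(dogtag_version)
    except (TypeError, ValueError):
        version = 0
    return (8080, 8443) if version >= 10 else (9180, 9443)


def infer_urls(global_section):
    """Build the -E and -A values the helper would use from default.conf."""
    server = global_section["server"]  # assumption: 'server' is the host used
    ee_port, agent_port = infer_ports(global_section.get("dogtag_version"))
    return (f"http://{server}:{ee_port}/ca/ee/ca",
            f"https://{server}:{agent_port}/ca/agent/ca")


def effective_args(user_args):
    """Return the argument list the helper effectively runs with.

    The defaults are all-or-nothing: if the caller supplies ANY credential or
    trust flag, none of the defaults are added.  A run that passes only
    '-i /etc/ipa/ca.crt' therefore gets no NSS database, nickname or PIN file
    and must supply -d/-n/-p (or -c/-k) itself."""
    if any(arg in CREDENTIAL_FLAGS for arg in user_args):
        return list(user_args)
    return list(user_args) + DEFAULT_CREDENTIAL_ARGS


if __name__ == "__main__":
    section = load_global_section(SAMPLE_DEFAULT_CONF)
    ee_url, agent_url = infer_urls(section)
    print("-E", ee_url, "-A", agent_url)
    print("full run:", effective_args(["-E", ee_url, "-A", agent_url, "-v"]))
    print("-i only: ", effective_args(["-i", "/etc/ipa/ca.crt"]))
```

The second `effective_args` call shows the caveat: naming the CA file alone switches off the agent-credential defaults, so the helper would reach the agent interface without a client certificate.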
EXIT STATUS
- 0
- if the certificate was issued. The certificate will be printed.
- 1
- if the CA is still thinking. A cookie value will be printed.
- 2
- if the CA rejected the request. An error message may be printed.
- 3
- if the CA was unreachable. An error message may be printed.
- 4
- if critical configuration information is missing. An error message may be
printed.
- 5
- if the CA is still thinking. A suggested poll delay (specified in seconds)
and a cookie value will be printed.
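The exit statuses define the small protocol between certmonger and this helper: 0 carries a certificate, 1 and 5 carry a cookie to hand back with -S, and 2, 3 and 4 are terminal. The following added example (not certmonger's own code) drives the helper with that state machine. It assumes that for status 5 the poll delay is printed on its own first line followed by the cookie, and uses a constructed scripted runner so the loop can be exercised without the helper installed; `DEFAULT_POLL_SECONDS` and the sample serial are assumptions.

```python
"""Added example, not certmonger's own code: run dogtag-ipa-renew-agent-submit
and act on its exit statuses, re-running with -S while the CA is still
thinking.  Assumption: for exit status 5 the suggested delay is printed on its
own first line, followed by the cookie.  The runner is injectable; the scripted
responses below are constructed."""
import subprocess
import time
from dataclasses import dataclass
from typing import Optional

HELPER = "dogtag-ipa-renew-agent-submit"
DEFAULT_POLL_SECONDS = 30  # assumed fallback when the helper gives no delay


@dataclass
class HelperResult:
    action: str                  # issued | poll | rejected | unreachable | misconfigured | unknown | gave_up
    payload: str = ""            # PEM certificate, cookie, or error text
    delay: Optional[int] = None  # suggested poll delay in seconds (status 5 only)


def classify_result(exit_code, stdout, stderr=""):
    """Map one helper run onto the action certmonger would take next."""
    text = stdout.strip()
    errors = (stderr.strip() + "\n" + text).strip()
    if exit_code == 0:
        return HelperResult("issued", stdout)          # stdout is the certificate
    if exit_code == 1:
        return HelperResult("poll", text)              # stdout is the cookie
    if exit_code == 5:
        first, _, rest = text.partition("\n")
        try:
            return HelperResult("poll", rest.strip(), int(first))
        except ValueError:
            return HelperResult("poll", text)          # no parsable delay: treat like 1
    names = {2: "rejected", 3: "unreachable", 4: "misconfigured"}
    return HelperResult(names.get(exit_code, "unknown"), errors)


def run_helper(args, cookie=None, csr=None):
    """Invoke the real helper; -S carries the cookie from the previous step."""
    cmd = [HELPER, *args] + (["-S", cookie] if cookie else [])
    proc = subprocess.run(cmd, input=csr, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout, proc.stderr


def renew(args, csr=None, runner=run_helper, max_polls=10, sleep=time.sleep):
    """Run the helper, polling with the returned cookie until a final status."""
    cookie = None
    for _ in range(max_polls):
        code, out, err = runner(args, cookie, csr)
        result = classify_result(code, out, err)
        if result.action != "poll":
            return result
        cookie = result.payload
        sleep(result.delay if result.delay is not None else DEFAULT_POLL_SECONDS)
    return HelperResult("gave_up", cookie or "")


def scripted_runner(responses):
    """Constructed stand-in for run_helper: replays (exit_code, stdout, stderr)
    triples and records the cookie handed to each call."""
    seen_cookies = []
    queue = list(responses)

    def run(args, cookie=None, csr=None):
        seen_cookies.append(cookie)
        return queue.pop(0)
    run.seen_cookies = seen_cookies
    return run


# Constructed sample exchange: the CA defers twice, then issues.
SAMPLE_RESPONSES = [
    (5, "20\ncookie-step-1\n", ""),
    (1, "cookie-step-2\n", ""),
    (0, "-----BEGIN CERTIFICATE-----\nconstructed-pem-body\n-----END CERTIFICATE-----\n", ""),
]


def demo():
    """Walk the scripted exchange with a no-op sleep; returns (result, cookies seen)."""
    runner = scripted_runner(SAMPLE_RESPONSES)
    result = renew(["-s", "0x2a"], runner=runner, sleep=lambda seconds: None)
    return result, runner.seen_cookies


if __name__ == "__main__":
    res, cookies = demo()
    print(res.action, cookies)
```

Bounding the loop with `max_polls` matters in practice: a CA that keeps returning 1 or 5 would otherwise leave the caller polling forever, and the final `gave_up` result preserves the last cookie so the request can be resumed later with -S.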
FILES
- /etc/ipa/default.conf
- is the IPA client configuration file. This file is consulted to determine
the URL for the Dogtag server's end-entity and agent interfaces if they
are not supplied as arguments.
BUGS
Please file tickets for any that you find at https://fedorahosted.org/certmonger/
SEE ALSO
certmonger(8) getcert(1) getcert-list(1)
getcert-list-cas(1) getcert-refresh-ca(1)
getcert-resubmit(1) getcert-start-tracking(1)
getcert-status(1) getcert-stop-tracking(1)
certmonger-certmaster-submit(8) certmonger-ipa-submit(8)
certmonger_selinux(8)