SYNOPSIS¶
ipa-submit [-h serverHost] [-H serverURL] [-c cafile] [-C capath] [[-K] | [-t
keytab] [-k submitterPrincipal]] [-P principalOfRequest] [-T profile]
[csrfile]
DESCRIPTION¶
ipa-submit is the helper which certmonger uses to make requests to
IPA-based CAs. It is not normally run interactively, but it can be for
troubleshooting purposes. The signing request which is to be submitted should
either be in a file whose name is given as an argument, or fed into
ipa-submit via stdin.
certmonger supports retrieving trusted certificates from
IPA CAs. See getcert-request(1) and getcert-resubmit(1) for
information about specifying where those certificates should be stored on
the local system. Trusted certificates are retrieved from the
caCertificate attribute of entries present at and below
cn=cacert,cn=ipa,cn=etc,$BASE in the IPA LDAP server's directory
tree, where $BASE defaults to the value of the basedn setting in
/etc/ipa/default.conf.
OPTIONS¶
- -P csrPrincipal
- Identifies the principal name of the service for which the certificate is
being issued. This setting is required by IPA and must always be
specified.
- -T profile
- Requests that the certificate be processed using the specified certificate
profile. By default, if this flag is not specified, and the
CERTMONGER_CA_PROFILE variable is set in the environment, then the
value of the environment variable will be used. This setting is optional,
and if a server returns error 3005, indicating that it does not understand
multiple profiles, the request will be re-submitted without specifying a
profile.
- -h serverHost
- Submit the request to the IPA server running on the named host. The
default is to read the location of the host from
/etc/ipa/default.conf.
- -H serverURL
- Submit the request to the IPA server at the specified location. The
default is to read the location of the host from
/etc/ipa/default.conf.
- -c cafile
- The server's certificate was issued by the CA whose certificate is in the
named file. The default value is /etc/ipa/ca.crt.
- -C capath
- Trust the server if its certificate was issued by a CA whose certificate
is in a file in the named directory. There is no default for this option,
and it is not expected to be necessary.
- -t keytab
- Authenticate to the IPA server using credentials derived from keys stored
in the named keytab. The default value can vary, but it is usually
/etc/krb5.keytab. This option conflicts with the -K
option.
- -k authPrincipal
- Authenticate to the IPA server using credentials derived from keys stored
in the named keytab for this principal name. The default value is the
host service for the local host in the local realm. This option
conflicts with the -K option.
- -K
- Authenticate to the IPA server using credentials derived from the default
credential cache rather than a keytab. This option conflicts with the
-k option.
EXIT STATUS¶
- 0
- if the certificate was issued. The certificate will be printed.
- 1
- if the CA is still thinking. A cookie value will be printed.
- 2
- if the CA rejected the request. An error message may be printed.
- 3
- if the CA was unreachable. An error message may be printed.
- 4
- if critical configuration information is missing. An error message may be
printed.
- 17
- if the CA indicates that the client needs to attempt enrollment using a
new key pair.
FILES¶
- /etc/ipa/default.conf
- is the IPA client configuration file. This file is consulted to determine
the URL for the IPA server's XML-RPC interface.