dogtag-ipa-renew-agent-submit
dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL [-d dbdir]
[-n nickname] [-i cainfo] [-C capath] [-c certfile] [-k keyfile] [-p
pinfile] [-P pin] [-s serial (hex)] [-D serial (decimal)] [-S state] [-T
profile] [-O param=value] [-N | -R] [-t] [-o option=value] [-a] [-u uid] [-U
udn] [-W pwd] [-w pwdfile] [-Y pin] [-y pinfile] [csrfile]
dogtag-ipa-renew-agent-submit is the helper which
certmonger uses to make certificate renewal requests to Dogtag
instances running on IPA servers. It is not normally run interactively, but
it can be for troubleshooting purposes.
The preferred option is to request a renewal of an already-issued
certificate, using its serial number, which can be read from a PEM-formatted
certificate provided in the CERTMONGER_CERTIFICATE environment
variable, or via the -s or -D option on the command line. If
no serial number is provided, then the client will attempt to obtain a new
certificate by submitting a signing request to the CA.
The signing request which is to be submitted should either be in a
file whose name is given as an argument, or fed into
dogtag-ipa-renew-agent-submit via stdin.
certmonger does not yet support retrieving trust
information from Dogtag CAs.
- -E EE-URL,
--ee-url=EE-URL
- The top-level URL for the end-entity interface provided by the CA. In IPA
installations, this is typically
http://SERVER:EEPORT/ca/ee/ca. If no
URL is specified, the host named in the [global] section in
the /etc/ipa/default.conf file is used as the value of
SERVER, and the value of EEPORT will be inferred based on
the value of the dogtag_version in the [global] section in
the /etc/ipa/default.conf file: if dogtag_version is set to
10 or more, EEPORT will be set to 8080. Otherwise it will be
9180.
- -A AGENT-URL,
--agent-url=AGENT-URL
- The top-level URL for the agent interface provided by the CA. In IPA
installations, this is typically
https://SERVER:AGENTPORT/ca/agent/ca.
If no URL is specified, the host named in the [global]
section in the /etc/ipa/default.conf file is used as the value of
SERVER, and the value of AGENTPORT will be inferred based on
the value of the dogtag_version in the [global] section in
the /etc/ipa/default.conf file: if dogtag_version is set to
10 or more, AGENTPORT will be set to 8443. Otherwise it will
be 9443.
- -i FILE,
--cafile=PATH
- The location of a file containing a copy of the CA's certificate, against
which the CA server's certificate will be verified. The default is
/etc/ipa/ca.crt.
- -C DIR,
--capath=DIR
- The location of a directory containing a copy of the CA's certificate,
against which the CA server's certificate will be verified.
- -s NUMBER,
--hex-serial=NUMBER
- The serial number of an already-issued certificate for which the client
should attempt to obtain a new certificate, in hexidecimal form, if one
can not be read from the CERTMONGER_CERTIFICATE environment
variable.
- -D NUMBER,
--serial=NUMBER
- The serial number of an already-issued certificate for which the client
should attempt to obtain a new certificate, in decimal form, if one can
not be read from the CERTMONGER_CERTIFICATE environment
variable.
- -S STATE-VALUE,
--state=STATE-VALUE
- A cookie value provided by a previous instance of this helper, if the
helper is being asked to continue a multi-step enrollment process. If the
CERTMONGER_COOKIE environment variable is set, its value is
used.
- -T NAME,
--profile=NAME
- The name of the type of certificate which the client should request from
the CA if it is not renewing a certificate (per the -s option
above). If the CERTMONGER_CA_PROFILE environment variable is set,
its value is used. Otherwise, the default value is
caServerCert.
- -t,
--profile-list
- Instead of attempting to obtain a new certificate, query the server for a
list of the enabled enrollment profiles.
- -O param=value,
--approval-option=param=value
- An additional parameter to pass to the server when approving the signing
request using the agent's credentials. By default, any server-supplied
default settings are applied. This option can be used either to override a
server-supplied default setting, or to supply one which would otherwise
have not been used.
- -N,
--force-new
- Even if an already-issued certificate is available in the
CERTMONGER_CERTIFICATE environment variable, or a serial number has
been provided, don't attempt to renew a certificate using its serial
number. Instead, attempt to obtain a new certificate using the signing
request. The default behavior is to request a renewal if possible.
- -R,
--force-renew
- Negates the effect of the -N flag.
- -o param=value,
--submit-option=param=value
- When initially submitting a request to the CA, add the specified parameter
and value along with any request parameters which would otherwise be sent.
This option is not typically used.
- -a,
--agent-submit
- Use agent credentials, specified using some combination of the -d,
-n, -c, and -k flags, to authenticate to the CA when
initially submitting a request to the CA or retrieving the list of enabled
enrollment profiles. This is typically required when the enrollment
profile being used uses AgentCertAuth-based authentication, and
requires that the URL specified using the -E flag be an HTTPS URL,
or when the URL specified using the -E flag is an HTTPS URL.
- -u username,
--uid=username
- When initially submitting a request to the CA, supply the specified value
as a user name. This is typically required when the enrollment profile
being used uses UidPwdDirAuth-based or NISAuth-based
authentication..TP -U userdn, --upn=userdn
When initially submitting a request to the CA, supply the specified value
as the DN (distinguished name) of the user's entry in a directory server
which the CA is configured to use for checking the user's password. This
is typically required when the enrollment profile being used uses
UdnPwdDirAuth-based authentication.
- -W PASSWORD,
--userpwd=PASSWORD
- When initially submitting a request to the CA, supply the specified value
as the password for the user whose name is specified with the -u
option, or whose DN is specified with the -U option. This is
typically only required when the enrollment profile being used uses
UidPwdDirAuth-based, UserPwdDirAuth-based, or
NISAuth-based authentication. If the URL specified using the
-E flag is not an HTTPS URL, this value will not be encrypted.
- -w FILE,
--userpwdfile=FILE
- When initially submitting a request to the CA, read from the specified
file a password to supply for the user whose name is specified with the
-u option, or whose DN is specified with the -U option. This
is typically only required when the enrollment profile being used uses
UidPwdDirAuth-based, UserPwdDirAuth-based, or
NISAuth-based authentication. If the URL specified using the
-E flag is not an HTTPS URL, this value will not be encrypted.
- -Y PIN,
--userpin=PIN
- When initially submitting a request to the CA, supply the specified value
as the PIN for the user whose name is specified with the -u option,
or whose DN is specified with the -U option. This is typically only
required when the enrollment profile being used uses
UidPwdPinDirAuth-based authentication. If the URL specified using
the -E flag is not an HTTPS URL, this value will not be encrypted.
-y FILE, --userpinfile=FILE When initially
submitting a request to the CA, read from the specified file a PIN to
supply for the user whose name is specified with the -u option, or
whose DN is specified with the -U option. This is typically only
required when the enrollment profile being used uses
UidPwdPinDirAuth-based authentication. If the URL specified using
the -E flag is not an HTTPS URL, this value will not be
encrypted.
- -v, --verbose
- Increases the logging level. Use twice for more logging. This option is
mainly useful for troubleshooting.
Options that provide the location for the private key and public
certificate which the client should use to authenticate to the CA's agent
interface. The values to use depend on which cryptography library your copy
of libcurl was linked with.
- If none of these options are
specified, and none of the -p, -P, -i, nor -C
options are specified, then this set of defaults is used:
-
-i /etc/ipa/ca.crt
-d /etc/httpd/alias
-n ipaCert
-p /etc/httpd/alias/pwdfile.txt
- -d dbdir,
--dbdir=dbdir
- Use an NSS database in the specified directory for this certificate and
key. Only valid with -n.
- -n NAME,
--nickname=NAME
- Use the NSS key with this nickname. Only valid with -d.
- -c FILE,
--certfile=FILE
- The PEM file that contains the public certificate. Only valid with
-k.
- -k FILE,
--keyfile=FILE
- The PEM file that contains the private certificate. Only valid with
-c.
- -p FILE,
--sslpinfile=FILE
- The name of a file which contains a PIN/password which will be needed in
order to make use of the agent credentials.
- -P PIN,
--sslpin=PIN
- The name of a file which contains a PIN/password which will be needed in
order to make use of the agent credentials.
- 0
- if the certificate was issued. The certificate will be printed.
- 1
- if the CA is still thinking. A cookie (state) value will be printed.
- 2
- if the CA rejected the request. An error message may be printed.
- 3
- if the CA was unreachable. An error message may be printed.
- 4
- if critical configuration information is missing. An error message may be
printed.
- 5
- if the CA is still thinking. A suggested poll delay (specified in seconds)
and a cookie (state) value will be printed.
- 17
- if the CA indicates that the client needs to attempt enrollment using a
new key pair.
- /etc/ipa/default.conf
- is the IPA client configuration file. This file is consulted to determine
the URL for the Dogtag server's end-entity and agent interfaces if they
are not supplied as arguments.
Please file tickets for any that you find at
https://fedorahosted.org/certmonger/