certmonger(8)
NAME
dogtag-ipa-renew-agent-submit - certmonger helper for requesting and
renewing certificates from the Dogtag CA on an IPA server
SYNOPSIS
dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL [-d dbdir]
[-n nickname] [-i cainfo] [-C capath] [-c certfile] [-k keyfile]
[-p pinfile] [-P pin] [-s serial (hex)] [-D serial (decimal)]
[-S state] [-T profile] [-v] [csrfile]
DESCRIPTION
dogtag-ipa-renew-agent-submit is the helper which certmonger uses to
make certificate renewal requests to Dogtag instances running on IPA
servers. It is not normally run interactively, but it can be for
troubleshooting purposes.
The preferred mode of operation is to request renewal of an
already-issued certificate, identified by its serial number. The serial
number is read from a PEM-formatted certificate supplied in the
CERTMONGER_CERTIFICATE environment variable, or given directly with the
-s (hexadecimal) or -D (decimal) option on the command line. If no
serial number is available, the client instead attempts to obtain a new
certificate by submitting a signing request to the CA.
The signing request to be submitted is read either from the file whose
name is given as the final argument, or from stdin if no file is
named.
OPTIONS
-E EE-URL
The top-level URL for the end-entity interface provided by the
CA. In IPA installations, this is typically
http://SERVER:EEPORT/ca/ee/ca. If no URL is specified, the host
named in the [global] section of /etc/ipa/default.conf is used
as SERVER, and EEPORT is inferred from the dogtag_version value
in the same section: if dogtag_version is 10 or more, EEPORT is
8080; otherwise it is 9180.
-A AGENT-URL
The top-level URL for the agent interface provided by the CA.
In IPA installations, this is typically
https://SERVER:AGENTPORT/ca/agent/ca. If no URL is specified, the
host named in the [global] section of /etc/ipa/default.conf is
used as SERVER, and AGENTPORT is inferred from the dogtag_version
value in the same section: if dogtag_version is 10 or more,
AGENTPORT is 8443; otherwise it is 9443.
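The port inference described for -E and -A, as an added shell example that is not part of certmonger or this manual: it reads host and dogtag_version from the [global] section of a default.conf-style file (ignoring same-named keys in other sections) and prints the -E and -A arguments the helper would fall back to. The function names, the sample configuration and the temp-file handling are constructed for the example.

```shell
#!/bin/sh
# Added example: derive the default -E and -A URLs the way the text above
# describes, from a default.conf-style file. Not part of certmonger.

# ipa_conf_get FILE KEY: print KEY's value from the [global] section only.
# Comment lines and same-named keys in other sections are ignored.
ipa_conf_get() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[global\][ \t]*$/); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# dogtag_default_urls [FILE]: print the -E and -A arguments the helper would
# infer from FILE (default /etc/ipa/default.conf). Returns 4, mirroring the
# helper's "critical configuration information is missing" status, when no
# host is configured.
dogtag_default_urls() {
    conf=${1:-/etc/ipa/default.conf}
    server=$(ipa_conf_get "$conf" host)
    if [ -z "$server" ]; then
        echo "no host in [global] section of $conf" >&2
        return 4
    fi
    version=$(ipa_conf_get "$conf" dogtag_version)
    case "$version" in
        ''|*[!0-9]*) version=0 ;;   # unset or not a number: treat as pre-10
    esac
    if [ "$version" -ge 10 ]; then
        eeport=8080 agentport=8443
    else
        eeport=9180 agentport=9443
    fi
    printf '%s http://%s:%s/ca/ee/ca %s https://%s:%s/ca/agent/ca\n' \
        -E "$server" "$eeport" -A "$server" "$agentport"
}

# Demonstration on a constructed configuration, written to a temp file so the
# example runs without touching /etc/ipa/default.conf.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[global]
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
host = ipa.example.test
dogtag_version = 10
EOF
dogtag_default_urls "$demo_conf"
# -E http://ipa.example.test:8080/ca/ee/ca -A https://ipa.example.test:8443/ca/agent/ca
rm -f "$demo_conf"
```

Leaving dogtag_version out of the constructed file, or placing a host line under a different section header, exercises the legacy 9180/9443 fallback and the section-scoping respectively; both are worth trying when a helper built against an unexpected default.conf picks the wrong ports.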
-d dbdir -n nickname -c certfile -k keyfile
The location of the key and certificate which the client should
use to authenticate to the CA's agent interface: either an NSS
database directory (-d) and the nickname of the certificate in it
(-n), or PEM files holding the certificate (-c) and key (-k).
Exactly which of these values are meaningful depends on which
cryptography library your copy of libcurl was linked with.
If none of these options are specified, and none of the -p, -P,
-i, nor -C options are specified, then this set of defaults is
used:
-i /etc/ipa/ca.crt
-d /etc/httpd/alias
-n ipaCert
-p /etc/httpd/alias/pwdfile.txt
-p pinfile
The name of a file which contains a PIN/password which will be
needed in order to make use of the agent credentials.
If this option is not specified, and none of the -d, -n, -c, -k,
-P, -i, nor -C options are specified, then this set of defaults
is used:
-i /etc/ipa/ca.crt
-d /etc/httpd/alias
-n ipaCert
-p /etc/httpd/alias/pwdfile.txt
-i cainfo -C capath
The location of a file containing a copy of the CA's certificate,
against which the CA server's certificate will be verified, or a
directory containing, among other things, such a file.
If these options are not specified, and none of the -d, -n, -c,
-k, -p, nor -P options are specified, then this set of defaults
is used:
-i /etc/ipa/ca.crt
-d /etc/httpd/alias
-n ipaCert
-p /etc/httpd/alias/pwdfile.txt
-s serial
The serial number of an already-issued certificate for which the
client should attempt to obtain a new certificate, in hexadecimal
form, if one can not be read from the CERTMONGER_CERTIFICATE
environment variable.
-D serial
The serial number of an already-issued certificate for which the
client should attempt to obtain a new certificate, in decimal
form, if one can not be read from the CERTMONGER_CERTIFICATE
environment variable.
-S state
A cookie value provided by a previous instance of this helper,
if the helper is being asked to continue a multi-step enrollment
process. If the CERTMONGER_COOKIE environment variable is set,
its value is used.
-T profile/template
The name of the type of certificate which the client should
request from the CA if it is not renewing a certificate (per the
-s and -D options above). The default value is caServerCert.
-v Increases the logging level. Use twice for more logging. This
option is mainly useful for troubleshooting.
EXIT STATUS
0 if the certificate was issued. The certificate will be printed.
1 if the CA is still thinking. A cookie value will be printed.
2 if the CA rejected the request. An error message may be
printed.
3 if the CA was unreachable. An error message may be printed.
4 if critical configuration information is missing. An error mes‐
sage may be printed.
5 if the CA is still thinking. A suggested poll delay (specified
in seconds) and a cookie value will be printed.
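The multi-step protocol these exit statuses describe (0 issued, 1 and 5 still pending and to be retried with the cookie via -S, 2 through 4 terminal), as an added shell example that is not part of certmonger: a small driver that re-invokes a helper with the returned cookie until it gets a final answer. The stand-in fake_helper and everything it prints are constructed, the real helper invocation in the comments is a placeholder, and the example assumes that a status-5 helper prints the poll delay on its first line and the cookie after it, which is the order this manual gives.

```shell
#!/bin/sh
# Added example: drive a certmonger submit helper through the exit-status
# protocol above until it returns a final result. Not part of certmonger.
#
# drive_helper MAX_ROUNDS HELPER [HELPER-ARGS...] [CSRFILE]
#   Runs HELPER; on status 1 or 5 it re-runs HELPER with -S COOKIE, sleeping
#   for the suggested delay (or 1 second when status 1 gives none). A CSR, if
#   any, is passed as the trailing positional argument so each round re-reads
#   it. For renewal, export CERTMONGER_CERTIFICATE=... or pass -s HEXSERIAL
#   (openssl x509 -noout -serial -in cert.pem prints it in that form).
#   Prints the certificate and returns 0 on issuance; returns the helper's
#   own status (2, 3 or 4) on a terminal failure.
drive_helper() {
    max=$1; helper=$2; shift 2
    cookie=""; round=0
    while [ "$round" -lt "$max" ]; do
        round=$((round + 1))
        if [ -n "$cookie" ]; then
            out=$("$helper" -S "$cookie" "$@") && rc=0 || rc=$?
        else
            out=$("$helper" "$@") && rc=0 || rc=$?
        fi
        case "$rc" in
            0) printf '%s\n' "$out"; return 0 ;;          # issued: certificate on stdout
            1) cookie=$out; delay=1 ;;                    # still thinking: cookie only
            5) # Assumption: line 1 is the delay in seconds, the rest is the cookie.
               delay=$(printf '%s\n' "$out" | sed -n '1p')
               cookie=$(printf '%s\n' "$out" | sed '1d') ;;
            2) echo "CA rejected the request: $out" >&2; return 2 ;;
            3) echo "CA unreachable: $out" >&2; return 3 ;;
            4) echo "configuration missing: $out" >&2; return 4 ;;
            *) echo "unexpected helper status $rc" >&2; return 1 ;;
        esac
        case "$delay" in ''|*[!0-9]*) delay=1 ;; esac   # tolerate a malformed delay
        echo "round $round: CA still thinking, polling again in ${delay}s" >&2
        sleep "$delay"
    done
    echo "no final answer after $max rounds; last cookie: $cookie" >&2
    return 1
}

# Constructed stand-in for the real helper: the first call asks to be polled
# again (status 5, zero delay, cookie "state-1"); a call carrying that cookie
# via -S returns a placeholder certificate with status 0.
fake_helper() {
    case " $* " in
        *" -S state-1 "*)
            printf '%s\n' '-----BEGIN CERTIFICATE-----' \
                          'constructed placeholder, not a real certificate' \
                          '-----END CERTIFICATE-----'
            return 0 ;;
        *)  printf '0\nstate-1\n'
            return 5 ;;
    esac
}

# Demonstration. Against a real server this would be, for example:
#   drive_helper 10 dogtag-ipa-renew-agent-submit \
#       -E http://SERVER:8080/ca/ee/ca -A https://SERVER:8443/ca/agent/ca request.csr
drive_helper 3 fake_helper -E http://ipa.example.test:8080/ca/ee/ca \
    -A https://ipa.example.test:8443/ca/agent/ca
```

The driver deliberately distinguishes status 1 from 5 the way the table does: both mean the CA has not decided yet, but only 5 carries a delay, so a helper that returns 1 is polled once a second. Running it with -v added to the helper arguments shows where in the end-entity or agent exchange a stuck request is waiting.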
FILES
/etc/ipa/default.conf
is the IPA client configuration file. This file is consulted to
determine the URL for the Dogtag server's end-entity and agent
interfaces if they are not supplied as arguments.
BUGS
Please file tickets for any that you find at
https://fedorahosted.org/certmonger/
SEE ALSO
certmonger(8), getcert(1), getcert-list(1), getcert-list-cas(1),
getcert-resubmit(1), getcert-start-tracking(1), getcert-stop-tracking(1),
certmonger-certmaster-submit(8), certmonger-ipa-submit(8)
certmonger Manual 26 June 2012 certmonger(8)