getcert-add-scep-ca - Man Page

getcert

Synopsis

getcert add-scep-ca [options]

Description

Adds a CA configuration to certmonger, which can subsequently be used to enroll certificates.  The configuration will use the bundled scep-submit helper.  The add-scep-ca command is more or less a wrapper for the add-ca command.

Options

All user-provided certificate files must be in PEM format.

-c NAME, --ca=NAME

The nickname to give to this CA configuration.  This same value can later be passed in to getcert's request, resubmit, and start-tracking commands using the -c flag.

-u URL, --url=URL

The location of the SCEP server's enrollment interface.  This option must be specified.

-R FILE, --ca-cert=FILE

The location of a PEM-formatted copy of the CA's certificate used to verify the TLS connection to the SCEP server.

This option must be specified if the URL is an https location.

-N FILE, --signingca=FILE

The location of a PEM-formatted copy of the SCEP server's CA certificate. A discovered value is normally supplied by the certmonger daemon, but one can be specified for troubleshooting purposes.

-r FILE, --ra-cert=FILE

The location of a PEM-formatted copy of the SCEP server's RA's certificate. A discovered value is normally supplied by the certmonger daemon, but one can be specified for troubleshooting purposes.

-I FILE, --other-certs=FILE

The location of a file containing other PEM-formatted certificates which may be needed in order to properly verify signed responses sent by the SCEP server back to the client.  A discovered set is normally supplied by the certmonger daemon, but can be specified for troubleshooting purposes.

-i ID, --id=ID

A CA identifier value which will be passed to the server when the scep-submit helper is used to retrieve copies of the server's certificates.

-n, --non-renewal

The SCEP Renewal feature allows a client with a previously-issued certificate to use that certificate and the associated private key to request a new certificate for a different key pair, and can be used to support certmonger's rekeying feature if the SCEP server advertises support for it.  This option forces the scep-submit helper to issue requests without making use of this feature.

-v, --verbose

Be verbose about errors.  Normally, the details of an error received from the daemon will be suppressed if the client can make a diagnostic suggestion.
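
The argument rules above (-u is required, -R is required for an https URL, certificate files must be PEM) can be checked before the CA configuration is handed to certmonger. The following is an added example, not part of certmonger or this manual page; the function names, the CA nickname, the scep.example.test URL and the rejection of schemes other than http and https are assumptions.

```shell
#!/bin/sh
# Pre-flight check for `getcert add-scep-ca` arguments (added example).
# Function names, nickname and URL below are hypothetical.

# is_pem_cert FILE: succeeds if FILE is readable and carries a PEM
# certificate header. A DER-encoded file fails this check.
is_pem_cert() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# scep_ca_cmd NAME URL [TLS_CA_FILE]
# Prints the getcert command line for review when the arguments are
# consistent with the man page; otherwise explains why on stderr.
# Return codes: 2 bad/missing argument, 3 https without -R, 4 not PEM.
scep_ca_cmd() {
    name=$1
    url=$2
    tls_ca=${3:-}
    [ -n "$name" ] || { echo "missing CA nickname (-c)" >&2; return 2; }
    [ -n "$url" ] || { echo "missing SCEP URL (-u)" >&2; return 2; }
    case $url in
        https://*)
            # Without -R there is no certificate to verify the TLS
            # connection to the SCEP server against.
            [ -n "$tls_ca" ] || { echo "https URL requires -R FILE" >&2; return 3; }
            ;;
        http://*) ;;
        *)  # Assumption of this example: only http and https are accepted.
            echo "unsupported URL scheme: $url" >&2; return 2 ;;
    esac
    if [ -n "$tls_ca" ]; then
        is_pem_cert "$tls_ca" || { echo "$tls_ca: not a PEM certificate" >&2; return 4; }
        printf 'getcert add-scep-ca -c %s -u %s -R %s\n' "$name" "$url" "$tls_ca"
    else
        printf 'getcert add-scep-ca -c %s -u %s\n' "$name" "$url"
    fi
}

# Constructed sample call: plain http needs no -R.
scep_ca_cmd lab-scep http://scep.example.test/scep
```

The printed line is meant for review; it is not shell-quoted, so nicknames or paths containing spaces need quoting before the command is run.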

Bugs

Please file tickets for any that you find at https://fedorahosted.org/certmonger/

See Also

certmonger(8), getcert(1), getcert-add-ca(1), getcert-list-cas(1), getcert-list(1), getcert-modify-ca(1), getcert-refresh-ca(1), getcert-refresh(1), getcert-rekey(1), getcert-remove-ca(1), getcert-request(1), getcert-resubmit(1), getcert-status(1), getcert-stop-tracking(1), certmonger-certmaster-submit(8), certmonger-dogtag-ipa-renew-agent-submit(8), certmonger-dogtag-submit(8), certmonger-ipa-submit(8), certmonger-local-submit(8), certmonger-scep-submit(8), certmonger_selinux(8)

Referenced By

certmonger(8), certmonger-dogtag-ipa-renew-agent-submit(8), certmonger-dogtag-submit(8), certmonger-ipa-submit(8), certmonger-local-submit(8), certmonger-scep-submit(8), getcert(1), getcert-add-ca(1), getcert-list(1), getcert-list-cas(1), getcert-modify-ca(1), getcert-refresh(1), getcert-refresh-ca(1), getcert-rekey(1), getcert-remove-ca(1), getcert-request(1), getcert-resubmit(1), getcert-start-tracking(1), getcert-status(1), getcert-stop-tracking(1), ipa-getcert(1), local-getcert(1), selfsign-getcert(1).

February 24, 2015 certmonger Manual