certmonger-scep-submit - Man Page

scep-submit

Synopsis

scep-submit -u SERVER-URL [-r ra-cert-file] [-R ca-cert-file] [-I other-certs-file] [-N ca-cert-file] [-i ca-identifier] [-v] [-n] [-c|-C|-g|-p] [pkimessage-filename]

Description

scep-submit is the helper which certmonger can use to transmit certificate enrollment and renewal requests to servers using SCEP.  It is not normally run interactively, but it can be for troubleshooting purposes.

The request which is to be submitted should be a PEM-encoded SCEP pkiMessage either in a file whose name is given as an argument, or fed into scep-submit via stdin.

Modes

-c,  --retrieve-ca-capabilities

scep-submit will issue a GetCACaps request to the server and print the results.

-C,  --retrieve-ca-certificates

scep-submit will issue a GetCACert request to the server, parse the response, and then print, in order, the RA certificate, the CA certificate, and any additional certificates.

-p,  --pki-message

scep-submit will issue a PKIOperation request to the server using the passed-in message as the message content.  It will parse the server's response, verify the signature, and if the response includes an issued certificate, it will output the pkcsPKIEnvelope in PEM format.  If the response indicates an error, it will print the error.

-g,  --get-initial-cert

scep-submit will issue a PKIOperation request to the server using the passed-in message as the message content.  It will parse the server's response, verify the signature, and if the response includes an issued certificate, it will output the pkcsPKIEnvelope in PEM format.  If the response indicates an error, it will print the error.

Options

-u URL, --url=URL

The location of the SCEP interface provided by the CA.  This is typically http://SERVER/cgi-bin/PKICLIENT.EXE or http://SERVER/certsrv/mscep/mscep.dll.  This option is always required.

-R FILE, --cacert=FILE

The location of the CA certificate which was used to issue the SCEP web server's certificate in PEM form. If the URL specified with the -u option is an https URL, then this option is required.

-N FILE, --signingca=FILE

The location of a PEM-formatted copy of the SCEP server's CA certificate. A discovered value is normally supplied by the certmonger daemon, but one can be specified for troubleshooting purposes.

-r FILE, --racert=FILE

The location of the SCEP server's RA certificate, which is expected to be used for signing responses sent by the SCEP server back to the client.  This option is required when either the -g flag or the -p flag is specified.

-I FILE, --other-certs=FILE

The location of a file containing other PEM-formatted certificates which may be needed in order to properly verify signed responses sent by the SCEP server back to the client.  This option may be necessary when either the -g flag or the -p flag is specified.

-i NAME, --ca-identifier=NAME

When called with the -c or -C flag, this option can be used to specify the CA identifier which is passed to the server as part of the client's request.  The default is "0".

-n,  --non-renewal

The SCEP Renewal feature allows a client with a previously-issued certificate to use that certificate and the associated private key to request a new certificate for a different key pair, and can be used to support certmonger's rekeying feature if the SCEP server advertises support for it.  This option forces the scep-submit helper to prefer to issue requests which do not make use of this feature.

-v,  --verbose

Increases the logging level.  Use twice for more logging.  This option is mainly useful for troubleshooting.

Exit Status

0

if the certificate was issued. The pkcsPKIEnvelope will be printed in PEM-encoded form.

1

if the CA is still thinking.  A cookie (state) value will be printed.

2

if the CA rejected the request.  An error message may be printed.

3

if the CA was unreachable.  An error message may be printed.

4

if critical configuration information is missing.  An error message may be printed.

5

if the CA is still thinking.  A suggested poll delay (specified in seconds) and a cookie (state) value will be printed.

16

if the helper needs an SCEP pkiMessage, but couldn't read one.

17

if the CA indicates that the client needs to attempt enrollment using a new key pair.

Bugs

Please file tickets for any that you find at https://fedorahosted.org/certmonger/

See Also

certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1) getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1) getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1) getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1) getcert-status(1) getcert-stop-tracking(1) certmonger-certmaster-submit(8) certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8) certmonger-ipa-submit(8) certmonger-local-submit(8) certmonger_selinux(8)

Referenced By

certmonger(8), certmonger-dogtag-ipa-renew-agent-submit(8), certmonger-dogtag-submit(8), certmonger-ipa-submit(8), certmonger-local-submit(8), getcert(1), getcert-add-ca(1), getcert-add-scep-ca(1), getcert-list(1), getcert-list-cas(1), getcert-modify-ca(1), getcert-refresh(1), getcert-refresh-ca(1), getcert-rekey(1), getcert-remove-ca(1), getcert-request(1), getcert-resubmit(1), getcert-start-tracking(1), getcert-status(1), getcert-stop-tracking(1), ipa-getcert(1), local-getcert(1), selfsign-getcert(1).

June 20, 2015 certmonger Manual