-E EE-URL, --ee-url=EE-URL
The top-level URL for the end-entity interface provided by the CA, through which the initial
enrollment request will be submitted. This is typically http://SERVER:EEPORT/ca/ee/ca.
-A AGENT-URL, --agent-url=AGENT-URL
The top-level URL for the agent interface provided by the CA, through which the request can be
approved using agent credentials. This is typically https://SERVER:AGENTPORT/ca/agent/ca.
-i FILE, --cafile=FILE
The location of a file containing a copy of the CA's certificate, against which the CA server's
certificate will be verified.
-C DIR, --capath=DIR
The location of a directory containing a copy of the CA's certificate(s), against which the CA
server's certificate will be verified.
-D SERIAL, --serial=SERIAL
The serial number of an already-issued certificate for which the client should attempt to obtain a
new certificate, in decimal form, if one cannot be read from the CERTMONGER_CERTIFICATE
environment variable.
-s SERIAL, --hex-serial=SERIAL
The serial number of an already-issued certificate for which the client should attempt to obtain a
new certificate, in hexadecimal form, if one cannot be read from the CERTMONGER_CERTIFICATE
environment variable.
-S STATE, --state=STATE
A cookie value provided by a previous instance of this helper, if the helper is being asked to
continue a multi-step enrollment process. If the CERTMONGER_COOKIE environment variable is set,
its value is used.
-T NAME, --profile=NAME
The name of the type of certificate which the client should request from the CA if it is not
renewing a certificate (per the -s option above). If the CERTMONGER_CA_PROFILE environment
variable is set, its value is used. Otherwise, the default value is caServerCert.
-O param=value, --approval-options=param=value
An additional parameter to pass to the server when approving the signing request using agent
credentials. By default, any server-supplied default settings are applied. This option can be
used either to override a server-supplied default setting, or to supply one which would otherwise
have not been used. Requires the -A option.
-N, --force-new
Even if an already-issued certificate is available in the CERTMONGER_CERTIFICATE environment
variable, or a serial number has been provided, don't attempt to renew a certificate using its
serial number. Instead, attempt to obtain a new certificate using the signing request. The
default behavior is to request a renewal if possible.
-R, --force-renew
Negates the effect of the -N flag.
-t, --profile-list
Instead of attempting to obtain a new certificate, query the server for a list of the enabled
enrollment profiles.
-o param=value, --submit-option=param=value
When initially submitting a request to the CA, add the specified parameter and value along with
any request parameters which would otherwise be sent.
-a, --agent-submit
Use agent credentials, specified using some combination of the -d, -n, -c, and -k flags, to
authenticate to the CA when initially submitting a request to the CA or retrieving the list of
enabled enrollment profiles. This is typically required when the enrollment profile being used
uses AgentCertAuth-based authentication, and requires that the URL specified using the -E flag be
an HTTPS URL, or when the URL specified using the -E flag is an HTTPS URL.
-u username, --uid=username
When initially submitting a request to the CA, supply the specified value as a user name. This is
typically required when the enrollment profile being used uses UidPwdDirAuth-based or
NISAuth-based authentication.
-U userdn, --upn=userdn
When initially submitting a request to the CA, supply the specified value as the DN (distinguished
name) of the user's entry in a directory server which the CA is configured to use for checking the
user's password. This is typically required when the enrollment profile being used uses
UdnPwdDirAuth-based authentication.
-W PASSWORD, --userpwd=PASSWORD
When initially submitting a request to the CA, supply the specified value as the password for the
user whose name is specified with the -u option, or whose DN is specified with the -U option.
This is typically only required when the enrollment profile being used uses UidPwdDirAuth-based,
UserPwdDirAuth-based, or NISAuth-based authentication. If the URL specified using the -E flag is
not an HTTPS URL, this value will not be encrypted.
-w FILE, --userpwdfile=FILE
When initially submitting a request to the CA, read from the specified file a password to supply
for the user whose name is specified with the -u option, or whose DN is specified with the -U
option. This is typically only required when the enrollment profile being used uses
UidPwdDirAuth-based, UserPwdDirAuth-based, or NISAuth-based authentication. If the URL specified
using the -E flag is not an HTTPS URL, this value will not be encrypted.
-Y PIN, --userpin=PIN
When initially submitting a request to the CA, supply the specified value as the PIN for the user
whose name is specified with the -u option, or whose DN is specified with the -U option. This is
typically only required when the enrollment profile being used uses UidPwdPinDirAuth-based
authentication. If the URL specified using the -E flag is not an HTTPS URL, this value will not
be encrypted.
-y FILE, --userpinfile=FILE
When initially submitting a request to the CA, read from the specified file a PIN to supply for
the user whose name is specified with the -u option, or whose DN is specified with the -U option.
This is typically only required when the enrollment profile being used uses UidPwdPinDirAuth-based
authentication. If the URL specified using the -E flag is not an HTTPS URL, this value will not
be encrypted.
-v, --verbose
Increases the logging level. Use twice for more logging. This option is mainly useful for
troubleshooting.
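
Several of the options above carry constraints that are easy to miss when an argument list is assembled by hand: -W, -w, -Y and -y send a secret unencrypted unless the -E URL is HTTPS, -a requires an HTTPS -E URL, and -O requires -A. The following pre-flight check is an added example, not part of the original manual page or of the project it documents; the function name lint_submit_args, the host name, the ports and the file path are hypothetical.

```shell
#!/bin/sh
# Added example: lint an argument list for the enrollment helper before use.
# lint_submit_args is a hypothetical name; it inspects arguments only and
# never contacts a CA. Option letters are the ones documented above.
lint_submit_args() {
    ee_url='' agent_url='' secret=0 agent_submit=0 approval=0 rc=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -E) ee_url="${2-}"; [ $# -gt 1 ] && shift ;;
            -E?*) ee_url="${1#-E}" ;;
            --ee-url=*) ee_url="${1#--ee-url=}" ;;
            -A) agent_url="${2-}"; [ $# -gt 1 ] && shift ;;
            -A?*) agent_url="${1#-A}" ;;
            --agent-url=*) agent_url="${1#--agent-url=}" ;;
            # -W/-w/-Y/-y: a password or PIN will be sent to the -E URL.
            -[WwYy]) secret=1; [ $# -gt 1 ] && shift ;;
            -[WwYy]?*|--userpwd=*|--userpwdfile=*|--userpin=*|--userpinfile=*)
                secret=1 ;;
            -a|--agent-submit) agent_submit=1 ;;
            -O) approval=1; [ $# -gt 1 ] && shift ;;
            -O?*|--approval-options=*) approval=1 ;;
        esac
        shift
    done
    # Only a lowercase https:// prefix is accepted; anything else is flagged.
    case "$ee_url" in https://*) ee_https=1 ;; *) ee_https=0 ;; esac
    if [ "$secret" = 1 ] && [ "$ee_https" = 0 ]; then
        echo "CLEARTEXT: password/PIN would be sent unencrypted to '$ee_url'"
        rc=1
    fi
    if [ "$agent_submit" = 1 ] && [ "$ee_https" = 0 ]; then
        echo "AGENT-SUBMIT: -a requires the -E URL to be HTTPS"
        rc=1
    fi
    if [ "$approval" = 1 ] && [ -z "$agent_url" ]; then
        echo "APPROVAL: -O requires the -A option"
        rc=1
    fi
    return "$rc"
}

# Constructed sample invocation (host, port and file path are made up).
lint_submit_args -E http://ca.example.test:8080/ca/ee/ca -u alice \
    -w /etc/pki/enroll.pw -O param=value || echo "argument list rejected"
```

The function prints one line per violated constraint and returns non-zero if any were found, so it can gate the real invocation in a wrapper script.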