CERTMONGER(8)		    System Manager's Manual		 CERTMONGER(8)

NAME
       scep-submit

SYNOPSIS
       scep-submit -u SERVER-URL [-r ra-cert-file] [-R ca-cert-file]
       [-I other-certs-file] [-N ca-cert-file] [-i ca-identifier] [-v] [-n]
       [-c|-C|-g|-p] [pkimessage-filename]

DESCRIPTION
       scep-submit is the helper which certmonger can use to transmit
       certificate enrollment and renewal requests to servers using SCEP.
       It is not normally run interactively, but it can be for
       troubleshooting purposes.

       The request which is to be submitted should be a PEM-encoded SCEP
       pkiMessage, either in a file whose name is given as an argument, or
       fed into scep-submit via stdin.

MODES
       -c, --retrieve-ca-capabilities
              scep-submit will issue a GetCACaps request to the server and
              print the results.

       -C, --retrieve-ca-certificates
              scep-submit will issue a GetCACert request to the server, parse
              the response, and then print, in order, the RA certificate, the
              CA certificate, and any additional certificates.

       -p, --pki-message
              scep-submit will issue a PKIOperation request to the server
              using the passed-in message as the message content. It will
              parse the server's response, verify the signature, and if the
              response includes an issued certificate, it will output the
              pkcsPKIEnvelope in PEM format. If the response indicates an
              error, it will print the error.

       -g, --get-initial-cert
              scep-submit will issue a PKIOperation request to the server
              using the passed-in message as the message content. It will
              parse the server's response, verify the signature, and if the
              response includes an issued certificate, it will output the
              pkcsPKIEnvelope in PEM format. If the response indicates an
              error, it will print the error.

OPTIONS
       -u URL, --url=URL
              The location of the SCEP interface provided by the CA. This is
              typically http://SERVER/cgi-bin/PKICLIENT.EXE or
              http://SERVER/certsrv/mscep/mscep.dll. This option is always
              required.

       -R FILE, --cacert=FILE
              The location of the CA certificate which was used to issue the
              SCEP web server's certificate in PEM form. If the URL specified
              with the -u option is an https URL, then this option is
              required.

       -N FILE, --signingca=FILE
              The location of a PEM-formatted copy of the SCEP server's CA
              certificate. A discovered value is normally supplied by the
              certmonger daemon, but one can be specified for troubleshooting
              purposes.

       -r FILE, --racert=FILE
              The location of the SCEP server's RA certificate, which is
              expected to be used for signing responses sent by the SCEP
              server back to the client. This option is required when either
              the -g flag or the -p flag is specified.

       -I FILE, --other-certs=FILE
              The location of a file containing other PEM-formatted
              certificates which may be needed in order to properly verify
              signed responses sent by the SCEP server back to the client.
              This option may be necessary when either the -g flag or the -p
              flag is specified.

       -i NAME, --ca-identifier=NAME
              When called with the -c or -C flag, this option can be used to
              specify the CA identifier which is passed to the server as part
              of the client's request. The default is "0".

       -n, --non-renewal
              The SCEP Renewal feature allows a client with a
              previously-issued certificate to use that certificate and the
              associated private key to request a new certificate for a
              different key pair, and can be used to support certmonger's
              rekeying feature if the SCEP server advertises support for it.
              This option forces the scep-submit helper to prefer to issue
              requests which do not make use of this feature.

       -v, --verbose
              Increases the logging level. Use twice for more logging. This
              option is mainly useful for troubleshooting.

EXIT STATUS
       0      if the certificate was issued. The pkcsPKIEnvelope will be
              printed in PEM-encoded form.

       1      if the CA is still thinking. A cookie (state) value will be
              printed.

       2      if the CA rejected the request. An error message may be
              printed.

       3      if the CA was unreachable. An error message may be printed.

       4      if critical configuration information is missing. An error
              message may be printed.

       5      if the CA is still thinking. A suggested poll delay (specified
              in seconds) and a cookie (state) value will be printed.

       16     if the helper needs an SCEP pkiMessage, but couldn't read one.

       17     if the CA indicates that the client needs to attempt enrollment
              using a new key pair.
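
EXAMPLES
       The following script is an added example, not part of certmonger or
       of the original manual page. It splits the output of -C into the
       files expected by -r, -N and -I, then runs a verbose -p submission
       and names the next step for its exit status. SCEP_SUBMIT, the
       function names and the file names are assumptions of this example,
       and an http URL is assumed (an https URL also needs -R).

```shell
#!/bin/sh
# Added example, not part of certmonger. SCEP_SUBMIT (assumed name) is the helper's path.

# Read "scep-submit -C" output on stdin: 1st certificate -> DIR/ra.pem,
# 2nd -> DIR/ca.pem, the rest -> DIR/other.pem. Prints the certificate count.
split_cacerts() {
    dir=$1
    : > "$dir/ra.pem"; : > "$dir/ca.pem"; : > "$dir/other.pem"
    awk -v dir="$dir" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++; inside = 1
            out = dir "/" (n == 1 ? "ra.pem" : (n == 2 ? "ca.pem" : "other.pem"))
        }
        inside { print >> out }
        /^-----END CERTIFICATE-----/ { inside = 0 }
        END { print n + 0 }'
}

# Map a status from the EXIT STATUS section to the caller's next step.
next_step() {
    case $1 in
        0)   echo issued ;;
        1|5) echo poll-again ;;        # CA still thinking; keep the cookie
        3)   echo retry-later ;;       # CA unreachable
        17)  echo new-key-pair ;;
        *)   echo fix-and-resubmit ;;  # 2, 4, 16
    esac
}

# Troubleshooting run: GetCACaps, GetCACert, then the PKIOperation (-p).
# Returns 64 (this example's own code) if -C yields fewer than two certificates.
scep_debug_submit() {
    url=$1 dir=$2 msg=$3 helper=${SCEP_SUBMIT:-scep-submit}
    "$helper" -u "$url" -c || return $?
    n=$("$helper" -u "$url" -C | split_cacerts "$dir")
    [ "$n" -ge 2 ] || { echo "need RA and CA certificates, got $n" >&2; return 64; }
    set -- -u "$url" -r "$dir/ra.pem" -N "$dir/ca.pem"
    [ ! -s "$dir/other.pem" ] || set -- "$@" -I "$dir/other.pem"
    rc=0; "$helper" "$@" -v -p "$msg" || rc=$?
    echo "exit $rc: $(next_step "$rc")" >&2
    return "$rc"
}

# Constructed stand-in for -C output (dummy bodies, not real certificates).
sample_cacerts() {
    for body in AAAA BBBB CCCC DDDD; do
        printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----'
    done
}
```

       Certificates fetched with -C over plain http are unauthenticated;
       compare their fingerprints with values obtained from the CA out of
       band before passing them to -r and -N.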

BUGS
       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO
       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8)
       certmonger_selinux(8)

certmonger Manual		 June 20, 2015			 CERTMONGER(8)
