NAME

       scep-submit

SYNOPSIS

       scep-submit -u SERVER-URL [-r ra-cert-file] [-R ca-cert-file] [-I other-certs-file] [-N ca-cert-file] [-i
       ca-identifier] [-v] [-n] [-c|-C|-g|-p] [pkimessage-filename]

DESCRIPTION

       scep-submit  is  the  helper  which  certmonger  can  use  to transmit certificate enrollment and renewal
       requests to servers using SCEP.  It is not normally run interactively, but it can be for  troubleshooting
       purposes.

       The  request which is to be submitted should be a PEM-encoded SCEP pkiMessage either in a file whose name
       is given as an argument, or fed into scep-submit via stdin.

MODES

       -c, --retrieve-ca-capabilities
              scep-submit will issue a GetCACaps request to the server and print the results.

       -C, --retrieve-ca-certificates
              scep-submit will issue a GetCACert request to the server, parse the response, and then  print,  in
              order, the RA certificate, the CA certificate, and any additional certificates.

       -p, --pki-message
              scep-submit  will  issue  a  PKIOperation request to the server using the passed-in message as the
              message content.  It will parse the server's response, verify the signature, and if  the  response
              includes an issued certificate, it will output the pkcsPKIEnvelope in PEM format.  If the response
              indicates an error, it will print the error.

       -g, --get-initial-cert
              scep-submit  will  issue  a  PKIOperation request to the server using the passed-in message as the
              message content.  It will parse the server's response, verify the signature, and if  the  response
              includes an issued certificate, it will output the pkcsPKIEnvelope in PEM format.  If the response
              indicates an error, it will print the error.

OPTIONS

       -u URL, --url=URL
              The    location   of   the   SCEP   interface   provided   by   the   CA.    This   is   typically
              http://SERVER/cgi-bin/PKICLIENT.EXE  or  http://SERVER/certsrv/mscep/mscep.dll.   This  option  is
              always required.

       -R FILE, --cacert=FILE
              The  location  of  the CA certificate which was used to issue the SCEP web server's certificate in
              PEM form. If the URL specified with the -u option is an https URL, then this option is required.

       -N FILE, --signingca=FILE
              The location of a PEM-formatted copy of the SCEP server's CA certificate.  A discovered  value  is
              normally supplied by the certmonger daemon, but one can be specified for troubleshooting purposes.

       -r FILE, --racert=FILE
              The  location  of  the  SCEP  server's  RA  certificate,  which is expected to be used for signing
              responses sent by the SCEP server back to the client.  This option is required when either the  -g
              flag or the -p flag is specified.

       -I FILE, --other-certs=FILE
              The location of a file containing other PEM-formatted certificates which may be needed in order to
              properly  verify  signed responses sent by the SCEP server back to the client.  This option may be
              necessary when either the -g flag or the -p flag is specified.

       -i NAME, --ca-identifier=NAME
              When called with the -c or -C flag, this option can be used to specify the CA identifier which  is
              passed to the server as part of the client's request.  The default is "0".

       -n, --non-renewal
              The  SCEP  Renewal  feature  allows  a  client  with  a  previously-issued certificate to use that
              certificate and the associated private key to request a new certificate for a different key  pair,
              and can be used to support certmonger's rekeying feature if the SCEP server advertises support for
              it.   This  option forces the scep-submit helper to prefer to issue requests which do not make use
              of this feature.

       -v, --verbose
              Increases the logging level.  Use twice for more  logging.   This  option  is  mainly  useful  for
              troubleshooting.

EXIT STATUS

       0      if the certificate was issued. The pkcsPKIEnvelope will be printed in PEM-encoded form.

       1      if the CA is still thinking.  A cookie (state) value will be printed.

       2      if the CA rejected the request.  An error message may be printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error message may be printed.

       5      if  the  CA is still thinking.  A suggested poll delay (specified in seconds) and a cookie (state)
              value will be printed.

       16     if the helper needs an SCEP pkiMessage, but couldn't read one.

       17     if the CA indicates that the client needs to attempt enrollment using a new key pair.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1)  getcert-add-ca(1)  getcert-add-scep-ca(1)  getcert-list-cas(1)  getcert-list(1)
       getcert-modify-ca(1)   getcert-refresh-ca(1)   getcert-refresh(1)  getcert-rekey(1)  getcert-remove-ca(1)
       getcert-resubmit(1)      getcert-start-tracking(1)       getcert-status(1)       getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)  certmonger-dogtag-ipa-renew-agent-submit(8)  certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8) certmonger_selinux(8)

certmonger Manual                                 June 20, 2015                                    CERTMONGER(8)