#151 Add long options to help and man pages
Merged 3 years ago by rcritten. Opened 3 years ago by rcritten.
rcritten/certmonger bz1782838  into  master

file modified
+6
@@ -266,3 +266,9 @@ 

  submit_h_SOURCES = submit-h.c submit-h.h log.c log.h tm.c tm.h

  submit_h_LDADD = $(CURL_LIBS) $(XML_LIBS) $(TALLOC_LIBS) $(LTLIBICONV) \

  		 $(POPT_LIBS)

+ 

+ .PHONY: manlint

+ manlint: $(man_MANS)

+ 	for page in $(MANS); do \

+ 		mandoc -T lint $${page}; \

+ 	done
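Review bot: The `manlint` recipe joins its loop iterations with `;`, so the target's exit status is only that of the last `mandoc -T lint` call. A problem reported on an earlier page would not fail `make manlint`, assuming mandoc returns non-zero for the findings you want to gate on. Either stop on the first failure with `mandoc -T lint "$${page}" || exit 1; \`, or drop the loop and run `mandoc -T lint $(MANS)` once. The rule also lists `$(man_MANS)` as prerequisites but iterates over `$(MANS)`; if the two differ in this Makefile, the linted set and the dependency set drift apart, so use the same variable in both places.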

file modified
+36 -36
@@ -1,20 +1,20 @@ 

- .TH certmonger 1 "23 November 2009" "certmonger Manual"

+ .TH CERTMONGER 1 "November 23, 2009" "certmonger Manual"

  

  .SH NAME

- certmaster-getcert

+ certmaster\-getcert

  

  .SH SYNOPSIS

-  certmaster-getcert request [options]

-  certmaster-getcert resubmit [options]

-  certmaster-getcert start-tracking [options]

-  certmaster-getcert status [options]

-  certmaster-getcert stop-tracking [options]

-  certmaster-getcert list [options]

-  certmaster-getcert list-cas [options]

-  certmaster-getcert refresh-cas [options]

+  certmaster\-getcert request [options]

+  certmaster\-getcert resubmit [options]

+  certmaster\-getcert start\-tracking [options]

+  certmaster\-getcert status [options]

+  certmaster\-getcert stop\-tracking [options]

+  certmaster\-getcert list [options]

+  certmaster\-getcert list\-cas [options]

+  certmaster\-getcert refresh\-cas [options]

  

  .SH DESCRIPTION

- The \fIcertmaster-getcert\fR tool issues requests to a @CM_DBUS_NAME@

+ The \fIcertmaster\-getcert\fR tool issues requests to a @CM_DBUS_NAME@

  service on behalf of the invoking user.  It can ask the service to begin

  enrollment, optionally generating a key pair to use, it can ask the

  service to begin monitoring a certificate in a specified location for
@@ -22,17 +22,17 @@ 

  list the set of certificates that the service is already monitoring, or

  it can list the set of CAs that the service is capable of using.

  

- If no command is given as the first command-line argument,

- \fIcertmaster-getcert\fR will print short usage information for each of

+ If no command is given as the first command\-line argument,

+ \fIcertmaster\-getcert\fR will print short usage information for each of

  its functions.

  

- The \fIcertmaster-getcert\fR tool behaves identically to the generic

- \fIgetcert\fR tool when it is used with the \fB-c

+ The \fIcertmaster\-getcert\fR tool behaves identically to the generic

+ \fIgetcert\fR tool when it is used with the \fB\-c

  \fI@CM_CERTMASTER_CA_NAME@\fR option.

  

  There is no standard authenticated method for obtaining the root certificate

  from certmaster CAs, so \fBcertmonger\fR does not support retrieving trust

- information from them.  While the \fB-F\fR and \fB-a\fR options will still

+ information from them.  While the \fB\-F\fR and \fB\-a\fR options will still

  be recognized, they will effectively be ignored.

  

  .SH BUGS
@@ -41,24 +41,24 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

@@ -1,17 +1,17 @@ 

- .TH certmonger 8 "7 June 2010" "certmonger Manual"

+ .TH CERTMONGER 8 "June 7, 2010" "certmonger Manual"

  

  .SH NAME

- certmaster-submit

+ certmaster\-submit

  

  .SH SYNOPSIS

- certmaster-submit [-h serverHost] [-c cafile] [-C capath] [csrfile]

+ certmaster\-submit [\-h HOST] [\-c FILE] [\-C DIR] [\-v] [csrfile]

  

  .SH DESCRIPTION

- \fIcertmaster-submit\fR is the helper which \fIcertmonger\fR uses to make

- requests to certmaster-based CAs.  It is not normally run interactively,

+ \fIcertmaster\-submit\fR is the helper which \fIcertmonger\fR uses to make

+ requests to certmaster\-based CAs.  It is not normally run interactively,

  but it can be for troubleshooting purposes.  The signing request which is

  to be submitted should either be in a file whose name is given as an argument,

- or fed into \fIcertmaster-submit\fR via stdin.

+ or fed into \fIcertmaster\-submit\fR via stdin.

  

  There is no standard authenticated method for obtaining the root certificate

  from certmaster CAs, so \fBcertmonger\fR does not support retrieving trust
@@ -19,21 +19,24 @@ 

  

  .SH OPTIONS

  .TP

- \fB\-h\fR serverHost

+ \fB\-h\fR \fIHOST\fR, \fB\-\-server\-host\fR=\fIHOST\fR

  Submit the request to the certmaster instance running on the named host.  The

  default is \fIlocalhost:51235\fR if a file named \fB/var/run/certmaster.pid\fR

  is found on the local system, and is read from \fB/etc/certmaster/minion.conf\fR

  if that file is not found.

  .TP

- \fB\-c\fR cafile

+ \fB\-c\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR

  Submit the request over HTTPS instead of HTTP, and only trust the server

  if its certificate was issued by the CA whose certificate is in the named file.

  .TP

- \fB\-C\fR capath

+ \fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR

  Submit the request over HTTPS instead of HTTP, and only trust the server

  if its certificate was issued by a CA whose certificate is in a file in

  the named directory.

- 

+ .TP

+ \fB\-v\fR, \fB\-\-verbose\fR

+ Be verbose about errors.  Normally, the details of an error received from

+ the daemon will be suppressed if the client can make a diagnostic suggestion.

  .SH EXIT STATUS

  .TP

  0
@@ -73,22 +76,22 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

@@ -1,44 +1,51 @@ 

- .TH certmonger 8 "27 Oct 2015" "certmonger Manual"

+ .TH CERTMONGER 8 "October 27, 2015" "certmonger Manual"

  

  .SH NAME

- dogtag-ipa-renew-agent-submit

+ dogtag\-ipa\-renew\-agent\-submit

  

  .SH SYNOPSIS

- dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL

- [-d dbdir]

- [-n nickname]

- [-i cainfo]

- [-C capath]

- [-c certfile]

- [-k keyfile]

- [-p pinfile]

- [-P pin]

- [-s serial (hex)]

- [-D serial (decimal)]

- [-S state]

- [-T profile]

- [-O param=value]

- [-N | -R]

- [-t]

- [-o option=value]

- [-v]

+ dogtag\-ipa\-renew\-agent\-submit \-E EE\-URL \-A AGENT\-URL

+ [\-d dbdir]

+ [\-n nickname]

+ [\-i cainfo]

+ [\-C capath]

+ [\-c certfile]

+ [\-k keyfile]

+ [\-p pinfile]

+ [\-P pin]

+ [\-s serial (hex)]

+ [\-D serial (decimal)]

+ [\-S state]

+ [\-T profile]

+ [\-O param=value]

+ [\-N | \-R]

+ [\-t]

+ [\-o option=value]

+ [\-a]

+ [\-u uid]

+ [\-U udn]

+ [\-W pwd]

+ [\-w pwdfile]

+ [\-Y pin]

+ [\-y pinfile]

  [csrfile]

  

+ 

  .SH DESCRIPTION

- \fIdogtag-ipa-renew-agent-submit\fR is the helper which \fIcertmonger\fR uses

+ \fIdogtag\-ipa\-renew\-agent\-submit\fR is the helper which \fIcertmonger\fR uses

  to make certificate renewal requests to Dogtag instances running on IPA

  servers.  It is not normally run interactively, but it can be for

  troubleshooting purposes.

  

- The preferred option is to request a renewal of an already-issued certificate,

- using its serial number, which can be read from a PEM-formatted certificate

+ The preferred option is to request a renewal of an already\-issued certificate,

+ using its serial number, which can be read from a PEM\-formatted certificate

  provided in the \fICERTMONGER_CERTIFICATE\fR environment variable, or via the

- \fB-s\fR or \fB-D\fR option on the command line.  If no serial number is

+ \fB\-s\fR or \fB\-D\fR option on the command line.  If no serial number is

  provided, then the client will attempt to obtain a new certificate by

  submitting a signing request to the CA.

  

  The signing request which is to be submitted should either be in a file whose

- name is given as an argument, or fed into \fIdogtag-ipa-renew-agent-submit\fR

+ name is given as an argument, or fed into \fIdogtag\-ipa\-renew\-agent\-submit\fR

  via stdin.

  

  \fBcertmonger\fR does not yet support retrieving trust information from Dogtag
@@ -46,8 +53,8 @@ 

  

  .SH OPTIONS

  .TP

- \fB\-E\fR EE-URL

- The top-level URL for the end-entity interface provided by the CA.  In IPA

+ \fB\-E\fR \fIEE\-URL\fR, \fB\-\-ee\-url\fR=\fIEE\-URL\fR

+ The top\-level URL for the end\-entity interface provided by the CA.  In IPA

  installations, this is typically

  \fIhttp://\fBSERVER\fP:\fBEEPORT\fP/ca/ee/ca\fR.

  If no URL is specified, the \fIhost\fR named in the \fI[global]\fR section in
@@ -58,8 +65,8 @@ 

  if \fIdogtag_version\fR is set to \fI10\fR or more, \fBEEPORT\fR will

  be set to 8080.  Otherwise it will be 9180.

  .TP

- \fB\-A\fR AGENT-URL

- The top-level URL for the agent interface provided by the CA.  In IPA

+ \fB\-A\fR \fIAGENT\-URL\fR, \fB\-\-agent\-url\fR=\fIAGENT\-URL\fR

+ The top\-level URL for the agent interface provided by the CA.  In IPA

  installations, this is typically

  \fIhttps://\fBSERVER\fP:\fBAGENTPORT\fP/ca/agent/ca\fR.

  If no URL is specified, the \fIhost\fR named in the \fI[global]\fR section in
@@ -70,96 +77,159 @@ 

  if \fIdogtag_version\fR is set to \fI10\fR or more, \fBAGENTPORT\fR will

  be set to 8443.  Otherwise it will be 9443.

  .TP

- \fB\-d\fR dbdir \fB\-n\fR nickname \fB\-c\fR certfile \fB\-k\fR keyfile

- The location of the key and certificate which the client should use to

- authenticate to the CA's agent interface.  Exactly which values are

- meaningful depend on which cryptography library your copy of libcurl was

- linked with.

- 

- If none of these options are specified, and none of the \fB-p\fR, \fB-P\fR,

- \fB-i\fR, nor \fB-C\fR options are specified, then this set of defaults is

- used:

-  \fB-i\fR \fI/etc/ipa/ca.crt\fR

-  \fB-d\fR \fI/etc/httpd/alias\fR

-  \fB-n\fR \fIipaCert\fR

-  \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR

- .TP

- \fB\-p\fR pinfile

- The name of a file which contains a PIN/password which will be needed in

- order to make use of the agent credentials.

- 

- If this option is not specified, and none of the \fB-d\fR, \fB-n\fR, \fB-c\fR,

- \fB-k\fR, \fB-P\fR, \fB-i\fR, nor \fB-C\fR options are specified, then this set

- of defaults is used:

-  \fB-i\fR \fI/etc/ipa/ca.crt\fR

-  \fB-d\fR \fI/etc/httpd/alias\fR

-  \fB-n\fR \fIipaCert\fR

-  \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR

- .TP

- \fB\-i\fR cainfo \fB\-C\fR capath

+ \fB\-i\fR \fIFILE\fB, \fB\-\-cafile\fR=\fIPATH\fR

  The location of a file containing a copy of the CA's certificate, against which

- the CA server's certificate will be verified, or a directory containing, among

- other things, such a file.

- 

- If these options are not specified, and none of the \fB-d\fR, \fB-n\fR,

- \fB-c\fR, \fB-k\fR, \fB-p\fR, nor \fB-P\fR options are specified, then this set

- of defaults is used:

-  \fB-i\fR \fI/etc/ipa/ca.crt\fR

-  \fB-d\fR \fI/etc/httpd/alias\fR

-  \fB-n\fR \fIipaCert\fR

-  \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR

- .TP

- \fB-s\fR serial

- The serial number of an already-issued certificate for which the client should

- attempt to obtain a new certificate, in hexadecimal form, if one can not be

+ the CA server's certificate will be verified. The default is

+ \fB/etc/ipa/ca.crt\fR.

+ .TP

+ \fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR

+ The location of a directory containing a copy of the CA's certificate,

+ against which the CA server's certificate will be verified.

+ .TP

+ \fB\-s\fR \fINUMBER\fR, \fB\-\-hex\-serial\fR=\fINUMBER\fB

+ The serial number of an already\-issued certificate for which the client should

+ attempt to obtain a new certificate, in hexidecimal form, if one can not be

  read from the \fICERTMONGER_CERTIFICATE\fR environment variable.

  .TP

- \fB-D\fR serial

- The serial number of an already-issued certificate for which the client should

+ \fB\-D\fR \fINUMBER\fR, \fB\-\-serial\fR=\fINUMBER\fB

+ The serial number of an already\-issued certificate for which the client should

  attempt to obtain a new certificate, in decimal form, if one can not be

  read from the \fICERTMONGER_CERTIFICATE\fR environment variable.

  .TP

- \fB-S\fR state

+ \fB\-S\fR \fISTATE\-VALUE\fR, \fB\-\-state\fR=\fISTATE\-VALUE\fR

  A cookie value provided by a previous instance of this helper, if the helper

- is being asked to continue a multi-step enrollment process.  If the

+ is being asked to continue a multi\-step enrollment process.  If the

  \fICERTMONGER_COOKIE\fR environment variable is set, its value is used.

  .TP

- \fB-T\fR profile/template

+ \fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR

  The name of the type of certificate which the client should request from the CA

- if it is not renewing a certificate (per the \fB-s\fR option above).  If the

+ if it is not renewing a certificate (per the \fB\-s\fR option above).  If the

  \fICERTMONGER_CA_PROFILE\fR environment variable is set, its value is used.

  Otherwise, the default value is \fBcaServerCert\fP.

  .TP

- \fB-O\fR param=value

+ \fB\-t\fR, \fB\-\-profile\-list\fR

+ Instead of attempting to obtain a new certificate, query the server for a list

+ of the enabled enrollment profiles.

+ .TP

+ \fB\-O\fR \fIparam=value\fR, \fB\-\-approval\-option\fR=\fIparam=value\fR

  An additional parameter to pass to the server when approving the signing

- request using the agent's credentials.  By default, any server-supplied default

+ request using the agent's credentials.  By default, any server\-supplied default

  settings are applied.  This option can be used either to override a

- server-supplied default setting, or to supply one which would otherwise have

+ server\-supplied default setting, or to supply one which would otherwise have

  not been used.

  .TP

- \fB-N\fR

- Even if an already-issued certificate is available in the

+ \fB\-N\fR, \fB\-\-force\-new\fR

+ Even if an already\-issued certificate is available in the

  \fICERTMONGER_CERTIFICATE\fR environment variable, or a serial number has been

  provided, don't attempt to renew a certificate using its serial number.

  Instead, attempt to obtain a new certificate using the signing request.

  The default behavior is to request a renewal if possible.

  .TP

- \fB-R\fR

- Negates the effect of the \fB-N\fR flag.

- .TP

- \fB-t\fR

- Instead of attempting to obtain a new certificate, query the server for a list

- of the enabled enrollment profiles.

+ \fB\-R\fR, \fB\-\-force\-renew\fR

+ Negates the effect of the \fB\-N\fR flag.

  .TP

- \fB-o\fR param=value

+ \fB\-o\fR \fIparam=value\fR, \fB\-\-submit\-option\fR=\fIparam=value\fR

  When initially submitting a request to the CA, add the specified parameter and

  value along with any request parameters which would otherwise be sent.  This

  option is not typically used.

  .TP

- \fB-v\fR

+ \fB\-a\fR, \fB\-\-agent\-submit\fR

+ Use agent credentials, specified using some combination of the \fB\-d\fR,

+ \fB\-n\fR, \fB\-c\fR, and \fB\-k\fR flags, to authenticate to the CA when

+ initially submitting a request to the CA or retrieving the list of enabled

+ enrollment profiles.

+ This is typically required when the enrollment profile being used uses

+ \fIAgentCertAuth\fR\-based

+ authentication,

+ and requires that the URL specified using the \fB\-E\fR flag be an HTTPS URL,

+ or when the URL specified using the \fB\-E\fR flag is an HTTPS URL.

+ .TP

+ \fB\-u username\fR, \fB\-\-uid\fR=\fIusername\fR

+ When initially submitting a request to the CA, supply the specified value as a user name.

+ This is typically required when the enrollment profile being used uses

+ \fIUidPwdDirAuth\fR\-based or \fINISAuth\fR\-based

+ authentication..TP

+ \fB\-U\fR \fIuserdn\fR, \fB\-\-upn\fR=\fIuserdn\fR

+ When initially submitting a request to the CA, supply the specified value as the DN

+ (distinguished name) of the user's entry in a directory server which the CA is

+ configured to use for checking the user's password.

+ This is typically required when the enrollment profile being used uses

+ \fIUdnPwdDirAuth\fR\-based

+ authentication.

+ .TP

+ \fB\-W\fR \fIPASSWORD\fR, \fB\-\-userpwd\fR=\fIPASSWORD\fR

+ When initially submitting a request to the CA, supply the specified value as the password

+ for the user whose name is specified with the \fB\-u\fR option, or whose DN is

+ specified with the \fB\-U\fR option.

+ This is typically only required when the enrollment profile being used uses

+ \fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based

+ authentication.

+ If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value

+ will not be encrypted.

+ .TP

+ \fB\-w\fR \fIFILE\fR, \fB\-\-userpwdfile\fR=\fIFILE\fR

+ When initially submitting a request to the CA, read from the specified file a

+ password to supply for the user whose name is specified with the \fB\-u\fR

+ option, or whose DN is specified with the \fB\-U\fR option.

+ This is typically only required when the enrollment profile being used uses

+ \fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based

+ authentication.

+ If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value

+ will not be encrypted.

+ .TP

+ \fB\-Y\fR \fIPIN\fR, \fB\-\-userpin\fR=\fIPIN\fR

+ When initially submitting a request to the CA, supply the specified value as the PIN

+ for the user whose name is specified with the \fB\-u\fR option, or whose DN is

+ specified with the \fB\-U\fR option.

+ This is typically only required when the enrollment profile being used uses

+ \fIUidPwdPinDirAuth\fR\-based

+ authentication.

+ If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value

+ will not be encrypted.

+ \fB\-y\fR \fIFILE\fR, \fB\-\-userpinfile\fR=\fIFILE\fR

+ When initially submitting a request to the CA, read from the specified file a

+ PIN to supply for the user whose name is specified with the \fB\-u\fR

+ option, or whose DN is specified with the \fB\-U\fR option.

+ This is typically only required when the enrollment profile being used uses

+ \fIUidPwdPinDirAuth\fR\-based

+ authentication.  If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value

+ will not be encrypted.

+ .TP

+ \fB\-v\fR, \fB\-\-verbose\fR

  Increases the logging level.  Use twice for more logging.  This option is mainly

  useful for troubleshooting.

- 

+ .SH AGENT KEY AND CERTIFICATE OPTIONS

+ Options that provide the location for the private key and public certificate

+ which the client should use to authenticate to the CA's agent interface.

+ The values to use depend on which cryptography library your copy of libcurl

+ was linked with.

+ .TP

+ If none of these options are specified, and none of the \fB\-p\fR, \fB\-P\fR, \fB\-i\fR, nor \fB\-C\fR options are specified, then this set of defaults is used:

+  \fB\-i\fR \fI/etc/ipa/ca.crt\fR

+  \fB\-d\fR \fI/etc/httpd/alias\fR

+  \fB\-n\fR \fIipaCert\fR

+  \fB\-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR

+ .TP

+ \fB\-d\fR \fIdbdir\fR, \fB\-\-dbdir\fR=\fIdbdir\fR

+ Use an NSS database in the specified directory for this certificate

+ and key. Only valid with \-n.

+ .TP

+ \fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR

+ Use the NSS key with this nickname. Only valid with \-d.

+ .TP

+ \fB\-c\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR

+ The PEM file that contains the public certificate. Only valid with \-k.

+ .TP

+ \fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR

+ The PEM file that contains the private certificate. Only valid with \-c.

+ .TP

+ \fB\-p\fR \fIFILE\fR, \fB\-\-sslpinfile\fR=\fIFILE\fR

+ The name of a file which contains a PIN/password which will be needed in

+ order to make use of the agent credentials.

+ .TP

+ \fB\-P\fR \fIPIN\fR, \fB\-\-sslpin\fR=\fIPIN\fR

+ The name of a file which contains a PIN/password which will be needed in

+ order to make use of the agent credentials.

  .SH EXIT STATUS

  .TP

  0
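Review bot: Several added lines in this hunk break the rendered page or misdescribe credential options. `authentication..TP` in the new `\-u` entry fuses the macro onto the sentence, so it should be `authentication.` followed by `.TP` on its own line, and the `\-y`/`\-\-userpinfile` entry has no `.TP` before it, so it runs into the `\-Y` text. The `\-P`/`\-\-sslpin` description repeats the `\-p` wording ("The name of a file which contains a PIN/password"), although the argument is the PIN itself, and `\-k` says "private certificate" where "private key" is meant. Smaller slips: the `\-i` tag line reads `\fIFILE\fB,` and names the long-option argument `PATH`, the `\-s` and `\-D` tag lines end in `\fB` instead of `\fR`, and "hexidecimal" replaces the previously correct spelling. For `\-W` and `\-Y`, consider a sentence pointing readers to `\-w`/`\-y`, since the page already warns about cleartext over non-HTTPS URLs and a secret passed as an argument is usually visible to other local users.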
@@ -189,7 +259,7 @@ 

  .TP

  .I /etc/ipa/default.conf

  is the IPA client configuration file.  This file is consulted to determine

- the URL for the Dogtag server's end-entity and agent interfaces if they are

+ the URL for the Dogtag server's end\-entity and agent interfaces if they are

  not supplied as arguments.

  

  .SH BUGS
@@ -198,22 +268,22 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+135 -117
@@ -1,196 +1,214 @@ 

- .TH certmonger 8 "27 Oct 2015" "certmonger Manual"

+ .TH CERTMONGER 8 "October 27, 2015" "certmonger Manual"

  

  .SH NAME

- dogtag-submit

+ dogtag\-submit

  

  .SH SYNOPSIS

- dogtag-submit -E EE-URL -A AGENT-URL

- [-d dbdir]

- [-n nickname]

- [-i cainfo]

- [-C capath]

- [-c certfile]

- [-k keyfile]

- [-p pinfile]

- [-P pin]

- [-s serial (hex)]

- [-D serial (decimal)]

- [-S state]

- [-T profile]

- [-O param=value]

- [-N | -R]

- [-t]

- [-o option=value]

- [-a ]

- [-u username]

- [-U userdn]

- [-W userpassword]

- [-w userpasswordfile]

- [-Y userpin]

- [-y userpinfile]

- [-v]

+ dogtag\-submit \-E EE\-URL \-A AGENT\-URL

+ [\-d DIR]

+ [\-n NAME]

+ [\-i FILE]

+ [\-C DIR]

+ [\-c FILE]

+ [\-k FILE]

+ [\-p FILE]

+ [\-P PIN]

+ [\-s serial (hex)]

+ [\-D serial (decimal)]

+ [\-S state]

+ [\-T profile]

+ [\-O param=value]

+ [\-N | \-R]

+ [\-t]

+ [\-o option=value]

+ [\-a]

+ [\-u username]

+ [\-U userdn]

+ [\-W PASSWORD]

+ [\-w FILE]

+ [\-Y PIN]

+ [\-y FILE]

+ [\-v]

  [csrfile]

  

  .SH DESCRIPTION

- \fIdogtag-submit\fR is the helper which \fIcertmonger\fR can use to make

+ \fIdogtag\-submit\fR is the helper which \fIcertmonger\fR can use to make

  certificate enrollment and renewal requests to Dogtag servers.  It is not

  normally run interactively, but it can be for troubleshooting purposes.

  

- The preferred option is to request a renewal of an already-issued certificate,

- using its serial number, which can be read from a PEM-formatted certificate

+ The preferred option is to request a renewal of an already\-issued certificate,

+ using its serial number, which can be read from a PEM\-formatted certificate

  provided in the \fICERTMONGER_CERTIFICATE\fR environment variable, or via the

- \fB-s\fR or \fB-D\fR option on the command line.  If no serial number is

+ \fB\-s\fR or \fB\-D\fR option on the command line.  If no serial number is

  provided, then the client will attempt to obtain a new certificate by

  submitting a signing request to the CA.

  

  The signing request which is to be submitted should either be in a file whose

- name is given as an argument, or fed into \fIdogtag-submit\fR via stdin.

+ name is given as an argument, or fed into \fIdogtag\-submit\fR via stdin.

  

  \fBcertmonger\fR does not yet support retrieving trust information from Dogtag

  CAs.

  

  .SH OPTIONS

  .TP

- \fB\-E\fR EE-URL

- The top-level URL for the end-entity interface provided by the CA, through

+ \fB\-E\fR \fIEE\-URL\fR, \fB\-\-ee\-url\fR=\fIEE\-URL\fR

+ The top\-level URL for the end\-entity interface provided by the CA, through

  which the initial enrollment request will be submitted.  This is typically

  \fIhttp://\fBSERVER\fP:\fBEEPORT\fP/ca/ee/ca\fR.

  .TP

- \fB\-A\fR AGENT-URL

- The top-level URL for the agent interface provided by the CA, through which the

+ \fB\-A\fR \fIAGENT\-URL\fR, \fB\-\-agent\-url\fR=\fIAGENT\-URL\fR

+ The top\-level URL for the agent interface provided by the CA, through which the

  request can be approved using agent credentials.  This is typically

  \fIhttps://\fBSERVER\fP:\fBAGENTPORT\fP/ca/agent/ca\fR.

  .TP

- \fB\-d\fR dbdir \fB\-n\fR nickname \fB\-c\fR certfile \fB\-k\fR keyfile

- The location of the key and certificate which the client should use to

- authenticate to the CA's agent interface.  Exactly which values are

- meaningful depend on which cryptography library your copy of libcurl was

- linked with.

- .TP

- \fB\-p\fR pinfile

- The name of a file which contains a PIN/password which will be needed in

- order to make use of the agent credentials.

- .TP

- \fB\-i\fR cainfo \fB\-C\fR capath

+ \fB\-i\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR

  The location of a file containing a copy of the CA's certificate, against which

- the CA server's certificate will be verified, or a directory containing, among

- other things, such a file.

+ the CA server's certificate will be verified.

  .TP

- \fB-s\fR serial

- The serial number of an already-issued certificate for which the client should

- attempt to obtain a new certificate, in hexadecimal form, if one can not be

- read from the \fICERTMONGER_CERTIFICATE\fR environment variable.

+ \fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR

+ The location of a directory containing a copy of the CA's certificate(s),

+ against which the CA server's certificate will be verified.

  .TP

- \fB-D\fR serial

- The serial number of an already-issued certificate for which the client should

+ \fB\-D\fR \fISERIAL\fR, \fB\-\-serial\fR=\fISERIAL\fR

+ The serial number of an already\-issued certificate for which the client should

  attempt to obtain a new certificate, in decimal form, if one can not be

  read from the \fICERTMONGER_CERTIFICATE\fR environment variable.

  .TP

- \fB-S\fR state

+ \fB\-s\fR SERIAL, \fB\-\-hex\-serial\fB=\fISERIAL\fR

+ The serial number of an already\-issued certificate for which the client should

+ attempt to obtain a new certificate, in hexadecimal form, if one can not be

+ read from the \fICERTMONGER_CERTIFICATE\fR environment variable.

+ .TP

+ \fB\-S\fR \fISTATE\fR, \fB\-\-state\fR=\fISTATE\fR

  A cookie value provided by a previous instance of this helper, if the helper

- is being asked to continue a multi-step enrollment process.  If the

+ is being asked to continue a multi\-step enrollment process.  If the

  \fICERTMONGER_COOKIE\fR environment variable is set, its value is used.

  .TP

- \fB-T\fR profile/template

+ \fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR

  The name of the type of certificate which the client should request from the CA

- if it is not renewing a certificate (per the \fB-s\fR option above).  If the

+ if it is not renewing a certificate (per the \fB\-s\fR option above).  If the

  \fICERTMONGER_CA_PROFILE\fR environment variable is set, its value is used.

  Otherwise, the default value is \fBcaServerCert\fP.

  .TP

- \fB-O\fR param=value

+ \fB\-O\fR \fIparam=value\fR, \fB\-\-approval\-options\fR=\fIparam=value\fR

  An additional parameter to pass to the server when approving the signing

- request using agent credentials.  By default, any server-supplied default

+ request using agent credentials.  By default, any server\-supplied default

  settings are applied.  This option can be used either to override a

- server-supplied default setting, or to supply one which would otherwise have

- not been used.  Requires the \fB-A\fR option.

+ server\-supplied default setting, or to supply one which would otherwise have

+ not been used.  Requires the \fB\-A\fR option.

  .TP

- \fB-N\fR

- Even if an already-issued certificate is available in the

+ \fB\-N\fR, \fB\-\-force\-new\fR

+ Even if an already\-issued certificate is available in the

  \fICERTMONGER_CERTIFICATE\fR environment variable, or a serial number has been

  provided, don't attempt to renew a certificate using its serial number.

  Instead, attempt to obtain a new certificate using the signing request.

  The default behavior is to request a renewal if possible.

  .TP

- \fB-R\fR

- Negates the effect of the \fB-N\fR flag.

+ \fB\-R\fR, \fB\-\-force\-renew\fR

+ Negates the effect of the \fB\-N\fR flag.

  .TP

- \fB-t\fR

+ \fB\-t\fR, \fB\-\-profile\-list\fR

  Instead of attempting to obtain a new certificate, query the server for a list

  of the enabled enrollment profiles.

  .TP

- \fB-o\fR param=value

+ \fB\-o\fR \fIparam=value\fR, \fB\-\-submit\-option\fR=\fIparam=value\fR

  When initially submitting a request to the CA, add the specified parameter and

  value along with any request parameters which would otherwise be sent.

  .TP

- \fB-a\fR

+ \fB\-a\fR, \fB\-\-agent\-submit\fR

  Use agent credentials, specified using some combination of the \fB\-d\fR,

  \fB\-n\fR, \fB\-c\fR, and \fB\-k\fR flags, to authenticate to the CA when

  initially submitting a request to the CA or retrieving the list of enabled

  enrollment profiles.

  This is typically required when the enrollment profile being used uses

- \fIAgentCertAuth\fR-based

+ \fIAgentCertAuth\fR\-based

  authentication,

- and requires that the URL specified using the \fB-E\fR flag be an HTTPS URL,

- or when the URL specified using the \fB-E\fR flag is an HTTPS URL.

+ and requires that the URL specified using the \fB\-E\fR flag be an HTTPS URL,

+ or when the URL specified using the \fB\-E\fR flag is an HTTPS URL.

  .TP

- \fB-u username\fR

+ \fB\-u username\fR, \fB\-\-uid\fR=\fIusername\fR

  When initially submitting a request to the CA, supply the specified value as a user name.

  This is typically required when the enrollment profile being used uses

- \fIUidPwdDirAuth\fR-based or \fINISAuth\fR-based

+ \fIUidPwdDirAuth\fR\-based or \fINISAuth\fR\-based

  authentication.

  .TP

- \fB-U userdn\fR

+ \fB\-U\fR \fIuserdn\fR, \fB\-\-upn\fR=\fIuserdn\fR

  When initially submitting a request to the CA, supply the specified value as the DN

  (distinguished name) of the user's entry in a directory server which the CA is

  configured to use for checking the user's password.

  This is typically required when the enrollment profile being used uses

- \fIUdnPwdDirAuth\fR-based

+ \fIUdnPwdDirAuth\fR\-based

  authentication.

  .TP

- \fB-W userpassword\fR

+ \fB\-W\fR \fIPASSWORD\fR, \fB\-\-userpwd\fR=\fIPASSWORD\fR

  When initially submitting a request to the CA, supply the specified value as the password

- for the user whose name is specified with the \fB-u\fR option, or whose DN is

- specified with the \fB-U\fR option.

+ for the user whose name is specified with the \fB\-u\fR option, or whose DN is

+ specified with the \fB\-U\fR option.

  This is typically only required when the enrollment profile being used uses

- \fIUidPwdDirAuth\fR-based, \fIUserPwdDirAuth\fR-based, or \fINISAuth\fR-based

+ \fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based

  authentication.

- If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value

+ If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value

  will not be encrypted.

  .TP

- \fB-w userpasswordfile\fR

+ \fB\-w\fR \fIFILE\fR, \fB\-\-userpwdfile\fR=\fIFILE\fR

  When initially submitting a request to the CA, read from the specified file a

- password to supply for the user whose name is specified with the \fB-u\fR

- option, or whose DN is specified with the \fB-U\fR option.

+ password to supply for the user whose name is specified with the \fB\-u\fR

+ option, or whose DN is specified with the \fB\-U\fR option.

  This is typically only required when the enrollment profile being used uses

- \fIUidPwdDirAuth\fR-based, \fIUserPwdDirAuth\fR-based, or \fINISAuth\fR-based

+ \fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based

  authentication.

- If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value

+ If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value

  will not be encrypted.

  .TP

- \fB-Y userpin\fR

+ \fB\-Y\fR \fIPIN\fR, \fB\-\-userpin\fR=\fIPIN\fR

  When initially submitting a request to the CA, supply the specified value as the PIN

- for the user whose name is specified with the \fB-u\fR option, or whose DN is

- specified with the \fB-U\fR option.

+ for the user whose name is specified with the \fB\-u\fR option, or whose DN is

+ specified with the \fB\-U\fR option.

  This is typically only required when the enrollment profile being used uses

- \fIUidPwdPinDirAuth\fR-based

+ \fIUidPwdPinDirAuth\fR\-based

  authentication.

- If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value

+ If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value

  will not be encrypted.

  .TP

- \fB-y userpinfile\fR

+ \fB\-y\fR \fIFILE\fR, \fB\-\-userpinfile\fR=\fIFILE\fR

  When initially submitting a request to the CA, read from the specified file a

- PIN to supply for the user whose name is specified with the \fB-u\fR

- option, or whose DN is specified with the \fB-U\fR option.

+ PIN to supply for the user whose name is specified with the \fB\-u\fR

+ option, or whose DN is specified with the \fB\-U\fR option.

  This is typically only required when the enrollment profile being used uses

- \fIUidPwdPinDirAuth\fR-based

+ \fIUidPwdPinDirAuth\fR\-based

  authentication.

- If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value

+ If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value

  will not be encrypted.

  .TP

- \fB-v\fR

+ \fB\-v\fR, \fB\-\-verbose\fR

  Increases the logging level.  Use twice for more logging.  This option is mainly

  useful for troubleshooting.

- 

+ .SH AGENT KEY AND CERTIFICATE OPTIONS

+ Options that provide the location for the private key and public certificate

+ which the client should use to authenticate to the CA's agent interface.

+ The values to use depend on which cryptography library your copy of libcurl

+ was linked with.

+ .TP

+ \fB\-d\fR \fIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR

+ Use an NSS database in the specified directory for this certificate

+ and key. Only valid with \-n.

+ .TP

+ \fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR

+ Use the NSS key with this nickname. Only valid with \-d.

+ .TP

+ \fB\-c\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR

+ The PEM file that contains the public certificate. Only valid with \-k.

+ .TP

+ \fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR

+ The PEM file that contains the private certificate. Only valid with \-c.

+ .TP

+ \fB\-p\fR \fIFILE\fR, \fB\-\-sslpinfile\fR=\fIFILE\fR

+ The name of a file which contains a PIN/password which will be needed in

+ order to make use of the agent credentials.

+ .TP

+ \fB\-P\fR \fIPIN\fR, \fB\-\-sslpin\fR=\fIPIN\fR

+ The name of a file which contains a PIN/password which will be needed in

+ order to make use of the agent credentials.

  .SH EXIT STATUS

  .TP

  0
@@ -222,22 +240,22 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+66 -49
@@ -1,21 +1,23 @@ 

- .TH certmonger 8 "16 April 2015" "certmonger Manual"

+ .TH CERTMONGER 8 "April 16, 2015" "certmonger Manual"

  

  .SH NAME

- ipa-submit

+ ipa\-submit

  

  .SH SYNOPSIS

- ipa-submit [-h serverHost] [-H serverURL] [-c cafile] [-C capath]

- [[-K]  | [-t keytab] [-k submitterPrincipal]] [-P principalOfRequest] [-T profile] [csrfile]

+ ipa\-submit [\-h serverHost] [\-H serverURL] [\-d domain] [\-L ldapurl] [\-b basedn]

+ [\-c cafile] [\-C capath] [[\-K] | [\-t keytab] [\-k submitterPrincipal]]

+ [\-u UID] [\-W PASSWORD] [\-w FILE] [\-P principalOfRequest] [\-T profile]

+ [\-X issuer] [csrfile]

  

  .SH DESCRIPTION

- \fIipa-submit\fR is the helper which \fIcertmonger\fR uses to make

- requests to IPA-based CAs.  It is not normally run interactively,

+ \fIipa\-submit\fR is the helper which \fIcertmonger\fR uses to make

+ requests to IPA\-based CAs.  It is not normally run interactively,

  but it can be for troubleshooting purposes.  The signing request which is

  to be submitted should either be in a file whose name is given as an argument,

- or fed into \fIipa-submit\fR via stdin.

+ or fed into \fIipa\-submit\fR via stdin.

  

  \fBcertmonger\fR supports retrieving trusted certificates from IPA CAs.  See

- \fBgetcert-request\fR(1) and \fBgetcert-resubmit\fR(1) for information about

+ \fBgetcert\-request\fR(1) and \fBgetcert\-resubmit\fR(1) for information about

  specifying where those certificates should be stored on the local system.

  Trusted certificates are retrieved from the \fBcaCertificate\fR attribute of

  entries present at and below \fIcn=cacert,cn=ipa,cn=etc,\fR$BASE in the IPA
@@ -24,27 +26,27 @@ 

  

  .SH OPTIONS

  .TP

- \fB\-P\fR csrPrincipal

+ \fB\-P\fR \fIPRINCIPAL\fR, \fB\-\-principal\-of\-request\fR=\fIPRINCIPAL\fR

  Identifies the principal name of the service for which the certificate is being

  issued.  This setting is required by IPA and must always be specified.

  .TP

- \fB\-X\fR issuer

+ \fB\-X\fR \fINAME\fR, \fB\-\-issuer\fB=\fINAME\fR

  Requests that the certificate be processed by the specified certificate issuer.

  By default, if this flag is not specified, and the \fBCERTMONGER_CA_ISSUER\fR

  variable is set in the environment, then the value of the environment variable

  will be used.  This setting is optional, and if a server returns error 3005,

  indicating that it does not understand multiple profiles, the request will be

- re-submitted without specifying an issuer name.

+ re\-submitted without specifying an issuer name.

  .TP

- \fB\-T\fR profile

+ \fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR

  Requests that the certificate be processed using the specified certificate profile.

  By default, if this flag is not specified, and the \fBCERTMONGER_CA_PROFILE\fR

  variable is set in the environment, then the value of the environment variable

  will be used.  This setting is optional, and if a server returns error 3005,

  indicating that it does not understand multiple profiles, the request will be

- re-submitted without specifying a profile.

+ re\-submitted without specifying a profile.

  .TP

- \fB\-h\fR serverHost

+ \fB\-h\fR \fIHOSTNAME\fR, \fB\-\-host\fR=\fIHOSTNAME\fR

  Submit the request to the IPA server running on the named host.  The default is

  to read the location of the host from \fB/etc/ipa/default.conf\fR.

  If no server is configured, or the configured server cannot be reached, the
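Review bot: The `\-X` entry ends the long option name with `\fB` instead of `\fR` (`\fB\-\-issuer\fB=\fINAME\fR`), so the `=` stays bold, unlike the `\-P`, `\-T` and `\-h` entries in this hunk. It should read `\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR`. The same kind of font-escape slip appears in later hunks of this change: the scep\-submit `\-c` and `\-C` entries open the long option with `\fR` rather than `\fB`, and the certmonger `\-b` entry has `\fR` and `\fB` swapped around `\-\-bus\-activation\-timeout`. These are all valid escapes, so a lint pass may not flag them; the rendered pages are worth a visual check.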
@@ -53,7 +55,7 @@ 

  IPA masters running the "CA" service, and the client will attempt to contact

  each of those in turn.

  .TP

- \fB\-H\fR serverURL

+ \fB\-H\fR \fIURL\fR, \fB\-\-xmlrpc\-url\fR=\fIURL\fR

  Submit the request to the IPA server at the specified location.  The default is

  to read the location of the host from \fB/etc/ipa/default.conf\fR.

  If no server is configured, or the configured server cannot be reached, the
@@ -62,49 +64,64 @@ 

  IPA masters running the "CA" service, and the client will attempt to contact

  each of those in turn.

  .TP

- \fB\-c\fR cafile

+ \fB\-L\fR \fIURL\fR, \fB\-\-ldap\-url\fR=\fIURL\fR

+ Provide the IPA LDAP service location rather than using DNS discovery.

+ The default is to read the location of the host from

+ \fB/etc/ipa/default.conf\fR and use DNS discovery to find the set of

+ _ldap._tcp.DOMAIN values and pick one for use.

+ .TP

+ \fB\-d\fR \fIDOMAIN\fR, \fB\-\-domain\fR=\fIDOMAIN\fR

+ Use this domain when doing DNS discovery to locate LDAP servers for the IPA

+ installation. The default is to read the location of the host from

+ \fB/etc/ipa/default.conf\fR.

+ .TP

+ \fB\-b\fR \fIBASEDN\fR, \fB\-\-basedn\fR=\fIBASEDN\fR

+ Use this basedn to search for an IPA installation in LDAP. The default is to

+ read the location of the host from \fB/etc/ipa/default.conf\fR.

+ .TP

+ \fB\-c\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR

  The server's certificate was issued by the CA whose certificate is in the named

  file.  The default value is \fI/etc/ipa/ca.crt\fR.

  .TP

- \fB\-C\fR capath

+ \fB\-C\fR \fIPATH\fR, \fB\-\-capath\fR=\fIDIR\fR

  Trust the server if its certificate was issued by a CA whose certificate is in

  a file in the named directory.  There is no default for this option, and it

  is not expected to be necessary.

  .TP

- \fB\-t\fR keytab

+ \fB\-t\fR \fIKEYTAB\fR, \fB\-\-keytab\fR=\fIKEYTAB\fR

  Authenticate to the IPA server using Kerberos with credentials derived from

  keys stored in the named keytab.  The default value can vary, but it is usually

  \fI/etc/krb5.keytab\fR.

- This option conflicts with the \fB-K\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR

+ This option conflicts with the \fB\-K\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR

  options.

  .TP

- \fB\-k\fR authPrincipal

+ \fB\-k\fR \fIPRINCIPAL\fR, \fB\-\-submitter\-principal\fR=\fIPRINCIPAL\fR

  Authenticate to the IPA server using Kerberos with credentials derived from

  keys stored in the named keytab for this principal name.  The default value is

  the \fBhost\fR service for the local host in the local realm.

- This option conflicts with the \fB-K\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR

+ This option conflicts with the \fB\-K\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR

  options.

  .TP

- \fB\-K\fR

+ \fB\-K\fR, \fB\-\-use\-ccache\-creds\fR

  Authenticate to the IPA server using Kerberos with credentials derived from the

  default credential cache rather than a keytab.

- This option conflicts with the \fB-k\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR

+ This option conflicts with the \fB\-k\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR

  options.

  .TP

- \fB\-u\fR uid

+ \fB\-u\fR \fIUSERNAME\fR, \fB\-\-uid\fR=\fIUSERNAME\fR

  Authenticate to the IPA server using a user name and password, using the

  specified value as the user name.

- This option conflicts with the \fB-k\fR, \fB-K\fR, and \fB-t\fR options.

+ This option conflicts with the \fB\-k\fR, \fB\-K\fR, and \fB\-t\fR options.

  .TP

- \fB\-W\fR pwd

+ \fB\-W\fR \fIPASSWORD\fR, \fB\-\-pwd\fR=\fIPASSWORD\fR

  Authenticate to the IPA server using a user name and password, using the

  specified value as the password.

- This option conflicts with the \fB-k\fR, \fB-K\fR, \fB-t\fR, and \fB-w\fR options.

+ This option conflicts with the \fB\-k\fR, \fB\-K\fR, \fB\-t\fR, and \fB\-w\fR options.

  .TP

- \fB\-w\fR pwdfile

+ \fB\-w\fR \fIFILE\fR, \fB\-\-pwdfile\fR=\fIFILE\fR

  Authenticate to the IPA server using a user name and password, reading the

  password from the specified file.

- This option conflicts with the \fB-k\fR, \fB-K\fR, \fB-t\fR, and \fB-W\fR options.

+ This option conflicts with the \fB\-k\fR, \fB\-K\fR, \fB\-t\fR, and \fB\-W\fR options.

  

  .SH EXIT STATUS

  .TP
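Review bot: The `\-C` entry names its argument two ways, `\fB\-C\fR \fIPATH\fR, \fB\-\-capath\fR=\fIDIR\fR`; the description speaks of a directory, so both placeholders should be `\fIDIR\fR`. Separately, `\-W`/`\-\-pwd` is now documented as taking the password itself, and a value passed as a command-line argument is generally visible to other local users through the process list. The entry could point readers to the file-based form with a sentence such as `Prefer \fB\-w\fR where other local users could see the command line.` after the conflicts sentence.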
@@ -131,7 +148,7 @@ 

  .TP

  .I /etc/ipa/default.conf

  is the IPA client configuration file.  This file is consulted to determine

- the URL for the IPA server's XML-RPC interface.

+ the URL for the IPA server's XML\-RPC interface.

  

  .SH BUGS

  Please file tickets for any that you find at https://fedorahosted.org/certmonger/
@@ -139,23 +156,23 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

@@ -1,35 +1,35 @@ 

- .TH certmonger 8 "7 June 2014" "certmonger Manual"

+ .TH CERTMONGER 8 "June 7, 2014" "certmonger Manual"

  

  .SH NAME

- local-submit

+ local\-submit

  

  .SH SYNOPSIS

- local-submit [-d state-directory] [-v] [csrfile]

+ local\-submit [\-d state\-directory] [\-v] [csrfile]

  

  .SH DESCRIPTION

- \fIlocal-submit\fR is the helper which \fIcertmonger\fR uses to implement

+ \fIlocal\-submit\fR is the helper which \fIcertmonger\fR uses to implement

  its local signer.  It is not normally run interactively, but it can be for

  troubleshooting purposes.  The signing request which is to be submitted

  should either be in a file whose name is given as an argument, or fed into

- \fIlocal-submit\fR via stdin.

+ \fIlocal\-submit\fR via stdin.

  

- The local signer is currently hard-coded to generate and use a

- @CM_DEFAULT_PUBKEY_SIZE@-bit RSA key and a name and initial serial number based

+ The local signer is currently hard\-coded to generate and use a

+ @CM_DEFAULT_PUBKEY_SIZE@\-bit RSA key and a name and initial serial number based

  on a UUID, replacing that key and certificate at roughly the midpoint of their

  useful lifetime.

  

- \fBcertmonger\fR supports retrieving the list of current and previously-used

- local CA certificates.  See \fBgetcert-request\fR(1) and

- \fBgetcert-resubmit\fR(1) for information about specifying where those

+ \fBcertmonger\fR supports retrieving the list of current and previously\-used

+ local CA certificates.  See \fBgetcert\-request\fR(1) and

+ \fBgetcert\-resubmit\fR(1) for information about specifying where those

  certificates should be stored.

  

  .SH OPTIONS

  .TP

- \fB\-d\fR state-directory

+ \fB\-d\fR \fIDIR\fR, \fB\-\-ca\-data\-directory\fR=\fIDIR\fR

  Identifies the directory which contains the local signer's private key,

  certificates, and other data used by the local signer.

  .TP

- \fB\-v\fR

+ \fB\-v\fR, \fB\-\-verbose\fR

  Increases the verbosity of the tool's diagnostic logging.

  

  .SH EXIT STATUS
@@ -47,7 +47,7 @@ 

  .TP

  .I creds

  is currently a PKCS#12 bundle containing the local signer's current signing key

- and current and previously-used signer certificates.  It should not be modified

+ and current and previously\-used signer certificates.  It should not be modified

  except by the local signer.  A new key is currently generated when ever a new

  signer certificate is needed.

  .TP
@@ -61,22 +61,22 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+62 -62
@@ -1,98 +1,98 @@ 

- .TH certmonger 8 "20 June 2015" "certmonger Manual"

+ .TH CERTMONGER 8 "June 20, 2015" "certmonger Manual"

  

  .SH NAME

- scep-submit

+ scep\-submit

  

  .SH SYNOPSIS

- scep-submit -u SERVER-URL

- [-r ra-cert-file]

- [-R ca-cert-file]

- [-I other-certs-file]

- [-N ca-cert-file]

- [-i ca-identifier]

- [-v]

- [-n]

- [-c|-C|-g|-p]

- [pkimessage-filename]

+ scep\-submit \-u SERVER\-URL

+ [\-r ra\-cert\-file]

+ [\-R ca\-cert\-file]

+ [\-I other\-certs\-file]

+ [\-N ca\-cert\-file]

+ [\-i ca\-identifier]

+ [\-v]

+ [\-n]

+ [\-c|\-C|\-g|\-p]

+ [pkimessage\-filename]

  

  .SH DESCRIPTION

- \fIscep-submit\fR is the helper which \fIcertmonger\fR can use to

+ \fIscep\-submit\fR is the helper which \fIcertmonger\fR can use to

  transmit certificate enrollment and renewal requests to servers using

  SCEP.  It is not normally run interactively, but it can be for

  troubleshooting purposes.

  

- The request which is to be submitted should be a PEM-encoded SCEP

+ The request which is to be submitted should be a PEM\-encoded SCEP

  pkiMessage either in a file whose name is given as an argument, or fed

- into \fIscep-submit\fR via stdin.

+ into \fIscep\-submit\fR via stdin.

  

  .SH MODES

  .TP

- \fB\-c\fR

+ \fB\-c\fR, \fR\-\-retrieve\-ca\-capabilities\fR

  \fIscep-submit\fR will issue a \fIGetCACaps\fR request to the server and

  print the results.

  .TP

- \fB\-C\fR

- \fIscep-submit\fR will issue \fIGetCACert\fR and \fIGetCAChain\fR

- requests to the server, parse the responses, and then print, in order,

+ \fB\-C\fR, \fR\-\-retrieve\-ca\-certificates\fR

+ \fIscep-submit\fR will issue a \fIGetCACert\fR

+ request to the server, parse the response, and then print, in order,

  the RA certificate, the CA certificate, and any additional certificates.

  .TP

- \fB\-p\fR

- \fIscep-submit\fR will issue a \fIPKIOperation\fR request to the server

- using the passed-in message as the message content.  It will parse the

+ \fB\-p\fR, \fB\-\-pki\-message\fR

+ \fIscep\-submit\fR will issue a \fIPKIOperation\fR request to the server

+ using the passed\-in message as the message content.  It will parse the

  server's response, verify the signature, and if the response includes an

  issued certificate, it will output the \fIpkcsPKIEnvelope\fR in PEM

  format.  If the response indicates an error, it will print the error.

  .TP

- \fB\-g\fR

- \fIscep-submit\fR will issue a \fIPKIOperation\fR request to the server

- using the passed-in message as the message content.  It will parse the

+ \fB\-g\fR, \fB\-\-get\-initial\-cert\fR

+ \fIscep\-submit\fR will issue a \fIPKIOperation\fR request to the server

+ using the passed\-in message as the message content.  It will parse the

  server's response, verify the signature, and if the response includes an

  issued certificate, it will output the \fIpkcsPKIEnvelope\fR in PEM

  format.  If the response indicates an error, it will print the error.

  .SH OPTIONS

  .TP

- \fB\-u\fR SERVER-URL

+ \fB\-u\fR \fIURL\fR, \fB\-\-url\fR=\fIURL\fR

  The location of the SCEP interface provided by the CA.  This is

- typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or

+ typically \fIhttp://\fBSERVER\fP/cgi\-bin/PKICLIENT.EXE\fR or

  \fIhttp://\fBSERVER\fP/certsrv/mscep/mscep.dll\fR.  This option is

  always required.

  .TP

- \fB\-R\fR CA-certificate-file

+ \fB\-R\fR \fIFILE\fR, \fB\-\-cacert\fR=\fIFILE\fR

  The location of the CA certificate which was used to issue the SCEP web

  server's certificate in PEM form. If the URL specified with the

- \fB-u\fR option is an \fIhttps\fR URL, then this option is required.

+ \fB\-u\fR option is an \fIhttps\fR URL, then this option is required.

  .TP

- \fB\-N\fR ca-certificate-file

- The location of a PEM-formatted copy of the SCEP server's CA certificate.

+ \fB\-N\fR \fIFILE\fR, \fB\-\-signingca\fR=\fIFILE\fR

+ The location of a PEM\-formatted copy of the SCEP server's CA certificate.

  A discovered value is normally supplied by the certmonger daemon, but one can

  be specified for troubleshooting purposes.

  .TP

- \fB\-r\fR RA-certificate-file

+ \fB\-r\fR \fIFILE\fR, \fB\-\-racert\fR=\fIFILE\fR

  The location of the SCEP server's RA certificate, which is expected to

  be used for signing responses sent by the SCEP server back to the

- client.  This option is required when either the \fB-g\fR flag or the

- \fB-p\fR flag is specified.

+ client.  This option is required when either the \fB\-g\fR flag or the

+ \fB\-p\fR flag is specified.

  .TP

- \fB\-I\fR other-certificates-file

- The location of a file containing other PEM-formatted certificates which

+ \fB\-I\fR \fIFILE\fR, \fB\-\-other\-certs\fR=\fIFILE\fR

+ The location of a file containing other PEM\-formatted certificates which

  may be needed in order to properly verify signed responses sent by the

  SCEP server back to the client.  This option may be necessary when

- either the \fB-g\fR flag or the \fB-p\fR flag is specified.

+ either the \fB\-g\fR flag or the \fB\-p\fR flag is specified.

  .TP

- \fB\-i\fR ca-identifier

- When called with the \fB-c\fR or \fB-C\fR flag, this option can be used to

+ \fB\-i\fR \fINAME\fR, \fB\-\-ca\-identifier\fR=\fINAME\fR

+ When called with the \fB\-c\fR or \fB\-C\fR flag, this option can be used to

  specify the CA identifier which is passed to the server as part of the client's

  request.  The default is "0".

  .TP

- \fB\-n\fR

- The SCEP Renewal feature allows a client with a previously-issued certificate

+ \fB\-n\fR, \fB\-\-non\-renewal\fR

+ The SCEP Renewal feature allows a client with a previously\-issued certificate

  to use that certificate and the associated private key to request a new

  certificate for a different key pair, and can be used to support

  \fIcertmonger\fR's rekeying feature if the SCEP server advertises support for

- it.  This option forces the \fIscep-submit\fR helper to prefer to issue

+ it.  This option forces the \fIscep\-submit\fR helper to prefer to issue

  requests which do not make use of this feature.

  .TP

- \fB-v\fR

+ \fB-v\fR, \fB\-\-verbose\fR

  Increases the logging level.  Use twice for more logging.  This option

  is mainly useful for troubleshooting.
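Review bot: The `\-C` mode text no longer mentions `GetCAChain` and now says only a `GetCACert` request is issued, which changes a statement about behaviour in a commit that is otherwise about long options and hyphen escaping. Whether the helper still sends both requests cannot be confirmed from this hunk; if it does, the old sentence should be kept. The added `\-C` description line also keeps an unescaped hyphen in `\fIscep-submit\fR`, and the `\-v` entry keeps `\fB-v\fR`, where the rest of the hunk uses `\-`. Suggested: `\fIscep\-submit\fR will issue a \fIGetCACert\fR` and `\fB\-v\fR, \fB\-\-verbose\fR`.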

  
@@ -100,7 +100,7 @@ 

  .TP

  0

  if the certificate was issued. The pkcsPKIEnvelope will be printed in

- PEM-encoded form.

+ PEM\-encoded form.

  .TP

  1

  if the CA is still thinking.  A cookie (state) value will be printed.
@@ -131,22 +131,22 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+43 -43
@@ -1,14 +1,14 @@ 

- .TH certmonger 8 "14 June 2015" "certmonger Manual"

+ .TH CERTMONGER 8 "June 14, 2015" "certmonger Manual"

  

  .SH NAME

  certmonger

  

  .SH SYNOPSIS

- certmonger [-s|-S] [-L|-l] [-P SOCKET] [-b TIMEOUT|-B] [-n|-f] [-d LEVEL] [-p FILE] [-F] [-c cmd] [-v]

+ certmonger [\-s|\-S] [\-L|\-l] [\-P PATH] [\-b TIMEOUT|\-B] [\-n|\-f] [\-d LEVEL] [\-p FILE] [\-F] [\-c command] [\-v]

  

  .SH DESCRIPTION

  The \fIcertmonger\fR daemon monitors certificates for impending

- expiration, and can optionally refresh soon-to-be-expired certificates

+ expiration, and can optionally refresh soon\-to\-be\-expired certificates

  with the help of a CA.  If told to, it can drive the entire enrollment

  process from key generation through enrollment and refresh.

  
@@ -17,58 +17,58 @@ 

  

  .SH OPTIONS

  .TP

- -s

+ \fB\-s\fR, \fB\-\-session\fR

  Listen on the session bus rather than the system bus.

  .TP

- -S

+ \fB\-S\fR, \fB\-\-system\fR

  Listen on the system bus rather than the session bus.  This is the default.

  .TP

- -l

+ \fB\-l\fR, \fB\-\-listening\-socket\fR

  Also listen on a private socket for connections from clients running under the

  same UID.

  .TP

- -L

+ \fB\-L\fR, \fB\-\-only\-listening\-socket\fR

  Listen only on a private socket for connections from clients running under the

  same UID, and skip connecting to a bus.

  .TP

- -P

+ \fB\-P\fR \fIPATH\fR, \fB\-\-listening\-socket\-path\fR=\fIPATH\fR

  Specify a location for the private listening socket.  If the location beings

  with a '/' character, it will be prefixed with 'unix:path=', otherwise it will

  be prefixed with 'unix:'.  If this option is not specified, the listening

  socket, if one is created, will be placed in the abstract namespace.

  .TP

- -b TIMEOUT

- Behave as a bus-activated service: if there are no certificates to be monitored

+ \fB\-b \fITIMEOUT\fR, \fR\-\-bus\-activation\-timeout\fB=\fITIMEOUT\fR

+ Behave as a bus\-activated service: if there are no certificates to be monitored

  or obtained, and no requests are received within TIMEOUT seconds, exit.  Not

- compatible with the -c option.

+ compatible with the \-c option.

  .TP

- -B

- Don't behave as a bus-activated service.  This is the default.

+ \fB\-B\fR, \fB\-\-no\-bus\-activation\-timeout\fR

+ Don't behave as a bus\-activated service.  This is the default.

  .TP

- -n

+ \fB\-n\fR, \fB\-\-nofork\fR

  Don't fork, and log messages to stderr rather than syslog.

  .TP

- -f

+ \fB\-f\fR, \fB\-\-fork\fR

  Do fork, and log messages to syslog rather than stderr.  This is the default.

  .TP

- -d LEVEL

- Set debugging level.  Higher values produce more debugging output.  Implies -n.

+ \fB\-d\fR \fILEVEL\fR, \fB\-\-debug\-level\fR=\fILEVEL\fR

+ Set debugging level.  Higher values produce more debugging output.  Implies \-n.

  .TP

- -p FILE

+ \fB\-p\fR \fIFILE\fR, \fBpidfile\fR=\fIFILE\fR

  Store the daemon's process ID in the named file.

  .TP

- -F

+ \fB\-F\fR, \fB\-\-fips\fR

  Force NSS to be initialized in FIPS mode.  The default behavior is to heed

  the setting stored in \fI/proc/sys/crypto/fips_enabled\fR.

  .TP

- -c cmd

+ \fB\-c\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR

  After the service has initialized, run the specified command, then shut down

- the service after the command exits.  If the -l or -L option was also

+ the service after the command exits.  If the \-l or \-L option was also

  specified, the command will be run with the \fI@CERTMONGER_PVT_ADDRESS_ENV@\fR

  environment variable set to the listening socket's location.  Not compatible

- with the -b option.

+ with the \-b option.

  .TP

- -v

+ \fB\-v\fR, \fB\-\-version\fR

  Print version information and exit.

  

  .SH FILES
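Review bot: The `\-p` entry documents its long form as `\fBpidfile\fR=\fIFILE\fR`, without the leading dashes that every other long option in this hunk carries. Assuming the option is spelled like its siblings, the line should be `\fB\-p\fR \fIFILE\fR, \fB\-\-pidfile\fR=\fIFILE\fR`; the spelling should be confirmed against the daemon's option table, which is not visible here.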
@@ -89,24 +89,24 @@ 

  

  .SH SEE ALSO

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+10 -10
@@ -1,18 +1,18 @@ 

- .TH certmonger.conf 5 "12 May 2015" "certmonger Manual"

+ .TH CERTMONGER 5 "May 12, 2015" "certmonger Manual"

  

  .SH NAME

- certmonger.conf - configuration file for certmonger

+ certmonger.conf \- configuration file for certmonger

  

  .SH DESCRIPTION

  The \fIcertmonger.conf\fR file contains default settings used by certmonger.

- Its format is more or less that of a typical INI-style file.  The only sections

+ Its format is more or less that of a typical INI\-style file.  The only sections

  currently of note are named \fIdefaults\fR and \fIselfsign\fR.

  

  .SH DEFAULTS

  Within the \fIdefaults\fR section, these variables and values are recognized:

  

  .IP notify_ttls

- This is the list of times, given in seconds, before a certificate's not-after

+ This is the list of times, given in seconds, before a certificate's not\-after

  validity date

  (often referred to as its expiration time) when \fIcertmonger\fR should warn

  that the certificate will soon no longer be valid.
@@ -20,7 +20,7 @@ 

  of the \fIttls\fR setting.  The default list of values is "@CM_DEFAULT_TTL_LIST@".

  

  .IP enroll_ttls

- This is the list of times, given in seconds, before a certificate's not-after

+ This is the list of times, given in seconds, before a certificate's not\-after

  validity date

  (often referred to as its expiration time) when \fIcertmonger\fR should attempt

  to automatically renew the certificate, if it is configured to do so.
@@ -43,7 +43,7 @@ 

  

  .IP key_type

  This is the type of key pair which will be generated, used in certificate

- signing requests, and used when self-signing certificates.

+ signing requests, and used when self\-signing certificates.

  @NO_MAN_DSA@\fIRSA\fR is supported.

  @MAN_DSA@\fIRSA\fR and \fIDSA\fR are supported.

  @MAN_EC@\fIEC\fR (also known as \fIECDSA\fR) is also supported.
@@ -58,7 +58,7 @@ 

  

  .IP digest

  This is the digest algorithm which will be used when signing certificate

- signing requests and self-signed certificates.  Recognized values include

+ signing requests and self\-signed certificates.  Recognized values include

  \fIsha1\fP, \fIsha256\fP, \fIsha384\fP, and \fIsha512\fP.  The default is

  \fIsha256\fP.  It is not recommended that this value be changed except in cases

  where the default is incompatible with other software.
@@ -95,14 +95,14 @@ 

  Within the \fIselfsign\fR section, these variables and values are recognized:

  

  .IP validity_period

- This is the validity period given to self-signed certificates.

+ This is the validity period given to self\-signed certificates.

  The value is specified as a combination of years (y), months (M), weeks (w),

  days (d), hours (h), minutes (m), and/or seconds (s).  If no unit of time is

  specified, seconds are assumed.

  The default value is \fI@CM_DEFAULT_CERT_LIFETIME@\fR.

  

  .IP populate_unique_id

- This controls whether or not self-signed certificates will have their

+ This controls whether or not self\-signed certificates will have their

  subjectUniqueID and issuerUniqueID fields populated.  While RFC5280 prohibits

  their use, they may be needed and/or used by older applications.  The default

  value is \fI@CM_DEFAULT_POPULATE_UNIQUE_ID@\fR.
@@ -111,7 +111,7 @@ 

  Within the \fIlocal\fR section, these variables and values are recognized:

  

  .IP validity_period

- This is the validity period given to the locally-signed CA's certificate when it

+ This is the validity period given to the locally\-signed CA's certificate when it

  is generated.

  The value is specified as a combination of years (y), months (M), weeks (w),

  days (d), hours (h), minutes (m), and/or seconds (s).  If no unit of time is
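Review bot: The new `.TH` line at the top of this section titles the page `CERTMONGER` in section 5, while the old title was `certmonger.conf` and the NAME section still documents `certmonger.conf`. The rendered header and footer would then read CERTMONGER(5), which is not the page the reader opened. If the aim was only to upper-case the title and normalise the date, keep the page name: `.TH CERTMONGER.CONF 5 "May 12, 2015" "certmonger Manual"`.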

file modified
+24 -24
@@ -1,10 +1,10 @@ 

- .TH certmonger 1 "24 February 2015" "certmonger Manual"

+ .TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"

  

  .SH NAME

  getcert

  

  .SH SYNOPSIS

- getcert add-ca [options]

+ getcert add\-ca [options]

  

  .SH DESCRIPTION

  Adds a CA configuration to \fIcertmonger\fR, which can subsequently be
@@ -12,17 +12,17 @@ 

  

  .SH OPTIONS

  .TP

- \fB\-c\fR NAME

+ \fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR

  The nickname to give to this CA configuration.  This same value can later be

  passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and

- \fIstart-tracking\fR commands using the \fB-c\fR flag.

+ \fIstart\-tracking\fR commands using the \fB\-c\fR flag.

  .TP

- \fB\-e\fR COMMAND

+ \fB\-e\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR

  The helper command to run for communicating with the CA.  The helper will be

  used to pass signing requests to the CA, relay the CA's responses back to the

  \fIcertmonger\fR service, and to read information about the CA.

  .TP

- \fB\-v\fR

+ \fB\-v\fR, \fB\-\-verbose\fR

  Be verbose about errors.  Normally, the details of an error received from

  the daemon will be suppressed if the client can make a diagnostic suggestion.

  
@@ -32,22 +32,22 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+40 -40
@@ -1,64 +1,64 @@ 

- .TH certmonger 1 "24 February 2015" "certmonger Manual"

+ .TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"

  

  .SH NAME

  getcert

  

  .SH SYNOPSIS

- getcert add-scep-ca [options]

+ getcert add\-scep\-ca [options]

  

  .SH DESCRIPTION

  Adds a CA configuration to \fIcertmonger\fR, which can subsequently be used to

- enroll certificates.  The configuration will use the bundled \fIscep-submit\fR

- helper.  The \fIadd-scep-ca\fR command is more or less a wrapper for the

- \fIadd-ca\fR command.

+ enroll certificates.  The configuration will use the bundled \fIscep\-submit\fR

+ helper.  The \fIadd\-scep\-ca\fR command is more or less a wrapper for the

+ \fIadd\-ca\fR command.

  

  .SH OPTIONS

  .TP

- \fB\-c\fR NAME

+ \fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR

  The nickname to give to this CA configuration.  This same value can later be

  passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and

- \fIstart-tracking\fR commands using the \fB-c\fR flag.

+ \fIstart\-tracking\fR commands using the \fB\-c\fR flag.

  .TP

- \fB\-u\fR URL

+ \fB\-u\fR \fIURL\fR, \fB\-\-url\fR=\fIURL\fR

  The location of the SCEP server's enrollment interface.  This option must be

  specified.

  .TP

- \fB\-R\fR ca-certificate-file

- The location of a PEM-formatted copy of the CA's certificate used to verify

+ \fB\-R\fR \fIFILE\fR, \fB\-\-ca\-cacert\fR=\fIFILE\fR

+ The location of a PEM\-formatted copy of the CA's certificate used to verify

  the TLS connection the SCEP server.

  

  This option must be specified if the URL is an \fIhttps\fR location.

  .TP

- \fB\-N\fR ca-certificate-file

- The location of a PEM-formatted copy of the SCEP server's CA certificate.

+ \fB\-N\fR \fIFILE\fR, \fB\-\-signingca\fR=\fIFILE\fR

+ The location of a PEM\-formatted copy of the SCEP server's CA certificate.

  A discovered value is normally supplied by the certmonger daemon, but one can

  be specified for troubleshooting purposes.

  .TP

- \fB\-r\fR ra-certificate-file

- The location of a PEM-formatted copy of the SCEP server's RA's certificate.

+ \fB\-r\fR \fIFILE\fR, \fB\-\-ra\-cert\fR=\fIFILE\fR

+ The location of a PEM\-formatted copy of the SCEP server's RA's certificate.

  A discovered value is normally supplied by the certmonger daemon, but one can

  be specified for troubleshooting purposes.

  .TP

- \fB\-I\fR other-certificates-file

- The location of a file containing other PEM-formatted certificates which may be

+ \fB\-I\fR \fIFILE\fR, \fB\-\-other\-certs\fR=\fIFILE\fR

+ The location of a file containing other PEM\-formatted certificates which may be

  needed in order to properly verify signed responses sent by the SCEP server

  back to the client.  A discovered set is normally supplied by the certmonger

  daemon, but can be specified for troubleshooting purposes.

  .TP

- \fB\-i\fR identifier

+ \fB\-i\fR \fIID\fR, \fB\-\-id\fR=\fIID\fR

  A CA identifier value which will passed to the server when the

- \fIscep-submit\fR helper is used to retrieve copies of the server's

+ \fIscep\-submit\fR helper is used to retrieve copies of the server's

  certificates.

  .TP

- \fB\-n\fR

- The SCEP Renewal feature allows a client with a previously-issued certificate

+ \fB\-n\fR, \fB\-\-non\-renewal\fR

+ The SCEP Renewal feature allows a client with a previously\-issued certificate

  to use that certificate and the associated private key to request a new

  certificate for a different key pair, and can be used to support

  \fIcertmonger\fR's rekeying feature if the SCEP server advertises support for

- it.  This option forces the \fIscep-submit\fR helper to issue requests without

+ it.  This option forces the \fIscep\-submit\fR helper to issue requests without

  making use of this feature.

  .TP

- \fB\-v\fR

+ \fB\-v\fR, \fB\-\-verbose\fR

  Be verbose about errors.  Normally, the details of an error received from

  the daemon will be suppressed if the client can make a diagnostic suggestion.

  
@@ -68,22 +68,22 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+22 -22
@@ -1,17 +1,17 @@ 

- .TH certmonger 1 "3 November 2009" "certmonger Manual"

+ .TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"

  

  .SH NAME

  getcert

  

  .SH SYNOPSIS

- getcert list-cas [options]

+ getcert list\-cas [options]

  

  .SH DESCRIPTION

  Queries \fIcertmonger\fR for a list of known CAs.

  

  .SH OPTIONS

  .TP

- \fB\-c\fR NAME

+ \fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR

  List only information about the CA which has the specified nickname.

  

  .SH BUGS
@@ -20,23 +20,23 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+42 -42
@@ -1,4 +1,4 @@ 

- .TH certmonger 1 "28 June 2016" "certmonger Manual"

+ .TH CERTMONGER 1 "June 28, 2016" "certmonger Manual"

  

  .SH NAME

  getcert
@@ -12,35 +12,35 @@ 

  

  .SH ENROLLMENT OPTIONS

  .TP

- \fB\-c\fR NAME

+ \fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR

  List only entries which use the specified CA.  The name of the CA should

- correspond to one listed by \fIgetcert list-cas\fR.

+ correspond to one listed by \fIgetcert list\-cas\fR.

  

  .SH LISTING OPTIONS

  .TP

- \fB\-r\fR

+ \fB\-r\fR, \fB\-\-requests\-only\fR

  List only entries which are either currently being enrolled or refreshed.

  .TP

- \fB\-t\fR

+ \fB\-t\fR, \fB\-\-tracking\-only\fR

  List only entries which are not currently being enrolled or refreshed.

  .TP

- \fB\-u\fR|\fB--utc\fR

+ \fB\-u\fR, \fB\-\-utc\fR

  Display timestamps in UTC instead of local time.

  

  .TP

- \fB\-d\fR DIR

+ \fB\-d\fR \fBDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR

  List only entries which use an NSS database in the specified directory

  for storing the certificate.

  .TP

- \fB\-n\fR NAME

+ \fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR

  List only tracking requests which use an NSS database and the specified

  nickname for storing the certificate.

  .TP

- \fB\-f\fR FILE

+ \fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR

  List only tracking requests which specify that the certificate should be

  stored in the specified file.

  .TP

- \fB\-i\fR NAME

+ \fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR

  List only tracking requests which use this request nickname.

  

  .SH STATES
@@ -53,11 +53,11 @@ 

  .TP

  NEED_KEY_GEN_PERMS

  The service encountered a filesystem permission error while attempting

- to save the newly-generated key pair.

+ to save the newly\-generated key pair.

  .TP

  NEED_KEY_GEN_PIN

  The service is missing the PIN which is required to access an NSS

- database in order to save the newly-generated key pair, or it has an

+ database in order to save the newly\-generated key pair, or it has an

  incorrect PIN for a database.

  .TP

  NEED_KEY_GEN_TOKEN
@@ -75,7 +75,7 @@ 

  .TP

  NEED_KEYINFO_READ_PIN

  The service is missing the PIN which is required to access an NSS

- database in order to read information about the newly-generated key pair, or

+ database in order to read information about the newly\-generated key pair, or

  it has an incorrect PIN for a database, or has an incorrect password for

  accessing a key stored in encrypted PEM format.

  .TP
@@ -161,8 +161,8 @@ 

  issued certificate to the location where it has been told to save it.

  .TP

  PRE_SAVE_CERT

- The service is running a configured pre-saving command before saving the

- newly-issued certificate to the location where it has been told to save

+ The service is running a configured pre\-saving command before saving the

+ newly\-issued certificate to the location where it has been told to save

  it.

  .TP

  START_SAVING_CERT
@@ -175,16 +175,16 @@ 

  .TP

  NEED_CERTSAVE_PERMS

  The service encountered a filesystem permission error while attempting

- to save the newly-issued certificate to the location where it has been

+ to save the newly\-issued certificate to the location where it has been

  told to save it.

  .TP

  NEED_CERTSAVE_TOKEN

- The service is unable to find the token in which the newly-issued

+ The service is unable to find the token in which the newly\-issued

  certificate is to be stored.

  .TP

  NEED_CERTSAVE_PIN

  The service is missing the PIN which is required to access an NSS

- database in order to save the newly-issued certificate to the location

+ database in order to save the newly\-issued certificate to the location

  where it has been told to save it.

  .TP

  NEED_TO_SAVE_CA_CERTS
@@ -231,22 +231,22 @@ 

  them.

  .TP

  POST_SAVED_CERT

- The service is running a configured post-saving command after saving the

- newly-issued certificate to the location where it has been told to save

+ The service is running a configured post\-saving command after saving the

+ newly\-issued certificate to the location where it has been told to save

  them.

  .TP

  MONITORING

  The service is monitoring the certificate and waiting for its

- not-valid-after date to approach.  This is expected to be the status

+ not\-valid\-after date to approach.  This is expected to be the status

  most often seen.

  .TP

  NEED_TO_NOTIFY_VALIDITY

  The service is about to notify the system administrator that the

- certificate's not-valid-after date is approaching.

+ certificate's not\-valid\-after date is approaching.

  .TP

  NOTIFYING_VALIDITY

  The service is notifying the system administrator that the certificate's

- not-valid-after date is approaching.

+ not\-valid\-after date is approaching.

  .TP

  NEED_TO_NOTIFY_REJECTION

  The service is about to notify the system administrator that the
@@ -350,23 +350,23 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)
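Review bot: In the LISTING OPTIONS hunk, the new `-d` entry sets the short-form argument in bold, `\fB\-d\fR \fBDIR\fR`, although the long form on the same line uses `\fIDIR\fR`. Every other option argument added in this section is italic. Bold marks literal text in these pages, so the placeholder reads as something to type verbatim. The line should be `\fB\-d\fR \fIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR`.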

file modified
+23 -23
@@ -1,23 +1,23 @@ 

- .TH certmonger 1 "24 February 2015" "certmonger Manual"

+ .TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"

  

  .SH NAME

  getcert

  

  .SH SYNOPSIS

- getcert modify-ca [options]

+ getcert modify\-ca [options]

  

  .SH DESCRIPTION

  Modifies the helper command in a \fIcertmonger\fR CA configuration.

  

  .SH OPTIONS

  .TP

- \fB\-c\fR NAME

+ \fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR

  The nickname of the CA configuration to modify.

  .TP

- \fB\-e\fR COMMAND

+ \fB\-e\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR

  The new helper command to run for communicating with the CA.

  .TP

- \fB\-v\fR

+ \fB\-v\fR, \fB\-\-verbose\fR

  Be verbose about errors.  Normally, the details of an error received from

  the daemon will be suppressed if the client can make a diagnostic suggestion.

  
@@ -27,22 +27,22 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+25 -25
@@ -1,21 +1,21 @@ 

- .TH certmonger 1 "29 May 2014" "certmonger Manual"

+ .TH CERTMONGER 1 "May 29, 2014" "certmonger Manual"

  

  .SH NAME

  getcert

  

  .SH SYNOPSIS

- getcert refresh-ca [options]

+ getcert refresh\-ca [options]

  

  .SH DESCRIPTION

  Forces \fIcertmonger\fR to refresh information specific to a CA, such as

- locally-stored copies of its certificates.

+ locally\-stored copies of its certificates.

  

  .SH OPTIONS

  .TP

- \fB\-c\fR NAME

+ \fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR

  Refresh information about the CA which has the specified nickname.

  .TP

- \fB\-a\fR

+ \fB\-a\fR, \fB\-\-all\fR

  Refresh information about all known CAs.

  

  .SH BUGS
@@ -24,24 +24,24 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+26 -26
@@ -1,4 +1,4 @@ 

- .TH certmonger 1 "21 July 2014" "certmonger Manual"

+ .TH CERTMONGER 1 "July 24, 2014" "certmonger Manual"

  

  .SH NAME

  getcert
@@ -13,7 +13,7 @@ 

  

  .SH SPECIFYING REQUESTS BY NICKNAME

  .TP

- \fB\-i\fR NAME

+ \fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR

  Check on the status of the signing request which has this nickname.

  If this option is not specified, and a tracking entry which matches the

  certificate storage options which are specified already exists, that entry
@@ -23,24 +23,24 @@ 

  

  .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION

  .TP

- \fB\-d\fR DIR

+ \fB\-d\fR \rIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR

  The certificate is in the NSS database in the specified directory.

  .TP

- \fB\-n\fR NAME

+ \fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR

  The certificate in the NSS database named with \fB\-d\fR has the specified

  nickname.  Only valid with \fB\-d\fR.

  .TP

- \fB\-t\fR TOKEN

+ \fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR

  If the NSS database has more than one token available, the certificate

  is stored in this token.  This argument only rarely needs to be specified.

  Only valid with \fB\-d\fR.

  .TP

- \fB\-f\fR FILE

+ \fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR

  The certificate is stored in the named file.

  

  .SH OPTIONS

  .TP

- \fB\-a\fR

+ \fB\-a\fR, \fB\-\-all\fR

  Refresh information about all requests for which the service will need to

  attempt to contact the CA again.

  
@@ -50,23 +50,23 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)
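Review bot: The new `-d` entry under SPECIFYING REQUESTS BY CERTIFICATE LOCATION contains `\rIDIR\fR`, where `\r` is a reverse vertical motion in roff rather than a font change. The argument would render as the literal text "IDIR", shifted, instead of an italic DIR. The line should be `\fB\-d\fR \fIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR`. The `.TH` line in the first hunk of this section also changes the day from 21 to 24 while reformatting the date, so it is worth confirming that was intended.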

file modified
+59 -48
@@ -1,4 +1,4 @@ 

- .TH certmonger 1 "31 July 2015" "certmonger Manual"

+ .TH CERTMONGER 1 "July 31, 2015" "certmonger Manual"

  

  .SH NAME

  getcert
@@ -13,7 +13,7 @@ 

  

  .SH SPECIFYING REQUESTS BY NICKNAME

  .TP

- \fB\-i\fR NAME

+ \fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR

  The new key pair will be generated and the new certificate will be obtained for

  the tracking request which has this nickname.  If this option is not specified,

  and a tracking entry which matches the key and certificate storage options
@@ -23,62 +23,61 @@ 

  

  .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION

  .TP

- \fB\-d\fR DIR

+ \fB\-d\fR \fIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR

  The certificate is in the NSS database in the specified directory.

  .TP

- \fB\-n\fR NAME

+ \fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR

  The certificate in the NSS database named with \fB\-d\fR has the specified

  nickname.  Only valid with \fB\-d\fR.

  .TP

- \fB\-t\fR TOKEN

+ \fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR

  If the NSS database has more than one token available, the certificate

  is stored in this token.  This argument only rarely needs to be specified.

  Only valid with \fB\-d\fR.

  .TP

- \fB\-f\fR FILE

+ \fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR

  The certificate is stored in the named file.

  

  .SH KEY GENERATION OPTIONS

  .TP

- \fB\-G\fR TYPE

+ \fB\-G\fR \fITYPE\fR, \fB\-\-key\-type\fR=\fITYPE\fR

  In case a new key pair needs to be generated, this option specifies the

  type of the keys to be generated.  If not specified, the current key type

  will be used.

  .TP

- \fB\-g\fR BITS

+ \fB\-g\fR \fIBITS\fR, \fB\-\-key\-size\fR=\fIBITS\fR

  This option specifies the size of the new key to be generated.  If not

  specified, a key of the same size as the existing key will be generated.

  

- \fB\-c\fR NAME

  .SH ENROLLMENT OPTIONS

  .TP

- \fB\-c\fR NAME

+ \fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR

  Submit the new signing request to the specified CA rather than the one which

  was previously associated with this certificate.  The name of

- the CA should correspond to one listed by \fIgetcert list-cas\fR.

+ the CA should correspond to one listed by \fIgetcert list\-cas\fR.

  .TP

- \fB\-T\fR NAME

+ \fB\-T\fR \fINAME, \fB\-\-profile\fR=\fINAME\fR

  Request a certificate using the named profile, template, or certtype,

  from the specified CA.

  .TP

- \fB\-\-ms-template-spec\fR SPEC

+ \fB\-\-ms\-template\-spec\fR \fISPEC\fR

  Include a V2 Certificate Template extension in the signing request.

  This datum includes an Object Identifier, a major version number

  (positive integer) and an optional minor version number.  The format

  is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.

  .TP

- \fB\-X\fR NAME

+ \fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR

  Request a certificate using the named issuer from the specified CA.

  .TP

- \fB\-I\fR NAME

+ \fB\-I\fR \fINAME\fR, \fB\-\-new\-id\fR=\fINAME\fR

  Assign the specified nickname to this task, replacing the previous nickname.

  

  .SH SIGNING REQUEST OPTIONS

  .TP

- \fB\-N\fR NAME

+ \fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR

  Change the subject name to include in the signing request.

  .TP

- \fB\-u\fR keyUsage

+ \fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR

  Add an extensionRequest for the specified keyUsage to the

  signing request.  The keyUsage value is expected to be one of these names:

  
@@ -100,62 +99,74 @@ 

  

  decipherOnly

  .TP

- \fB\-U\fR EKU

+ \fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR

  Change the extendedKeyUsage value specified in an extendedKeyUsage

  extension part of the extensionRequest attribute in the signing

  request.  The EKU value is expected to be an object identifier (OID).

  .TP

- \fB\-K\fR NAME

+ \fB\-K\fR \fINAME\fB, \fB\-\-ca\fR=\fINAME\fR

  Change the Kerberos principal name specified as part of a subjectAltName

  extension part of the extensionRequest attribute in the signing request.

  .TP

- \fB\-E\fR EMAIL

+ \fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR

  Change the email address specified as part of a subjectAltName

  extension part of the extensionRequest attribute in the signing request.

  .TP

- \fB\-D\fR DNSNAME

+ \fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR

  Change the DNS name specified as part of a subjectAltName extension part of the

  extensionRequest attribute in the signing request.

  .TP

- \fB\-A\fR ADDRESS

+ \fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR

  Change the IP address specified as part of a subjectAltName extension part of

  the extensionRequest attribute in the signing request.

  .TP

- \fB\-l\fR FILE

+ \fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fINAME\fR

  Add an optional ChallengePassword value, read from the file, to the signing

  request.  A ChallengePassword is often required when the CA is accessed using

  SCEP.

  .TP

- \fB\-L\fR PIN

+ \fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR

  Add the argument value to the signing request as a ChallengePassword attribute.

  A ChallengePassword is often required when the CA is accessed using SCEP.

  

  .SH OTHER OPTIONS

  .TP

- \fB\-B\fR COMMAND

+ \fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR

  When ever the certificate or the CA's certificates are saved to the

  specified locations, run the specified command as the client user before

  saving the certificates.

  .TP

- \fB\-C\fR COMMAND

+ \fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR

  When ever the certificate or the CA's certificates are saved to the

  specified locations, run the specified command as the client user after

  saving the certificates.

  .TP

- \fB\-a\fR DIR

+ \fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR

  When ever the certificate is saved to the specified location, if root

  certificates for the CA are available, save them to the specified NSS database.

  .TP

- \fB\-F\fR FILE

+ \fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR

  When ever the certificate is saved to the specified location, if root

  certificates for the CA are available, and when the local copies of the

  CA's root certificates are updated, save them to the specified file.

  .TP

- \fB\-w\fR

+ \fB\-\-for\-ca\fR

+ Request a CA certificate.

+ .TP

+ \fB\-\-not\-for\-ca\fR

+ Request a non\-CA certificate (the default).

+ .TP

+ \fB\-\-ca\-path\-length\fR=\fILENGTH\fR

+ Path length for CA certificate. Only valid with \-\-for\-ca.

+ .TP

+ \fB\-w\fR, \fB\-\-wait\fR

  Wait for the new certificate to be issued and saved, or for the attempt to obtain

  one using the new key to fail.

  .TP

- \fB\-v\fR

+ \fB\-\-wait\-timeout\fR=\fITIMEOUT\fR

+ Maximum time to wait for the certificate to be issued.

+ .TP

+ \fB\-v\fR \fB\-\-verbose\fR

  Be verbose about errors.  Normally, the details of an error received from

  the daemon will be suppressed if the client can make a diagnostic suggestion.

  
@@ -165,22 +176,22 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+22 -22
@@ -1,10 +1,10 @@ 

- .TH certmonger 1 "24 February 2015" "certmonger Manual"

+ .TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"

  

  .SH NAME

  getcert

  

  .SH SYNOPSIS

- getcert remove-ca [options]

+ getcert remove\-ca [options]

  

  .SH DESCRIPTION

  Remove a CA configuration from \fIcertmonger\fR.  Enrollment requests which
@@ -12,10 +12,10 @@ 

  

  .SH OPTIONS

  .TP

- \fB\-c\fR NAME

+ \fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR

  The nickname of the CA configuration to remove.

  .TP

- \fB\-v\fR

+ \fB\-v\fR, \fB\-\-verbose\fR

  Be verbose about errors.  Normally, the details of an error received from

  the daemon will be suppressed if the client can make a diagnostic suggestion.

  
@@ -25,22 +25,22 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+90 -68
@@ -1,4 +1,4 @@ 

- .TH certmonger 1 "9 February 2015" "certmonger Manual"

+ .TH CERTMONGER 1 "February 9, 2015" "certmonger Manual"

  

  .SH NAME

  getcert
@@ -14,87 +14,87 @@ 

  

  .SH KEY AND CERTIFICATE STORAGE OPTIONS

  .TP

- \fB\-d\fR DIR

+ \fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR

  Use an NSS database in the specified directory for storing this

  certificate and key.

  .TP

- \fB\-n\fR NAME

+ \fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR

  Use the key with this nickname to generate the signing request.  If no

  such key is found, generate one.  Give the enrolled certificate this

  nickname, too.

  Only valid with \fB\-d\fR.

  .TP

- \fB\-t\fR TOKEN

+ \fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR

  If the NSS database has more than one token available, use the token

  with this name for storing and accessing the certificate and key.  This

  argument only rarely needs to be specified.

  Only valid with \fB\-d\fR.

  .TP

- \fB\-f\fR FILE

+ \fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR

  Store the issued certificate in this file.  For safety's sake, do not

  use the same file specified with the \fB\-k\fR option.

  .TP

- \fB\-k\fR FILE

+ \fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR

  Use the key stored in this file to generate the signing request.  If no

  such file is found, generate a new key pair and store them in the file.

  Only valid with \fB\-f\fR.

  

  .SH KEY ENCRYPTION OPTIONS

  .TP

- \fB\-p\fR FILE

+ \fB\-p\fR \fIFILE\fR, \fB\-\-pinfile\fR=\fIFILE\fR

  Encrypt private key files or databases using the PIN stored in the named

  file as the passphrase.

  .TP

- \fB\-P\fR PIN

+ \fB\-P\fR \fIPIN\fR, \fB\-\-pin\fR=\fIPIN\fR

  Encrypt private key files or databases using the specified PIN as the

- passphrase.  Because command-line arguments to running processes are

+ passphrase.  Because command\-line arguments to running processes are

  trivially discoverable, use of this option is not recommended except

  for testing.

  

  .SH KEY GENERATION OPTIONS

  .TP

- \fB\-G\fR TYPE

+ \fB\-G\fR \fITYPE\fR, \fB\-\-key\-type\fR=\fITYPE\fR

  In case a new key pair needs to be generated, this option specifies the

  type of the keys to be generated.  If not specified, a reasonable default

  (currently \fIRSA\fR) will be used.

  .TP

- \fB\-g\fR BITS

+ \fB\-g\fR \fIBITS\fR, \fB\-\-key\-size\fR=\fIBITS\fR

  In case a new key pair needs to be generated, this option specifies the

  size of the key.  If not specified, a reasonable default (currently

  @CM_DEFAULT_PUBKEY_SIZE@ bits) will be used.

  

  .SH TRACKING OPTIONS

  .TP

- \fB\-r\fR

+ \fB\-r\fR, \fB\-\-renew\fR

  Attempt to obtain a new certificate from the CA when the expiration date of a

  certificate nears.  This is the default setting.

  .TP

- \fB\-R\fR

+ \fB\-R\fR, \fB\-\-no\-renew\fR

  Don't attempt to obtain a new certificate from the CA when the expiration date

  of a certificate nears.  If this option is specified, an expired certificate

  will simply stay expired.

  .TP

- \fB\-I\fR NAME

+ \fB\-I\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR

  Assign the specified nickname to this task.  If this option is not specified,

  a name will be assigned automatically.

  

  .SH ENROLLMENT OPTIONS

  .TP

- \fB\-c\fR NAME

+ \fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR

  Enroll with the specified CA rather than a possible default.  The name of

- the CA should correspond to one listed by \fIgetcert list-cas\fR.

+ the CA should correspond to one listed by \fIgetcert list\-cas\fR.

  .TP

- \fB\-T\fR NAME

+ \fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR

  Request a certificate using the named profile, template, or certtype,

  from the specified CA.

  .TP

- \fB\-\-ms-template-spec\fR SPEC

+ \fB\-\-ms\-template\-spec\fR \fISPEC\fR

  Include a V2 Certificate Template extension in the signing request.

  This datum includes an Object Identifier, a major version number

  (positive integer) and an optional minor version number.  The format

  is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.

  .TP

- \fB\-X\fR NAME

+ \fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR

  Request a certificate using the named issuer from the specified CA.

  

  .SH SIGNING REQUEST OPTIONS
@@ -108,11 +108,11 @@ 

  multiple times to set multiple subjectAltName of the same type.

  

  .TP

- \fB\-N\fR NAME

+ \fB\-N\fR \fINAME\fR, , \fB\-\-subject\-name\fR=\fINAME\fR

  Set the subject name to include in the signing request.  The default

  used is CN=\fIhostname\fR, where \fIhostname\fR is the local hostname.

  .TP

- \fB\-u\fR keyUsage

+ \fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR

  Add an extensionRequest for the specified keyUsage to the

  signing request.  The keyUsage value is expected to be one of these names:

  
@@ -134,92 +134,114 @@ 

  

  decipherOnly

  .TP

- \fB\-U\fR EKU

+ \fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR

  Add an extensionRequest for the specified extendedKeyUsage to the

  signing request.  The EKU value is expected to be an object identifier

  (OID), but some specific names are also recognized.  These are some

  names and their associated OID values:

  

- id-kp-serverAuth 1.3.6.1.5.5.7.3.1

+ id\-kp\-serverAuth 1.3.6.1.5.5.7.3.1

  

- id-kp-clientAuth 1.3.6.1.5.5.7.3.2

+ id\-kp\-clientAuth 1.3.6.1.5.5.7.3.2

  

- id-kp-codeSigning 1.3.6.1.5.5.7.3.3

+ id\-kp\-codeSigning 1.3.6.1.5.5.7.3.3

  

- id-kp-emailProtection 1.3.6.1.5.5.7.3.4

+ id\-kp\-emailProtection 1.3.6.1.5.5.7.3.4

  

- id-kp-timeStamping 1.3.6.1.5.5.7.3.8

+ id\-kp\-timeStamping 1.3.6.1.5.5.7.3.8

  

- id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9

+ id\-kp\-OCSPSigning 1.3.6.1.5.5.7.3.9

  

- id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4

+ id\-pkinit\-KPClientAuth 1.3.6.1.5.2.3.4

  

- id-pkinit-KPKdc 1.3.6.1.5.2.3.5

+ id\-pkinit\-KPKdc 1.3.6.1.5.2.3.5

  

- id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2

+ id\-ms\-kp\-sc\-logon 1.3.6.1.4.1.311.20.2.2

  .TP

- \fB\-K\fR NAME

+ \fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR

  Add an extensionRequest for a subjectAltName, with the specified Kerberos

  principal name as its value, to the signing request.

  .TP

- \fB\-E\fR EMAIL

+ \fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR

  Add an extensionRequest for a subjectAltName, with the specified email

  address as its value, to the signing request.

  .TP

- \fB\-D\fR DNSNAME

+ \fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR

  Add an extensionRequest for a subjectAltName, with the specified DNS name

  as its value, to the signing request.

  .TP

- \fB\-A\fR ADDRESS

+ \fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR

  Add an extensionRequest for a subjectAltName, with the specified IP address

  as its value, to the signing request.

  .TP

- \fB\-l\fR FILE

+ \fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR

  Add an optional ChallengePassword value, read from the file, to the signing

  request.  A ChallengePassword is often required when the CA is accessed using

  SCEP.

  .TP

- \fB\-L\fR PIN

+ \fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR

  Add the argument value to the signing request as a ChallengePassword attribute.

  A ChallengePassword is often required when the CA is accessed using SCEP.

  

  .SH OTHER OPTIONS

  .TP

- \fB\-B\fR COMMAND

+ \fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR

  When ever the certificate or the CA's certificates are saved to the

  specified locations, run the specified command as the client user before

  saving the certificates.

  .TP

- \fB\-C\fR COMMAND

+ \fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR

  When ever the certificate or the CA's certificates are saved to the

  specified locations, run the specified command as the client user after

  saving the certificates.

  .TP

- \fB\-a\fR DIR

+ \fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR

  When ever the certificate is saved to the specified location, if root

  certificates for the CA are available, save them to the specified NSS database.

  .TP

- \fB\-F\fR FILE

+ \fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR

  When ever the certificate is saved to the specified location, if root

  certificates for the CA are available, and when the local copies of the

  CA's root certificates are updated, save them to the specified file.

  .TP

- \fB\-w\fR

+ \fB\-\-for\-ca\fR

+ Request a CA certificate.

+ .TP

+ \fB\-\-not\-for\-ca\fR

+ Request a non\-CA certificate (the default).

+ .TP

+ \fB\-\-ca\-path\-length\fR=\fILENGTH\fR

+ Path length for CA certificate. Only valid with \-\-for\-ca.

+ .TP

+ \fB\-w\fR, \fB\-\-wait\fR

  Wait for the certificate to be issued and saved, or for the attempt to obtain

  one to fail.

  .TP

- \fB\-v\fR

+ \fB\-\-wait\-timeout\fR=\fITIMEOUT\fR

+ Maximum time to wait for the certificate to be issued.

+ .TP

+ \fB\-v\fR, \fB\-\-verbose\fR

  Be verbose about errors.  Normally, the details of an error received from

  the daemon will be suppressed if the client can make a diagnostic suggestion.

- \fB\-o\fR OWNER, --key-owner=OWNER

+ .TP

+ \fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR

  After generation set the owner on the private key file or database to OWNER.

- \fB\-m\fR MODE, --key-perms=MODE

+ .TP

+ \fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR

  After generation set the file permissions on the private key file or database to MODE.

- \fB\-O\fR OWNER, --cert-owner=OWNER

+ .TP

+ \fB\-O\fR \fIOWNER\fR, \fR\-\-cert\-owner\fR=\fIOWNER\fR

  After generation set the owner on the certificate file or database to OWNER.

- \fB\-M\fR MODE, --cert-perms=MODE

+ .TP

+ \fB\-M\fR \fIMODE\fR, \fR\-\-cert\-perms\fR=\fIMODE\fR

  After generation set the file permissions on the certificate file or database to MODE.

- 

+ .SH BUS OPTIONS

+ \fB\-s\fR, \fB\-\-session\fR

+ Connect to certmonger on the session bus rather than the system bus.

+ .TP

+ \fB\-S\fR, \fB\-\-system\fR

+ Connect to certmonger on the system bus rather than the session bus.  This

+ is the default.

  .SH NOTES

  Locations specified for key and certificate storage need to be

  accessible to the \fIcertmonger\fR daemon process.  When run as a system
@@ -227,7 +249,7 @@ 

  as SELinux, the system policy must ensure that the daemon is allowed to

  access the locations where certificates and keys that it will manage

  will be stored (these locations are typically labeled as \fIcert_t\fR or

- an equivalent).  More SELinux-specific information can be found in the

+ an equivalent).  More SELinux\-specific information can be found in the

  \fIselinux.txt\fR documentation file for this package.

  

  .SH BUGS
@@ -236,23 +258,23 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)
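Review bot: The `-L`/`--challenge-password=PIN` entry under SIGNING REQUEST OPTIONS has no caveat about passing the secret as an argument, although the `-P`/`--pin` entry on this same page warns that command-line arguments to running processes are trivially discoverable. The SCEP challenge password is exposed in the same way, so the entry should carry the same warning and point at the file-based option, e.g. `Because command\-line arguments to running processes are trivially discoverable, prefer \fB\-l\fR except for testing.` The same `-L` entry appears in the other getcert pages touched by this pull request and would need the same sentence. Separately, in this section `.SH BUS OPTIONS` is followed directly by the `-s` entry with no `.TP`, the `-N` line has a doubled comma, and `--dbdir`, `--nickname`, `--cert-owner` and `--cert-perms` open with `\fR` where the other long options use `\fB`.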

file modified
+62 -50
@@ -1,4 +1,4 @@ 

- .TH certmonger 1 "9 February 2015" "certmonger Manual"

+ .TH CERTMONGER 1 "February 9, 2015" "certmonger Manual"

  

  .SH NAME

  getcert
@@ -12,7 +12,7 @@ 

  

  .SH SPECIFYING REQUESTS BY NICKNAME

  .TP

- \fB\-i\fR NAME

+ \fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR

  Resubmit a signing request for the tracking request which has this nickname.

  If this option is not specified, and a tracking entry which matches the key

  and certificate storage options which are specified already exists, that entry
@@ -22,50 +22,50 @@ 

  

  .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION

  .TP

- \fB\-d\fR DIR

+ \fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR

  The certificate is in the NSS database in the specified directory.

  .TP

- \fB\-n\fR NAME

+ \fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR

  The certificate in the NSS database named with \fB\-d\fR has the specified

  nickname.  Only valid with \fB\-d\fR.

  .TP

- \fB\-t\fR TOKEN

+ \fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR

  If the NSS database has more than one token available, the certificate

  is stored in this token.  This argument only rarely needs to be specified.

  Only valid with \fB\-d\fR.

  .TP

- \fB\-f\fR FILE

+ \fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR

  The certificate is stored in the named file.

  

  .SH ENROLLMENT OPTIONS

  .TP

- \fB\-c\fR NAME

+ \fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR

  Submit the new signing request to the specified CA rather than the one which

  was previously associated with this certificate.  The name of

- the CA should correspond to one listed by \fIgetcert list-cas\fR.

+ the CA should correspond to one listed by \fIgetcert list\-cas\fR.

  .TP

- \fB\-T\fR NAME

+ \fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR

  Request a certificate using the named profile, template, or certtype,

  from the specified CA.

  .TP

- \fB\-\-ms-template-spec\fR SPEC

+ \fB\-\-ms\-template\-spec\fR \fISPEC\fR

  Include a V2 Certificate Template extension in the signing request.

  This datum includes an Object Identifier, a major version number

  (positive integer) and an optional minor version number.  The format

  is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.

  .TP

- \fB\-X\fR NAME

+ \fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR

  Request a certificate using the named issuer from the specified CA.

  .TP

- \fB\-I\fR NAME

+ \fB\-I\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR

  Assign the specified nickname to this task, replacing the previous nickname.

  

  .SH SIGNING REQUEST OPTIONS

  .TP

- \fB\-N\fR NAME

+ \fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR

  Change the subject name to include in the signing request.

  .TP

- \fB\-u\fR keyUsage

+ \fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR

  Add an extensionRequest for the specified keyUsage to the

  signing request.  The keyUsage value is expected to be one of these names:

  
@@ -87,71 +87,83 @@ 

  

  decipherOnly

  .TP

- \fB\-U\fR EKU

+ \fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR

  Change the extendedKeyUsage value specified in an extendedKeyUsage

  extension part of the extensionRequest attribute in the signing

  request.  The EKU value is expected to be an object identifier (OID).

  .TP

- \fB\-K\fR NAME

+ \fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR

  Change the Kerberos principal name specified as part of a subjectAltName

  extension part of the extensionRequest attribute in the signing request.

  .TP

- \fB\-E\fR EMAIL

+ \fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR

  Change the email address specified as part of a subjectAltName

  extension part of the extensionRequest attribute in the signing request.

  .TP

- \fB\-D\fR DNSNAME

+ \fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR

  Change the DNS name specified as part of a subjectAltName extension part of the

  extensionRequest attribute in the signing request.

  .TP

- \fB\-A\fR ADDRESS

+ \fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR

  Change the IP address specified as part of a subjectAltName extension part of

  the extensionRequest attribute in the signing request.

  .TP

- \fB\-l\fR FILE

+ \fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR

  Add an optional ChallengePassword value, read from the file, to the signing

  request.  A ChallengePassword is often required when the CA is accessed using

  SCEP.

  .TP

- \fB\-L\fR PIN

+ \fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR

  Add the argument value to the signing request as a ChallengePassword attribute.

  A ChallengePassword is often required when the CA is accessed using SCEP.

  

  .SH OTHER OPTIONS

  .TP

- \fB\-B\fR COMMAND

+ \fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR

  When ever the certificate or the CA's certificates are saved to the

  specified locations, run the specified command as the client user before

  saving the certificates.

  .TP

- \fB\-C\fR COMMAND

+ \fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR

  When ever the certificate or the CA's certificates are saved to the

  specified locations, run the specified command as the client user after

  saving the certificates.

  .TP

- \fB\-a\fR DIR

+ \fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR

  When ever the certificate is saved to the specified location, if root

  certificates for the CA are available, save them to the specified NSS database.

  .TP

- \fB\-F\fR FILE

+ \fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR

  When ever the certificate is saved to the specified location, if root

  certificates for the CA are available, and when the local copies of the

  CA's root certificates are updated, save them to the specified file.

  .TP

- \fB\-w\fR

+ \fB\-\-for\-ca\fR

+ Request a CA certificate.

+ .TP

+ \fB\-\-not\-for\-ca\fR

+ Request a non\-CA certificate (the default).

+ .TP

+ \fB\-\-ca\-path\-length\fR=\fILENGTH\fR

+ Path length for CA certificate. Only valid with \-\-for\-ca.

+ .TP

+ \fB\-w\fR, \fB\-\-wait\fR

  Wait for the certificate to be reissued and saved, or for the attempt to obtain

  one to fail.

  .TP

- \fB\-v\fR

+ \fB\-\-wait\-timeout\fR=\fITIMEOUT\fR

+ Maximum time to wait for the certificate to be issued.

+ .TP

+ \fB\-v\fR, \fB\-\-verbose\fR

  Be verbose about errors.  Normally, the details of an error received from

  the daemon will be suppressed if the client can make a diagnostic suggestion.

- \fB\-o\fR OWNER, --key-owner=OWNER

+ \fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR

  After generation set the owner on the private key file or database to OWNER.

- \fB\-m\fR MODE, --key-perms=MODE

+ \fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR

  After generation set the file permissions on the private key file or database to MODE.

- \fB\-O\fR OWNER, --cert-owner=OWNER

+ \fB\-O\fR \fIOWNER\fR, \fB\-\-cert\-owner\fR=\fIOWNER\fR

  After generation set the owner on the certificate file or database to OWNER.

- \fB\-M\fR MODE, --cert-perms=MODE

+ \fB\-M\fR \fIMODE\fR, \fB\-\-cert\-perms\fR=\fIMODE\fR

  After generation set the file permissions on the certificate file or database to MODE.

  

  .SH BUGS
@@ -160,23 +172,23 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)
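Review bot: In ENROLLMENT OPTIONS the `-I` entry gives its long form as `--id`, which this same page already assigns to `-i` under SPECIFYING REQUESTS BY NICKNAME; one of the two is presumably wrong. The start-tracking page in this pull request pairs `-I` with `--new-id`, so the line probably should read `\fB\-I\fR \fINAME\fR, \fB\-\-new\-id\fR=\fINAME\fR`; confirm against the option table in the client source, which is not shown here. Also, the `-o`/`-m`/`-O`/`-M` entries at the end of OTHER OPTIONS gained no `.TP` in this section, unlike the same entries in the preceding file section, so they will run on as part of the `-v` paragraph.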

file modified
+75 -60
@@ -1,13 +1,13 @@ 

- .TH certmonger 1 "9 February 2015" "certmonger Manual"

+ .TH CERTMONGER 1 "February 9, 2015" "certmonger Manual"

  

  .SH NAME

  getcert

  

  .SH SYNOPSIS

- getcert start-tracking [options]

+ getcert start\-tracking [options]

  

  .SH DESCRIPTION

- Tells \fIcertmonger\fR to monitor an already-issued certificate.

+ Tells \fIcertmonger\fR to monitor an already\-issued certificate.

  Optionally, when the certificate nears expiration, use an existing key

  pair (or to generate one if one is not already found in the specified

  location), to generate a signing request using the key pair and to
@@ -15,7 +15,7 @@ 

  

  .SH SPECIFYING EXISTING REQUESTS

  .TP

- \fB\-i\fR NAME

+ \fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR

  Modify the request which has this nickname.  If this option is not specified,

  and a tracking entry which matches the key and certificate storage options

  which are specified already exists, that entry will be modified.  Otherwise, a
@@ -23,27 +23,27 @@ 

  

  .SH KEY AND CERTIFICATE STORAGE OPTIONS

  .TP

- \fB\-d\fR DIR

+ \fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR

  Use an NSS database in the specified directory for reading this

  certificate and, if possible, the corresponding key.

  .TP

- \fB\-n\fR NAME

+ \fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR

  Use the certificate with this nickname, and if a private key with the

  same nickname or which corresponds to the certificate is available, to

  use it, too.

  Only valid with \fB\-d\fR.

  .TP

- \fB\-t\fR TOKEN

+ \fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR

  If the NSS database has more than one token available, use the token

  with this name for accessing the certificate and key.  This argument

  only rarely needs to be specified.

  Only valid with \fB\-d\fR.

  .TP

- \fB\-f\fR FILE

+ \fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR

  Read the certificate from this file.  For safety's sake, do not use the

  same file specified with the \fB\-k\fR option.

  .TP

- \fB\-k\fR FILE

+ \fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR

  Use the key stored in this file to generate a signing request for

  refreshing the certificate.  If no such file is found when needed,

  generate a new key pair and store them in the file.
@@ -51,58 +51,58 @@ 

  

  .SH KEY ENCRYPTION OPTIONS

  .TP

- \fB\-p\fR FILE

+ \fB\-p\fR \fIFILE\fR, \fB\-\-pinfile\fR=\fIFILE\fR

  The private key files or databases are encrypted using the PIN stored in the

  named file as the passphrase.

  .TP

- \fB\-P\fR PIN

+ \fB\-P\fR \fIPIN\fR, \fB\-\-pin\fR=\fIPIN\fR

  The private key files or databases are encrypted using the specified PIN as the

- passphrase.  Because command-line arguments to running processes are trivially

+ passphrase.  Because command\-line arguments to running processes are trivially

  discoverable, use of this option is not recommended except for testing.

  

  .SH TRACKING OPTIONS

  .TP

- \fB\-I\fR NAME

+ \fB\-I\fR \fINAME\fR, \fB\-\-new\-id\fR=\fINAME\fR

  Assign the specified nickname to this task.  If this option is not specified,

  a name will be assigned automatically.

  .TP

- \fB\-r\fR

+ \fB\-r\fR, \fB\-\-renew\fR

  Attempt to obtain a new certificate from the CA when the expiration date of a

  certificate nears.  This is the default setting.

  .TP

- \fB\-R\fR

+ \fB\-R\fR, \fB\-\-no\-renew\fR

  Don't attempt to obtain a new certificate from the CA when the expiration date

  of a certificate nears.  If this option is specified, an expired certificate

  will simply stay expired.

  

  .SH ENROLLMENT OPTIONS

  .TP

- \fB\-c\fR NAME

+ \fB\-c\fR  \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR

  Enroll with the specified CA rather than a possible default.  The name of

- the CA should correspond to one listed by \fIgetcert list-cas\fR.  Only

+ the CA should correspond to one listed by \fIgetcert list\-cas\fR.  Only

  useful in combination with \fB\-r\fR.

  .TP

- \fB\-T\fR NAME

+ \fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR

  Request a certificate using the named profile, template, or certtype,

  from the specified CA.

  .TP

- \fB\-\-ms-template-spec\fR SPEC

+ \fB\-\-ms\-template\-spec\fR \fISPEC\fR

  Include a V2 Certificate Template extension in the signing request.

  This datum includes an Object Identifier, a major version number

  (positive integer) and an optional minor version number.  The format

  is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.

  .TP

- \fB\-X\fR NAME

+ \fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR

  Request a certificate using the named issuer from the specified CA.

  

  .SH SIGNING REQUEST OPTIONS

  If and when \fIcertmonger\fR attempts to obtain a new certificate to replace

  the one being monitored, the values to be added to the signing request will be

  taken from the current certificate, unless preferred values are set using one

- or more of \fB-u\R, \fB\-U\fR, \fB\-K\fR, \fB\-E\fR, and \fB\-D\fR.

+ or more of \fB\-u\R, \fB\-U\fR, \fB\-K\fR, \fB\-E\fR, and \fB\-D\fR.

  

  .TP

- \fB\-u\fR keyUsage

+ \fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR

  Add an extensionRequest for the specified keyUsage to the

  signing request.  The keyUsage value is expected to be one of these names:

  
@@ -124,72 +124,87 @@ 

  

  decipherOnly

  .TP

- \fB\-U\fR EKU

+ \fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR

  Add an extensionRequest for the specified extendedKeyUsage to the

  signing request.  The EKU value is expected to be an object identifier

  (OID).

  .TP

- \fB\-K\fR NAME

+ \fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR

  Add an extensionRequest for a subjectAltName, with the specified Kerberos

  principal name as its value, to the signing request.

  .TP

- \fB\-E\fR EMAIL

+ \fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR

  Add an extensionRequest for a subjectAltName, with the specified email

  address as its value, to the signing request.

  .TP

- \fB\-D\fR DNSNAME

+ \fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR

  Add an extensionRequest for a subjectAltName, with the specified DNS name

  as its value, to the signing request.

- \fB\-A\fR ADDRESS

+ .TP

+ \fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR

  Add an extensionRequest for a subjectAltName, with the specified IP address

  as its value, to the signing request.

  .TP

- \fB\-l\fR FILE

+ \fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR

  Add an optional ChallengePassword value, read from the file, to the signing

  request.  A ChallengePassword is often required when the CA is accessed using

  SCEP.

  .TP

- \fB\-L\fR PIN

+ \fB\-L\fR \fIPASSWORD\fR, \fB\-\-challenge\-password\fR=\fIPASSWORD\fR

  Add the argument value to the signing request as a ChallengePassword attribute.

  A ChallengePassword is often required when the CA is accessed using SCEP.

  

  .SH OTHER OPTIONS

  .TP

- \fB\-B\fR COMMAND

+ \fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR

  When ever the certificate or the CA's certificates are saved to the

  specified locations, run the specified command as the client user before

  saving the certificates.

  .TP

- \fB\-C\fR COMMAND

+ \fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR

  When ever the certificate or the CA's certificates are saved to the

  specified locations, run the specified command as the client user after

  saving the certificates.

  .TP

- \fB\-a\fR DIR

+ \fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR

  When ever the certificate is saved to the specified location, if root

  certificates for the CA are available, save them to the specified NSS database.

  .TP

- \fB\-F\fR FILE

+ \fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR

  When ever the certificate is saved to the specified location, if root

  certificates for the CA are available, and when the local copies of the

  CA's root certificates are updated, save them to the specified file.

  .TP

- \fB\-w\fR

+ \fB\-w\fR, \fB\-\-wait\fR

  Wait for the certificate to become valid or to be reissued and saved, or for

  the attempt to obtain a new one to fail.

  .TP

- \fB\-v\fR

+ \fB\-\-wait\-timeout\fR=\fITIMEOUT\fR

+ Maximum time to wait for the certificate to be issued.

+ .TP

+ \fB\-v\fR, \fB\-\-verbose\fR

  Be verbose about errors.  Normally, the details of an error received from

  the daemon will be suppressed if the client can make a diagnostic suggestion.

- \fB\-o\fR OWNER, --key-owner=OWNER

+ .TP

+ \fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR

  After generation set the owner on the private key file or database to OWNER.

- \fB\-m\fR MODE, --key-perms=MODE

+ .TP

+ \fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR

  After generation set the file permissions on the private key file or database to MODE.

- \fB\-O\fR OWNER, --cert-owner=OWNER

+ .TP

+ \fB\-O\fR \fIOWNER\fR, \fR\-\-cert\-owner\fR=\fIOWNER\fR

  After generation set the owner on the certificate file or database to OWNER.

- \fB\-M\fR MODE, --cert-perms=MODE

+ .TP

+ \fB\-M\fR \fIMODE\fR, \fR\-\-cert\-perms\fR=\fIMODE\fR

  After generation set the file permissions on the certificate file or database to MODE.

- 

+ .SH BUS OPTIONS

+ .TP

+ \fB\-s\fR, \fB\-\-session\fR

+ Connect to certmonger on the session bus rather than the system bus.

+ .TP

+ \fB\-S\fR, \fB\-\-system\fR

+ Connect to certmonger on the system bus rather than the session bus.  This

+ is the default.

  .SH NOTES

  Locations specified for key and certificate storage need to be

  accessible to the \fIcertmonger\fR daemon process.  When run as a system
@@ -197,7 +212,7 @@ 

  as SELinux, the system policy must ensure that the daemon is allowed to

  access the locations where certificates and keys that it will manage

  will be stored (these locations are typically labeled as \fIcert_t\fR or

- an equivalent).  More SELinux-specific information can be found in the

+ an equivalent).  More SELinux\-specific information can be found in the

  \fIselinux.txt\fR documentation file for this package.

  

  .SH BUGS
@@ -206,23 +221,23 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+27 -27
@@ -1,4 +1,4 @@ 

- .TH certmonger 1 "13 June 2014" "certmonger Manual"

+ .TH CERTMONGER 1 "June 13, 2014" "certmonger Manual"

  

  .SH NAME

  getcert
@@ -12,18 +12,18 @@ 

  

  .SH SELECTION OPTIONS

  .TP

- \fB\-d\fR DIR

+ \fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR

  Check that status of a certificate in the named NSS database.  Must be

- specified with the \fB-n\fR option.

+ specified with the \fB\-n\fR option.

  .TP

- \fB\-n\fR NAME

+ \fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR

  Check that status of a certificate in with the specified nickname.  Must be

- specified with the \fB-d\fR option.

+ specified with the \fB\-d\fR option.

  .TP

- \fB\-f\fR FILE

+ \fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR

  Check that status of a certificate stored in the specified PEM file.

  .TP

- \fB\-i\fR NAME

+ \fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR

  Check that status of a certificate with the specified request nickname.

  

  .SH EXIT STATUS
@@ -53,24 +53,24 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+36 -29
@@ -1,10 +1,10 @@ 

- .TH certmonger 1 "3 November 2009" "certmonger Manual"

+ .TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"

  

  .SH NAME

  getcert

  

  .SH SYNOPSIS

- getcert stop-tracking [options]

+ getcert stop\-tracking [options]

  

  .SH DESCRIPTION

  Tells \fIcertmonger\fR to stop monitoring or attempting to obtain or
@@ -12,7 +12,7 @@ 

  

  .SH TRACKING OPTIONS

  .TP

- \fB\-i\fR NAME

+ \fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR

  The certificate was tracked using the request with the specified nickname.

  If this option is not specified, some combination of \fB\-d\fR and

  \fB\-n\fR or \fB\-f\fR can be used to specify which certificate should
@@ -20,55 +20,62 @@ 

  

  .SH KEY AND CERTIFICATE STORAGE OPTIONS

  .TP

- \fB\-d\fR DIR

+ \fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR

  The certificate is the one stored in the specified NSS database.

  .TP

- \fB\-n\fR NAME

+ \fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR

  The certificate is the one which has this nickname.  Only valid with

  \fB\-d\fR.

  .TP

- \fB\-t\fR TOKEN

+ \fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR

  If the NSS database has more than one token available, the certificate

  is stored in this token.  This argument only rarely needs to be

  specified.

  Only valid with \fB\-d\fR.

  .TP

- \fB\-f\fR FILE

+ \fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR

  The certificate is or was to be stored in this file.

  .TP

- \fB\-k\fR FILE

+ \fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR

  The private key is or was to be stored in this file.

  Only valid with \fB\-f\fR.

  

  .SH OTHER OPTIONS

  .TP

- \fB\-v\fR

+ \fB\-v\fR, \fB\-\-verbose\fR

  Be verbose about errors.  Normally, the details of an error received from

  the daemon will be suppressed if the client can make a diagnostic suggestion.

- 

+ .SH BUS OPTIONS

+ .TP

+ \fB\-s\fR, \fB\-\-session\fR

+ Connect to certmonger on the session bus rather than the system bus.

+ .TP

+ \fB\-S\fR, \fB\-\-system\fR

+ Connect to certmonger on the system bus rather than the session bus.  This

+ is the default.

  .SH BUGS

  Please file tickets for any that you find at https://fedorahosted.org/certmonger/

  

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+27 -27
@@ -1,4 +1,4 @@ 

- .TH certmonger 1 "3 November 2009" "certmonger Manual"

+ .TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"

  

  .SH NAME

  getcert
@@ -6,12 +6,12 @@ 

  .SH SYNOPSIS

   getcert request [options]

   getcert resubmit [options]

-  getcert start-tracking [options]

+  getcert start\-tracking [options]

   getcert status [options]

-  getcert stop-tracking [options]

+  getcert stop\-tracking [options]

   getcert list [options]

-  getcert list-cas [options]

-  getcert refresh-cas [options]

+  getcert list\-cas [options]

+  getcert refresh\-cas [options]

  

  .SH DESCRIPTION

  The \fIgetcert\fR tool issues requests to a @CM_DBUS_NAME@ service on
@@ -22,7 +22,7 @@ 

  list the set of certificates that the service is already monitoring, or

  it can list the set of CAs that the service is capable of using.

  

- If no command is given as the first command-line argument, \fIgetcert\fR

+ If no command is given as the first command\-line argument, \fIgetcert\fR

  will print short usage information for each of its functions.

  

  If \fIgetcert\fR is invoked by a user with UID 0, and there is no system bus
@@ -32,7 +32,7 @@ 

  .SH COMMON ARGUMENTS

  If \fI@CERTMONGER_PVT_ADDRESS_ENV@\fR is set in the environment, \fIgetcert\fR

  contacts the service directly at the specified location.

- All commands can take either the \fB-s\fR or \fB-S\fR arguments, which instruct

+ All commands can take either the \fB\-s\fR or \fB\-S\fR arguments, which instruct

  \fIgetcert\fR to contact the @CM_DBUS_NAME@ service on the session or system

  bus, if no value is set.  By default, \fIgetcert\fR consults the @CM_DBUS_NAME@

  service attached to the system bus.
@@ -42,24 +42,24 @@ 

  

  .SH SEE ALSO

  \fBcertmonger\fR(8)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+349 -205
@@ -4874,54 +4874,90 @@ 

  		"\n",

  		N_("Required arguments:\n"),

  		N_("* If using an NSS database for storage:\n"),

- 		N_("  -d DIR	NSS database for key and cert\n"),

- 		N_("  -n NAME	nickname for NSS-based storage (only valid with -d)\n"),

- 		N_("  -t NAME	optional token name for NSS-based storage (only valid with -d)\n"),

+ 		N_("  -d DIR, --dbdir=DIR	NSS database for key and cert\n"),

+ 		N_("  -n NAME, --nickname NAME\n"),

+ 		N_("			nickname for NSS-based storage (only valid with -d)\n"),

  		N_("* If using files for storage:\n"),

- 		N_("  -k FILE	PEM file for private key\n"),

- 		N_("  -f FILE	PEM file for certificate (only valid with -k)\n"),

+ 		N_("  -k FILE, --keyfile=FILE\n"),

+ 		N_("			PEM file for private key\n"),

+ 		N_("  -f FILE, --certfile=FILE\n"),

+ 		N_("			PEM file for certificate (only valid with -k)\n"),

  		N_("* If keys are to be encrypted:\n"),

- 		N_("  -p FILE	file which holds the encryption PIN\n"),

- 		N_("  -P PIN	PIN value\n"),

+ 		N_("  -p FILE, --pinfile=FILE\n"),

+ 		N_("			file which holds the encryption PIN\n"),

+ 		N_("  -P PIN, --pin=PIN	PIN value\n"),

  		"\n",

  		N_("Optional arguments:\n"),

  		N_("* Certificate handling settings:\n"),

- 		N_("  -I NAME	nickname to assign to the request\n"),

- 		N_("  -G TYPE	type of key to be generated if one is not already in place\n"),

- 		N_("  -g SIZE	size of key to be generated if one is not already in place\n"),

- 		N_("  -r		attempt to renew the certificate when expiration nears (default)\n"),

- 		N_("  -R		don't attempt to renew the certificate when expiration nears\n"),

+ 		N_("  -I NAME, --new-id=NAME\n"),

+ 		N_("			new nickname to give to tracking request\n"),

+ 		N_("  -G TYPE, --key-type=TYPE\n"),

+ 		N_("			type of key to be generated if one is not already\n"),

+ 		N_("			in place\n"),

+ 		N_("  -g BITS, --key-size=BITS\n"),

+ 		N_("			size of key to be generated if one is not already\n"),

+ 		N_("			in place\n"),

+ 		N_("  -r, --renew		attempt to renew the certificate when\n"),

+ 		N_("			expiration nears (default)\n"),

+ 		N_("  -R, --no-renew	don't attempt to renew the certificate when\n"),

+ 		N_("			expiration nears\n"),

  #ifndef FORCE_CA

- 		N_("  -c CA		use the specified CA rather than the default\n"),

+ 		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),

  #endif

- 		N_("  -T PROFILE	ask the CA to process the request using the named profile or template\n"),

+ 		N_("  -T PROFILE, --profile=NAME\n"),

+ 		N_("			ask the CA to process the request using the\n"),

+ 		N_("			named profile or template\n"),

  		N_("  --ms-template-spec SPEC\n"),

- 		N_("	 include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),

- 		N_("  -X ISSUER	ask the CA to process the request using the named issuer\n"),

+ 		N_("	 		include V2 template specifier in CSR\n"),

+ 		N_("			(format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),

+ 		N_("  -X ISSUER, --issuer=ISSUER\n"),

+ 		N_("			ask the CA to process the request using the\n"),

+ 		N_("			named issuer\n"),

+         "\n",

  		N_("* Parameters for the signing request:\n"),

- 		N_("  -N NAME	set requested subject name (default: CN=<hostname>)\n"),

- 		N_("  -U EXTUSAGE	set requested extended key usage OID\n"),

- 		N_("  -u KEYUSAGE	set requested key usage value\n"),

- 		N_("  -K NAME	set requested principal name\n"),

- 		N_("  -D DNSNAME	set requested DNS name\n"),

- 		N_("  -E EMAIL	set requested email address\n"),

- 		N_("  -A ADDRESS	set requested IP address\n"),

- 		N_("  -l FILE	file which holds an optional challenge password\n"),

- 		N_("  -L PASSWORD	an optional challenge password value\n"),

+ 		N_("  -N NAME, --subject-name=NAME\n"),

+ 		N_("			set requested subject name (default: CN=<hostname>)\n"),

+ 		N_("  -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),

+ 		N_("			override requested extended key usage OID\n"),

+ 		N_("  -u KEYUSAGE, --key-usage=KEYUSAGE\n"),

+ 		N_("			set requested key usage value\n"),

+ 		N_("  -K NAME, --principal=NAME\n"),

+ 		N_("			override requested principal name\n"),

+ 		N_("  -D DNSNAME, --dns=DNSNAME\n"),

+ 		N_("			override requested DNS name\n"),

+ 		N_("  -E EMAIL, --email=EMAIL\n"),

+ 		N_("			override requested email address\n"),

+ 		N_("  -A ADDRESS, --ip-address=ADDRESS\n"),

+ 		N_("			override requested IP address\n"),

+ 		N_("  -l FILE, --challenge-password-file=FILE\n"),

+ 		N_("			file which holds an optional challenge password\n"),

+ 		N_("  -L PASSWORD, --challenge-password=PASSWORD\n"),

+ 		N_("			an optional challenge password value\n"),

+ 		"\n",

  		N_("* Bus options:\n"),

- 		N_("  -S		connect to the certmonger service on the system bus\n"),

- 		N_("  -s		connect to the certmonger service on the session bus\n"),

+ 		N_("  -S, --system		connect to the certmonger service on the system bus\n"),

+ 		N_("  -s, --session		connect to the certmonger service on the session bus\n"),

  		N_("* Other options:\n"),

- 		N_("  -B	command to run before saving the certificate\n"),

- 		N_("  -C	command to run after saving the certificate\n"),

- 		N_("  -F	file in which to store the CA's certificates\n"),

- 		N_("  -a	NSS database in which to store the CA's certificates\n"),

- 		N_("  -w	try to wait for the certificate to be issued\n"),

- 		N_("  -v	report all details of errors\n"),

- 		N_("  -o OWNER	owner information for private key\n"),

- 		N_("  -m MODE	file permissions for private key\n"),

- 		N_("  -O OWNER	owner information for certificate\n"),

- 		N_("  -M MODE	file permissions for certificate\n"),

+ 		N_("  -B COMMAND, --before-command=COMMAND\n"),

+ 		N_("			command to run before saving the certificate\n"),

+ 		N_("  -C COMMAND, --after-command=COMMAND\n"),

+ 		N_("			command to run after saving the certificate\n"),

+ 		N_("  -F FILE, --ca-file=FILE\n"),

+ 		N_("			file in which to store the CA's certificates\n"),

+ 		N_("  -a DIR, --ca-dbdir=DIR\n"),

+ 		N_("			NSS database in which to store the CA's certificates\n"),

+ 		N_("  -w, --wait		try to wait for the certificate to be issued\n"),

+ 		N_("  --wait-timeout TIMEOUT\n"),

+ 		N_("			Maximum time to wait for the certificateto be issued\n"),

+ 		N_("  -v, --verbose		report all details of errors\n"),

+ 		N_("  -o OWNER, --key-owner=OWNER\n"),

+ 		N_("			owner information for private key\n"),

+ 		N_("  -m MODE, --key-perms=MODE\n"),

+ 		N_("			file permissions for private key\n"),

+ 		N_("  -O OWNER, --cert-owner=OWNER\n"),

+ 		N_("			owner information for certificate\n"),

+ 		N_("  -M MODE, --cert-perms=MODE\n"),

+ 		N_("			file permissions for certificate\n"),

  		NULL,

  	};

  	const char *start_tracking_help[] = {
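Review bot: The rewritten `-P PIN, --pin=PIN` and `-L PASSWORD, --challenge-password=PASSWORD` entries still describe the argument only as a value. Nothing tells the user that a secret given on the command line is normally readable by other local users through the process list and tends to stay in shell history. The file-based forms are listed right beside them, so the text can point there, for example `N_("  -P PIN, --pin=PIN	PIN value (shows up in process listings; prefer -p)\n"),` and `N_("			an optional challenge password value (prefer -l)\n"),`. The same two entries are added in the start_tracking_help hunk that follows. The array edited here opens above the hunk, so its name is not visible.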
@@ -4929,53 +4965,87 @@ 

  		"\n",

  		N_("Required arguments:\n"),

  		N_("* If modifying an existing request:\n"),

- 		N_("  -i NAME	nickname of an existing tracking request\n"),

+ 		N_("  -i NAME, --id=NAME	nickname of an existing tracking request\n"),

  		N_("* If using an NSS database for storage:\n"),

- 		N_("  -d DIR	NSS database for key and cert\n"),

- 		N_("  -n NAME	nickname for NSS-based storage (only valid with -d)\n"),

- 		N_("  -t NAME	optional token name for NSS-based storage (only valid with -d)\n"),

+ 		N_("  -d DIR, --dbdir=DIR	NSS database for key and cert\n"),

+ 		N_("  -n NAME, --nickname NAME\n"),

+ 		N_("			nickname for NSS-based storage (only valid with -d)\n"),

+ 		N_("  -t NAME, --token=NAME	optional token name for NSS-based storage\n"),

+ 		N_("			(only valid with -d)\n"),

  		N_("* If using files for storage:\n"),

- 		N_("  -k FILE	PEM file for private key\n"),

- 		N_("  -f FILE	PEM file for certificate (only valid with -k)\n"),

+ 		N_("  -k FILE, --keyfile=FILE\n"),

+ 		N_("			PEM file for private key\n"),

+ 		N_("  -f FILE, --certfile=FILE\n"),

+ 		N_("			PEM file for certificate (only valid with -k)\n"),

  		N_("* If keys are encrypted:\n"),

- 		N_("  -p FILE	file which holds the encryption PIN\n"),

- 		N_("  -P PIN	PIN value\n"),

+ 		N_("  -p FILE, --pinfile=FILE\n"),

+ 		N_("			file which holds the encryption PIN\n"),

+ 		N_("  -P PIN, --pin=PIN	PIN value\n"),

  		"\n",

  		N_("Optional arguments:\n"),

  		N_("* Certificate handling settings:\n"),

- 		N_("  -I NAME	nickname to give to tracking request\n"),

- 		N_("  -r		attempt to renew the certificate when expiration nears (default)\n"),

- 		N_("  -R		don't attempt to renew the certificate when expiration nears\n"),

+ 		N_("  -I NAME, --new-id=NAME\n"),

+ 		N_("			new nickname to give to tracking request\n"),

+ 		N_("  -r, --renew		attempt to renew the certificate when\n"),

+ 		N_("			expiration nears (default)\n"),

+ 		N_("  -R, --no-renew	don't attempt to renew the certificate when\n"),

+ 		N_("			expiration nears\n"),

  #ifndef FORCE_CA

- 		N_("  -c CA		use the specified CA rather than the default\n"),

+ 		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),

  #endif

- 		N_("  -T PROFILE	ask the CA to process the request using the named profile or template\n"),

+ 		N_("  -T PROFILE, --profile=NAME\n"),

+ 		N_("			ask the CA to process the request using the\n"),

+ 		N_("			named profile or template\n"),

  		N_("  --ms-template-spec SPEC\n"),

- 		N_("	 include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),

- 		N_("  -X ISSUER	ask the CA to process the request using the named issuer\n"),

+ 		N_("	 		include V2 template specifier in CSR\n"),

+ 		N_("			(format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),

+ 		N_("  -X ISSUER, --issuer=ISSUER\n"),

+ 		N_("			ask the CA to process the request using the\n"),

+ 		N_("			named issuer\n"),

+ 		"\n",

  		N_("* Parameters for the signing request at renewal time:\n"),

- 		N_("  -U EXTUSAGE	override requested extended key usage OID\n"),

- 		N_("  -u KEYUSAGE	set requested key usage value\n"),

- 		N_("  -K NAME	override requested principal name\n"),

- 		N_("  -D DNSNAME	override requested DNS name\n"),

- 		N_("  -E EMAIL	override requested email address\n"),

- 		N_("  -A ADDRESS	override requested IP address\n"),

- 		N_("  -l FILE	file which holds an optional challenge password\n"),

- 		N_("  -L PASSWORD	an optional challenge password value\n"),

+ 		N_("  -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),

+ 		N_("			override requested extended key usage OID\n"),

+ 		N_("  -u KEYUSAGE, --key-usage=KEYUSAGE\n"),

+ 		N_("			set requested key usage value\n"),

+ 		N_("  -K NAME, --principal=NAME\n"),

+ 		N_("			override requested principal name\n"),

+ 		N_("  -D DNSNAME, --dns=DNSNAME\n"),

+ 		N_("			override requested DNS name\n"),

+ 		N_("  -E EMAIL, --email=EMAIL\n"),

+ 		N_("			override requested email address\n"),

+ 		N_("  -A ADDRESS, --ip-address=ADDRESS\n"),

+ 		N_("			override requested IP address\n"),

+ 		N_("  -l FILE, --challenge-password-file=FILE\n"),

+ 		N_("			file which holds an optional challenge password\n"),

+ 		N_("  -L PASSWORD, --challenge-password=PASSWORD\n"),

+ 		N_("			an optional challenge password value\n"),

+ 		"\n",

  		N_("* Bus options:\n"),

- 		N_("  -S		connect to the certmonger service on the system bus\n"),

- 		N_("  -s		connect to the certmonger service on the session bus\n"),

+ 		N_("  -S, --system		connect to the certmonger service on the system bus\n"),

+ 		N_("  -s, --session		connect to the certmonger service on the session bus\n"),

+ 		"\n",

  		N_("* Other options:\n"),

- 		N_("  -B	command to run before saving the certificate\n"),

- 		N_("  -C	command to run after saving the certificate\n"),

- 		N_("  -F	file in which to store the CA's certificates\n"),

- 		N_("  -a	NSS database in which to store the CA's certificates\n"),

- 		N_("  -w	try to wait for the certificate to be issued\n"),

- 		N_("  -v	report all details of errors\n"),

- 		N_("  -o OWNER	owner information for private key\n"),

- 		N_("  -m MODE	file permissions for private key\n"),

- 		N_("  -O OWNER	owner information for certificate\n"),

- 		N_("  -M MODE	file permissions for certificate\n"),

+ 		N_("  -B COMMAND, --before-command=COMMAND\n"),

+ 		N_("			command to run before saving the certificate\n"),

+ 		N_("  -C COMMAND, --after-command=COMMAND\n"),

+ 		N_("			command to run after saving the certificate\n"),

+ 		N_("  -F FILE, --ca-file=FILE\n"),

+ 		N_("			file in which to store the CA's certificates\n"),

+ 		N_("  -a DIR, --ca-dbdir=DIR\n"),

+ 		N_("			NSS database in which to store the CA's certificates\n"),

+ 		N_("  -w, --wait		try to wait for the certificate to be issued\n"),

+ 		N_("  --wait-timeout TIMEOUT\n"),

+ 		N_("			Maximum time to wait for the certificateto be issued\n"),

+ 		N_("  -v, --verbose		report all details of errors\n"),

+ 		N_("  -o OWNER, --key-owner=OWNER\n"),

+ 		N_("			owner information for private key\n"),

+ 		N_("  -m MODE, --key-perms=MODE\n"),

+ 		N_("			file permissions for private key\n"),

+ 		N_("  -O OWNER, --cert-owner=OWNER\n"),

+ 		N_("			owner information for certificate\n"),

+ 		N_("  -M MODE, --cert-perms=MODE\n"),

+ 		N_("			file permissions for certificate\n"),

  		NULL,

  	};

  	const char *stop_tracking_help[] = {
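Review bot: The description added for `--wait-timeout` reads `certificateto`, a missing space that will be shown to users and handed to translators as is; it should be `N_("			Maximum time to wait for the certificate to be issued\n"),`. The entry also never says what unit TIMEOUT is counted in. It is written `--wait-timeout TIMEOUT`, while most other long options in this array use `=`. The identical string is added in the preceding hunk as well. The start_tracking_help array opens before this hunk begins.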
@@ -4983,21 +5053,24 @@ 

  		"\n",

  		N_("Required arguments:\n"),

  		N_("* By request identifier:\n"),

- 		N_("  -i NAME	nickname for tracking request\n"),

+ 		N_("  -i NAME, --id=NAME	nickname for tracking request\n"),

  		N_("* If using an NSS database for storage:\n"),

- 		N_("  -d DIR	NSS database for key and cert\n"),

- 		N_("  -n NAME	nickname for NSS-based storage (only valid with -d)\n"),

- 		N_("  -t NAME	optional token name for NSS-based storage (only valid with -d)\n"),

+ 		N_("  -d DIR, --dbdir=DIR	NSS database for key and cert\n"),

+ 		N_("  -n NAME, --nickname NAME\n"),

+ 		N_("			nickname for NSS-based storage (only valid with -d)\n"),

  		N_("* If using files for storage:\n"),

- 		N_("  -k FILE	PEM file for private key\n"),

- 		N_("  -f FILE	PEM file for certificate (only valid with -k)\n"),

+ 		N_("  -k FILE, --keyfile=FILE\n"),

+ 		N_("			PEM file for private key\n"),

+ 		N_("  -f FILE, --certfile=FILE\n"),

+ 		N_("			PEM file for certificate (only valid with -k)\n"),

  		"\n",

  		N_("Optional arguments:\n"),

  		N_("* Bus options:\n"),

- 		N_("  -S		connect to the certmonger service on the system bus\n"),

- 		N_("  -s		connect to the certmonger service on the session bus\n"),

+ 		N_("  -S, --system		connect to the certmonger service on the system bus\n"),

+ 		N_("  -s, --session		connect to the certmonger service on the session bus\n"),

+ 		"\n",

  		N_("* Other options:\n"),

- 		N_("  -v	report all details of errors\n"),

+ 		N_("  -v, --verbose		report all details of errors\n"),

  		NULL,

  	};

  	const char *resubmit_help[] = {
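Review bot: The old `-t NAME	optional token name for NSS-based storage (only valid with -d)` entry is deleted in this hunk and nothing replaces it. That looks unintentional, because the stop-tracking man page changed in this same pull request documents `\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR`. The start_tracking_help hunk shows the intended form: `N_("  -t NAME, --token=NAME	optional token name for NSS-based storage\n"),` followed by `N_("			(only valid with -d)\n"),`, which should follow the `--nickname` entry here too. The first hunk of this file drops the `-t` line the same way. This hunk starts inside the array, which appears to be stop_tracking_help from the context line that ends the previous hunk.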
@@ -5005,53 +5078,82 @@ 

  		"\n",

  		N_("Required arguments:\n"),

  		N_("* By request identifier:\n"),

- 		N_("  -i NAME	nickname for tracking request\n"),

+ 		N_("  -i NAME, --id=NAME	nickname for tracking request\n"),

  		N_("* If using an NSS database for storage:\n"),

- 		N_("  -d DIR	NSS database for key and cert\n"),

- 		N_("  -n NAME	nickname for NSS-based storage (only valid with -d)\n"),

- 		N_("  -t NAME	optional token name for NSS-based storage (only valid with -d)\n"),

+ 		N_("  -d DIR, --dbdir=DIR	NSS database for key and cert\n"),

+ 		N_("  -n NAME, --nickname NAME\n"),

+ 		N_("			nickname for NSS-based storage (only valid with -d)\n"),

+ 		N_("  -t NAME, --token=NAME	optional token name for NSS-based storage\n"),

+ 		N_("			(only valid with -d)\n"),

  		N_("* If using files for storage:\n"),

- 		N_("  -f FILE	PEM file for certificate\n"),

+ 		N_("  -f FILE, --certfile=FILE\n"),

+ 		N_("			PEM file for certificate\n"),

  		"\n",

  		N_("* If keys are encrypted:\n"),

- 		N_("  -p FILE	file which holds the encryption PIN\n"),

- 		N_("  -P PIN	PIN value\n"),

+ 		N_("  -p FILE, --pinfile=FILE\n"),

+ 		N_("			file which holds the encryption PIN\n"),

+ 		N_("  -P PIN, --pin=PIN	PIN value\n"),

  		"\n",

  		N_("* New parameter values for the signing request:\n"),

- 		N_("  -N NAME	set requested subject name (default: CN=<hostname>)\n"),

- 		N_("  -U EXTUSAGE	set requested extended key usage OID\n"),

- 		N_("  -u KEYUSAGE	set requested key usage value\n"),

- 		N_("  -K NAME	set requested principal name\n"),

- 		N_("  -D DNSNAME	set requested DNS name\n"),

- 		N_("  -E EMAIL	set requested email address\n"),

- 		N_("  -A ADDRESS	set requested IP address\n"),

- 		N_("  -l FILE	file which holds an optional challenge password\n"),

- 		N_("  -L PASSWORD	an optional challenge password value\n"),

+ 		N_("  -N NAME, --subject-name=NAME\n"),

+ 		N_("			set requested subject name (default: CN=<hostname>)\n"),

+ 		N_("  -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),

+ 		N_("			override requested extended key usage OID\n"),

+ 		N_("  -u KEYUSAGE, --key-usage=KEYUSAGE\n"),

+ 		N_("			set requested key usage value\n"),

+ 		N_("  -K NAME, --principal=NAME\n"),

+ 		N_("			override requested principal name\n"),

+ 		N_("  -D DNSNAME, --dns=DNSNAME\n"),

+ 		N_("			override requested DNS name\n"),

+ 		N_("  -E EMAIL, --email=EMAIL\n"),

+ 		N_("			override requested email address\n"),

+ 		N_("  -A ADDRESS, --ip-address=ADDRESS\n"),

+ 		N_("			override requested IP address\n"),

+ 		N_("  -l FILE, --challenge-password-file=FILE\n"),

+ 		N_("			file which holds an optional challenge password\n"),

+ 		N_("  -L PASSWORD, --challenge-password=PASSWORD\n"),

+ 		N_("			an optional challenge password value\n"),

  		"\n",

  		N_("Optional arguments:\n"),

  		N_("* Certificate handling settings:\n"),

- 		N_("  -I NAME	new nickname to give to tracking request\n"),

+ 		N_("  -I NAME, --new-id=NAME\n"),

+ 		N_("			new nickname to give to tracking request\n"),

  #ifndef FORCE_CA

- 		N_("  -c CA		use the specified CA rather than the current one\n"),

+ 		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),

  #endif

- 		N_("  -T PROFILE	ask the CA to process the request using the named profile or template\n"),

+ 		N_("  -T PROFILE, --profile=NAME\n"),

+ 		N_("			ask the CA to process the request using the\n"),

+ 		N_("			named profile or template\n"),

  		N_("  --ms-template-spec SPEC\n"),

- 		N_("	 include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),

- 		N_("  -X ISSUER	ask the CA to process the request using the named issuer\n"),

+ 		N_("	 		include V2 template specifier in CSR\n"),

+ 		N_("			(format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),

+ 		N_("  -X ISSUER, --issuer=ISSUER\n"),

+ 		N_("			ask the CA to process the request using the\n"),

+ 		N_("			named issuer\n"),

  		N_("* Bus options:\n"),

- 		N_("  -S		connect to the certmonger service on the system bus\n"),

- 		N_("  -s		connect to the certmonger service on the session bus\n"),

+ 		N_("  -S, --system		connect to the certmonger service on the system bus\n"),

+ 		N_("  -s, --session		connect to the certmonger service on the session bus\n"),

  		N_("* Other options:\n"),

- 		N_("  -B	command to run before saving the certificate\n"),

- 		N_("  -C	command to run after saving the certificate\n"),

- 		N_("  -F	file in which to store the CA's certificates\n"),

- 		N_("  -a	NSS database in which to store the CA's certificates\n"),

- 		N_("  -w	try to wait for the certificate to be issued\n"),

- 		N_("  -v	report all details of errors\n"),

- 		N_("  -o OWNER	owner information for private key\n"),

- 		N_("  -m MODE	file permissions for private key\n"),

- 		N_("  -O OWNER	owner information for certificate\n"),

- 		N_("  -M MODE	file permissions for certificate\n"),

+ 		N_("  -B COMMAND, --before-command=COMMAND\n"),

+ 		N_("			command to run before saving the certificate\n"),

+ 		N_("  -C COMMAND, --after-command=COMMAND\n"),

+ 		N_("			command to run after saving the certificate\n"),

+ 		N_("  -F FILE, --ca-file=FILE\n"),

+ 		N_("			file in which to store the CA's certificates\n"),

+ 		N_("  -a DIR, --ca-dbdir=DIR\n"),

+ 		N_("			NSS database in which to store the CA's certificates\n"),

+ 		N_("  -w, --wait		try to wait for the certificate to be issued\n"),

+ 		N_("  --wait-timeout TIMEOUT\n"),

+ 		N_("			Maximum time to wait for the certificateto be issued\n"),

+ 		N_("  -v, --verbose		report all details of errors\n"),

+ 		N_("  -o OWNER, --key-owner=OWNER\n"),

+ 		N_("			owner information for private key\n"),

+ 		N_("  -m MODE, --key-perms=MODE\n"),

+ 		N_("			file permissions for private key\n"),

+ 		N_("  -O OWNER, --cert-owner=OWNER\n"),

+ 		N_("			owner information for certificate\n"),

+ 		N_("  -M MODE, --cert-perms=MODE\n"),

+ 		N_("			file permissions for certificate\n"),

  		NULL,

  	};

  	const char *rekey_help[] = {
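Review bot: The new `-P PIN, --pin=PIN` and `-L PASSWORD, --challenge-password=PASSWORD` entries document passing a secret as a command-line argument, with no hint that arguments are generally readable by other local users through the process list. The same two entries appear in the rekey_help hunk. The help could point users to the file-based forms listed beside them, for example `N_("  -P PIN, --pin=PIN	PIN value (visible in the process list; prefer -p)\n"),` and the equivalent wording on the `-L` description pointing at `-l`. The resubmit_help declaration sits in the previous hunk's trailing context and the enclosing function starts outside this hunk.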
@@ -5059,51 +5161,80 @@ 

  		"\n",

  		N_("Required arguments:\n"),

  		N_("* By request identifier:\n"),

- 		N_("  -i NAME	nickname for tracking request\n"),

+ 		N_("  -i NAME, --id=NAME	nickname for tracking request\n"),

  		N_("* If using an NSS database for storage:\n"),

- 		N_("  -d DIR	NSS database for key and cert\n"),

- 		N_("  -n NAME	nickname for NSS-based storage (only valid with -d)\n"),

- 		N_("  -t NAME	optional token name for NSS-based storage (only valid with -d)\n"),

+ 		N_("  -d DIR, --dbdir=DIR	NSS database for key and cert\n"),

+ 		N_("  -n NAME, --nickname NAME\n"),

+ 		N_("			nickname for NSS-based storage (only valid with -d)\n"),

+ 		N_("  -t NAME, --token=NAME	optional token name for NSS-based storage\n"),

+ 		N_("			(only valid with -d)\n"),

  		N_("* If using files for storage:\n"),

- 		N_("  -f FILE	PEM file for certificate\n"),

+ 		N_("  -f FILE, --certfile=FILE\n"),

+ 		N_("			PEM file for certificate\n"),

  		"\n",

  		N_("* If keys are encrypted:\n"),

- 		N_("  -p FILE	file which holds the encryption PIN\n"),

- 		N_("  -P PIN	PIN value\n"),

+ 		N_("  -p FILE, --pinfile=FILE\n"),

+ 		N_("			file which holds the encryption PIN\n"),

+ 		N_("  -P PIN, --pin=PIN	PIN value\n"),

  		"\n",

  		N_("* New parameter values for the signing request:\n"),

- 		N_("  -N NAME	set requested subject name (default: CN=<hostname>)\n"),

- 		N_("  -U EXTUSAGE	set requested extended key usage OID\n"),

- 		N_("  -u KEYUSAGE	set requested key usage value\n"),

- 		N_("  -K NAME	set requested principal name\n"),

- 		N_("  -D DNSNAME	set requested DNS name\n"),

- 		N_("  -E EMAIL	set requested email address\n"),

- 		N_("  -A ADDRESS	set requested IP address\n"),

- 		N_("  -l FILE	file which holds an optional challenge password\n"),

- 		N_("  -L PASSWORD	an optional challenge password value\n"),

+ 		N_("  -N NAME, --subject-name=NAME\n"),

+ 		N_("			set requested subject name (default: CN=<hostname>)\n"),

+ 		N_("  -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),

+ 		N_("			override requested extended key usage OID\n"),

+ 		N_("  -u KEYUSAGE, --key-usage=KEYUSAGE\n"),

+ 		N_("			set requested key usage value\n"),

+ 		N_("  -K NAME, --principal=NAME\n"),

+ 		N_("			override requested principal name\n"),

+ 		N_("  -D DNSNAME, --dns=DNSNAME\n"),

+ 		N_("			override requested DNS name\n"),

+ 		N_("  -E EMAIL, --email=EMAIL\n"),

+ 		N_("			override requested email address\n"),

+ 		N_("  -A ADDRESS, --ip-address=ADDRESS\n"),

+ 		N_("			override requested IP address\n"),

+ 		N_("  -l FILE, --challenge-password-file=FILE\n"),

+ 		N_("			file which holds an optional challenge password\n"),

+ 		N_("  -L PASSWORD, --challenge-password=PASSWORD\n"),

+ 		N_("			an optional challenge password value\n"),

  		"\n",

  		N_("Optional arguments:\n"),

  		N_("* Certificate handling settings:\n"),

- 		N_("  -I NAME	new nickname to give to tracking request\n"),

+ 		N_("  -I NAME, --new-id=NAME\n"),

+ 		N_("			new nickname to give to tracking request\n"),

  #ifndef FORCE_CA

- 		N_("  -c CA		use the specified CA rather than the current one\n"),

+ 		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),

  #endif

- 		N_("  -T PROFILE	ask the CA to process the request using the named profile or template\n"),

+ 		N_("  -T PROFILE, --profile=NAME\n"),

+ 		N_("			ask the CA to process the request using the\n"),

+ 		N_("			named profile or template\n"),

  		N_("  --ms-template-spec SPEC\n"),

- 		N_("	 include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),

- 		N_("  -X ISSUER	ask the CA to process the request using the named issuer\n"),

- 		N_("  -G TYPE	type of new key to be generated\n"),

- 		N_("  -g SIZE	size of new key to be generated\n"),

+ 		N_("	 		include V2 template specifier in CSR\n"),

+ 		N_("			(format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),

+ 		N_("  -X ISSUER, --issuer=ISSUER\n"),

+ 		N_("			ask the CA to process the request using the\n"),

+ 		N_("			named issuer\n"),

+ 		N_("  -G TYPE, --key-type=TYPE\n"),

+ 		N_("			type of key to be generated if one is not already\n"),

+ 		N_("			in place\n"),

+ 		N_("  -g BITS, --key-size=BITS\n"),

+ 		N_("			size of key to be generated if one is not already\n"),

+ 		N_("			in place\n"),

  		N_("* Bus options:\n"),

- 		N_("  -S		connect to the certmonger service on the system bus\n"),

- 		N_("  -s		connect to the certmonger service on the session bus\n"),

+ 		N_("  -S, --system		connect to the certmonger service on the system bus\n"),

+ 		N_("  -s, --session		connect to the certmonger service on the session bus\n"),

  		N_("* Other options:\n"),

- 		N_("  -B	command to run before saving the certificate\n"),

- 		N_("  -C	command to run after saving the certificate\n"),

- 		N_("  -F	file in which to store the CA's certificates\n"),

- 		N_("  -a	NSS database in which to store the CA's certificates\n"),

- 		N_("  -w	try to wait for the certificate to be issued\n"),

- 		N_("  -v	report all details of errors\n"),

+ 		N_("  -B COMMAND, --before-command=COMMAND\n"),

+ 		N_("			command to run before saving the certificate\n"),

+ 		N_("  -C COMMAND, --after-command=COMMAND\n"),

+ 		N_("			command to run after saving the certificate\n"),

+ 		N_("  -F FILE, --ca-file=FILE\n"),

+ 		N_("			file in which to store the CA's certificates\n"),

+ 		N_("  -a DIR, --ca-dbdir=DIR\n"),

+ 		N_("			NSS database in which to store the CA's certificates\n"),

+ 		N_("  -w, --wait		try to wait for the certificate to be issued\n"),

+ 		N_("  --wait-timeout TIMEOUT\n"),

+ 		N_("			Maximum time to wait for the certificateto be issued\n"),

+ 		N_("  -v, --verbose		report all details of errors\n"),

  		NULL,

  	};

  	const char *list_help[] = {
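Review bot: The `-G TYPE, --key-type=TYPE` and `-g BITS, --key-size=BITS` descriptions in rekey_help now say the key is generated `if one is not already in place`, which reads as text copied from a request-style help array. The removed lines said `type of new key to be generated`, and a rekey presumably always starts from a key that is already in place. Suggest keeping the old meaning under the new option lines, e.g. `N_("			type of new key to be generated\n"),` and `N_("			size of new key to be generated\n"),`. The `--wait-timeout` description in this hunk and in the resubmit_help hunk also reads `certificateto`; it needs a space, `certificate to be issued`.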
@@ -5112,46 +5243,52 @@ 

  		N_("Optional arguments:\n"),

  		N_("* General options:\n"),

  #ifndef FORCE_CA

- 		N_("  -c CA	list only requests and certs associated with this CA\n"),

+ 		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),

  #endif

- 		N_("  -r	list only information about outstanding requests\n"),

- 		N_("  -t	list only information about tracked certificates\n"),

- 		N_("  -u	display times in UTC instead of local time\n"),

+ 		N_("  -r, --requests-only	list only information about outstanding requests\n"),

+ 		N_("  -t, --tracking-only	list only information about tracked certificates\n"),

+ 		N_("  -u, --utc		display times in UTC instead of local time\n"),

  		N_("* If selecting a specific request:\n"),

- 		N_("  -i NAME	nickname for tracking request\n"),

+ 		N_("  -i NAME, --id=NAME	nickname for tracking request\n"),

  		N_("* If using an NSS database for storage:\n"),

- 		N_("  -d DIR	only list requests and certs which use this NSS database\n"),

- 		N_("  -n NAME	only list requests and certs which use this nickname\n"),

+ 		N_("  -d DIR, --dbdir=DIR	NSS database for key and cert\n"),

+ 		N_("  -n NAME, --nickname NAME\n"),

+ 		N_("			nickname for NSS-based storage (only valid with -d)\n"),

  		N_("* If using files for storage:\n"),

- 		N_("  -f FILE	only list requests and certs stored in this PEM file\n"),

+ 		N_("  -f FILE, --certfile=FILE\n"),

+ 		N_("			only list requests and certs stored in this PEM file\n"),

  		N_("* Bus options:\n"),

- 		N_("  -S	connect to the certmonger service on the system bus\n"),

- 		N_("  -s	connect to the certmonger service on the session bus\n"),

+ 		N_("  -S, --system		connect to the certmonger service on the system bus\n"),

+ 		N_("  -s, --session		connect to the certmonger service on the session bus\n"),

  		N_("* Other options:\n"),

- 		N_("  -v	report all details of errors\n"),

+ 		N_("  -v, --verbose		report all details of errors\n"),

  		NULL,

  	};

  	const char *refresh_help[] = {

  		N_("Usage: %s refresh [options]\n"),

  		"\n",

  		N_("* General options:\n"),

- 		N_("  -a	refresh information about all outstanding requests\n"),

+ 		N_("  -a, --all		refresh information about all outstanding requests\n"),

  		"\n",

  		N_("Required arguments:\n"),

  		N_("* By request identifier:\n"),

- 		N_("  -i NAME	nickname for tracking request\n"),

+ 		N_("  -i NAME, --id=NAME	nickname for tracking request\n"),

  		N_("* If using an NSS database for storage:\n"),

- 		N_("  -d DIR	NSS database for key and cert\n"),

- 		N_("  -n NAME	nickname for NSS-based storage (only valid with -d)\n"),

- 		N_("  -t NAME	optional token name for NSS-based storage (only valid with -d)\n"),

+ 		N_("  -d DIR, --dbdir=DIR	NSS database for key and cert\n"),

+ 		N_("  -n NAME, --nickname NAME\n"),

+ 		N_("			nickname for NSS-based storage (only valid with -d)\n"),

+ 		N_("  -t NAME, --token=NAME	optional token name for NSS-based storage\n"),

+ 		N_("			(only valid with -d)\n"),

  		N_("* If using files for storage:\n"),

- 		N_("  -f FILE	PEM file for certificate\n"),

+ 		N_("  -f FILE, --certfile=FILE\n"),

+ 		N_("			PEM file for certificate\n"),

  		"\n",

  		N_("Optional arguments:\n"),

  		N_("* Bus options:\n"),

- 		N_("  -S		connect to the certmonger service on the system bus\n"),

- 		N_("  -s		connect to the certmonger service on the session bus\n"),

- 		N_("  -v	report all details of errors\n"),

+ 		N_("  -S, --system		connect to the certmonger service on the system bus\n"),

+ 		N_("  -s, --session		connect to the certmonger service on the session bus\n"),

+ 		N_("* Other options:\n"),

+ 		N_("  -v, --verbose		report all details of errors\n"),

  		NULL,

  	};

  	const char *status_help[] = {
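Review bot: Several list_help descriptions were replaced with generic text that no longer says what the option does for this command. `-c CA, --ca=NAME` now reads `use the specified CA rather than the default` where the removed line said `list only requests and certs associated with this CA`, and `-d`/`-n` lost their `only list requests and certs which use this ...` wording. The same generic `-c` text appears in the list_cas_help, refresh_ca_help, add_ca_help, add_scep_ca_help, modify_ca_help and remove_ca_help hunks, and `-d`/`-n` changed the same way in status_help; for add-ca and remove-ca it no longer says that the name selects the configuration being created or removed. Keep the long option but restore each old description, e.g. `N_("  -c CA, --ca=NAME	list only requests and certs associated with this CA\n"),`. The metavariable also differs between the short and long form (`CA` vs `NAME`).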
@@ -5159,17 +5296,19 @@ 

  		"\n",

  		N_("Optional arguments:\n"),

  		N_("* Selecting a specific request:\n"),

- 		N_("  -i NAME	nickname for tracking request\n"),

+ 		N_("  -i NAME, --id=NAME	nickname for tracking request\n"),

  		N_("* When using an NSS database for storage:\n"),

- 		N_("  -d DIR	return status for the request in this NSS database\n"),

- 		N_("  -n NAME	return status for cert which uses this nickname\n"),

+ 		N_("  -d DIR, --dbdir=DIR	NSS database for key and cert\n"),

+ 		N_("  -n NAME, --nickname NAME\n"),

+ 		N_("			nickname for NSS-based storage (only valid with -d)\n"),

  		N_("* When using files for storage:\n"),

- 		N_("  -f FILE	return status for cert stored in this PEM file\n"),

+ 		N_("  -f FILE, --certfile=FILE\n"),

+ 		N_("			return status for cert stored in this PEM file\n"),

  		N_("* Bus options:\n"),

- 		N_("  -S	connect to the certmonger service on the system bus\n"),

- 		N_("  -s	connect to the certmonger service on the session bus\n"),

+ 		N_("  -S, --system		connect to the certmonger service on the system bus\n"),

+ 		N_("  -s, --session		connect to the certmonger service on the session bus\n"),

  		N_("* Other options:\n"),

- 		N_("  -v	report all details of errors\n"),

+ 		N_("  -v, --verbose		report all details of errors\n"),

  		NULL,

  	};

  	const char *list_cas_help[] = {
@@ -5178,13 +5317,13 @@ 

  		N_("Optional arguments:\n"),

  #ifndef FORCE_CA

  		N_("* General options:\n"),

- 		N_("  -c CA	list only information about the CA with this name\n"),

+ 		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),

  #endif

  		N_("* Bus options:\n"),

- 		N_("  -S	connect to the certmonger service on the system bus\n"),

- 		N_("  -s	connect to the certmonger service on the session bus\n"),

+ 		N_("  -S, --system		connect to the certmonger service on the system bus\n"),

+ 		N_("  -s, --session		connect to the certmonger service on the session bus\n"),

  		N_("* Other options:\n"),

- 		N_("  -v	report all details of errors\n"),

+ 		N_("  -v, --verbose		report all details of errors\n"),

  		NULL,

  	};

  	const char *refresh_ca_help[] = {
@@ -5193,14 +5332,14 @@ 

  		N_("Optional arguments:\n"),

  #ifndef FORCE_CA

  		N_("* General options:\n"),

- 		N_("  -c CA	refresh information about the CA with this name\n"),

- 		N_("  -a	refresh information about all known CAs\n"),

+ 		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),

+ 		N_("  -a, --all		refresh information about all known CAs\n"),

  #endif

  		N_("* Bus options:\n"),

- 		N_("  -S	connect to the certmonger service on the system bus\n"),

- 		N_("  -s	connect to the certmonger service on the session bus\n"),

+ 		N_("  -S, --system		connect to the certmonger service on the system bus\n"),

+ 		N_("  -s, --session		connect to the certmonger service on the session bus\n"),

  		N_("* Other options:\n"),

- 		N_("  -v	report all details of errors\n"),

+ 		N_("  -v, --verbose		report all details of errors\n"),

  		NULL,

  	};

  #ifndef FORCE_CA
@@ -5209,13 +5348,13 @@ 

  		"\n",

  		N_("Optional arguments:\n"),

  		N_("* General options:\n"),

- 		N_("  -c CA		nickname to give to the new CA configuration\n"),

- 		N_("  -e CMD	helper command to run to communicate with CA\n"),

+ 		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),

+ 		N_("  -e CMD, --command CMD	helper command to run to communicate with CA\n"),

  		N_("* Bus options:\n"),

- 		N_("  -S	connect to the certmonger service on the system bus\n"),

- 		N_("  -s	connect to the certmonger service on the session bus\n"),

+ 		N_("  -S, --system		connect to the certmonger service on the system bus\n"),

+ 		N_("  -s, --session		connect to the certmonger service on the session bus\n"),

  		N_("* Other options:\n"),

- 		N_("  -v	report all details of errors\n"),

+ 		N_("  -v, --verbose		report all details of errors\n"),

  		NULL,

  	};

  	const char *add_scep_ca_help[] = {
@@ -5223,18 +5362,23 @@ 

  		"\n",

  		N_("Optional arguments:\n"),

  		N_("* General options:\n"),

- 		N_("  -c CA		nickname to give to the new CA configuration\n"),

- 		N_("  -u URL	location of SCEP server\n"),

- 		N_("  -i ID		CA identifier\n"),

- 		N_("  -R FILE	file containing CA's certificate\n"),

- 		N_("  -r FILE	file containing RA's certificate\n"),

- 		N_("  -I FILE	file containing certificates in RA's certifying chain\n"),

- 		N_("  -n	prefer not to use the SCEP Renewal feature\n"),

+ 		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),

+ 		N_("  -u URL, --URL URL	location of SCEP server\n"),

+ 		N_("  -i ID, --id ID	CA identifier\n"),

+ 		N_("  -R FILE, --cacert=FILE\n"),

+ 		N_("			file containing web server's certificate\n"),

+ 		N_("  -r FILE, --racert=FILE\n"),

+ 		N_("			file containing RA's certificate\n"),

+ 		N_("  -N FILE, --signingca=FILE\n"),

+ 		N_("			file containing CA's certificate\n"),

+ 		N_("  -I FILE, --other-certs=FILE\n"),

+ 		N_("			file containing certificates in RA's certifying chain\n"),

+ 		N_("  -n, --non-renewal	prefer not to use the SCEP Renewal feature\n"),

  		N_("* Bus options:\n"),

- 		N_("  -S	connect to the certmonger service on the system bus\n"),

- 		N_("  -s	connect to the certmonger service on the session bus\n"),

+ 		N_("  -S, --system		connect to the certmonger service on the system bus\n"),

+ 		N_("  -s, --session		connect to the certmonger service on the session bus\n"),

  		N_("* Other options:\n"),

- 		N_("  -v	report all details of errors\n"),

+ 		N_("  -v, --verbose		report all details of errors\n"),

  		NULL,

  	};

  	const char *modify_ca_help[] = {
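Review bot: In add_scep_ca_help neither certificate option says what its file is trusted for: `-R FILE, --cacert=FILE` changed from `file containing CA's certificate` to `file containing web server's certificate`, and the new `-N FILE, --signingca=FILE` is described only as `file containing CA's certificate`. If `-R` is the certificate used to verify the HTTPS connection to the SCEP server and `-N` the one used to verify SCEP responses (the option handling is not in this hunk, so this needs confirming), the text should say so, e.g. `N_("			file containing CA certificate used to verify the SCEP server's TLS certificate\n"),`. An administrator who gives the wrong file to either option can break or weaken verification, so the two roles should be distinguishable from the help output alone. `--URL` is also the only upper-case long option in these arrays and is worth checking against the option table.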
@@ -5242,13 +5386,13 @@ 

  		"\n",

  		N_("Optional arguments:\n"),

  		N_("* General options:\n"),

- 		N_("  -c CA		nickname of the CA configuration\n"),

- 		N_("  -e CMD	updated helper command to run to communicate with CA\n"),

+ 		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),

+ 		N_("  -e CMD, --command CMD	helper command to run to communicate with CA\n"),

  		N_("* Bus options:\n"),

- 		N_("  -S	connect to the certmonger service on the system bus\n"),

- 		N_("  -s	connect to the certmonger service on the session bus\n"),

+ 		N_("  -S, --system		connect to the certmonger service on the system bus\n"),

+ 		N_("  -s, --session		connect to the certmonger service on the session bus\n"),

  		N_("* Other options:\n"),

- 		N_("  -v	report all details of errors\n"),

+ 		N_("  -v, --verbose		report all details of errors\n"),

  		NULL,

  	};

  	const char *remove_ca_help[] = {
@@ -5256,12 +5400,12 @@ 

  		"\n",

  		N_("Optional arguments:\n"),

  		N_("* General options:\n"),

- 		N_("  -c CA	nickname of CA configuration to remove\n"),

+ 		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),

  		N_("* Bus options:\n"),

- 		N_("  -S	connect to the certmonger service on the system bus\n"),

- 		N_("  -s	connect to the certmonger service on the session bus\n"),

+ 		N_("  -S, --system		connect to the certmonger service on the system bus\n"),

+ 		N_("  -s, --session		connect to the certmonger service on the session bus\n"),

  		N_("* Other options:\n"),

- 		N_("  -v	report all details of errors\n"),

+ 		N_("  -v, --verbose		report all details of errors\n"),

  		NULL,

  	};

  #endif

file modified
+37 -37
@@ -1,20 +1,20 @@ 

- .TH certmonger 1 "3 November 2009" "certmonger Manual"

+ .TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"

  

  .SH NAME

- ipa-getcert

+ ipa\-getcert

  

  .SH SYNOPSIS

-  ipa-getcert request [options]

-  ipa-getcert resubmit [options]

-  ipa-getcert start-tracking [options]

-  ipa-getcert status [options]

-  ipa-getcert stop-tracking [options]

-  ipa-getcert list [options]

-  ipa-getcert list-cas [options]

-  ipa-getcert refresh-cas [options]

+  ipa\-getcert request [options]

+  ipa\-getcert resubmit [options]

+  ipa\-getcert start\-tracking [options]

+  ipa\-getcert status [options]

+  ipa\-getcert stop\-tracking [options]

+  ipa\-getcert list [options]

+  ipa\-getcert list\-cas [options]

+  ipa\-getcert refresh\-cas [options]

  

  .SH DESCRIPTION

- The \fIipa-getcert\fR tool issues requests to a @CM_DBUS_NAME@

+ The \fIipa\-getcert\fR tool issues requests to a @CM_DBUS_NAME@

  service on behalf of the invoking user.  It can ask the service to begin

  enrollment, optionally generating a key pair to use, it can ask the

  service to begin monitoring a certificate in a specified location for
@@ -22,17 +22,17 @@ 

  list the set of certificates that the service is already monitoring, or

  it can list the set of CAs that the service is capable of using.

  

- If no command is given as the first command-line argument,

- \fIipa-getcert\fR will print short usage information for each of

+ If no command is given as the first command\-line argument,

+ \fIipa\-getcert\fR will print short usage information for each of

  its functions.

  

- The \fIipa-getcert\fR tool behaves identically to the generic

- \fIgetcert\fR tool when it is used with the \fB-c

+ The \fIipa\-getcert\fR tool behaves identically to the generic

+ \fIgetcert\fR tool when it is used with the \fB\-c

  \fI@CM_IPA_CA_NAME@\fR option.

  

  \fBcertmonger\fR supports retrieving trusted certificates from IPA CAs.  See

- \fBgetcert-request\fR(1) and \fBgetcert-resubmit\fR(1) for information about

- using the \fB-F\fR and \fB-a\fR options to specify where those certificates

+ \fBgetcert\-request\fR(1) and \fBgetcert\-resubmit\fR(1) for information about

+ using the \fB\-F\fR and \fB\-a\fR options to specify where those certificates

  should be stored.

  

  .SH BUGS
@@ -41,24 +41,24 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+38 -38
@@ -1,20 +1,20 @@ 

- .TH certmonger 1 "7 June 2014" "certmonger Manual"

+ .TH CERTMONGER 1 "June 7, 2014" "certmonger Manual"

  

  .SH NAME

- local-getcert

+ local\-getcert

  

  .SH SYNOPSIS

-  local-getcert request [options]

-  local-getcert resubmit [options]

-  local-getcert start-tracking [options]

-  local-getcert status [options]

-  local-getcert stop-tracking [options]

-  local-getcert list [options]

-  local-getcert list-cas [options]

-  local-getcert refresh-cas [options]

+  local\-getcert request [options]

+  local\-getcert resubmit [options]

+  local\-getcert start\-tracking [options]

+  local\-getcert status [options]

+  local\-getcert stop\-tracking [options]

+  local\-getcert list [options]

+  local\-getcert list\-cas [options]

+  local\-getcert refresh\-cas [options]

  

  .SH DESCRIPTION

- The \fIlocal-getcert\fR tool issues requests to a @CM_DBUS_NAME@

+ The \fIlocal\-getcert\fR tool issues requests to a @CM_DBUS_NAME@

  service on behalf of the invoking user.  It can ask the service to begin

  enrollment, optionally generating a key pair to use, it can ask the

  service to begin monitoring a certificate in a specified location for
@@ -22,17 +22,17 @@ 

  list the set of certificates that the service is already monitoring, or

  it can list the set of CAs that the service is capable of using.

  

- If no command is given as the first command-line argument,

- \fIlocal-getcert\fR will print short usage information for each of

+ If no command is given as the first command\-line argument,

+ \fIlocal\-getcert\fR will print short usage information for each of

  its functions.

  

- The \fIlocal-getcert\fR tool behaves identically to the generic

- \fIgetcert\fR tool when it is used with the \fB-c

+ The \fIlocal\-getcert\fR tool behaves identically to the generic

+ \fIgetcert\fR tool when it is used with the \fB\-c

  \fIlocal\fR option.

  

- \fBcertmonger\fR supports retrieving the list of current and previously-used

- local CA certificates.  See \fBgetcert-request\fR(1) and

- \fBgetcert-resubmit\fR(1) for information about using the \fB-F\fR and \fB-a\fR

+ \fBcertmonger\fR supports retrieving the list of current and previously\-used

+ local CA certificates.  See \fBgetcert\-request\fR(1) and

+ \fBgetcert\-resubmit\fR(1) for information about using the \fB\-F\fR and \fB\-a\fR

  options to specify where those certificates should be stored.

  

  .SH BUGS
@@ -41,24 +41,24 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

file modified
+1 -1
@@ -229,7 +229,7 @@ 

  		{"url", 'u', POPT_ARG_STRING, &url, 0, "service location", "URL"},

  		{"ca-identifier", 'i', POPT_ARG_STRING, &id, 0, "name to use when querying for capabilities", "IDENTIFIER"},

  		{"retrieve-ca-capabilities", 'c', POPT_ARG_NONE, NULL, 'c', "make a GetCACaps request", NULL},

- 		{"retrieve-ca-certificates", 'C', POPT_ARG_NONE, NULL, 'C', "make GetCACert/GetCAChain requests", NULL},

+ 		{"retrieve-ca-certificates", 'C', POPT_ARG_NONE, NULL, 'C', "make GetCACert request", NULL},

  		{"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL},

  		{"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL},

  		{"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},

file modified
+37 -37
@@ -1,20 +1,20 @@ 

- .TH certmonger 1 "3 November 2009" "certmonger Manual"

+ .TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"

  

  .SH NAME

- selfsign-getcert

+ selfsign\-getcert

  

  .SH SYNOPSIS

-  selfsign-getcert request [options]

-  selfsign-getcert resubmit [options]

-  selfsign-getcert start-tracking [options]

-  selfsign-getcert status [options]

-  selfsign-getcert stop-tracking [options]

-  selfsign-getcert list [options]

-  selfsign-getcert list-cas [options]

-  selfsign-getcert refresh-cas [options]

+  selfsign\-getcert request [options]

+  selfsign\-getcert resubmit [options]

+  selfsign\-getcert start\-tracking [options]

+  selfsign\-getcert status [options]

+  selfsign\-getcert stop\-tracking [options]

+  selfsign\-getcert list [options]

+  selfsign\-getcert list\-cas [options]

+  selfsign\-getcert refresh\-cas [options]

  

  .SH DESCRIPTION

- The \fIselfsign-getcert\fR tool issues requests to a @CM_DBUS_NAME@

+ The \fIselfsign\-getcert\fR tool issues requests to a @CM_DBUS_NAME@

  service on behalf of the invoking user.  It can ask the service to begin

  enrollment, optionally generating a key pair to use, it can ask the

  service to begin monitoring a certificate in a specified location for
@@ -22,16 +22,16 @@ 

  list the set of certificates that the service is already monitoring, or

  it can list the set of CAs that the service is capable of using.

  

- If no command is given as the first command-line argument,

- \fIselfsign-getcert\fR will print short usage information for each of

+ If no command is given as the first command\-line argument,

+ \fIselfsign\-getcert\fR will print short usage information for each of

  its functions.

  

- The \fIselfsign-getcert\fR tool behaves identically to the generic

- \fIgetcert\fR tool when it is used with the \fB-c

+ The \fIselfsign\-getcert\fR tool behaves identically to the generic

+ \fIgetcert\fR tool when it is used with the \fB\-c

  \fI@CM_SELF_SIGN_CA_NAME@\fR option.

  

- \fBcertmonger\fR's self-signer doesn't use root certificates.  While the

- \fB-F\fR and \fB-a\fR options will still be recognized, they will effectively

+ \fBcertmonger\fR's self\-signer doesn't use root certificates.  While the

+ \fB\-F\fR and \fB\-a\fR options will still be recognized, they will effectively

  be ignored.

  

  .SH BUGS
@@ -40,24 +40,24 @@ 

  .SH SEE ALSO

  \fBcertmonger\fR(8)

  \fBgetcert\fR(1)

- \fBgetcert-add-ca\fR(1)

- \fBgetcert-add-scep-ca\fR(1)

- \fBgetcert-list-cas\fR(1)

- \fBgetcert-list\fR(1)

- \fBgetcert-modify-ca\fR(1)

- \fBgetcert-refresh-ca\fR(1)

- \fBgetcert-refresh\fR(1)

- \fBgetcert-rekey\fR(1)

- \fBgetcert-remove-ca\fR(1)

- \fBgetcert-request\fR(1)

- \fBgetcert-resubmit\fR(1)

- \fBgetcert-start-tracking\fR(1)

- \fBgetcert-status\fR(1)

- \fBgetcert-stop-tracking\fR(1)

- \fBcertmonger-certmaster-submit\fR(8)

- \fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)

- \fBcertmonger-dogtag-submit\fR(8)

- \fBcertmonger-ipa-submit\fR(8)

- \fBcertmonger-local-submit\fR(8)

- \fBcertmonger-scep-submit\fR(8)

+ \fBgetcert\-add\-ca\fR(1)

+ \fBgetcert\-add\-scep\-ca\fR(1)

+ \fBgetcert\-list\-cas\fR(1)

+ \fBgetcert\-list\fR(1)

+ \fBgetcert\-modify\-ca\fR(1)

+ \fBgetcert\-refresh\-ca\fR(1)

+ \fBgetcert\-refresh\fR(1)

+ \fBgetcert\-rekey\fR(1)

+ \fBgetcert\-remove\-ca\fR(1)

+ \fBgetcert\-request\fR(1)

+ \fBgetcert\-resubmit\fR(1)

+ \fBgetcert\-start\-tracking\fR(1)

+ \fBgetcert\-status\fR(1)

+ \fBgetcert\-stop\-tracking\fR(1)

+ \fBcertmonger\-certmaster\-submit\fR(8)

+ \fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)

+ \fBcertmonger\-dogtag\-submit\fR(8)

+ \fBcertmonger\-ipa\-submit\fR(8)

+ \fBcertmonger\-local\-submit\fR(8)

+ \fBcertmonger\-scep\-submit\fR(8)

  \fBcertmonger_selinux\fR(8)

The long options for the commands and daemon were not documented either in the man page or the help output.

rebased onto 525a9b4

3 years ago

Pull-Request has been merged by rcritten

3 years ago