certmonger-certmaster-submit - Man Page



certmaster-submit [-h HOST] [-c FILE] [-C DIR] [-v] [csrfile]


certmaster-submit is the helper which certmonger uses to make requests to certmaster-based CAs.  It is not normally run interactively, but it can be for troubleshooting purposes.  The signing request which is to be submitted should either be in a file whose name is given as an argument, or fed into certmaster-submit via stdin.

There is no standard authenticated method for obtaining the root certificate from certmaster CAs, so certmonger does not support retrieving trust information from them.


-h HOST, --server-host=HOST

Submit the request to the certmaster instance running on the named host.  The default is localhost:51235 if a file named /var/run/certmaster.pid is found on the local system, and is read from /etc/certmaster/minion.conf if that file is not found.

-c FILE, --cafile=FILE

Submit the request over HTTPS instead of HTTP, and only trust the server if its certificate was issued by the CA whose certificate is in the named file.

-C DIR, --capath=DIR

Submit the request over HTTPS instead of HTTP, and only trust the server if its certificate was issued by a CA whose certificate is in a file in the named directory.

-v, --verbose

Be verbose about errors.  Normally, the details of an error received from the daemon will be suppressed if the client can make a diagnostic suggestion.

Exit Status


if the certificate was issued. The certificate will be printed.


if the CA is still thinking.  A cookie value will be printed.


if the CA rejected the request.  An error message may be printed.


if the CA was unreachable.  An error message may be printed.


if critical configuration information is missing.  An error message may be printed.



the certmaster service's PID file.  Its presence is taken to indicate that this system is a CA, and that requests should be submitted to a certmaster server running on the local system.


the certmaster minion configuration file.  If there is no indication that the local system is a certmaster server, then this file is consulted to determine the location of the certmaster server.

Known Bugs

Checking for the existence of certmaster's PID file is a terrible way to figure out whether we're a minion or not.


Please file tickets for any that you find at https://fedorahosted.org/certmonger/

See Also

certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1) getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1) getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1) getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1) getcert-status(1) getcert-stop-tracking(1) certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8) certmonger-ipa-submit(8) certmonger-local-submit(8) certmonger-scep-submit(8) certmonger_selinux(8)

Referenced By

certmaster-getcert(1), certmonger(8), certmonger-dogtag-ipa-renew-agent-submit(8), certmonger-dogtag-submit(8), certmonger-ipa-submit(8), certmonger-local-submit(8), certmonger-scep-submit(8), getcert(1), getcert-add-ca(1), getcert-add-scep-ca(1), getcert-list(1), getcert-list-cas(1), getcert-modify-ca(1), getcert-refresh(1), getcert-refresh-ca(1), getcert-rekey(1), getcert-remove-ca(1), getcert-request(1), getcert-resubmit(1), getcert-start-tracking(1), getcert-status(1), getcert-stop-tracking(1), ipa-getcert(1), local-getcert(1), selfsign-getcert(1).

June 7, 2010 certmonger Manual