diff --git a/.certmonger.metadata b/.certmonger.metadata
index a647082..2f88761 100644
--- a/.certmonger.metadata
+++ b/.certmonger.metadata
@@ -1 +1 @@
-f73818aec2b6e1d9765af188547e2c82e644209c SOURCES/certmonger-0.79.7.tar.gz
+eecb2ceb6f293cf30ffed148fb3ad5021febe301 SOURCES/certmonger-0.79.13.tar.gz
diff --git a/.gitignore b/.gitignore
index fe7ff44..1202bac 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/certmonger-0.79.7.tar.gz
+SOURCES/certmonger-0.79.13.tar.gz
diff --git a/SOURCES/0001-Don-t-run-the-002-keygen-tests-when-root.patch b/SOURCES/0001-Don-t-run-the-002-keygen-tests-when-root.patch
new file mode 100644
index 0000000..8590858
--- /dev/null
+++ b/SOURCES/0001-Don-t-run-the-002-keygen-tests-when-root.patch
@@ -0,0 +1,38 @@
+From a176d474644e0f1f2ce520ed69b04dc649ed2bed Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 29 Oct 2020 10:13:08 -0400
+Subject: [PATCH] Don't run the 002-keygen-* tests when root
+
+The permissions tests will fail.
+---
+ tests/002-keygen-dbm/prequal.sh | 5 +++++
+ tests/002-keygen-sql/prequal.sh | 5 +++++
+ 2 files changed, 10 insertions(+)
+ create mode 100755 tests/002-keygen-dbm/prequal.sh
+ create mode 100755 tests/002-keygen-sql/prequal.sh
+
+diff --git a/tests/002-keygen-dbm/prequal.sh b/tests/002-keygen-dbm/prequal.sh
+new file mode 100755
+index 00000000..d146a650
+--- /dev/null
++++ b/tests/002-keygen-dbm/prequal.sh
+@@ -0,0 +1,5 @@
++#!/bin/sh
++if test `id -u` -eq 0 ; then
++	echo "This test won't work right if run as root."
++	exit 1
++fi
+diff --git a/tests/002-keygen-sql/prequal.sh b/tests/002-keygen-sql/prequal.sh
+new file mode 100755
+index 00000000..d146a650
+--- /dev/null
++++ b/tests/002-keygen-sql/prequal.sh
+@@ -0,0 +1,5 @@
++#!/bin/sh
++if test `id -u` -eq 0 ; then
++	echo "This test won't work right if run as root."
++	exit 1
++fi
+-- 
+2.25.4
+
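Review bot: The root check added in both new scripts (`tests/002-keygen-dbm/prequal.sh` and `tests/002-keygen-sql/prequal.sh`) has no comment saying why root breaks these tests, and the patch description only says the permissions tests will fail. Presumably the keygen tests expect file-mode denials that uid 0 bypasses; if so, a line such as `# root bypasses file mode checks, so the permission-denied cases cannot fail as expected` above the `if` would record that. The check also treats a failed `id -u` as "not root": with an empty expansion `test` reports an error, the condition is false and the script exits 0, whereas `uid=$(id -u) || exit 1` followed by `if test "$uid" -eq 0 ; then` would exit non-zero just as the root case does. Because a non-zero prequal appears to skip the test, the key-file permission behaviour goes unverified in any root build, so it is worth confirming that the package's test run happens as an unprivileged user.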
diff --git a/SOURCES/0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch b/SOURCES/0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch
deleted file mode 100644
index 8e19e28..0000000
--- a/SOURCES/0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch
+++ /dev/null
@@ -1,293 +0,0 @@
-From fd17f002b2f4150a1fddc2582a21c6c03933a28a Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Fri, 23 Feb 2018 10:43:44 -0500
-Subject: [PATCH] NSS crypto policy sets minimum RSA and DSA key size to 2048
-
-Remove keys < 2048 for the NSS tests. This affects some of the
-OpenSSL tests as well where they run in a combined loop.
-
-Where it was not invasive to do I left the 1024/1536 for OpenSSL.
----
- tests/001-keyiread-dsa/expected.out |  6 +++---
- tests/001-keyiread-dsa/run.sh       |  2 +-
- tests/001-keyiread-rsa/expected.out |  2 --
- tests/001-keyiread-rsa/run.sh       |  2 +-
- tests/001-keyiread/expected.out     |  2 --
- tests/001-keyiread/run.sh           |  2 +-
- tests/002-keygen-rsa/expected.out   |  6 ------
- tests/002-keygen-rsa/run.sh         |  2 +-
- tests/002-keygen/expected.out       | 18 ------------------
- tests/002-keygen/run.sh             |  2 +-
- tests/003-csrgen-rsa/expected.out   |  6 ------
- tests/003-csrgen-rsa/run.sh         |  4 ++--
- tests/003-csrgen/expected.out       |  8 --------
- tests/003-csrgen/run.sh             |  4 ++--
- tests/004-selfsign-rsa/expected.out |  2 --
- tests/004-selfsign-rsa/run.sh       |  2 +-
- tests/004-selfsign/expected.out     |  2 --
- tests/004-selfsign/run.sh           |  2 +-
- 18 files changed, 14 insertions(+), 60 deletions(-)
-
-diff --git a/tests/001-keyiread-dsa/expected.out b/tests/001-keyiread-dsa/expected.out
-index b09db0ae..50643176 100644
---- a/tests/001-keyiread-dsa/expected.out
-+++ b/tests/001-keyiread-dsa/expected.out
-@@ -1,4 +1,4 @@
--OK (DSA:1024).
--OK (DSA:1024).
--OK (DSA:1024).
-+OK (DSA:2048).
-+OK (DSA:2048).
-+OK (DSA:2048).
- Test complete.
-diff --git a/tests/001-keyiread-dsa/run.sh b/tests/001-keyiread-dsa/run.sh
-index 9f96b3bc..68f6d1c3 100755
---- a/tests/001-keyiread-dsa/run.sh
-+++ b/tests/001-keyiread-dsa/run.sh
-@@ -5,7 +5,7 @@ cd "$tmpdir"
- source "$srcdir"/functions
- initnssdb "$tmpdir"
- 
--for size in 1024 ; do
-+for size in 2048 ; do
- 	# Generate a self-signed cert.
- 	run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
- 		-s "cn=T$size" -c "cn=T$size" \
-diff --git a/tests/001-keyiread-rsa/expected.out b/tests/001-keyiread-rsa/expected.out
-index 727897d1..3daa51f2 100644
---- a/tests/001-keyiread-rsa/expected.out
-+++ b/tests/001-keyiread-rsa/expected.out
-@@ -1,5 +1,3 @@
--OK (RSA:1024).
--OK (RSA:1536).
- OK (RSA:2048).
- OK (RSA:3072).
- OK (RSA:4096).
-diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
-index c7b77686..ec31c7c7 100755
---- a/tests/001-keyiread-rsa/run.sh
-+++ b/tests/001-keyiread-rsa/run.sh
-@@ -5,7 +5,7 @@ cd "$tmpdir"
- source "$srcdir"/functions
- initnssdb "$tmpdir"
- 
--for size in 1024 1536 2048 3072 4096 ; do
-+for size in 2048 3072 4096 ; do
- 	# Generate a self-signed cert.
- 	run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
- 		-s "cn=T$size" -c "cn=T$size" \
-diff --git a/tests/001-keyiread/expected.out b/tests/001-keyiread/expected.out
-index 727897d1..3daa51f2 100644
---- a/tests/001-keyiread/expected.out
-+++ b/tests/001-keyiread/expected.out
-@@ -1,5 +1,3 @@
--OK (RSA:1024).
--OK (RSA:1536).
- OK (RSA:2048).
- OK (RSA:3072).
- OK (RSA:4096).
-diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
-index ce1428ed..0b31df95 100755
---- a/tests/001-keyiread/run.sh
-+++ b/tests/001-keyiread/run.sh
-@@ -5,7 +5,7 @@ cd "$tmpdir"
- source "$srcdir"/functions
- initnssdb "$tmpdir"
- 
--for size in 1024 1536 2048 3072 4096 ; do
-+for size in 2048 3072 4096 ; do
- 	# Generate a self-signed cert.
- 	run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
- 		-s "cn=T$size" -c "cn=T$size" \
-diff --git a/tests/002-keygen-rsa/expected.out b/tests/002-keygen-rsa/expected.out
-index 3e6e9f3c..f7c146d0 100644
---- a/tests/002-keygen-rsa/expected.out
-+++ b/tests/002-keygen-rsa/expected.out
-@@ -1,9 +1,3 @@
--[nss:1024]
--OK.
--OK (RSA:1024).
--[nss:1536]
--OK.
--OK (RSA:1536).
- [nss:2048]
- OK.
- OK (RSA:2048).
-diff --git a/tests/002-keygen-rsa/run.sh b/tests/002-keygen-rsa/run.sh
-index 476f4127..c0c59249 100755
---- a/tests/002-keygen-rsa/run.sh
-+++ b/tests/002-keygen-rsa/run.sh
-@@ -5,7 +5,7 @@ cd "$tmpdir"
- source "$srcdir"/functions
- initnssdb "$tmpdir"
- 
--for size in 1024 1536 2048 3072 4096 ; do
-+for size in 2048 3072 4096 ; do
- 	echo "[nss:$size]"
- 	# Generate a key.
- 	cat > entry.$size <<- EOF
-diff --git a/tests/002-keygen/expected.out b/tests/002-keygen/expected.out
-index dcd1af06..b8fbea56 100644
---- a/tests/002-keygen/expected.out
-+++ b/tests/002-keygen/expected.out
-@@ -1,21 +1,3 @@
--[nss:1024]
--OK.
--OK (RSA:1024).
--OK.
--OK (RSA:1024 after RSA:1024).
--OK.
--OK (RSA:1024 after RSA:1024).
--keyi1024
--keyi1024 (candidate (next))
--[nss:1536]
--OK.
--OK (RSA:1536).
--OK.
--OK (RSA:1536 after RSA:1536).
--OK.
--OK (RSA:1536 after RSA:1536).
--keyi1536
--keyi1536 (candidate (next))
- [nss:2048]
- OK.
- OK (RSA:2048).
-diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
-index 08af1523..94230e6f 100755
---- a/tests/002-keygen/run.sh
-+++ b/tests/002-keygen/run.sh
-@@ -7,7 +7,7 @@ scheme="${scheme:-dbm:}"
- source "$srcdir"/functions
- initnssdb "$scheme$tmpdir"
- 
--for size in 1024 1536 2048 3072 4096 ; do
-+for size in 2048 3072 4096 ; do
- 	echo "[nss:$size]"
- 	# Generate a key.
- 	cat > entry.$size <<- EOF
-diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out
-index c9dec729..def53fe4 100644
---- a/tests/003-csrgen-rsa/expected.out
-+++ b/tests/003-csrgen-rsa/expected.out
-@@ -1,10 +1,4 @@
- pk12util: PKCS12 EXPORT SUCCESSFUL
--1024 OK.
--Signature OK
--pk12util: PKCS12 EXPORT SUCCESSFUL
--1536 OK.
--Signature OK
--pk12util: PKCS12 EXPORT SUCCESSFUL
- 2048 OK.
- Signature OK
- pk12util: PKCS12 EXPORT SUCCESSFUL
-diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
-index 4cd84084..bb8ebecb 100755
---- a/tests/003-csrgen-rsa/run.sh
-+++ b/tests/003-csrgen-rsa/run.sh
-@@ -5,7 +5,7 @@ cd "$tmpdir"
- source "$srcdir"/functions
- initnssdb "$tmpdir"
- 
--for size in 1024 1536 2048 3072 4096 ; do
-+for size in 2048 3072 4096 ; do
- 	# Build a self-signed certificate.
- 	run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
- 		-s "cn=T$size" -c "cn=T$size" \
-@@ -147,7 +147,7 @@ iterate() {
- 
- iteration=1
- 
--for size in 1024 ; do
-+for size in 2048 ; do
- 	iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment"
- done
- 
-diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out
-index 8e6cac6e..04342c0f 100644
---- a/tests/003-csrgen/expected.out
-+++ b/tests/003-csrgen/expected.out
-@@ -1,13 +1,5 @@
- pk12util: PKCS12 EXPORT SUCCESSFUL
- Signature OK
--minicert.openssl.1024.pem: OK
--1024 OK.
--pk12util: PKCS12 EXPORT SUCCESSFUL
--Signature OK
--minicert.openssl.1536.pem: OK
--1536 OK.
--pk12util: PKCS12 EXPORT SUCCESSFUL
--Signature OK
- minicert.openssl.2048.pem: OK
- 2048 OK.
- pk12util: PKCS12 EXPORT SUCCESSFUL
-diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
-index 7c169ed9..31466b5c 100755
---- a/tests/003-csrgen/run.sh
-+++ b/tests/003-csrgen/run.sh
-@@ -5,7 +5,7 @@ cd "$tmpdir"
- source "$srcdir"/functions
- initnssdb "$tmpdir"
- 
--for size in 1024 1536 2048 3072 4096 ; do
-+for size in 2048 3072 4096 ; do
- 	# Build a self-signed certificate.
- 	run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
- 		-s "cn=T$size" -c "cn=T$size" \
-@@ -199,7 +199,7 @@ iterate() {
- 
- iteration=1
- 
--for size in 1024 ; do
-+for size in 2048 ; do
- 	iterate "$size" "$subject" "$hostname" "$email" "$principal" "$ku" "$eku" "$challengepassword" "$certfname" "$ca" "$capathlen" "$crldp" "$ocsp" "$nscomment" "$subjectder" "$ipaddress" "$freshestcrl" "$no_ocsp_check" "$profile" "$ns_certtype"
- done
- 
-diff --git a/tests/004-selfsign-rsa/expected.out b/tests/004-selfsign-rsa/expected.out
-index dd5029ec..0eb84ef1 100644
---- a/tests/004-selfsign-rsa/expected.out
-+++ b/tests/004-selfsign-rsa/expected.out
-@@ -1,5 +1,3 @@
--1024 OK.
--1536 OK.
- 2048 OK.
- 3072 OK.
- 4096 OK.
-diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
-index 6f9285b6..c1dd4c80 100755
---- a/tests/004-selfsign-rsa/run.sh
-+++ b/tests/004-selfsign-rsa/run.sh
-@@ -33,7 +33,7 @@ function setupca() {
- 	EOF
- }
- 
--for size in 1024 1536 2048 3072 4096 ; do
-+for size in 2048 3072 4096 ; do
- 	# Build a self-signed certificate.
- 	run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
- 		-s "cn=T$size" -c "cn=T$size" \
-diff --git a/tests/004-selfsign/expected.out b/tests/004-selfsign/expected.out
-index dd5029ec..0eb84ef1 100644
---- a/tests/004-selfsign/expected.out
-+++ b/tests/004-selfsign/expected.out
-@@ -1,5 +1,3 @@
--1024 OK.
--1536 OK.
- 2048 OK.
- 3072 OK.
- 4096 OK.
-diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
-index 7bb368ec..eb1df4ee 100755
---- a/tests/004-selfsign/run.sh
-+++ b/tests/004-selfsign/run.sh
-@@ -43,7 +43,7 @@ function setupca() {
- 	EOF
- }
- 
--for size in 1024 1536 2048 3072 4096 ; do
-+for size in 2048 3072 4096 ; do
- 	# Build a self-signed certificate.
- 	run_certutil -d "$tmpdir" -S -g $size -n keyi$size \
- 		-s "cn=T$size" -c "cn=T$size" \
--- 
-2.16.2
-
diff --git a/SOURCES/0002-Convert-tests-to-use-python3.patch b/SOURCES/0002-Convert-tests-to-use-python3.patch
deleted file mode 100644
index b31e3ce..0000000
--- a/SOURCES/0002-Convert-tests-to-use-python3.patch
+++ /dev/null
@@ -1,788 +0,0 @@
-From 653cd0571fe92c9fd4323f93ff23b9720c00fd5f Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Tue, 31 Jul 2018 13:09:02 -0400
-Subject: [PATCH] Convert tests to use python3
-
----
- tests/028-dbus/expected.out                 |  32 +-
- tests/028-dbus/expected.out.nodsa           |  22 +-
- tests/028-dbus/prequal.sh                   |   8 +-
- tests/028-dbus/run.sh                       |   9 +-
- tests/028-dbus/runsub.sh                    |   2 +-
- tests/028-dbus/simpleprop.py                |  14 +-
- tests/028-dbus/walk.py                      | 392 ++++++++++----------
- tests/038-ms-v2-template/extract-extdata.py |   5 +-
- 8 files changed, 243 insertions(+), 241 deletions(-)
-
-diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
-index ca3179e..1d8bec4 100644
---- a/tests/028-dbus/expected.out
-+++ b/tests/028-dbus/expected.out
-@@ -1,5 +1,3 @@
--Certificate in file "${tmpdir}/test.crt" issued by CA and saved.
--Certificate in file "${tmpdir}/test.crt" issued by CA and saved.
- [[ getcert ]]
- State MONITORING, stuck: no.
- Number of certificates and requests being tracked: 1.
-@@ -187,13 +185,13 @@ dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.Object
- dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
- 
- [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_types ]
--dbus.Array([dbus.String(u'RSA'), dbus.String(u'DSA'), dbus.String(u'EC')], signature=dbus.Signature('s'))
-+dbus.Array([dbus.String('RSA'), dbus.String('DSA'), dbus.String('EC')], signature=dbus.Signature('s'))
- 
- [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_storage ]
--dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
-+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
- 
- [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_cert_storage ]
--dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
-+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
- 
- [ /org/fedorahosted/certmonger : org.fedorahosted.certmonger.remove_known_ca ]
- OK
-@@ -433,19 +431,19 @@ Buddy
- 
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
--(dbus.String(u'CN=$UUID,CN=Local Signing Authority'), dbus.String(u'$UUID'), dbus.String(u'CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
-+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
- recently
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_storage_info ]
--(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.crt'))
-+(dbus.String('FILE'), dbus.String('$tmpdir/test.crt'))
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_data ]
- 
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_info ]
--(dbus.String(u'CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'id-kp-serverAuth')], signature=dbus.Signature('s')))
-+(dbus.String('CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('id-kp-serverAuth')], signature=dbus.Signature('s')))
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_pin ]
- 
-@@ -454,19 +452,19 @@ recently
- 
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_storage_info ]
--(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.key'))
-+(dbus.String('FILE'), dbus.String('$tmpdir/test.key'))
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_type_and_size ]
--(dbus.String(u'RSA'), dbus.Int64(512L))
-+(dbus.String('RSA'), dbus.Int64(512))
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_monitoring ]
- 1
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_notification_info ]
--(dbus.String(u'stdout'), dbus.String(u'daemon.notice'))
-+(dbus.String('stdout'), dbus.String('daemon.notice'))
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_status ]
--(dbus.String(u'MONITORING'), dbus.Boolean(False))
-+(dbus.String('MONITORING'), dbus.Boolean(False))
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_ca ]
- /org/fedorahosted/certmonger/cas/CA1
-@@ -482,7 +480,7 @@ recently
- 
- [ /org/fedorahosted/certmonger/requests/Request2 : org.fedorahosted.certmonger.request.modify ]
- 1 on /org/fedorahosted/certmonger/requests/Request2
--After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
-+After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String('1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ]
- 1
-@@ -713,7 +711,7 @@ dbus.Array([], signature=dbus.Signature('s'))
- </node>
- 
- [ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_config_file_path ]
--$tmpdir/cas/20180327134236
-+$tmpdir/cas/date
- 
- [ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_nickname ]
- SelfSign
-@@ -828,7 +826,7 @@ dbus.Array([], signature=dbus.Signature('s'))
- </node>
- 
- [ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_config_file_path ]
--$tmpdir/cas/20180327134236-1
-+$tmpdir/cas/date-1
- 
- [ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_nickname ]
- IPA
-@@ -941,7 +939,7 @@ dbus.Array([], signature=dbus.Signature('s'))
- </node>
- 
- [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
--$tmpdir/cas/20180327134236-2
-+$tmpdir/cas/date-2
- 
- [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
- certmaster
-@@ -1054,7 +1052,7 @@ dbus.Array([], signature=dbus.Signature('s'))
- </node>
- 
- [ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
--$tmpdir/cas/20180327134236-3
-+$tmpdir/cas/date-3
- 
- [ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
- dogtag-ipa-renew-agent
-diff --git a/tests/028-dbus/expected.out.nodsa b/tests/028-dbus/expected.out.nodsa
-index a23af40..5082ee0 100644
---- a/tests/028-dbus/expected.out.nodsa
-+++ b/tests/028-dbus/expected.out.nodsa
-@@ -187,13 +187,13 @@ dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.Object
- dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
- 
- [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_types ]
--dbus.Array([dbus.String(u'RSA'), dbus.String(u'EC')], signature=dbus.Signature('s'))
-+dbus.Array([dbus.String('RSA'), dbus.String('EC')], signature=dbus.Signature('s'))
- 
- [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_key_storage ]
--dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
-+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
- 
- [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_supported_cert_storage ]
--dbus.Array([dbus.String(u'NSSDB'), dbus.String(u'FILE')], signature=dbus.Signature('s'))
-+dbus.Array([dbus.String('NSSDB'), dbus.String('FILE')], signature=dbus.Signature('s'))
- 
- [ /org/fedorahosted/certmonger : org.fedorahosted.certmonger.remove_known_ca ]
- OK
-@@ -432,19 +432,19 @@ Buddy
- 
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
--(dbus.String(u'CN=$UUID,CN=Local Signing Authority'), dbus.String(u'$UUID'), dbus.String(u'CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
-+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
- recently
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_storage_info ]
--(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.crt'))
-+(dbus.String('FILE'), dbus.String('$tmpdir/test.crt'))
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_data ]
- 
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_csr_info ]
--(dbus.String(u'CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String(u'host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9L), dbus.Array([dbus.String(u'id-kp-serverAuth')], signature=dbus.Signature('s')))
-+(dbus.String('CN=localhost'), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('id-kp-serverAuth')], signature=dbus.Signature('s')))
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_pin ]
- 
-@@ -453,19 +453,19 @@ recently
- 
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_storage_info ]
--(dbus.String(u'FILE'), dbus.String(u'$tmpdir/test.key'))
-+(dbus.String('FILE'), dbus.String('$tmpdir/test.key'))
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_key_type_and_size ]
--(dbus.String(u'RSA'), dbus.Int64(512L))
-+(dbus.String('RSA'), dbus.Int64(512))
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_monitoring ]
- 1
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_notification_info ]
--(dbus.String(u'stdout'), dbus.String(u'daemon.notice'))
-+(dbus.String('stdout'), dbus.String('daemon.notice'))
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_status ]
--(dbus.String(u'MONITORING'), dbus.Boolean(False))
-+(dbus.String('MONITORING'), dbus.Boolean(False))
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_ca ]
- /org/fedorahosted/certmonger/cas/CA1
-@@ -481,7 +481,7 @@ recently
- 
- [ /org/fedorahosted/certmonger/requests/Request2 : org.fedorahosted.certmonger.request.modify ]
- 1 on /org/fedorahosted/certmonger/requests/Request2
--After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String(u'1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
-+After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.String('1.2.3.4.5.6.7.8.9.10')], signature=dbus.Signature('s'), variant_level=1)
- 
- [ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.rekey ]
- 1
-diff --git a/tests/028-dbus/prequal.sh b/tests/028-dbus/prequal.sh
-index e645c19..4fe79c8 100755
---- a/tests/028-dbus/prequal.sh
-+++ b/tests/028-dbus/prequal.sh
-@@ -9,19 +9,19 @@ if test -z "$DBUSDAEMON" ; then
- 	echo dbus-daemon not found
- 	exit 1
- fi
--if ! python -c 'import os' 2> /dev/null ; then
-+if ! python3 -c 'import os' 2> /dev/null ; then
- 	echo python not found
- 	exit 1
- fi
--if ! python -c 'import dbus' 2> /dev/null ; then
-+if ! python3 -c 'import dbus' 2> /dev/null ; then
- 	echo python-dbus not found
- 	exit 1
- fi
--if ! python -c 'import xml' 2> /dev/null ; then
-+if ! python3 -c 'import xml' 2> /dev/null ; then
- 	echo python-xml not found
- 	exit 1
- fi
--if ! python -c 'import xml.etree.ElementTree' 2> /dev/null ; then
-+if ! python3 -c 'import xml.etree.ElementTree' 2> /dev/null ; then
- 	echo python-xml does not include etree.ElementTree
- 	exit 1
- fi
-diff --git a/tests/028-dbus/run.sh b/tests/028-dbus/run.sh
-index c468d51..ee90875 100755
---- a/tests/028-dbus/run.sh
-+++ b/tests/028-dbus/run.sh
-@@ -23,7 +23,7 @@ EOF
- $DBUSDAEMON --session --print-address=3 --print-pid=4 --fork 3> $tmpdir/address 4> $tmpdir/pid
- if test -s $tmpdir/pid ; then
- 	env DBUS_SESSION_BUS_ADDRESS=`cat $tmpdir/address` \
--	$toolsdir/../../src/certmonger-session -n -c $tmpdir/runsub.sh
-+	$toolsdir/../../src/certmonger-session -n -c $tmpdir/runsub.sh > /dev/null
- fi
- kill `cat $tmpdir/pid`
- 
-@@ -33,8 +33,8 @@ now=`date +%s`
- for i in `seq 240` ; do
- 	recently=$(($now-$i))
- 	tomorrow=$(($now-$i+24*60*60))
--	sed -i -e s/^$recently'$/recently/g' -e s/"("$recently"L)"/'(recently)'/g \
--	       -e s/^$tomorrow'$/tomorrow/g' -e s/"("$tomorrow"L)"/'(tomorrow)'/g $tmpdir/runsub.out
-+	sed -i -e s/^$recently'$/recently/g' -e s/"("$recently")"/'(recently)'/g \
-+	       -e s/^$tomorrow'$/tomorrow/g' -e s/"("$tomorrow")"/'(tomorrow)'/g $tmpdir/runsub.out
- done
- 
- cat $tmpdir/runsub.out | \
-@@ -43,4 +43,5 @@ sed -r -e 's,CN=........-........-........-........,CN=$UUID,g' \
-        -e "s|$libexecdir|\$libexecdir|g" \
-        -e "s|$tmpdir|\$tmpdir|g" \
-        -e "s|expires:.*|expires: sometime|g" \
--       -e "s|u'(00)?[0-9a-fA-F]{32}|u'"'$UUID|g'
-+       -e "s|'(00)?[0-9a-fA-F]{32}|'"'$UUID|g' \
-+       -e "s|cas\/[0-9]{14}|cas\/date|g"
-diff --git a/tests/028-dbus/runsub.sh b/tests/028-dbus/runsub.sh
-index 3510d79..fe6766c 100755
---- a/tests/028-dbus/runsub.sh
-+++ b/tests/028-dbus/runsub.sh
-@@ -22,5 +22,5 @@ echo ""
- echo "[[ API ]]"
- for i in ./*.py ; do
- 	echo "[" `basename "$i"` "]"
--	python $i
-+	python3 $i
- done
-diff --git a/tests/028-dbus/simpleprop.py b/tests/028-dbus/simpleprop.py
-index e4f937e..35d9591 100644
---- a/tests/028-dbus/simpleprop.py
-+++ b/tests/028-dbus/simpleprop.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
- import dbus
- 
- # Get a handle for the main certmonger interface.
-@@ -19,7 +19,7 @@ ca = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
- 
- # Toggle the helper a couple of times.
- ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper')
--print ca_ext_h, "->",
-+print(ca_ext_h, "-> ", end='')
- 
- if ca_ext_h.split()[0] == ca_ext_h:
-     ca_ext_h += ' -k admin@localhost'
-@@ -28,7 +28,7 @@ else:
- ca.Set('org.fedorahosted.certmonger.ca', 'external-helper', ca_ext_h)
- 
- ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper')
--print ca_ext_h, "->",
-+print(ca_ext_h, "-> ", end='')
- 
- if ca_ext_h.split()[0] == ca_ext_h:
-     ca_ext_h += ' -k admin@localhost'
-@@ -37,20 +37,20 @@ else:
- ca.Set('org.fedorahosted.certmonger.ca', 'external-helper', ca_ext_h)
- 
- ca_ext_h = o.Get('org.fedorahosted.certmonger.ca', 'external-helper')
--print ca_ext_h
-+print(ca_ext_h)
- 
- # Toggle the "is-default" value a couple of times.
- isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default')
--print isdef, "->",
-+print(isdef, "-> ", end='')
- 
- ca.Set('org.fedorahosted.certmonger.ca', 'is-default', not isdef)
- 
- isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default')
--print isdef, "->",
-+print(isdef, "-> ", end='')
- 
- ca.Set('org.fedorahosted.certmonger.ca', 'is-default', not isdef)
- 
- isdef = ca.Get('org.fedorahosted.certmonger.ca', 'is-default')
--print isdef
-+print(isdef)
- 
- cm.remove_known_ca(path)
-diff --git a/tests/028-dbus/walk.py b/tests/028-dbus/walk.py
-index f60ca93..683d94e 100644
---- a/tests/028-dbus/walk.py
-+++ b/tests/028-dbus/walk.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
- import dbus
- import xml.etree.ElementTree
- import os
-@@ -9,217 +9,219 @@ bus = dbus.SessionBus()
- 
- # Check that reading a property directly produces the same value as reading it via GetAll().
- def check_props(objpath, interface):
--	o = bus.get_object('org.fedorahosted.certmonger', objpath)
--	i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
--	props = i.GetAll(interface)
--	for prop in props.keys():
--		value = props[prop]
--		if value != i.Get(interface, prop):
--			print("%s: property %s.%s mismatch (%s, %s)" % (objpath, interface, prop, value, i.Get(interface, prop)))
--			return False
--	return True
-+    o = bus.get_object('org.fedorahosted.certmonger', objpath)
-+    i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
-+    props = i.GetAll(interface)
-+    for prop in props.keys():
-+        value = props[prop]
-+        if value != i.Get(interface, prop):
-+            print("%s: property %s.%s mismatch (%s, %s)" % (objpath, interface, prop, value, i.Get(interface, prop)))
-+            return False
-+    return True
- 
- # Try to call the method.
- def examine_method(objpath, interface, method, idata):
--	in_args = 0
--	out_args = 0
--	o = bus.get_object('org.fedorahosted.certmonger', objpath)
--	i = dbus.Interface(o, interface)
--	for child in idata.getchildren():
--		if child.tag == 'arg':
--			if child.get('direction') != 'out':
--				in_args = in_args + 1
--			else:
--				out_args = out_args + 1
--	if in_args == 0:
--		# Takes no inputs, so just call it.
--		m = i.get_dbus_method(method)
--		if out_args == 0:
--			m()
--			print("[ %s: %s.%s ]\n" % (objpath, interface, method))
--		elif out_args == 1:
--			result = m()
--			print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
--		else:
--			result = m()
--			print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
--	elif method == 'Get' or method == 'Set' or method == 'GetAll':
--		# We check on properties elsewhere.
--		return True
--	# Per-method exercise.
--	elif method == 'add_known_ca' or method == 'remove_known_ca':
--		(result, path) = i.add_known_ca('Test CA', '/usr/bin/env', [])
--		if not result:
--			print("[ %s : %s.%s ]: add_known_ca error\n" % (objpath, interface, method))
--			return False
--		result = i.remove_known_ca(path)
--		if not result:
--			print("[ %s : %s.%s ]: remove_known_ca error\n" % (objpath, interface, method))
--			return False
--		print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
--	elif method == 'add_request' or method == 'remove_request':
--		tmpdir = os.getenv('TMPDIR')
--		if not tmpdir or tmpdir == '':
--			tmpdir = '/tmp'
--		properties = {
--			'nickname': 'foo',
--			'cert-storage': 'file',
--			'cert-file': tmpdir + "/028-certfile",
--			'key-storage': 'file',
--			'key-file': tmpdir + "/028-keyfile",
--			'template-email': ['root@localhost', 'toor@localhost'],
--		}
--		(result, path) = i.add_request(properties)
--		if not result:
--			print("[ %s : %s.%s ]: add_request error\n" % (objpath, interface, method))
--			return False
--		result = i.remove_request(path)
--		if not result:
--			print("[ %s : %s.%s ]: remove_request error\n" % (objpath, interface, method))
--			return False
--		print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
--	elif method == 'find_ca_by_nickname':
--		capath = i.find_ca_by_nickname('local')
--		o = bus.get_object('org.fedorahosted.certmonger', capath)
--		i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
--		if i.Get('org.fedorahosted.certmonger.ca', 'nickname') != 'local':
--			print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.ca', 'nickname')))
--			return False
--		print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
--	elif method == 'find_request_by_nickname':
--		reqpath = i.find_request_by_nickname('Buddy')
--		o = bus.get_object('org.fedorahosted.certmonger', reqpath)
--		i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
--		if i.Get('org.fedorahosted.certmonger.request', 'nickname') != 'Buddy':
--			print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.request', 'nickname')))
--			return False
--		print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
--	elif method == 'modify':
--		mods = {}
--		propname = "template-eku"
--		propval = '1.2.3.4.5.6.7.8.9.10'
--		mods[propname] = [propval,]
--		status, path = i.modify(mods)
--		if not status:
--			print("[ %s : %s.%s ] error\n" % (objpath, interface, method))
--			return False
--		print("[ %s : %s.%s ]\n%d on %s" % (objpath, interface, method, status, path))
--		props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
--		prop = props.Get(interface, 'template-eku')
--		print("After setting %s to %s, we got %s\n" % (propname, propval, prop))
--	else:
--		# We're in FIXME territory.
--		print('FIXME: need support for "%s"' % method)
--		return False
--	# If we caused things to start churning, wait for them to settle.
-+    in_args = 0
-+    out_args = 0
-+    o = bus.get_object('org.fedorahosted.certmonger', objpath)
-+    i = dbus.Interface(o, interface)
-+    for child in idata.getchildren():
-+        if child.tag == 'arg':
-+            if child.get('direction') != 'out':
-+                in_args = in_args + 1
-+            else:
-+                out_args = out_args + 1
-+    if in_args == 0:
-+        # Takes no inputs, so just call it.
-+        m = i.get_dbus_method(method)
-+        if out_args == 0:
-+            m()
-+            print("[ %s: %s.%s ]\n" % (objpath, interface, method))
-+        elif out_args == 1:
-+            result = m()
-+            print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
-+        else:
-+            result = m()
-+            print("[ %s: %s.%s ]\n%s\n" % (objpath, interface, method, result))
-+    elif method == 'Get' or method == 'Set' or method == 'GetAll':
-+        # We check on properties elsewhere.
-+        return True
-+    # Per-method exercise.
-+    elif method == 'add_known_ca' or method == 'remove_known_ca':
-+        (result, path) = i.add_known_ca('Test CA', '/usr/bin/env', [])
-+        if not result:
-+            print("[ %s : %s.%s ]: add_known_ca error\n" % (objpath, interface, method))
-+            return False
-+        result = i.remove_known_ca(path)
-+        if not result:
-+            print("[ %s : %s.%s ]: remove_known_ca error\n" % (objpath, interface, method))
-+            return False
-+        print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
-+    elif method == 'add_request' or method == 'remove_request':
-+        tmpdir = os.getenv('TMPDIR')
-+        if not tmpdir or tmpdir == '':
-+            tmpdir = '/tmp'
-+        properties = {
-+            'nickname': 'foo',
-+            'cert-storage': 'file',
-+            'cert-file': tmpdir + "/028-certfile",
-+            'key-storage': 'file',
-+            'key-file': tmpdir + "/028-keyfile",
-+            'template-email': ['root@localhost', 'toor@localhost'],
-+        }
-+        (result, path) = i.add_request(properties)
-+        if not result:
-+            print("[ %s : %s.%s ]: add_request error\n" % (objpath, interface, method))
-+            return False
-+        result = i.remove_request(path)
-+        if not result:
-+            print("[ %s : %s.%s ]: remove_request error\n" % (objpath, interface, method))
-+            return False
-+        print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
-+    elif method == 'find_ca_by_nickname':
-+        capath = i.find_ca_by_nickname('local')
-+        o = bus.get_object('org.fedorahosted.certmonger', capath)
-+        i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
-+        if i.Get('org.fedorahosted.certmonger.ca', 'nickname') != 'local':
-+            print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.ca', 'nickname')))
-+            return False
-+        print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
-+    elif method == 'find_request_by_nickname':
-+        reqpath = i.find_request_by_nickname('Buddy')
-+        if not reqpath:
-+            return False
-+        o = bus.get_object('org.fedorahosted.certmonger', reqpath)
-+        i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
-+        if i.Get('org.fedorahosted.certmonger.request', 'nickname') != 'Buddy':
-+            print("[ %s : %s.%s ] error: %s\n" % (objpath, interface, method, i.Get('org.fedorahosted.certmonger.request', 'nickname')))
-+            return False
-+        print("[ %s : %s.%s ]\nOK\n" % (objpath, interface, method))
-+    elif method == 'modify':
-+        mods = {}
-+        propname = "template-eku"
-+        propval = '1.2.3.4.5.6.7.8.9.10'
-+        mods[propname] = [propval,]
-+        status, path = i.modify(mods)
-+        if not status:
-+            print("[ %s : %s.%s ] error\n" % (objpath, interface, method))
-+            return False
-+        print("[ %s : %s.%s ]\n%d on %s" % (objpath, interface, method, status, path))
-+        props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
-+        prop = props.Get(interface, 'template-eku')
-+        print("After setting %s to %s, we got %s\n" % (propname, propval, prop))
-+    else:
-+        # We're in FIXME territory.
-+        print('FIXME: need support for "%s"' % method)
-+        return False
-+    # If we caused things to start churning, wait for them to settle.
-         if method == 'resubmit':
-             props = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
-             prop = props.Get(interface, 'status')
-             while prop != 'MONITORING':
-                 time.sleep(1)
-                 prop = props.Get(interface, 'status')
--	return True
-+    return True
- 
- def iget(child, proxy, interface, prop):
--	value = proxy.Get(interface, prop)
--	if not value:
--		if child.get('type') == 'b':
--			value = False
--		elif child.get('type') == 'n' or child.get('type') == 'x':
--			value = 0
--		elif child.get('type') == 's':
--			value = ''
--		elif child.get('type') == 'as':
--			value = ['']
--		else:
--			print("%s.%s: %s" % (interface, prop, child.get('type')))
--			return False
--	return value
-+    value = proxy.Get(interface, prop)
-+    if not value:
-+        if child.get('type') == 'b':
-+            value = False
-+        elif child.get('type') == 'n' or child.get('type') == 'x':
-+            value = 0
-+        elif child.get('type') == 's':
-+            value = ''
-+        elif child.get('type') == 'as':
-+            value = ['']
-+        else:
-+            print("%s.%s: %s" % (interface, prop, child.get('type')))
-+            return False
-+    return value
- 
- def examine_interface(objpath, interface, idata):
--	o = bus.get_object('org.fedorahosted.certmonger', objpath)
--	i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
--	for child in idata.getchildren():
--		if child.tag == 'property':
--			prop = child.get('name')
--			if child.get('access') == 'read':
--				# Check that we can read it.
--				value = i.Get(interface, prop)
--			elif child.get('access') == 'readwrite':
--				if prop == 'external-helper' or prop == 'scep-ca-identifier':
--					cai = dbus.Interface(o, 'org.fedorahosted.certmonger.ca')
--					if cai.get_type() != 'EXTERNAL':
--						print("%s: warning: property %s.%s not settable on this object" % (objpath, interface, prop))
--						continue
--				# Check that we can read it, tweak it, and then reset it.
--				value = iget(child, i, interface, prop)
--				i.Set(interface, prop, value)
--				newvalue = None
--				if child.get('type') == 'b':
--					newvalue = not value
--				elif child.get('type') == 'n' or child.get('type') == 'x':
--					newvalue = value + 1
--				elif child.get('type') == 's':
--					newvalue = 'x' + value
--				elif child.get('type') == 'as':
--					newvalue = ['x'] + value
--				else:
--					print("%s.%s: %s" % (interface, prop, child.get('type')))
--					return False
--				if newvalue:
--					if newvalue == value:
--						print("%s: error determining new value: (%s, %s): %s" % (objpath, interface, prop, value))
--						return False
--					i.Set(interface, prop, newvalue)
--					if newvalue != iget(child, i, interface, prop):
--						print("%s: property %s.%s not set: (%s, %s)" % (objpath, interface, prop, value, newvalue))
--						return False
--					i.Set(interface, prop, value)
--					if value != iget(child, i, interface, prop):
--						print("%s: property %s.%s not reset: (%s, %s)" % (objpath, interface, prop, newvalue, value))
--						return False
--		elif child.tag == 'method':
--			method = child.get('name')
--			if not examine_method(objpath, interface, method, child):
--				return False
--		elif child.tag == 'signal':
--			continue
--		else:
--			print "FIXME: handle child tag %s" % child.tag
--			return False
--	return True
-+    o = bus.get_object('org.fedorahosted.certmonger', objpath)
-+    i = dbus.Interface(o, 'org.freedesktop.DBus.Properties')
-+    for child in idata.getchildren():
-+        if child.tag == 'property':
-+            prop = child.get('name')
-+            if child.get('access') == 'read':
-+                # Check that we can read it.
-+                value = i.Get(interface, prop)
-+            elif child.get('access') == 'readwrite':
-+                if prop == 'external-helper' or prop == 'scep-ca-identifier':
-+                    cai = dbus.Interface(o, 'org.fedorahosted.certmonger.ca')
-+                    if cai.get_type() != 'EXTERNAL':
-+                        print("%s: warning: property %s.%s not settable on this object" % (objpath, interface, prop))
-+                        continue
-+                # Check that we can read it, tweak it, and then reset it.
-+                value = iget(child, i, interface, prop)
-+                i.Set(interface, prop, value)
-+                newvalue = None
-+                if child.get('type') == 'b':
-+                    newvalue = not value
-+                elif child.get('type') == 'n' or child.get('type') == 'x':
-+                    newvalue = value + 1
-+                elif child.get('type') == 's':
-+                    newvalue = 'x' + value
-+                elif child.get('type') == 'as':
-+                    newvalue = ['x'] + value
-+                else:
-+                    print("%s.%s: %s" % (interface, prop, child.get('type')))
-+                    return False
-+                if newvalue:
-+                    if newvalue == value:
-+                        print("%s: error determining new value: (%s, %s): %s" % (objpath, interface, prop, value))
-+                        return False
-+                    i.Set(interface, prop, newvalue)
-+                    if newvalue != iget(child, i, interface, prop):
-+                        print("%s: property %s.%s not set: (%s, %s)" % (objpath, interface, prop, value, newvalue))
-+                        return False
-+                    i.Set(interface, prop, value)
-+                    if value != iget(child, i, interface, prop):
-+                        print("%s: property %s.%s not reset: (%s, %s)" % (objpath, interface, prop, newvalue, value))
-+                        return False
-+        elif child.tag == 'method':
-+            method = child.get('name')
-+            if not examine_method(objpath, interface, method, child):
-+                return False
-+        elif child.tag == 'signal':
-+            continue
-+        else:
-+            print("FIXME: handle child tag %s" % child.tag)
-+            return False
-+    return True
- 
- def examine_object(objpath):
--	o = bus.get_object('org.fedorahosted.certmonger', objpath)
--	i = dbus.Interface(o, 'org.freedesktop.DBus.Introspectable')
--	idata = i.Introspect()
--	x = xml.etree.ElementTree.XML(idata)
-+    o = bus.get_object('org.fedorahosted.certmonger', objpath)
-+    i = dbus.Interface(o, 'org.freedesktop.DBus.Introspectable')
-+    idata = i.Introspect()
-+    x = xml.etree.ElementTree.XML(idata)
- 
--	# Check if the object supports properties interfaces.
--	props = False
--	for child in x.getchildren():
--		if child.tag == 'interface':
--			if child.get('name') == 'org.freedesktop.DBus.Properties':
--				props = True
-+    # Check if the object supports properties interfaces.
-+    props = False
-+    for child in x.getchildren():
-+        if child.tag == 'interface':
-+            if child.get('name') == 'org.freedesktop.DBus.Properties':
-+                props = True
- 
--	# Look at the interfaces and child nodes.
--	for child in x.getchildren():
--		if child.tag == 'interface':
--			if props and not check_props(objpath, child.get('name')):
--				return False
--			if not examine_interface(objpath, child.get('name'), child):
--				return False
--		elif child.tag == 'node':
--			if objpath == '/':
--				childpath = '/' + child.get('name')
--			else:
--				childpath = objpath + '/' + child.get('name')
--			examine_object(childpath)
--		else:
--			print "FIXME: handle child tag %s" % child.tag
--			return False
--	return True
-+    # Look at the interfaces and child nodes.
-+    for child in x.getchildren():
-+        if child.tag == 'interface':
-+            if props and not check_props(objpath, child.get('name')):
-+                return False
-+            if not examine_interface(objpath, child.get('name'), child):
-+                return False
-+        elif child.tag == 'node':
-+            if objpath == '/':
-+                childpath = '/' + child.get('name')
-+            else:
-+                childpath = objpath + '/' + child.get('name')
-+            examine_object(childpath)
-+        else:
-+            print("FIXME: handle child tag %s" % child.tag)
-+            return False
-+    return True
- 
- if not examine_object('/'):
--	sys.exit(1)
-+    sys.exit(1)
- sys.exit(0)
-diff --git a/tests/038-ms-v2-template/extract-extdata.py b/tests/038-ms-v2-template/extract-extdata.py
-index 1a845fd..9f9d910 100755
---- a/tests/038-ms-v2-template/extract-extdata.py
-+++ b/tests/038-ms-v2-template/extract-extdata.py
-@@ -1,10 +1,11 @@
--#!/usr/bin/python2
-+#!/usr/bin/python3
- 
- # Given `openssl asn1parse` output of a CSR, look for the V2 Template
- # extension and output its data if found.  Nonzero exit status if
- # not found.
- 
- import binascii
-+import os
- import re
- import sys
- 
-@@ -21,7 +22,7 @@ for line in sys.stdin:
-     #
-     if state == STATE_FOUND and 'OCTET STRING' in line:
-         result = re.search(r'\[HEX DUMP\]:(\w*)', line)
--        sys.stdout.write(binascii.unhexlify(result.group(1)))
-+        os.write(1, binascii.unhexlify(result.group(1)))
-         state = STATE_DONE
-         break
- 
--- 
-2.17.0
-
diff --git a/SOURCES/0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch b/SOURCES/0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
new file mode 100644
index 0000000..528271a
--- /dev/null
+++ b/SOURCES/0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
@@ -0,0 +1,195 @@
+From 73b1729b9ca740174ef2fa14332f890c5cd17a26 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 10 Nov 2020 18:48:05 -0500
+Subject: [PATCH] Revert "Remove the certmaster CA from the 028-dbus test"
+
+This reverts commit dd8dcb899e0a159d1141b713993805565ffb6d28.
+---
+ tests/028-dbus/expected.out | 130 ++++++++++++++++++++++++++++++++++--
+ 1 file changed, 124 insertions(+), 6 deletions(-)
+
+diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
+index ca7de34f..4d6a9a59 100644
+--- a/tests/028-dbus/expected.out
++++ b/tests/028-dbus/expected.out
+@@ -34,6 +34,10 @@ CA 'IPA':
+ 	is-default: no
+ 	ca-type: EXTERNAL
+ 	helper-location: $libexecdir/ipa-submit
++CA 'certmaster':
++	is-default: no
++	ca-type: EXTERNAL
++	helper-location: $libexecdir/certmaster-submit
+ CA 'dogtag-ipa-renew-agent':
+ 	is-default: no
+ 	ca-type: EXTERNAL
+@@ -41,8 +45,8 @@ CA 'dogtag-ipa-renew-agent':
+ 
+ [[ API ]]
+ [ simpleprop.py ]
+-/org/fedorahosted/certmonger/cas/CA5
+-/org/fedorahosted/certmonger/cas/CA5
++/org/fedorahosted/certmonger/cas/CA6
++/org/fedorahosted/certmonger/cas/CA6
+ : -> : -k admin@localhost -> :
+ 0 -> 1 -> 0
+ [ walk.py ]
+@@ -178,7 +182,7 @@ OK
+ OK
+ 
+ [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ]
+-dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o'))
++dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o'))
+ 
+ [ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ]
+ dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
+@@ -504,6 +508,7 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
+  <node name="CA2"/>
+  <node name="CA3"/>
+  <node name="CA4"/>
++ <node name="CA5"/>
+ </node>
+ 
+ [ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ]
+@@ -937,10 +942,10 @@ dbus.Array([], signature=dbus.Signature('s'))
+ </node>
+ 
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
+-$tmpdir/cas/20180327134236-3
++$tmpdir/cas/20180327134236-2
+ 
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
+-dogtag-ipa-renew-agent
++certmaster
+ 
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ]
+ 0
+@@ -952,7 +957,7 @@ EXTERNAL
+ None
+ 
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ]
+-$libexecdir/dogtag-ipa-renew-agent-submit
++$libexecdir/certmaster-submit
+ 
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ]
+ dbus.Array([], signature=dbus.Signature('s'))
+@@ -960,3 +965,116 @@ dbus.Array([], signature=dbus.Signature('s'))
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ]
+ 1
+ 
++[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ]
++<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
++"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
++
++<node name="/org/fedorahosted/certmonger/cas/CA5">
++ <interface name="org.freedesktop.DBus.Introspectable">
++  <method name="Introspect">
++   <arg name="xml_data" type="s" direction="out"/>
++  </method>
++ </interface>
++ <interface name="org.freedesktop.DBus.Properties">
++  <method name="Get">
++   <arg name="interface_name" type="s" direction="in"/>
++   <arg name="property_name" type="s" direction="in"/>
++   <arg name="value" type="v" direction="out"/>
++  </method>
++  <method name="Set">
++   <arg name="interface_name" type="s" direction="in"/>
++   <arg name="property_name" type="s" direction="in"/>
++   <arg name="value" type="v" direction="in"/>
++  </method>
++  <method name="GetAll">
++   <arg name="interface_name" type="s" direction="in"/>
++   <arg name="props" type="a{sv}" direction="out"/>
++  </method>
++  <signal name="PropertiesChanged">
++   <arg name="interface_name" type="s"/>
++   <arg name="changed_properties" type="a{sv}"/>
++   <arg name="invalidated_properties" type="as"/>
++  </signal>
++ </interface>
++ <interface name="org.fedorahosted.certmonger.ca">
++  <method name="get_config_file_path">
++   <arg name="path" type="s" direction="out"/>
++  </method>
++  <method name="get_nickname">
++   <arg name="nickname" type="s" direction="out"/>
++  </method>
++  <property name="nickname" type="s" access="read"/>
++  <property name="aka" type="s" access="read"/>
++  <method name="get_is_default">
++   <arg name="default" type="b" direction="out"/>
++  </method>
++  <property name="is-default" type="b" access="readwrite"/>
++  <method name="get_type">
++   <arg name="type" type="s" direction="out"/>
++  </method>
++  <method name="get_serial">
++   <arg name="serial_hex" type="s" direction="out"/>
++  </method>
++  <method name="get_location">
++   <arg name="path" type="s" direction="out"/>
++  </method>
++  <property name="external-helper" type="s" access="readwrite"/>
++  <method name="get_issuer_names">
++   <arg name="names" type="as" direction="out"/>
++  </method>
++  <method name="refresh">
++   <arg name="working" type="b" direction="out"/>
++  </method>
++  <property name="ca-error" type="s" access="read"/>
++  <property name="issuer-names" type="as" access="read"/>
++  <property name="root-certs" type="a(ss)" access="read"/>
++  <property name="root-other-certs" type="a(ss)" access="read"/>
++  <property name="other-certs" type="a(ss)" access="read"/>
++  <property name="required-enroll-attributes" type="as" access="read"/>
++  <property name="required-renew-attributes" type="as" access="read"/>
++  <property name="supported-profiles" type="as" access="read"/>
++  <property name="default-profile" type="s" access="read"/>
++  <property name="root-cert-files" type="as" access="readwrite"/>
++  <property name="root-other-cert-files" type="as" access="readwrite"/>
++  <property name="other-cert-files" type="as" access="readwrite"/>
++  <property name="root-cert-nssdbs" type="as" access="readwrite"/>
++  <property name="root-other-cert-nssdbs" type="as" access="readwrite"/>
++  <property name="other-cert-nssdbs" type="as" access="readwrite"/>
++  <property name="ca-presave-command" type="s" access="read"/>
++  <property name="ca-presave-uid" type="s" access="read"/>
++  <property name="ca-postsave-command" type="s" access="read"/>
++  <property name="ca-postsave-uid" type="s" access="read"/>
++  <property name="scep-cipher" type="s" access="readwrite"/>
++  <property name="scep-digest" type="s" access="readwrite"/>
++  <property name="scep-ca-identifier" type="s" access="readwrite"/>
++  <property name="scep-ca-capabilities" type="as" access="read"/>
++  <property name="scep-ra-cert" type="s" access="read"/>
++  <property name="scep-ca-cert" type="s" access="read"/>
++  <property name="scep-other-certs" type="s" access="read"/>
++ </interface>
++</node>
++
++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
++$tmpdir/cas/20180327134236-3
++
++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
++dogtag-ipa-renew-agent
++
++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ]
++0
++
++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ]
++EXTERNAL
++
++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ]
++None
++
++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ]
++$libexecdir/dogtag-ipa-renew-agent-submit
++
++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ]
++dbus.Array([], signature=dbus.Signature('s'))
++
++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ]
++1
++
+-- 
+2.25.4
+
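Review bot: The description of the added patch says only that it reverts dd8dcb899e0a159d1141b713993805565ffb6d28 and gives no reason, so a later rebase cannot tell whether the revert is still wanted. The restored expected.out puts the `certmaster` CA at `cas/CA4`, moves `dogtag-ipa-renew-agent` to `cas/CA5`, and shifts the simpleprop.py paths to `cas/CA6`. The 028-dbus test will therefore presumably pass only when the daemon under test registers a certmaster CA with `$libexecdir/certmaster-submit`. I would add one sentence to the patch description naming the build configuration that brings that helper back, and noting that the object-path numbering in this file follows the set of built-in CAs.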
diff --git a/SOURCES/0018-clang-more-Dead-assignment.patch b/SOURCES/0018-clang-more-Dead-assignment.patch
deleted file mode 100644
index 951841b..0000000
--- a/SOURCES/0018-clang-more-Dead-assignment.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 3dee8044adf134462fadb2b135cc965227f1fab9 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 8 Oct 2018 12:48:41 -0400
-Subject: [PATCH 18/25] clang: more Dead assignment
-
----
- src/submit-x.c | 5 ++---
- src/tdbus.c    | 1 -
- 2 files changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/src/submit-x.c b/src/submit-x.c
-index fa81e9aa..abebc610 100644
---- a/src/submit-x.c
-+++ b/src/submit-x.c
-@@ -914,9 +914,8 @@ main(int argc, const char **argv)
- 
- 	/* Maybe we need a ccache. */
- 	if (k5 || (kpname != NULL) || (ktname != NULL)) {
--		if (!make_ccache ||
--		    (cm_submit_x_make_ccache(ktname, kpname, NULL) == 0)) {
--			k5 = TRUE;
-+		if (make_ccache) {
-+		    cm_submit_x_make_ccache(ktname, kpname, NULL);
- 		}
- 	}
- 
-diff --git a/src/tdbus.c b/src/tdbus.c
-index cb0a8ad7..a81b5349 100644
---- a/src/tdbus.c
-+++ b/src/tdbus.c
-@@ -757,7 +757,6 @@ cm_tdbus_setup_public(struct tevent_context *ec, enum cm_tdbus_type bus_type,
- 	/* Connect to the right bus. */
- 	bus_desc = NULL;
- 	conn = NULL;
--	exit_on_disconnect = TRUE;
- 	if (error != NULL) {
- 		dbus_error_init(error);
- 	}
--- 
-2.21.0
-
diff --git a/SOURCES/0019-clang-more-Memory-leaks.patch b/SOURCES/0019-clang-more-Memory-leaks.patch
deleted file mode 100644
index 2434547..0000000
--- a/SOURCES/0019-clang-more-Memory-leaks.patch
+++ /dev/null
@@ -1,321 +0,0 @@
-From 0dc90f1783981ac11c3c067c40df88d6315911a6 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 8 Oct 2018 12:53:57 -0400
-Subject: [PATCH 19/25] clang: more Memory leaks
-
-Fix leaks in tests/tools/addcinfo.c, dogtag.c and submit-x.c
----
- src/dogtag.c           | 17 +++++++++++++----
- src/getcert.c          |  3 ++-
- src/store-files.c      |  1 +
- src/submit-d.c         |  6 ++++++
- src/submit-x.c         | 39 ++++++++++-----------------------------
- tests/tools/addcinfo.c |  8 +++++---
- 6 files changed, 37 insertions(+), 37 deletions(-)
-
-diff --git a/src/dogtag.c b/src/dogtag.c
-index 55607f3d..8e3890a5 100644
---- a/src/dogtag.c
-+++ b/src/dogtag.c
-@@ -117,7 +117,7 @@ main(int argc, const char **argv)
- 	const char *ssldir = NULL, *cainfo = NULL, *capath = NULL;
- 	const char *sslcert = NULL, *sslkey = NULL;
- 	const char *sslpin = NULL, *sslpinfile = NULL;
--	const char *csr = NULL, *serial = NULL, *template = NULL;
-+	const char *csr = NULL, *csre = NULL, *serial = NULL, *template = NULL;
- 	const char *uid = NULL, *pwd = NULL, *pwdfile = NULL;
- 	const char *udn = NULL, *pin = NULL, *pinfile = NULL;
- 	char *poptarg;
-@@ -127,7 +127,7 @@ main(int argc, const char **argv)
- 	} *aoptions = NULL, *soptions = NULL;
- 	size_t num_aoptions = 0, num_soptions = 0, j;
- 	char *savedstate = NULL;
--	char *p, *q, *params = NULL, *params2 = NULL;
-+	char *p = NULL, *q = NULL, *params = NULL, *params2 = NULL;
- 	const char *lasturl = NULL, *lastparams = NULL;
- 	const char *tmp = NULL, *results = NULL;
- 	struct cm_submit_h_context *hctx;
-@@ -537,16 +537,19 @@ main(int argc, const char **argv)
- 				}
- 				poptPrintUsage(pctx, stdout, 0);
- 				free(csr);
-+				free(p);
- 				return CM_SUBMIT_STATUS_UNCONFIGURED;
- 			}
--			csr = cm_submit_u_url_encode(csr);
-+			csre = cm_submit_u_url_encode(csr);
- 			params = talloc_asprintf(ctx,
- 						 "profileId=%s&"
- 						 "cert_request_type=pkcs10&"
- 						 "cert_request=%s&"
- 						 "xml=true",
- 						 template,
--						 csr);
-+						 csre);
-+			free(csr);
-+			free(csre);
- 		}
- 		/* Check for creds specified as options. */
- 		for (j = 0; j < num_soptions; j++) {
-@@ -608,12 +611,16 @@ main(int argc, const char **argv)
- 			printf(_("No agent URL (-A) given, and no default "
- 				 "known.\n"));
- 			poptPrintUsage(pctx, stdout, 0);
-+			free(p);
-+			free(q);
- 			return CM_SUBMIT_STATUS_UNCONFIGURED;
- 		}
- 		if ((sslcert == NULL) || (strlen(sslcert) == 0)) {
- 			printf(_("No agent credentials (-n) given, but they "
- 				 "are needed.\n"));
- 			poptPrintUsage(pctx, stdout, 0);
-+			free(p);
-+			free(q);
- 			return CM_SUBMIT_STATUS_UNCONFIGURED;
- 		}
- 		/* Reading profile defaults for this certificate, then applying
-@@ -778,12 +785,14 @@ main(int argc, const char **argv)
- 			       lasturl);
- 		}
- 		talloc_free(ctx);
-+		free(p);
- 		return CM_SUBMIT_STATUS_UNREACHABLE;
- 	}
- 	if (results == NULL) {
- 		printf(_("Internal error: no response to \"%s?%s\".\n"),
- 		       lasturl, lastparams);
- 		talloc_free(ctx);
-+		free(p);
- 		return CM_SUBMIT_STATUS_REJECTED;
- 	}
- 	switch (op) {
-diff --git a/src/getcert.c b/src/getcert.c
-index ddb28de2..0d527ab0 100644
---- a/src/getcert.c
-+++ b/src/getcert.c
-@@ -4042,11 +4042,12 @@ thumbprint(const char *s, SECOidTag tag, int bits)
- 	}
- 	u = malloc(length);
- 	if (u == NULL) {
-+		free(t);
- 		goto done;
- 	}
- 	length = cm_store_base64_to_bin(t, -1, u, length);
-+	free(t);
- 	if (PK11_HashBuf(tag, digest, u, length) == SECSuccess) {
--		free(t);
- 		t = malloc(bits / 4 + howmany(bits, 32));
- 		if (t != NULL) {
- 			ret = t;
-diff --git a/src/store-files.c b/src/store-files.c
-index b97ba5ff..4e57ae16 100644
---- a/src/store-files.c
-+++ b/src/store-files.c
-@@ -573,6 +573,7 @@ cm_store_file_read_lines(void *parent, FILE *fp)
- 			lines = tlines;
- 		}
- 	}
-+	free(buf);
- 	return lines;
- }
- 
-diff --git a/src/submit-d.c b/src/submit-d.c
-index 5a4edb3f..36cc9828 100644
---- a/src/submit-d.c
-+++ b/src/submit-d.c
-@@ -1204,6 +1204,9 @@ restart:
- 		} else {
- 			printf("Error %d.\n", c);
- 		}
-+		if (defaults != nodefault) {
-+			free(defaults);
-+		}
- 		return 1;
- 	}
- 	result = cm_submit_h_results(hctx, NULL) ?: "";
-@@ -1365,6 +1368,9 @@ restart:
- 		/* never reached */
- 		break;
- 	}
-+	if (defaults != nodefault) {
-+		free(defaults);
-+	}
- 	return 0;
- }
- #endif
-diff --git a/src/submit-x.c b/src/submit-x.c
-index abebc610..58d007ef 100644
---- a/src/submit-x.c
-+++ b/src/submit-x.c
-@@ -45,14 +45,17 @@ get_error_message(krb5_context ctx, krb5_error_code kcode)
- {
- 	const char *ret;
- #ifdef HAVE_KRB5_GET_ERROR_MESSAGE
--	ret = ctx ? krb5_get_error_message(ctx, kcode) : NULL;
--	if (ret == NULL) {
--		ret = error_message(kcode);
-+	if (ctx) {
-+		const char *msg = krb5_get_error_message(ctx, kcode);
-+		ret = strdup(msg);
-+		krb5_free_error_message(ctx, msg);
-+	} else {
-+		ret = strdup(error_message(kcode));
- 	}
- #else
--	ret = error_message(kcode);
-+	ret = strdup(error_message(kcode));
- #endif
--	return strdup(ret);
-+	return ret;
- }
- 
- char *
-@@ -75,8 +78,6 @@ cm_submit_x_ccache_realm(char **msg)
- 			ret = get_error_message(ctx, kret));
- 		if (msg != NULL) {
- 			*msg = ret;
--		} else {
--			free(ret);
- 		}
- 		return NULL;
- 	}
-@@ -86,8 +87,6 @@ cm_submit_x_ccache_realm(char **msg)
- 			ret = get_error_message(ctx, kret));
- 		if (msg != NULL) {
- 			*msg = ret;
--		} else {
--			free(ret);
- 		}
- 		return NULL;
- 	}
-@@ -97,8 +96,6 @@ cm_submit_x_ccache_realm(char **msg)
- 			ret = get_error_message(ctx, kret));
- 		if (msg != NULL) {
- 			*msg = ret;
--		} else {
--			free(ret);
- 		}
- 		return NULL;
- 	}
-@@ -106,7 +103,7 @@ cm_submit_x_ccache_realm(char **msg)
- 	if (data == NULL) {
- 		fprintf(stderr, "Error retrieving principal realm.\n");
- 		if (msg != NULL) {
--			*msg = "Error retrieving principal realm.\n";
-+			*msg = strdup("Error retrieving principal realm.\n");
- 		}
- 		return NULL;
- 	}
-@@ -114,7 +111,7 @@ cm_submit_x_ccache_realm(char **msg)
- 	if (ret == NULL) {
- 		fprintf(stderr, "Out of memory for principal realm.\n");
- 		if (msg != NULL) {
--			*msg = "Out of memory for principal realm.\n";
-+			*msg = strdup("Out of memory for principal realm.\n");
- 		}
- 		return NULL;
- 	}
-@@ -145,8 +142,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
- 		fprintf(stderr, "Error initializing Kerberos: %s.\n", ret);
- 		if (msg != NULL) {
- 			*msg = ret;
--		} else {
--			free(ret);
- 		}
- 		return kret;
- 	}
-@@ -160,8 +155,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
- 			ret = get_error_message(ctx, kret));
- 		if (msg != NULL) {
- 			*msg = ret;
--		} else {
--			free(ret);
- 		}
- 		return kret;
- 	}
-@@ -173,8 +166,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
- 				principal, ret = get_error_message(ctx, kret));
- 			if (msg != NULL) {
- 				*msg = ret;
--			} else {
--				free(ret);
- 			}
- 			return kret;
- 		}
-@@ -186,8 +177,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
- 				ret = get_error_message(ctx, kret));
- 			if (msg != NULL) {
- 				*msg = ret;
--			} else {
--				free(ret);
- 			}
- 			return kret;
- 		}
-@@ -209,8 +198,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
- 			ret = get_error_message(ctx, kret));
- 		if (msg != NULL) {
- 			*msg = ret;
--		} else {
--			free(ret);
- 		}
- 		return kret;
- 	}
-@@ -229,8 +216,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
- 			ret = get_error_message(ctx, kret));
- 		if (msg != NULL) {
- 			*msg = ret;
--		} else {
--			free(ret);
- 		}
- 		return kret;
- 	}
-@@ -245,8 +230,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
- 			ret = get_error_message(ctx, kret));
- 		if (msg != NULL) {
- 			*msg = ret;
--		} else {
--			free(ret);
- 		}
- 		return kret;
- 	}
-@@ -257,8 +240,6 @@ cm_submit_x_make_ccache(const char *ktname, const char *principal, char **msg)
- 			ret = get_error_message(ctx, kret));
- 		if (msg != NULL) {
- 			*msg = ret;
--		} else {
--			free(ret);
- 		}
- 		return kret;
- 	}
-diff --git a/tests/tools/addcinfo.c b/tests/tools/addcinfo.c
-index 939005c2..e34612a5 100644
---- a/tests/tools/addcinfo.c
-+++ b/tests/tools/addcinfo.c
-@@ -63,7 +63,7 @@ content_info_template[] = {
- int
- main(int argc, char **argv)
- {
--	unsigned char *buffer = NULL, buf[BUFSIZ];
-+	unsigned char *buffer = NULL, *newbuffer = NULL, buf[BUFSIZ];
- 	int i, n = 0;
- 	unsigned int j;
- 	SECItem encoded;
-@@ -73,11 +73,13 @@ main(int argc, char **argv)
- 	cm_log_set_method(cm_log_stderr);
- 	cm_log_set_level(3);
- 	while ((i = read(STDIN_FILENO, buf, sizeof(buf))) > 0) {
--		buffer = realloc(buffer, n + i);
--		if (buffer == NULL) {
-+		newbuffer = realloc(buffer, n + i);
-+		if (newbuffer == NULL) {
-+			free(buffer);
- 			cm_log(0, "Out of memory.\n");
- 			return 1;
- 		}
-+		buffer = newbuffer;
- 		memcpy(buffer + n, buf, i);
- 		n += i;
- 	}
--- 
-2.21.0
-
diff --git a/SOURCES/0020-clang-Avoid-buffer-overflow.patch b/SOURCES/0020-clang-Avoid-buffer-overflow.patch
deleted file mode 100644
index 8c4607c..0000000
--- a/SOURCES/0020-clang-Avoid-buffer-overflow.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 6b14979cdb7a177e7c5567faa67449dd1365c1b9 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 8 Oct 2018 13:16:08 -0400
-Subject: [PATCH 20/25] clang: Avoid buffer overflow
-
-This shouldn't be possible because the caller would never allow
-it all to be passed in but quiet static analyzers.
----
- src/getcert.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/getcert.c b/src/getcert.c
-index 0d527ab0..bbc45479 100644
---- a/src/getcert.c
-+++ b/src/getcert.c
-@@ -1839,8 +1839,8 @@ set_tracking(const char *argv0, const char *category,
- 	enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;
- 	DBusMessage *req, *rep;
- 	const char *request, *capath;
--	struct cm_tdbusm_dict param[28];
--	const struct cm_tdbusm_dict *params[29];
-+	struct cm_tdbusm_dict param[30];
-+	const struct cm_tdbusm_dict *params[30];
- 	char *nss_scheme, *dbdir = NULL, *token = NULL, *nickname = NULL;
- 	char **anchor_dbs = NULL, **anchor_files = NULL;
- 	char *id = NULL, *new_id = NULL, *new_request;
--- 
-2.21.0
-
diff --git a/SOURCES/0021-clang-Garbage-value-possible.patch b/SOURCES/0021-clang-Garbage-value-possible.patch
deleted file mode 100644
index 622072e..0000000
--- a/SOURCES/0021-clang-Garbage-value-possible.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 3727376f8654f9e1dd88b1f9721124f9fc96ad0a Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 8 Oct 2018 14:44:05 -0400
-Subject: [PATCH 21/25] clang: Garbage value possible
-
-Need to add guard so that error was only considered if the
-certificate was decodable and an import was attempted.
----
- src/certsave-n.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/certsave-n.c b/src/certsave-n.c
-index 972a1dfa..30e242c1 100644
---- a/src/certsave-n.c
-+++ b/src/certsave-n.c
-@@ -498,6 +498,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 					}
- 				}
- 				/* Import the certificate. */
-+				error = SECFailure;
- 				newcert = CERT_DecodeCertFromPackage((char *)item->data, item->len);
- 				if (newcert != NULL) {
- 					error = PK11_ImportCert(sle->slot,
-@@ -506,7 +507,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 						entry->cm_cert_nickname,
- 						PR_FALSE);
- 				}
--				if (error == SECSuccess) {
-+				if ((newcert != NULL) && (error == SECSuccess)) {
- 					cm_log(1, "Imported certificate with "
- 					       "nickname \"%s\".\n",
- 					       entry->cm_cert_nickname);
-@@ -581,6 +582,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 						CERT_DestroyCertList(certlist);
- 					}
- 				} else {
-+					ec = PORT_GetError();
- 					if (ec != 0) {
- 						es = PR_ErrorToName(ec);
- 					} else {
--- 
-2.21.0
-
diff --git a/SOURCES/0022-Uninitialized-variable.patch b/SOURCES/0022-Uninitialized-variable.patch
deleted file mode 100644
index f6ba508..0000000
--- a/SOURCES/0022-Uninitialized-variable.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From a5c7484a00b378290069ab57c1f2e52719cc91c0 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 8 Oct 2018 14:48:43 -0400
-Subject: [PATCH 22/25] Uninitialized variable
-
----
- src/csrgen-o.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/csrgen-o.c b/src/csrgen-o.c
-index 402284ff..41b4f014 100644
---- a/src/csrgen-o.c
-+++ b/src/csrgen-o.c
-@@ -181,7 +181,7 @@ cm_csrgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 	BIGNUM *serialbn;
- 	char buf[LINE_MAX], *s, *nickname, *pin, *password, *filename;
- 	unsigned char *extensions, *upassword, *bmp, *name, *up, *uq, md[CM_DIGEST_MAX];
--	char *spkidec, *mcb64, *nows;
-+	char *spkidec = NULL, *mcb64, *nows;
- 	const char *default_cn = CM_DEFAULT_CERT_SUBJECT_CN, *spkihex = NULL;
- 	const unsigned char *nametmp;
- 	struct tm *now;
--- 
-2.21.0
-
diff --git a/SOURCES/0023-merge-into-clang-more-Memory-leaks.patch b/SOURCES/0023-merge-into-clang-more-Memory-leaks.patch
deleted file mode 100644
index ff1606d..0000000
--- a/SOURCES/0023-merge-into-clang-more-Memory-leaks.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 432f843ffbc0bc0b14c0501b26a10e450c5b5fcc Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 8 Oct 2018 15:43:02 -0400
-Subject: [PATCH 23/25] merge into clang: more Memory leaks
-
----
- src/getcert.c  | 2 +-
- src/submit-x.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/getcert.c b/src/getcert.c
-index bbc45479..4713dd15 100644
---- a/src/getcert.c
-+++ b/src/getcert.c
-@@ -4040,7 +4040,7 @@ thumbprint(const char *s, SECOidTag tag, int bits)
- 	if (length == 0) {
- 		goto done;
- 	}
--	u = malloc(length);
-+	u = malloc(length+1);
- 	if (u == NULL) {
- 		free(t);
- 		goto done;
-diff --git a/src/submit-x.c b/src/submit-x.c
-index 58d007ef..467e67e4 100644
---- a/src/submit-x.c
-+++ b/src/submit-x.c
-@@ -43,7 +43,7 @@
- static char *
- get_error_message(krb5_context ctx, krb5_error_code kcode)
- {
--	const char *ret;
-+	char *ret;
- #ifdef HAVE_KRB5_GET_ERROR_MESSAGE
- 	if (ctx) {
- 		const char *msg = krb5_get_error_message(ctx, kcode);
--- 
-2.21.0
-
diff --git a/SOURCES/0024-Add-missing-return-type-declaration.patch b/SOURCES/0024-Add-missing-return-type-declaration.patch
deleted file mode 100644
index e434c8b..0000000
--- a/SOURCES/0024-Add-missing-return-type-declaration.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From d610317f69687d0c6892209d3cb6e3c407af4d86 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 8 Oct 2018 15:44:07 -0400
-Subject: [PATCH 24/25] Add missing return type declaration
-
----
- src/tdbush.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/tdbush.c b/src/tdbush.c
-index d1bbe4da..a10a1aff 100644
---- a/src/tdbush.c
-+++ b/src/tdbush.c
-@@ -2129,6 +2129,7 @@ ca_get_serial(DBusConnection *conn, DBusMessage *msg,
- }
- 
- /* org.fedorahosted.certonger.ca.get_config_file_path */
-+static DBusHandlerResult
- ca_get_config_file_path(DBusConnection *conn, DBusMessage *msg,
- 		struct cm_client_info *ci, struct cm_context *ctx)
- {
--- 
-2.21.0
-
diff --git a/SOURCES/0025-Discards-const-qualifier.patch b/SOURCES/0025-Discards-const-qualifier.patch
deleted file mode 100644
index dafefa2..0000000
--- a/SOURCES/0025-Discards-const-qualifier.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From c16545915ab280e40eefc6bfb4e86d081f20c758 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 8 Oct 2018 15:46:50 -0400
-Subject: [PATCH 25/25] Discards const qualifier
-
----
- src/dogtag.c | 3 ++-
- src/scep.c   | 3 ++-
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/dogtag.c b/src/dogtag.c
-index 8e3890a5..962a8bf4 100644
---- a/src/dogtag.c
-+++ b/src/dogtag.c
-@@ -117,9 +117,10 @@ main(int argc, const char **argv)
- 	const char *ssldir = NULL, *cainfo = NULL, *capath = NULL;
- 	const char *sslcert = NULL, *sslkey = NULL;
- 	const char *sslpin = NULL, *sslpinfile = NULL;
--	const char *csr = NULL, *csre = NULL, *serial = NULL, *template = NULL;
-+	const char *serial = NULL, *template = NULL;
- 	const char *uid = NULL, *pwd = NULL, *pwdfile = NULL;
- 	const char *udn = NULL, *pin = NULL, *pinfile = NULL;
-+	char *csr = NULL, *csre = NULL;
- 	char *poptarg;
- 	struct {
- 		char *name;
-diff --git a/src/scep.c b/src/scep.c
-index b0bd214b..b37711cf 100644
---- a/src/scep.c
-+++ b/src/scep.c
-@@ -204,7 +204,8 @@ main(int argc, const char **argv)
- 	int prefer_non_renewal = 0, can_renewal = 0;
- 	int response_code = 0, response_code2 = 0;
- 	enum known_ops op = op_unset;
--	const char *id = NULL, *cainfo = NULL;
-+	const char *id = NULL;
-+	char *cainfo = NULL;
- 	char *poptarg;
- 	char *message = NULL, *rekey_message = NULL;
- 	const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
--- 
-2.21.0
-
diff --git a/SOURCES/0026-Optimize-closing-open-file-descriptors.patch b/SOURCES/0026-Optimize-closing-open-file-descriptors.patch
deleted file mode 100644
index c94fa0c..0000000
--- a/SOURCES/0026-Optimize-closing-open-file-descriptors.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 9bbb628620d4e586941344e1bdbbc166a885c0a9 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 5 Sep 2019 12:45:52 -0400
-Subject: [PATCH] Optimize closing open file descriptors
-
-When forking, the code would close all unused file descriptors up
-to maximum number of files. In the default case this is 1024. In
-the container case this is 1048576. Huge delays in startup were
-seen due to this.
-
-Even in a default 1024 ulimit case this drastically reduces the
-number of file descriptors to mark FD_CLOEXEC but in the container
-default case this saves another order of magnitude of work.
-
-This patch takes inspiration from systemd[1] and walks /proc/self/fd
-if it is available to determine the list of open descriptors. It
-falls back to the "close all fds we don't care about up to limit"
-method.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1656519
-
-[1] https://github.com/systemd/systemd/blob/5238e9575906297608ff802a27e2ff9effa3b338/src/basic/fd-util.c#L217
----
- src/subproc.c | 71 ++++++++++++++++++++++++++++++++++++++++++++-------
- 1 file changed, 62 insertions(+), 9 deletions(-)
-
-diff --git a/src/subproc.c b/src/subproc.c
-index e49e3762..8df836ae 100644
---- a/src/subproc.c
-+++ b/src/subproc.c
-@@ -19,6 +19,7 @@
- 
- #include <sys/types.h>
- #include <sys/wait.h>
-+#include <dirent.h>
- #include <errno.h>
- #include <fcntl.h>
- #include <paths.h>
-@@ -436,6 +437,25 @@ cm_subproc_parse_args(void *parent, const char *cmdline, const char **error)
- 	return argv;
- }
- 
-+/* Based heavily on systemd version */
-+static
-+int safe_atoi(const char *s, int *ret_i) {
-+	char *x = NULL;
-+	long l;
-+
-+	errno = 0;
-+	l = strtol(s, &x, 0);
-+	if (errno > 0)
-+		return -1;
-+	if (!x || x == s || *x != 0)
-+		return -1;
-+	if ((long) (int) l != l)
-+		return -1;
-+
-+	*ret_i = (int) l;
-+	return 0;
-+}
-+
- /* Redirect stdio to /dev/null, and mark everything else as close-on-exec,
-  * except for perhaps one to three of them that are passed in by number. */
- void
-@@ -443,6 +463,9 @@ cm_subproc_mark_most_cloexec(int fd, int fd2, int fd3)
- {
- 	int i;
- 	long l;
-+	DIR *dir = NULL;
-+	struct dirent *de;
-+
- 	if ((fd != STDIN_FILENO) &&
- 	    (fd2 != STDIN_FILENO) &&
- 	    (fd3 != STDIN_FILENO)) {
-@@ -482,17 +505,47 @@ cm_subproc_mark_most_cloexec(int fd, int fd2, int fd3)
- 			close(STDERR_FILENO);
- 		}
- 	}
--	for (i = getdtablesize() - 1; i >= 3; i--) {
--		if ((i == fd) ||
--		    (i == fd2) ||
--		    (i == fd3)) {
--			continue;
-+	dir = opendir("/proc/self/fd");
-+	if (!dir) {
-+		/* /proc isn't available, fall back to old way */
-+		for (i = getdtablesize() - 1; i >= 3; i--) {
-+			if ((i == fd) ||
-+			    (i == fd2) ||
-+			    (i == fd3)) {
-+				continue;
-+			}
-+			l = fcntl(i, F_GETFD);
-+			if (l != -1) {
-+				if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
-+					cm_log(0, "Potentially leaking FD %d.\n", i);
-+				}
-+			}
- 		}
--		l = fcntl(i, F_GETFD);
--		if (l != -1) {
--			if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
--				cm_log(0, "Potentially leaking FD %d.\n", i);
-+	} else {
-+		while ((de = readdir(dir)) != NULL) {
-+			int i = -1;
-+
-+			if (safe_atoi(de->d_name, &i) < 0) {
-+				continue;
-+			}
-+
-+			if ((i == fd) ||
-+			    (i == fd2) ||
-+			    (i == fd3)) {
-+				continue;
-+			}
-+
-+			if (i == dirfd(dir)) {
-+				continue;
-+			}
-+
-+			l = fcntl(i, F_GETFD);
-+			if (l != -1) {
-+				if (fcntl(i, F_SETFD, l | FD_CLOEXEC) != 0) {
-+					cm_log(0, "Potentially leaking FD %d.\n", i);
-+				}
- 			}
- 		}
-+		closedir(dir);
- 	}
- }
--- 
-2.21.0
-
diff --git a/SOURCES/0027-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch b/SOURCES/0027-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch
deleted file mode 100644
index e1e6a23..0000000
--- a/SOURCES/0027-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From b7bcb1b3b953c2052e2d89cb2b3e9d9ccd1b3864 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 10 Oct 2019 16:28:18 -0400
-Subject: [PATCH] Don't close STDOUT when calling the CA fetch_roots function
-
-cm_subproc_mark_most_cloexec() now closes all open file
-descriptors except for up to three requested for stdin, stdout
-and stderr. Before the optimization those three were always
-left open.
-
-This was causing errors in the IPA helper ipa-server-guard
-because it tries to display the contents of stderr which was
-always being closed, causing ipa-server-guard to blow up.
----
- src/cadata.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/cadata.c b/src/cadata.c
-index eb87eb76..3e916c96 100644
---- a/src/cadata.c
-+++ b/src/cadata.c
-@@ -109,7 +109,7 @@ fetch(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, void *data)
- 		}
- 		return -1;
- 	}
--	cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1);
-+	cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1);
- 	cm_log(1, "Running enrollment/cadata helper \"%s\".\n", argv[0]);
- 	execvp(argv[0], argv);
- 	u = errno;
--- 
-2.21.0
-
diff --git a/SOURCES/0028-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch b/SOURCES/0028-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch
deleted file mode 100644
index a0c100f..0000000
--- a/SOURCES/0028-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 205775f73f7eef7b207acccac6b853562adf604b Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Fri, 25 Oct 2019 20:25:36 +0000
-Subject: [PATCH] Don't close STDERR when submitting request
-
-cm_subproc_mark_most_cloexec() now closes all open file
-descriptors except for up to three requested for stdin, stdout
-and stderr. Before the optimization those three were always
-left open.
-
-This was causing errors in the IPA helper ipa-server-guard
-because it tries to display the contents of stderr which was
-always being closed, causing ipa-server-guard to blow up.
----
- src/submit-e.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/submit-e.c b/src/submit-e.c
-index d6158d7a..69b4f8e2 100644
---- a/src/submit-e.c
-+++ b/src/submit-e.c
-@@ -941,8 +941,8 @@ cm_submit_e_helper_main(int fd, struct cm_store_ca *ca,
- 		}
- 		return -1;
- 	}
--	cm_log(2, "Redirecting stdin and stderr to /dev/null, leaving stdout open for child \"%s\".\n", argv[0]);
--	cm_subproc_mark_most_cloexec(STDOUT_FILENO, -1, -1);
-+	cm_log(2, "Redirecting stdin to /dev/null, leaving stdout and stderr open for child \"%s\".\n", argv[0]);
-+	cm_subproc_mark_most_cloexec(STDOUT_FILENO, STDERR_FILENO, -1);
- 	cm_log(1, "Running enrollment helper \"%s\".\n", argv[0]);
- 	execvp(argv[0], argv);
- 	u = errno;
--- 
-2.21.0
-
diff --git a/SOURCES/0029-Remove-NOMODDB-flag-flag-from-context-init-look-for-.patch b/SOURCES/0029-Remove-NOMODDB-flag-flag-from-context-init-look-for-.patch
deleted file mode 100644
index f3f77a2..0000000
--- a/SOURCES/0029-Remove-NOMODDB-flag-flag-from-context-init-look-for-.patch
+++ /dev/null
@@ -1,259 +0,0 @@
-From 34c120f0259750ff2228def2955de9ad985340e6 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 26 Aug 2019 22:01:35 +0000
-Subject: [PATCH] Remove NOMODDB flag flag from context init, look for full
- tokens
-
-The NSS databases were almost universally initialized with the
-NOMODDB flag. I'm not sure if something changed in NSS but the
-PKCS#11 modules were not being initialized. Adding this back after
-permission checks are done results in tokens working again.
-
-When looking for certs and keys try the full token:nickname string
-as well as just nickname when comparing values.
-
-https://pagure.io/certmonger/issue/125
----
- src/casave.c     |  3 +--
- src/certread-n.c | 33 ++++++++++++++++-----------------
- src/certsave-n.c |  5 +++++
- src/dogtag.c     |  3 +--
- src/keygen-n.c   |  5 +++++
- src/keyiread-n.c | 11 ++++++++++-
- src/scepgen-n.c  |  5 +++++
- src/submit-n.c   |  5 +++++
- src/toklist.c    |  2 +-
- 9 files changed, 49 insertions(+), 23 deletions(-)
-
-diff --git a/src/casave.c b/src/casave.c
-index bde63f99..1cf5a406 100644
---- a/src/casave.c
-+++ b/src/casave.c
-@@ -111,8 +111,7 @@ cm_casave_main_n(int fd, struct cm_store_ca *ca, struct cm_store_entry *e,
- 					break;
- 				default:
- 					flags = NSS_INIT_READONLY |
--						NSS_INIT_NOROOTINIT |
--						NSS_INIT_NOMODDB;
-+						NSS_INIT_NOROOTINIT;
- 					/* Sigh.  Not a lot of detail.  Check
- 					 * if we succeed in read-only mode,
- 					 * which we'll interpret as lack of
-diff --git a/src/certread-n.c b/src/certread-n.c
-index d535030b..bb61b61b 100644
---- a/src/certread-n.c
-+++ b/src/certread-n.c
-@@ -157,27 +157,22 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 		cm_log(1, "Unable to open NSS database.\n");
- 		_exit(status);
- 	}
-+    /* Re-open the database with modules enabled */
-+	NSS_ShutdownContext(ctx);
-+	ctx = NSS_InitContext(entry->cm_cert_storage_location,
-+			      NULL, NULL, NULL, NULL,
-+			      (readwrite ? 0 : NSS_INIT_READONLY) |
-+			      NSS_INIT_NOROOTINIT);
- 	es = util_n_fips_hook();
- 	if (es != NULL) {
- 		cm_log(1, "Error putting NSS into FIPS mode: %s\n", es);
- 		_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
- 	}
--	/* Allocate a memory pool. */
--	arena = PORT_NewArena(sizeof(double));
--	if (arena == NULL) {
--		cm_log(1, "Error opening database '%s'.\n",
--		       entry->cm_cert_storage_location);
--		if (NSS_ShutdownContext(ctx) != SECSuccess) {
--			cm_log(1, "Error shutting down NSS.\n");
--		}
--		_exit(ENOMEM);
--	}
- 	/* Find the tokens that we might use for cert storage. */
- 	mech = CKM_RSA_X_509;
- 	slotlist = PK11_GetAllTokens(mech, PR_FALSE, PR_FALSE, NULL);
- 	if (slotlist == NULL) {
- 		cm_log(1, "Error getting list of tokens.\n");
--		PORT_FreeArena(arena, PR_TRUE);
- 		if (NSS_ShutdownContext(ctx) != SECSuccess) {
- 			cm_log(1, "Error shutting down NSS.\n");
- 		}
-@@ -249,6 +244,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 		}
- 		/* If we need to log in in order to read certificates, do so. */
- 		if (PK11_NeedLogin(sle->slot)) {
-+			cm_log(3, "Need login to token %s\n", PK11_GetTokenName(sle->slot));
- 			if (cm_pin_read_for_cert(entry, &pin) != 0) {
- 				cm_log(1, "Error reading PIN for cert db, "
- 				       "skipping.\n");
-@@ -272,13 +268,19 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 		/* Walk the list of certificates in the slot, looking for one
- 		 * which matches the specified nickname. */
- 		certs = PK11_ListCertsInSlot(sle->slot);
-+		cm_log(3, "Looking for %s\n", entry->cm_cert_nickname);
- 		if (certs != NULL) {
- 			for (node = CERT_LIST_HEAD(certs);
- 			     !CERT_LIST_EMPTY(certs) &&
- 			     !CERT_LIST_END(node, certs);
- 			     node = CERT_LIST_NEXT(node)) {
--				if (strcmp(node->cert->nickname,
--					   entry->cm_cert_nickname) == 0) {
-+				cm_log(3, "certread-n: Slot nickname %s\n",
-+							node->cert->nickname);
-+		        es = talloc_asprintf(entry, "%s:%s",
-+					   entry->cm_cert_token, entry->cm_cert_nickname);
-+				if ((strcmp(node->cert->nickname,
-+					   entry->cm_cert_nickname) == 0) ||
-+                    (strcmp(node->cert->nickname, es) == 0)) {
- 					cm_log(3, "Located the certificate "
- 					       "\"%s\".\n",
- 					       entry->cm_cert_nickname);
-@@ -321,7 +323,6 @@ next_slot:
- 	if (cert == NULL) {
- 		cm_log(1, "Error locating certificate.\n");
- 		PK11_FreeSlotList(slotlist);
--		PORT_FreeArena(arena, PR_TRUE);
- 		if (NSS_ShutdownContext(ctx) != SECSuccess) {
- 			cm_log(1, "Error shutting down NSS.\n");
- 		}
-@@ -332,7 +333,6 @@ next_slot:
- 	fclose(fp);
- 	CERT_DestroyCertificate(cert);
- 	PK11_FreeSlotList(slotlist);
--	PORT_FreeArena(arena, PR_TRUE);
- 	if (NSS_ShutdownContext(ctx) != SECSuccess) {
- 		cm_log(1, "Error shutting down NSS.\n");
- 	}
-@@ -358,8 +358,7 @@ cm_certread_n_parse(struct cm_store_entry *entry,
- 			      NULL, NULL, NULL, NULL,
- 			      NSS_INIT_NOCERTDB |
- 			      NSS_INIT_READONLY |
--			      NSS_INIT_NOROOTINIT |
--			      NSS_INIT_NOMODDB);
-+			      NSS_INIT_NOROOTINIT);
- 	if (ctx == NULL) {
- 		cm_log(1, "Unable to initialize NSS.\n");
- 		_exit(1);
-diff --git a/src/certsave-n.c b/src/certsave-n.c
-index 972a1dfa..eda03b34 100644
---- a/src/certsave-n.c
-+++ b/src/certsave-n.c
-@@ -186,6 +186,11 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 	} else {
- 		/* We don't try to force FIPS mode here, as it seems to get in
- 		 * the way of saving the certificate. */
-+		NSS_ShutdownContext(ctx);
-+		ctx = NSS_InitContext(entry->cm_cert_storage_location,
-+				      NULL, NULL, NULL, NULL,
-+				      (readwrite ? 0 : NSS_INIT_READONLY) |
-+				      NSS_INIT_NOROOTINIT);
- 
- 		/* Allocate a memory pool. */
- 		arena = PORT_NewArena(sizeof(double));
-diff --git a/src/dogtag.c b/src/dogtag.c
-index 55607f3d..c43664ef 100644
---- a/src/dogtag.c
-+++ b/src/dogtag.c
-@@ -306,8 +306,7 @@ main(int argc, const char **argv)
- 			       NULL, NULL, NULL, NULL,
- 			       NSS_INIT_NOCERTDB |
- 			       NSS_INIT_READONLY |
--			       NSS_INIT_NOROOTINIT |
--			       NSS_INIT_NOMODDB);
-+			       NSS_INIT_NOROOTINIT);
- 	if (nctx == NULL) {
- 		cm_log(1, "Unable to initialize NSS.\n");
- 		_exit(1);
-diff --git a/src/keygen-n.c b/src/keygen-n.c
-index 061bd2af..e921d7ec 100644
---- a/src/keygen-n.c
-+++ b/src/keygen-n.c
-@@ -226,6 +226,11 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 			break;
- 		}
- 	}
-+	NSS_ShutdownContext(ctx);
-+	ctx = NSS_InitContext(entry->cm_key_storage_location,
-+			      NULL, NULL, NULL, NULL,
-+			      (readwrite ? 0 : NSS_INIT_READONLY) |
-+			      NSS_INIT_NOROOTINIT);
- 	reason = util_n_fips_hook();
- 	if (reason != NULL) {
- 		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
-diff --git a/src/keyiread-n.c b/src/keyiread-n.c
-index 91b1be41..dc1c6092 100644
---- a/src/keyiread-n.c
-+++ b/src/keyiread-n.c
-@@ -115,6 +115,11 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
- 			break;
- 		}
- 	}
-+	NSS_ShutdownContext(ctx);
-+	ctx = NSS_InitContext(entry->cm_key_storage_location,
-+			      NULL, NULL, NULL, NULL,
-+			      (readwrite ? 0 : NSS_INIT_READONLY) |
-+			      NSS_INIT_NOROOTINIT);
- 	reason = util_n_fips_hook();
- 	if (reason != NULL) {
- 		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
-@@ -340,8 +345,12 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
- 			     cnode = CERT_LIST_NEXT(cnode)) {
- 				nickname = entry->cm_key_nickname;
- 				cert = cnode->cert;
-+				es = talloc_asprintf(entry, "%s:%s",
-+									         entry->cm_cert_token,
-+											 entry->cm_cert_nickname);
- 				if ((nickname != NULL) &&
--				    (strcmp(cert->nickname, nickname) == 0)) {
-+				    ((strcmp(cert->nickname, nickname) == 0) ||
-+					(strcmp(cert->nickname, es) == 0))) {
- 					cm_log(3, "Located a certificate with "
- 					       "the key's nickname (\"%s\").\n",
- 					       nickname);
-diff --git a/src/scepgen-n.c b/src/scepgen-n.c
-index d6735aa7..8c67b122 100644
---- a/src/scepgen-n.c
-+++ b/src/scepgen-n.c
-@@ -183,6 +183,11 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 			break;
- 		}
- 	}
-+	NSS_ShutdownContext(ctx);
-+	ctx = NSS_InitContext(entry->cm_key_storage_location,
-+			      NULL, NULL, NULL, NULL,
-+			      NSS_INIT_READONLY |
-+			      NSS_INIT_NOROOTINIT);
- 	reason = util_n_fips_hook();
- 	if (reason != NULL) {
- 		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
-diff --git a/src/submit-n.c b/src/submit-n.c
-index b07ea23a..f27b9c7f 100644
---- a/src/submit-n.c
-+++ b/src/submit-n.c
-@@ -317,6 +317,11 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
- 		}
- 		goto done;
- 	}
-+	NSS_ShutdownContext(ctx);
-+	ctx = NSS_InitContext(args->entry->cm_key_storage_location,
-+			      NULL, NULL, NULL, NULL,
-+			      NSS_INIT_READONLY |
-+			      NSS_INIT_NOROOTINIT);
- 	reason = util_n_fips_hook();
- 	if (reason != NULL) {
- 		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
-diff --git a/src/toklist.c b/src/toklist.c
-index a4328218..ac166722 100644
---- a/src/toklist.c
-+++ b/src/toklist.c
-@@ -79,7 +79,7 @@ main(int argc, const char **argv)
- 
- 	/* Open the database. */
- 	ctx = NSS_InitContext(dbdir, NULL, NULL, NULL, NULL,
--			      NSS_INIT_NOROOTINIT | NSS_INIT_NOMODDB);
-+			      NSS_INIT_NOROOTINIT);
- 	if (ctx == NULL) {
- 		printf("Unable to open NSS database '%s'.\n", dbdir);
- 		_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
--- 
-2.21.0
-
diff --git a/SOURCES/0030-Update-tests-to-include-the-security-module-DB-in-ex.patch b/SOURCES/0030-Update-tests-to-include-the-security-module-DB-in-ex.patch
deleted file mode 100644
index 9cbdfe9..0000000
--- a/SOURCES/0030-Update-tests-to-include-the-security-module-DB-in-ex.patch
+++ /dev/null
@@ -1,233 +0,0 @@
-From 59df833ca5fb80c596df621a24dc461a550dba71 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Tue, 27 Aug 2019 18:01:02 +0000
-Subject: [PATCH] Update tests to include the security module DB in expected
- output
-
-certmonger was previously always initializing the databases with
-the flag NSS_INIT_NOMODDB but in at elast NSS 3.44 this doesn't
-seem to initialize external modules (tested with SoftHSM2).
-
-https://pagure.io/certmonger/issue/125
----
- tests/034-perms-dbm/expected.out | 16 ++++++++++++++++
- tests/034-perms-sql/expected.out | 16 ++++++++++++++++
- tests/034-perms/expected.out     | 16 ++++++++++++++++
- 3 files changed, 48 insertions(+)
-
-diff --git a/tests/034-perms-dbm/expected.out b/tests/034-perms-dbm/expected.out
-index c062d409..7bf23a37 100644
---- a/tests/034-perms-dbm/expected.out
-+++ b/tests/034-perms-dbm/expected.out
-@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
- [dbm:keygen]
- $owner:$group|0600|cert8.db
- $owner:$group|0620|key3.db
-+$owner:$group|0600|secmod.db
- [dbm:reset]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [dbm:csrgen]
- $owner:$group|0755|cert8.db
- $owner:$group|0620|key3.db
-+$owner:$group|0755|secmod.db
- [dbm:reset]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [dbm:submit]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [dbm:reset]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [dbm:save]
- $owner:$group|0662|cert8.db
- $owner:$group|0620|key3.db
-+$owner:$group|0662|secmod.db
- [rekey:dbm:start]
- [rekey:dbm:keygen]
- $owner:$group|0600|cert8.db
- $owner:$group|0620|key3.db
-+$owner:$group|0600|secmod.db
- [rekey:dbm:reset]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [rekey:dbm:keygen]
- $owner:$group|0755|cert8.db
- $owner:$group|0620|key3.db
-+$owner:$group|0755|secmod.db
- [rekey:dbm:reset]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [rekey:dbm:csrgen]
- $owner:$group|0755|cert8.db
- $owner:$group|0620|key3.db
-+$owner:$group|0755|secmod.db
- [rekey:dbm:reset]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [rekey:dbm:submit]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [rekey:dbm:reset]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [rekey:dbm:save]
- $owner:$group|0662|cert8.db
- $owner:$group|0620|key3.db
-+$owner:$group|0662|secmod.db
- OK
-diff --git a/tests/034-perms-sql/expected.out b/tests/034-perms-sql/expected.out
-index 2808e02c..c5914e02 100644
---- a/tests/034-perms-sql/expected.out
-+++ b/tests/034-perms-sql/expected.out
-@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
- [sql:keygen]
- $owner:$group|0600|cert9.db
- $owner:$group|0620|key4.db
-+$owner:$group|0600|pkcs11.txt
- [sql:reset]
- $owner:$group|0755|cert9.db
- $owner:$group|0755|key4.db
-+$owner:$group|0755|pkcs11.txt
- [sql:csrgen]
- $owner:$group|0755|cert9.db
- $owner:$group|0620|key4.db
-+$owner:$group|0755|pkcs11.txt
- [sql:reset]
- $owner:$group|0755|cert9.db
- $owner:$group|0755|key4.db
-+$owner:$group|0755|pkcs11.txt
- [sql:submit]
- $owner:$group|0755|cert9.db
- $owner:$group|0755|key4.db
-+$owner:$group|0755|pkcs11.txt
- [sql:reset]
- $owner:$group|0755|cert9.db
- $owner:$group|0755|key4.db
-+$owner:$group|0755|pkcs11.txt
- [sql:save]
- $owner:$group|0662|cert9.db
- $owner:$group|0620|key4.db
-+$owner:$group|0662|pkcs11.txt
- [rekey:sql:start]
- [rekey:sql:keygen]
- $owner:$group|0600|cert9.db
- $owner:$group|0620|key4.db
-+$owner:$group|0600|pkcs11.txt
- [rekey:sql:reset]
- $owner:$group|0755|cert9.db
- $owner:$group|0755|key4.db
-+$owner:$group|0755|pkcs11.txt
- [rekey:sql:keygen]
- $owner:$group|0755|cert9.db
- $owner:$group|0620|key4.db
-+$owner:$group|0755|pkcs11.txt
- [rekey:sql:reset]
- $owner:$group|0755|cert9.db
- $owner:$group|0755|key4.db
-+$owner:$group|0755|pkcs11.txt
- [rekey:sql:csrgen]
- $owner:$group|0755|cert9.db
- $owner:$group|0620|key4.db
-+$owner:$group|0755|pkcs11.txt
- [rekey:sql:reset]
- $owner:$group|0755|cert9.db
- $owner:$group|0755|key4.db
-+$owner:$group|0755|pkcs11.txt
- [rekey:sql:submit]
- $owner:$group|0755|cert9.db
- $owner:$group|0755|key4.db
-+$owner:$group|0755|pkcs11.txt
- [rekey:sql:reset]
- $owner:$group|0755|cert9.db
- $owner:$group|0755|key4.db
-+$owner:$group|0755|pkcs11.txt
- [rekey:sql:save]
- $owner:$group|0662|cert9.db
- $owner:$group|0620|key4.db
-+$owner:$group|0662|pkcs11.txt
- OK
-diff --git a/tests/034-perms/expected.out b/tests/034-perms/expected.out
-index c062d409..7bf23a37 100644
---- a/tests/034-perms/expected.out
-+++ b/tests/034-perms/expected.out
-@@ -45,50 +45,66 @@ $owner:$group|0620|ee.key
- [dbm:keygen]
- $owner:$group|0600|cert8.db
- $owner:$group|0620|key3.db
-+$owner:$group|0600|secmod.db
- [dbm:reset]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [dbm:csrgen]
- $owner:$group|0755|cert8.db
- $owner:$group|0620|key3.db
-+$owner:$group|0755|secmod.db
- [dbm:reset]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [dbm:submit]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [dbm:reset]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [dbm:save]
- $owner:$group|0662|cert8.db
- $owner:$group|0620|key3.db
-+$owner:$group|0662|secmod.db
- [rekey:dbm:start]
- [rekey:dbm:keygen]
- $owner:$group|0600|cert8.db
- $owner:$group|0620|key3.db
-+$owner:$group|0600|secmod.db
- [rekey:dbm:reset]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [rekey:dbm:keygen]
- $owner:$group|0755|cert8.db
- $owner:$group|0620|key3.db
-+$owner:$group|0755|secmod.db
- [rekey:dbm:reset]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [rekey:dbm:csrgen]
- $owner:$group|0755|cert8.db
- $owner:$group|0620|key3.db
-+$owner:$group|0755|secmod.db
- [rekey:dbm:reset]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [rekey:dbm:submit]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [rekey:dbm:reset]
- $owner:$group|0755|cert8.db
- $owner:$group|0755|key3.db
-+$owner:$group|0755|secmod.db
- [rekey:dbm:save]
- $owner:$group|0662|cert8.db
- $owner:$group|0620|key3.db
-+$owner:$group|0662|secmod.db
- OK
--- 
-2.21.0
-
diff --git a/SOURCES/0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch b/SOURCES/0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch
deleted file mode 100644
index 5c9978d..0000000
--- a/SOURCES/0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 64702b25951ce996532afea7d627612d6bba7451 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 10 Oct 2019 18:24:32 +0000
-Subject: [PATCH] Try to pull the entire CA chain from IPA
-
-IPA originally stored a single cert in cn=cacert which is
-what certmonger has always retrieved in fetch_roots. It was
-replaced to store cn=certificates as separate entries in order
-to more easily support chains and to include additional
-metadata about certificates.
-
-Try to pull the chain from that location first and fall back
-to cn=cacert if no entries are found.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1710632
----
- src/ipa.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/src/ipa.c b/src/ipa.c
-index acd1a4e2..40a4b52c 100644
---- a/src/ipa.c
-+++ b/src/ipa.c
-@@ -508,7 +508,8 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
- 	LDAP *ld = NULL;
- 	LDAPMessage *lresult = NULL, *lmsg = NULL;
- 	char *lattrs[2] = {"caCertificate;binary", NULL};
--	const char *relativedn = "cn=cacert,cn=ipa,cn=etc";
-+	const char *relativedn = "cn=certificates,cn=ipa,cn=etc";
-+	const char *relativecompatdn = "cn=cacert,cn=ipa,cn=etc";
- 	char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", *kerr = NULL;
- 	struct berval **lbvalues, *lbv;
- 	unsigned char *bv_val;
-@@ -543,6 +544,13 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
- 	rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
- 			       lfilter, lattrs, 0, NULL, NULL, NULL,
- 			       LDAP_NO_LIMIT, &lresult);
-+    if (rc == LDAP_SUCCESS && ldap_count_entries(ld, lresult) == 0) {
-+		/* Fall back to the old location */
-+		snprintf(ldn, sizeof(ldn), "%s,%s", relativecompatdn, basedn);
-+		rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
-+				       lfilter, lattrs, 0, NULL, NULL, NULL,
-+				       LDAP_NO_LIMIT, &lresult);
-+	}
- 	if (rc != LDAP_SUCCESS) {
- 		fprintf(stderr, "Error searching '%s': %s.\n",
- 			ldn, ldap_err2string(rc));
--- 
-2.21.0
-
diff --git a/SOURCES/0032-Fix-use-after-free-issue.patch b/SOURCES/0032-Fix-use-after-free-issue.patch
deleted file mode 100644
index 06b0940..0000000
--- a/SOURCES/0032-Fix-use-after-free-issue.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From c6f2737747cbb70adfdd1a77412b669838f9c419 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 2 Dec 2019 15:08:54 -0500
-Subject: [PATCH] Fix use-after-free issue
-
-The basedn value was freed after the first search but a second
-one could be initiated.
----
- src/ipa.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/ipa.c b/src/ipa.c
-index 40a4b52c..41ca9081 100644
---- a/src/ipa.c
-+++ b/src/ipa.c
-@@ -540,7 +540,6 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
- 	/* Now look up the root certificates for the domain. */
- 	snprintf(lfilter, sizeof(lfilter), "(%s=*)", lattrs[0]);
- 	snprintf(ldn, sizeof(ldn), "%s,%s", relativedn, basedn);
--	free(basedn);
- 	rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
- 			       lfilter, lattrs, 0, NULL, NULL, NULL,
- 			       LDAP_NO_LIMIT, &lresult);
-@@ -551,6 +550,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
- 				       lfilter, lattrs, 0, NULL, NULL, NULL,
- 				       LDAP_NO_LIMIT, &lresult);
- 	}
-+	free(basedn);
- 	if (rc != LDAP_SUCCESS) {
- 		fprintf(stderr, "Error searching '%s': %s.\n",
- 			ldn, ldap_err2string(rc));
--- 
-2.21.0
-
diff --git a/SOURCES/0033-Improve-logging-in-SCEP-helper.patch b/SOURCES/0033-Improve-logging-in-SCEP-helper.patch
deleted file mode 100644
index 571d2c0..0000000
--- a/SOURCES/0033-Improve-logging-in-SCEP-helper.patch
+++ /dev/null
@@ -1,931 +0,0 @@
-From 0aa25dc4f8c44434e3f28a7fe25a72c0871ac13b Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Wed, 29 Apr 2020 16:50:16 -0400
-Subject: [PATCH 33/39] Improve logging in SCEP helper
-
-Always check return value of cm_pkcs7_verify_signed() and return
-a unique error message.
-
-Change log level from 1 to 0 for all errors in scep.c and pkcs7.c
-so they appear by default.
-
-Centralize logging across scep.c and pkcs7.c to reduce code
-duplication.
-
-Check the return code to cm_pkcs7_verify_signed in all cases.
-
-Add the last available message, if any, to the error returned
-via stdout to certmonger as a hint to what is going on.
----
- src/pkcs7.c     | 111 +++++++++++++++++++++++++++---------------------
- src/pkcs7.h     |   2 +
- src/scep.c      |  59 ++++++++++---------------
- src/scepgen-n.c |  28 ++++++------
- src/scepgen-o.c |  72 ++++++++++++++++---------------
- src/scepgen.c   |   2 +-
- 6 files changed, 140 insertions(+), 134 deletions(-)
-
-diff --git a/src/pkcs7.c b/src/pkcs7.c
-index 6de1775..29420b9 100644
---- a/src/pkcs7.c
-+++ b/src/pkcs7.c
-@@ -274,6 +274,25 @@ cm_pkcs7_parse_buffer(const unsigned char *buffer, size_t length,
- 	}
- }
- 
-+void
-+log_pkcs7_errors(int level, char *msg)
-+{
-+    char buf[LINE_MAX] = "";
-+    long error;
-+	int nss_err;   
-+
-+    cm_log(level, "%s\n", msg);
-+    while ((error = ERR_get_error()) != 0) {
-+            memset(buf, '\0', sizeof(buf));
-+            ERR_error_string_n(error, buf, sizeof(buf));
-+            cm_log(level, "%s\n", buf);
-+    }
-+	nss_err = PORT_GetError();
-+    if (nss_err < 0) {
-+		cm_log(level, "%d: %s\n", nss_err, PR_ErrorToString(nss_err, 0));
-+	}
-+}
-+
- int
- cm_pkcs7_parsev(unsigned int flags, void *parent,
- 		char **certleaf, char **certtop, char ***certothers,
-@@ -520,26 +539,26 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher,
- 
- 	in = BIO_new_mem_buf(encryption_cert, -1);
- 	if (in == NULL) {
--		cm_log(1, "Out of memory.\n");
-+		cm_log(0, "Out of memory.\n");
- 		goto done;
- 	}
- 	recipient = PEM_read_bio_X509(in, NULL, NULL, NULL);
- 	if (recipient == NULL) {
--		cm_log(1, "Error parsing recipient certificate.\n");
-+		log_pkcs7_errors(0, "Error parsing recipient certificate.\n");
- 		goto done;
- 	}
- 	BIO_free(in);
- 
- 	recipients = sk_X509_new(util_o_cert_cmp);
- 	if (recipients == NULL) {
--		cm_log(1, "Out of memory.\n");
-+		cm_log(0, "Out of memory.\n");
- 		goto done;
- 	}
- 	sk_X509_push(recipients, recipient);
- 
- 	in = BIO_new_mem_buf(data, dlength);
- 	if (in == NULL) {
--		cm_log(1, "Out of memory.\n");
-+		cm_log(0, "Out of memory.\n");
- 		goto done;
- 	}
- 	p7 = PKCS7_encrypt(recipients, in, cm_prefs_ossl_cipher_by_pref(cipher),
-@@ -547,22 +566,22 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher,
- 	BIO_free(in);
- 
- 	if (p7 == NULL) {
--		cm_log(1, "Error encrypting signing request.\n");
-+		log_pkcs7_errors(0, "Error encrypting signing request.\n");
- 		goto done;
- 	}
- 	len = i2d_PKCS7(p7, NULL);
- 	if (len < 0) {
--		cm_log(1, "Error encoding encrypted signing request.\n");
-+		log_pkcs7_errors(0, "Error encoding encrypted signing request.\n");
- 		goto done;
- 	}
- 	dp7 = malloc(len);
- 	if (dp7 == NULL) {
--		cm_log(1, "Out of memory.\n");
-+		cm_log(0, "Out of memory.\n");
- 		goto done;
- 	}
- 	u = dp7;
- 	if (i2d_PKCS7(p7, &u) != len) {
--		cm_log(1, "Error encoding encrypted signing request.\n");
-+		log_pkcs7_errors(0, "Error encoding encrypted signing request.\n");
- 		goto done;
- 	}
- 	*enveloped = dp7;
-@@ -593,29 +612,29 @@ cm_pkcs7_envelope_csr(char *encryption_cert, enum cm_prefs_cipher cipher,
- 
- 	in = BIO_new_mem_buf(csr, -1);
- 	if (in == NULL) {
--		cm_log(1, "Out of memory.\n");
-+		cm_log(0, "Out of memory.\n");
- 		goto done;
- 	}
- 	req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
- 	BIO_free(in);
- 	if (req == NULL) {
--		cm_log(1, "Error parsing certificate signing request.\n");
-+		log_pkcs7_errors(0, "Error parsing certificate signing request.\n");
- 		goto done;
- 	}
- 
- 	dlen = i2d_X509_REQ(req, NULL);
- 	if (dlen < 0) {
--		cm_log(1, "Error encoding certificate signing request.\n");
-+		log_pkcs7_errors(0, "Error encoding certificate signing request.\n");
- 		goto done;
- 	}
- 	dreq = malloc(dlen);
- 	if (dreq == NULL) {
--		cm_log(1, "Out of memory.\n");
-+		cm_log(0, "Out of memory.\n");
- 		goto done;
- 	}
- 	u = dreq;
- 	if (i2d_X509_REQ(req, &u) != dlen) {
--		cm_log(1, "Error encoding certificate signing request.\n");
-+		log_pkcs7_errors(0, "Error encoding certificate signing request.\n");
- 		goto done;
- 	}
- 	ret = cm_pkcs7_envelope_data(encryption_cert, cipher, dreq, dlen,
-@@ -671,59 +690,61 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert,
- 
- 	in = BIO_new_mem_buf(cacert, -1);
- 	if (in == NULL) {
--		cm_log(1, "Out of memory.\n");
-+		cm_log(0, "Out of memory.\n");
- 		goto done;
- 	}
- 	ca = PEM_read_bio_X509(in, NULL, NULL, NULL);
- 	BIO_free(in);
- 	if (ca == NULL) {
--		cm_log(1, "Error parsing CA certificate.\n");
-+		log_pkcs7_errors(0, "Error parsing CA certificate.\n");
- 		goto done;
- 	}
- 
- 	in = BIO_new_mem_buf(minicert, -1);
- 	if (in == NULL) {
--		cm_log(1, "Out of memory.\n");
-+		cm_log(0, "Out of memory.\n");
- 		goto done;
- 	}
- 	mini = PEM_read_bio_X509(in, NULL, NULL, NULL);
- 	BIO_free(in);
- 	if (mini == NULL) {
--		cm_log(1, "Error parsing client certificate.\n");
-+		log_pkcs7_errors(0, "Error parsing client certificate.\n");
- 		goto done;
- 	}
- 
- 	issuerlen = i2d_X509_NAME(X509_get_issuer_name(ca), NULL);
- 	if (issuerlen < 0) {
--		cm_log(1, "Error encoding CA certificate issuer name.\n");
-+		cm_log(0, "Error encoding CA certificate issuer name.\n");
- 		goto done;
- 	}
- 	issuer = malloc(issuerlen);
- 	if (issuer == NULL) {
--		cm_log(1, "Out of memory.\n");
-+		cm_log(0, "Out of memory.\n");
- 		goto done;
- 	}
- 	u = issuer;
- 	if (i2d_X509_NAME(X509_get_issuer_name(ca), &u) != issuerlen) {
--		cm_log(1, "Error encoding CA certificate issuer name.\n");
-+		log_pkcs7_errors(0, "Error encoding CA certificate issuer name.\n");
- 		goto done;
- 	}
- 
- 	subjectlen = i2d_X509_NAME(X509_get_subject_name(mini), NULL);
- 	if (subjectlen < 0) {
--		cm_log(1, "Error encoding client certificate subject name.\n");
-+		cm_log(0, "Error encoding client certificate subject name.\n");
- 		goto done;
- 	}
- 	subject = malloc(subjectlen);
- 	if (subject == NULL) {
--		cm_log(1, "Out of memory.\n");
-+		cm_log(0, "Out of memory.\n");
- 		goto done;
- 	}
- 	u = subject;
- 	if (i2d_X509_NAME(X509_get_subject_name(mini), &u) != subjectlen) {
--		cm_log(1, "Error encoding client certificate subject name.\n");
-+		log_pkcs7_errors(0, "Error encoding client certificate subject name.\n");
- 		goto done;
- 	}
-+	PORT_SetError(0);
-+    ERR_clear_error();
- 	memset(&issuerandsubject, 0, sizeof(issuerandsubject));
- 	issuerandsubject.issuer.data = issuer;
- 	issuerandsubject.issuer.len = issuerlen;
-@@ -731,7 +752,7 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert,
- 	issuerandsubject.subject.len = subjectlen;
- 	if (SEC_ASN1EncodeItem(NULL, &encoded, &issuerandsubject,
- 			       cm_pkcs7_ias_template) != &encoded) {
--		cm_log(1, "Error encoding issuer and subject names.\n");
-+		log_pkcs7_errors(0, "Error encoding issuer and subject names.\n");
- 		goto done;
- 	}
- 	*ias = malloc(encoded.len);
-@@ -948,28 +969,28 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
- 	u = data;
- 	p7 = d2i_PKCS7(NULL, &u, length);
- 	if ((p7 == NULL) || (u != data + length)) {
--		cm_log(1, "Error parsing what should be PKCS#7 signed-data.\n");
-+		cm_log(0, "Error parsing what should be PKCS#7 signed-data.\n");
- 		goto done;
- 	}
- 	if ((p7->type == NULL) || (OBJ_obj2nid(p7->type) != NID_pkcs7_signed)) {
--		cm_log(1, "PKCS#7 data is not signed-data.\n");
-+		cm_log(0, "PKCS#7 data is not signed-data.\n");
- 		goto done;
- 	}
- 	store = X509_STORE_new();
- 	if (store == NULL) {
--		cm_log(1, "Out of memory.\n");
-+		cm_log(0, "Out of memory.\n");
- 		goto done;
- 	}
- 	X509_STORE_set_verify_cb_func(store, &ignore_purpose_errors);
- 	certs = sk_X509_new(util_o_cert_cmp);
- 	if (certs == NULL) {
--		cm_log(1, "Out of memory.\n");
-+		cm_log(0, "Out of memory.\n");
- 		goto done;
- 	}
- 	for (i = 0; (roots != NULL) && (roots[i] != NULL); i++) {
- 		s = talloc_strdup(parent, roots[i]);
- 		if (s == NULL) {
--			cm_log(1, "Out of memory.\n");
-+			cm_log(0, "Out of memory.\n");
- 			goto done;
- 		}
- 		/* In case one of these is multiple PEM certificates
-@@ -990,13 +1011,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
- 			}
- 			in = BIO_new_mem_buf(p, q - p);
- 			if (in == NULL) {
--				cm_log(1, "Out of memory.\n");
-+				cm_log(0, "Out of memory.\n");
- 				goto done;
- 			}
- 			x = PEM_read_bio_X509(in, NULL, NULL, NULL);
- 			BIO_free(in);
- 			if (x == NULL) {
--				cm_log(1, "Error parsing chain certificate.\n");
-+				cm_log(0, "Error parsing chain certificate.\n");
- 				goto done;
- 			}
- 			X509_STORE_add_cert(store, x);
-@@ -1008,7 +1029,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
- 	for (i = 0; (othercerts != NULL) && (othercerts[i] != NULL); i++) {
- 		s = talloc_strdup(parent, othercerts[i]);
- 		if (s == NULL) {
--			cm_log(1, "Out of memory.\n");
-+			cm_log(0, "Out of memory.\n");
- 			goto done;
- 		}
- 		/* In case one of these is multiple PEM certificates
-@@ -1028,13 +1049,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
- 			}
- 			in = BIO_new_mem_buf(p, q - p);
- 			if (in == NULL) {
--				cm_log(1, "Out of memory.\n");
-+				cm_log(0, "Out of memory.\n");
- 				goto done;
- 			}
- 			x = PEM_read_bio_X509(in, NULL, NULL, NULL);
- 			BIO_free(in);
- 			if (x == NULL) {
--				cm_log(1, "Error parsing chain certificate.\n");
-+				cm_log(0, "Error parsing chain certificate.\n");
- 				goto done;
- 			}
- 			sk_X509_push(certs, x);
-@@ -1044,7 +1065,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
- 	}
- 	out = BIO_new(BIO_s_mem());
- 	if (out == NULL) {
--		cm_log(1, "Out of memory.\n");
-+		cm_log(0, "Out of memory.\n");
- 		goto done;
- 	}
- 	if (roots != NULL) {
-@@ -1057,19 +1078,19 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
- 		for (i = 0; i < sk_X509_num(certs); i++) {
- 			x = X509_dup(sk_X509_value(certs, i));
- 			if (x == NULL) {
--				cm_log(1, "Out of memory.\n");
-+				cm_log(0, "Out of memory.\n");
- 				goto done;
- 			}
- 			PKCS7_add_certificate(p7, x);
- 		}
- 		if (PKCS7_verify(p7, certs, store, NULL, out, 0) != 1) {
--			cm_log(1, "Message failed verification.\n");
-+			cm_log(0, "Message failed verification.\n");
- 			goto done;
- 		}
- 	}
- 	p7s = p7->d.sign;
- 	if (sk_PKCS7_SIGNER_INFO_num(p7s->signer_info) != 1) {
--		cm_log(1, "Number of PKCS#7 signed-data signers != 1.\n");
-+		cm_log(0, "Number of PKCS#7 signed-data signers != 1.\n");
- 		goto done;
- 	}
- 	si = sk_PKCS7_SIGNER_INFO_value(p7s->signer_info, 0);
-@@ -1077,12 +1098,12 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
- 	encapsulated = p7s->contents;
- 	if (expected_content_type != NID_undef) {
- 		if (encapsulated == NULL) {
--			cm_log(1, "Error parsing PKCS#7 encapsulated content.\n");
-+			cm_log(0, "Error parsing PKCS#7 encapsulated content.\n");
- 			goto done;
- 		}
- 		if ((encapsulated->type == NULL) ||
- 		    (OBJ_obj2nid(encapsulated->type) != expected_content_type)) {
--			cm_log(1, "PKCS#7 encapsulated data is not %s (%s).\n",
-+			cm_log(0, "PKCS#7 encapsulated data is not %s (%s).\n",
- 			       OBJ_nid2ln(expected_content_type),
- 			       encapsulated->type ?
- 			       OBJ_nid2ln(OBJ_obj2nid(encapsulated->type)) :
-@@ -1091,7 +1112,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
- 		}
- 	}
- 	if (attrs == NULL) {
--		cm_log(1, "PKCS#7 signed-data contains no signed attributes.\n");
-+		cm_log(0, "PKCS#7 signed-data contains no signed attributes.\n");
- 		goto done;
- 	}
- 	ret = 0;
-@@ -1146,7 +1167,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
- 		if (*payload_length > 0) {
- 			*payload = talloc_size(parent, *payload_length + 1);
- 			if (*payload == NULL) {
--				cm_log(1, "Out of memory.\n");
-+				cm_log(0, "Out of memory.\n");
- 				goto done;
- 			}
- 			memcpy(*payload, s, *payload_length);
-@@ -1154,12 +1175,6 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
- 		}
- 	}
- done:
--	if (ret != 0) {
--		while ((error = ERR_get_error()) != 0) {
--			ERR_error_string_n(error, buf, sizeof(buf));
--			cm_log(1, "%s\n", buf);
--		}
--	}
- 	if (p7 != NULL) {
- 		PKCS7_free(p7);
- 	}
-diff --git a/src/pkcs7.h b/src/pkcs7.h
-index 097f7ca..fae52f8 100644
---- a/src/pkcs7.h
-+++ b/src/pkcs7.h
-@@ -63,4 +63,6 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length,
- 			   size_t *recipient_nonce_length,
- 			   unsigned char **payload, size_t *payload_length);
- 
-+void log_pkcs7_errors(int level, char *msg);
-+
- #endif
-diff --git a/src/scep.c b/src/scep.c
-index b37711c..0b8bef9 100644
---- a/src/scep.c
-+++ b/src/scep.c
-@@ -428,11 +428,15 @@ main(int argc, const char **argv)
- 	if ((rekey_message != NULL) && (strlen(rekey_message) != 0)) {
- 		tmp1 = cm_submit_u_base64_from_text(rekey_message);
- 		tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c);
--		cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
-+		i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
- 				       NULL, NULL, NID_pkcs7_data, ctx, NULL,
- 				       NULL, &msgtype, NULL, NULL,
- 				       NULL, NULL,
- 				       NULL, NULL, NULL, NULL);
-+		if (i != 0) {
-+			log_pkcs7_errors(0, "Error: failed to verify signature on "
-+					"rekey PKCSReq.\n");
-+		}
- 		if ((msgtype == NULL) ||
- 		    ((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) &&
- 		     (strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) {
-@@ -454,11 +458,15 @@ main(int argc, const char **argv)
- 	if ((message != NULL) && (strlen(message) != 0)) {
- 		tmp1 = cm_submit_u_base64_from_text(message);
- 		tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c);
--		cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
-+		i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c,
- 				       NULL, NULL, NID_pkcs7_data, ctx, NULL,
- 				       &sent_tx, &msgtype, NULL, NULL,
- 				       &sent_nonce, &sent_nonce_length,
- 				       NULL, NULL, NULL, NULL);
-+		if (i != 0) {
-+			log_pkcs7_errors(0, "Error: failed to verify signature on "
-+					"message.\n");
-+		}
- 		if ((msgtype == NULL) ||
- 		    ((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) &&
- 		     (strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) {
-@@ -933,14 +941,16 @@ main(int argc, const char **argv)
- 						   &payload, &payload_length);
- 			if (i != 0) {
- 				printf(_("Error: failed to verify signature on "
--					 "server response.\n"));
--				cm_log(1, "Error: failed to verify signature on "
--					 "server response.\n");
--				while ((error = ERR_get_error()) != 0) {
-+						 "server response. "));
-+				error = ERR_peek_last_error();
-+				if (error != 0) {
- 					memset(buf, '\0', sizeof(buf));
- 					ERR_error_string_n(error, buf, sizeof(buf));
--					cm_log(1, "%s\n", buf);
-+					printf("%s", buf);
- 				}
-+				printf("\n");
-+				log_pkcs7_errors(0, "Error: failed to verify signature on "
-+						  "server response.\n");
- 				s = cm_store_base64_from_bin(ctx, (unsigned char *) results2,
- 							     results_length2);
- 				s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
-@@ -1050,26 +1060,7 @@ main(int argc, const char **argv)
- 				p7 = d2i_PKCS7(NULL, &u, payload_length);
- 				if (p7 == NULL) {
- 					printf(_("Error: couldn't parse signed-data.\n"));
--					while ((error = ERR_get_error()) != 0) {
--						memset(buf, '\0', sizeof(buf));
--						ERR_error_string_n(error, buf, sizeof(buf));
--						cm_log(1, "%s\n", buf);
--					}
--					s = cm_store_base64_from_bin(ctx,
--								     (unsigned char *) results2,
--								     results_length2);
--					s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
--					fprintf(stderr, "Full reply:\n%s", s);
--					free(s);
--					return CM_SUBMIT_STATUS_UNREACHABLE;
--				}
--				if (!PKCS7_type_is_enveloped(p7)) {
--					printf(_("Error: signed-data payload is not enveloped-data.\n"));
--					while ((error = ERR_get_error()) != 0) {
--						memset(buf, '\0', sizeof(buf));
--						ERR_error_string_n(error, buf, sizeof(buf));
--						cm_log(1, "%s\n", buf);
--					}
-+					log_pkcs7_errors(0, "Error: couldn't parse signed-data.\n");
- 					s = cm_store_base64_from_bin(ctx,
- 								     (unsigned char *) results2,
- 								     results_length2);
-@@ -1080,11 +1071,8 @@ main(int argc, const char **argv)
- 				}
- 				if (!PKCS7_type_is_enveloped(p7)) {
- 					printf(_("Error: signed-data payload is not enveloped-data.\n"));
--					while ((error = ERR_get_error()) != 0) {
--						memset(buf, '\0', sizeof(buf));
--						ERR_error_string_n(error, buf, sizeof(buf));
--						cm_log(1, "%s\n", buf);
--					}
-+					log_pkcs7_errors(0, "Error: signed-data payload is not "
-+								"enveloped-data.\n");
- 					s = cm_store_base64_from_bin(ctx,
- 								     (unsigned char *) results2,
- 								     results_length2);
-@@ -1098,11 +1086,8 @@ main(int argc, const char **argv)
- 				    (p7->d.enveloped->enc_data->content_type == NULL) ||
- 				    (OBJ_obj2nid(p7->d.enveloped->enc_data->content_type) != NID_pkcs7_data)) {
- 					printf(_("Error: enveloped-data payload is not data.\n"));
--					while ((error = ERR_get_error()) != 0) {
--						memset(buf, '\0', sizeof(buf));
--						ERR_error_string_n(error, buf, sizeof(buf));
--						cm_log(1, "%s\n", buf);
--					}
-+					log_pkcs7_errors(0, "Error: enveloped-data payload is "
-+								"not data.\n");
- 					s = cm_store_base64_from_bin(ctx,
- 								     (unsigned char *) results2,
- 								     results_length2);
-diff --git a/src/scepgen-n.c b/src/scepgen-n.c
-index 8c67b12..ce73c31 100644
---- a/src/scepgen-n.c
-+++ b/src/scepgen-n.c
-@@ -86,14 +86,14 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
- 		return;
- 	}
- 	if (sk_PKCS7_SIGNER_INFO_num(p7->d.sign->signer_info) != 1) {
--		cm_log(1, "More than one signer, not sure what to do.\n");
-+		cm_log(0, "More than one signer, not sure what to do.\n");
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
- 	sinfo = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0);
- 	salen = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, NULL, &PKCS7_ATTR_SIGN_it);
- 	u = sabuf = malloc(salen);
- 	if (sabuf == NULL) {
--		cm_log(1, "Out of memory.\n");
-+		cm_log(0, "Out of memory.\n");
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
- 	/* ASN1_item_i2d doesn't actually modify the passed-in pointer, which
-@@ -101,7 +101,7 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
- 	 * that ourselves. */
- 	l = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, &u, &PKCS7_ATTR_SIGN_it);
- 	if (l != salen) {
--		cm_log(1, "Error encoding attributes.\n");
-+		cm_log(0, "Error encoding attributes.\n");
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
- 
-@@ -109,12 +109,12 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey)
- 	digalg = cm_submit_n_tag_from_nid(OBJ_obj2nid(sinfo->digest_alg->algorithm));
- 	sigalg = SEC_GetSignatureAlgorithmOidTag(privkey->keyType, digalg);
- 	if (sigalg == SEC_OID_UNKNOWN) {
--		cm_log(1, "Unable to match digest algorithm and key.\n");
-+		cm_log(0, "Unable to match digest algorithm and key.\n");
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
- 	if (SEC_SignData(&signature, sabuf, salen, privkey,
- 			 sigalg) != SECSuccess) {
--		cm_log(1, "Error re-signing: %s.\n",
-+		cm_log(0, "Error re-signing: %s.\n",
- 		       PR_ErrorToName(PORT_GetError()));
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
-@@ -143,7 +143,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 	}
- 
- 	if (ca->cm_ca_encryption_cert == NULL) {
--		cm_log(1, "Can't generate new SCEP request data without "
-+		cm_log(0, "Can't generate new SCEP request data without "
- 		       "the RA/CA encryption certificate.\n");
- 		_exit(CM_SUB_STATUS_NEED_SCEP_DATA);
- 	}
-@@ -166,12 +166,12 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 			fprintf(status, "Error opening database "
- 				"'%s': %s.\n",
- 				entry->cm_key_storage_location, es);
--			cm_log(1, "Error opening database '%s': %s.\n",
-+			cm_log(0, "Error opening database '%s': %s.\n",
- 			       entry->cm_key_storage_location, es);
- 		} else {
- 			fprintf(status, "Error opening database '%s'.\n",
- 				entry->cm_key_storage_location);
--			cm_log(1, "Error opening database '%s'.\n",
-+			cm_log(0, "Error opening database '%s'.\n",
- 			       entry->cm_key_storage_location);
- 		}
- 		switch (ec) {
-@@ -190,7 +190,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 			      NSS_INIT_NOROOTINIT);
- 	reason = util_n_fips_hook();
- 	if (reason != NULL) {
--		cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason);
-+		cm_log(0, "Error putting NSS into FIPS mode: %s\n", reason);
- 		_exit(CM_SUB_STATUS_ERROR_INITIALIZING);
- 	}
- 
-@@ -198,23 +198,23 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 	cm_log(1, "Generating dummy key.\n");
- 	key = EVP_PKEY_new();
- 	if (key == NULL) {
--		cm_log(1, "Error allocating new key.\n");
-+		cm_log(0, "Error allocating new key.\n");
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
- 	exponent = BN_new();
- 	if (exponent == NULL) {
--		cm_log(1, "Error setting up exponent.\n");
-+		cm_log(0, "Error setting up exponent.\n");
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
- 	BN_set_word(exponent, CM_DEFAULT_RSA_EXPONENT);
- 	rsa = RSA_new();
- 	if (rsa == NULL) {
--		cm_log(1, "Error allocating new RSA key.\n");
-+		cm_log(0, "Error allocating new RSA key.\n");
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
- retry_gen:
- 	if (RSA_generate_key_ex(rsa, CM_DEFAULT_PUBKEY_SIZE, exponent, NULL) != 1) {
--		cm_log(1, "Error generating key.\n");
-+		cm_log(0, "Error generating key.\n");
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
- 	if (RSA_check_key(rsa) != 1) { /* should be unnecessary */
-@@ -228,7 +228,7 @@ retry_gen:
- 	if ((keys->privkey->keyType != rsaKey) ||
- 	    ((keys->privkey_next != NULL) &&
- 	     (keys->privkey_next->keyType != rsaKey))) {
--		cm_log(1, "Keys aren't RSA.  They won't work with SCEP.\n");
-+		cm_log(0, "Keys aren't RSA.  They won't work with SCEP.\n");
- 		_exit(CM_SUB_STATUS_ERROR_KEY_TYPE);
- 	}
- 
-diff --git a/src/scepgen-o.c b/src/scepgen-o.c
-index 010abb7..a431815 100644
---- a/src/scepgen-o.c
-+++ b/src/scepgen-o.c
-@@ -76,14 +76,14 @@ key_from_file(const char *filename, struct cm_store_entry *entry)
- 	keyfp = fopen(filename, "r");
- 	if (keyfp == NULL) {
- 		if (errno != ENOENT) {
--			cm_log(1, "Error opening key file \"%s\" "
-+			cm_log(0, "Error opening key file \"%s\" "
- 			       "for reading: %s.\n",
- 			       filename, strerror(errno));
- 		}
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
- 	if (cm_pin_read_for_key(entry, &pin) != 0) {
--		cm_log(1, "Internal error reading key encryption PIN.\n");
-+		cm_log(0, "Internal error reading key encryption PIN.\n");
- 		_exit(CM_SUB_STATUS_ERROR_AUTH);
- 	}
- 	memset(&cb_data, 0, sizeof(cb_data));
-@@ -93,24 +93,24 @@ key_from_file(const char *filename, struct cm_store_entry *entry)
- 				   cm_pin_read_for_key_ossl_cb, &cb_data);
- 	if (pkey == NULL) {
- 		error = errno;
--		cm_log(1, "Error reading private key '%s': %s.\n",
-+		cm_log(0, "Error reading private key '%s': %s.\n",
- 		       filename, strerror(error));
- 		while ((error = ERR_get_error()) != 0) {
- 			ERR_error_string_n(error, buf, sizeof(buf));
--			cm_log(1, "%s\n", buf);
-+			cm_log(0, "%s\n", buf);
- 		}
- 		_exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */
- 	} else {
- 		if ((pin != NULL) &&
- 		    (strlen(pin) > 0) &&
- 		    (cb_data.n_attempts == 0)) {
--			cm_log(1, "PIN was not needed to read private "
-+			cm_log(0, "PIN was not needed to read private "
- 			       "key '%s', though one was provided. "
- 			       "Treating this as an error.\n",
- 			       filename);
- 			while ((error = ERR_get_error()) != 0) {
- 				ERR_error_string_n(error, buf, sizeof(buf));
--				cm_log(1, "%s\n", buf);
-+				cm_log(0, "%s\n", buf);
- 			}
- 			_exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */
- 		}
-@@ -127,13 +127,13 @@ cert_from_pem(char *pem, struct cm_store_entry *entry)
- 	if ((pem != NULL) && (strlen(pem) > 0)) {
- 		in = BIO_new_mem_buf(pem, -1);
- 		if (in == NULL) {
--			cm_log(1, "Out of memory.\n");
-+			cm_log(0, "Out of memory.\n");
- 			_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 		}
- 		cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
- 		BIO_free(in);
- 		if (cert == NULL) {
--			cm_log(1, "Error parsing certificate \"%s\".\n", pem);
-+			cm_log(0, "Error parsing certificate \"%s\".\n", pem);
- 			_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 		}
- 		return cert;
-@@ -155,19 +155,19 @@ certs_from_nickcerts(struct cm_nickcert **list)
- 		if ((this->cm_cert != NULL) && (strlen(this->cm_cert) > 0)) {
- 			in = BIO_new_mem_buf(this->cm_cert, -1);
- 			if (in == NULL) {
--				cm_log(1, "Out of memory.\n");
-+				cm_log(0, "Out of memory.\n");
- 				_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 			}
- 			cert = PEM_read_bio_X509(in, NULL, NULL, NULL);
- 			BIO_free(in);
- 			if (cert == NULL) {
--				cm_log(1, "Error parsing certificate.\n");
-+				cm_log(0, "Error parsing certificate.\n");
- 				_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 			}
- 			if (sk == NULL) {
- 				sk = sk_X509_new(util_o_cert_cmp);
- 				if (sk == NULL) {
--					cm_log(1, "Out of memory.\n");
-+					cm_log(0, "Out of memory.\n");
- 					_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 				}
- 			}
-@@ -300,19 +300,19 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
- 
- 	in = BIO_new_mem_buf(data, data_length);
- 	if (in == NULL) {
--		cm_log(1, "Out of memory.\n");
-+		cm_log(0, "Out of memory.\n");
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
- 	ret = PKCS7_sign(signer, key, certs, in, flags);
- 	if (ret == NULL) {
--		cm_log(1, "Error signing data.\n");
-+		cm_log(0, "Error signing data.\n");
- 		goto errors;
- 	}
- 	BIO_free(in);
- 
- 	/* Set the digest to use for signing. */
- 	if (sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info) != 1) {
--		cm_log(1, "Error signing data: %d signers.\n",
-+		cm_log(0, "Error signing data: %d signers.\n",
- 		       sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info));
- 		goto errors;
- 	}
-@@ -356,7 +356,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
- 	PKCS7_content_new(ret, NID_pkcs7_data);
- 	out = PKCS7_dataInit(ret, NULL);
- 	if (out == NULL) {
--		cm_log(1, "Error signing data.\n");
-+		cm_log(0, "Error signing data.\n");
- 		goto errors;
- 	}
- 	BIO_write(out, data, data_length);
-@@ -366,7 +366,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs,
- errors:
- 	while ((error = ERR_get_error()) != 0) {
- 		ERR_error_string_n(error, buf, sizeof(buf));
--		cm_log(1, "%s\n", buf);
-+		cm_log(0, "%s\n", buf);
- 	}
- 	_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- }
-@@ -394,11 +394,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
- 	util_o_init();
- 	ERR_load_crypto_strings();
-         if (RAND_status() != 1) {
--		cm_log(1, "PRNG not seeded for generating key.\n");
-+		cm_log(0, "PRNG not seeded for generating key.\n");
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
- 	if (RAND_bytes(nonce, nonce_length) == -1) {
--		cm_log(1, "PRNG unable to generate nonce.\n");
-+		cm_log(0, "PRNG unable to generate nonce.\n");
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
- 
-@@ -410,14 +410,14 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
- 	pem = cm_submit_u_pem_from_base64("CERTIFICATE", 0,
- 					  entry->cm_minicert);
- 	if (pem == NULL) {
--		cm_log(1, "Out of memory.\n");
-+		cm_log(0, "Out of memory.\n");
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
- 	new_cert = cert_from_pem(pem, entry);
- 	if (new_cert == NULL) {
- 		while ((error = ERR_get_error()) != 0) {
- 			ERR_error_string_n(error, buf, sizeof(buf));
--			cm_log(1, "%s\n", buf);
-+			cm_log(0, "%s\n", buf);
- 		}
- 		free(pem);
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
-@@ -442,7 +442,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
- 			cipher = cm_prefs_des;
- 		}
- 		else {
--			cm_log(1, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
-+			cm_log(0, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
- 			_exit(1);
- 		}
- 
-@@ -516,7 +516,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
- 			digest = cm_prefs_md5;
- 		}
- 		else {
--			cm_log(1, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
-+			cm_log(0, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
- 			_exit(1);
- 		}
- 
-@@ -578,7 +578,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
- 					  ca->cm_ca_encryption_issuer_cert,
- 					  entry->cm_cert,
- 					  &old_ias, &old_ias_length) != 0) {
--			cm_log(1, "Error generating enveloped issuer-and-subject.\n");
-+			cm_log(0, "Error generating enveloped issuer-and-subject.\n");
- 			free(pem);
- 			_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 		}
-@@ -590,7 +590,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
- 				  ca->cm_ca_encryption_issuer_cert,
- 				  pem,
- 				  &new_ias, &new_ias_length) != 0) {
--		cm_log(1, "Error generating enveloped issuer-and-subject.\n");
-+		cm_log(0, "Error generating enveloped issuer-and-subject.\n");
- 		free(pem);
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
-@@ -598,7 +598,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
- 	if (cm_pkcs7_envelope_csr(ca->cm_ca_encryption_cert, cipher,
- 				  entry->cm_csr,
- 				  &csr, &csr_length) != 0) {
--		cm_log(1, "Error generating enveloped CSR.\n");
-+		cm_log(0, "Error generating enveloped CSR.\n");
-+		while ((error = ERR_get_error()) != 0) {
-+			ERR_error_string_n(error, buf, sizeof(buf));
-+			cm_log(0, "%s\n", buf);
-+		}
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
- 
-@@ -608,7 +612,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
- 		 * the matching key. */
- 		pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(old_cert));
- 		if (pubkey == NULL) {
--			cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n");
-+			cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n");
- 			_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 		}
- 		util_X509_set_pubkey(old_cert, old_pkey);
-@@ -639,7 +643,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
- 			 * if we do, we did that in another code path. */
- 			pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert));
- 			if (pubkey == NULL) {
--				cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n");
-+				cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n");
- 				_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 			}
- 			util_X509_set_pubkey(new_cert, old_pkey);
-@@ -673,7 +677,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
- 		 * any previously-issued certificate won't match. */
- 		pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert));
- 		if (pubkey == NULL) {
--			cm_log(1, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n");
-+			cm_log(0, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n");
- 			_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 		}
- 		util_X509_set_pubkey(new_cert, new_pkey);
-@@ -703,7 +707,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
- 	X509_free(new_cert);
- 	while ((error = ERR_get_error()) != 0) {
- 		ERR_error_string_n(error, buf, sizeof(buf));
--		cm_log(1, "%s\n", buf);
-+		cm_log(0, "%s\n", buf);
- 	}
- }
- 
-@@ -723,14 +727,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 	}
- 
- 	if (ca->cm_ca_encryption_cert == NULL) {
--		cm_log(1, "Can't generate new SCEP request data without "
-+		cm_log(0, "Can't generate new SCEP request data without "
- 		       "the RA/CA encryption certificate.\n");
- 		_exit(CM_SUB_STATUS_NEED_SCEP_DATA);
- 	}
- 
- 	old_pkey = key_from_file(entry->cm_key_storage_location, entry);
- 	if (old_pkey == NULL) {
--		cm_log(1, "Error reading key from file \"%s\".\n",
-+		cm_log(0, "Error reading key from file \"%s\".\n",
- 		       entry->cm_key_storage_location);
- 		_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 	}
-@@ -739,14 +743,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 		filename = util_build_next_filename(entry->cm_key_storage_location,
- 						    entry->cm_key_next_marker);
- 		if (filename == NULL) {
--			cm_log(1, "Error opening key file \"%s\" "
-+			cm_log(0, "Error opening key file \"%s\" "
- 			       "for reading: %s.\n",
- 			       filename, strerror(errno));
- 			_exit(CM_SUB_STATUS_INTERNAL_ERROR);
- 		}
- 		new_pkey = key_from_file(filename, entry);
- 		if (new_pkey == NULL) {
--			cm_log(1, "Error reading key from file \"%s\".\n",
-+			cm_log(0, "Error reading key from file \"%s\".\n",
- 			       filename);
- 			free(filename);
- 			_exit(CM_SUB_STATUS_INTERNAL_ERROR);
-@@ -757,7 +761,7 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
- 	}
- 	if ((util_EVP_PKEY_base_id(old_pkey) != EVP_PKEY_RSA) ||
- 	    ((new_pkey != NULL) && (util_EVP_PKEY_base_id(new_pkey) != EVP_PKEY_RSA))) {
--		cm_log(1, "Keys aren't RSA.  They won't work with SCEP.\n");
-+		cm_log(0, "Keys aren't RSA.  They won't work with SCEP.\n");
- 		_exit(CM_SUB_STATUS_ERROR_KEY_TYPE);
- 	}
- 
-diff --git a/src/scepgen.c b/src/scepgen.c
-index eaf2b7c..115446f 100644
---- a/src/scepgen.c
-+++ b/src/scepgen.c
-@@ -32,7 +32,7 @@ cm_scepgen_start(struct cm_store_ca *ca, struct cm_store_entry *entry)
- {
- 	switch (entry->cm_key_storage_type) {
- 	case cm_key_storage_none:
--		cm_log(1, "Can't generate new SCEP data for %s('%s') without "
-+		cm_log(0, "Can't generate new SCEP data for %s('%s') without "
- 		       "the key, and we don't know where that is or should "
- 		       "be.\n", entry->cm_busname, entry->cm_nickname);
- 		break;
--- 
-2.21.1
-
diff --git a/SOURCES/0034-Add-verbose-option-to-SCEP-CA-if-requested-in-add-sc.patch b/SOURCES/0034-Add-verbose-option-to-SCEP-CA-if-requested-in-add-sc.patch
deleted file mode 100644
index b43e285..0000000
--- a/SOURCES/0034-Add-verbose-option-to-SCEP-CA-if-requested-in-add-sc.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From e4d0a60836e1ecbcd6390b88dceb2ca29d3179dc Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 27 Feb 2020 18:15:02 -0500
-Subject: [PATCH 34/39] Add verbose option to SCEP CA if requested in
- add-scep-ca
-
-This option was silently dropped from the helper arguments even
-if requested on the add-scep-ca CLI and was only passed to the
-dbus helper.
-
-Add as many -v as requested though the scep helper only logs at
-most at level 1.
----
- src/getcert.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/getcert.c b/src/getcert.c
-index 4713dd1..3d78a73 100644
---- a/src/getcert.c
-+++ b/src/getcert.c
-@@ -4580,6 +4580,9 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
- 				  certs ? "-I" : "",
- 				  certs ? shell_escape(globals.tctx, certs) : "",
- 				  prefer_non_renewal ? "-n" : "");
-+	for (c = 0; c < verbose; c++) {
-+		command = talloc_strdup_append(command, " -v");
-+	}
- 	if (command == NULL) {
- 		printf(_("Error building command line.\n"));
- 		exit(1);
--- 
-2.21.1
-
diff --git a/SOURCES/0035-Cleanup-the-SCEP-helper-curl-and-talloc-contexts-whe.patch b/SOURCES/0035-Cleanup-the-SCEP-helper-curl-and-talloc-contexts-whe.patch
deleted file mode 100644
index 07fe0f4..0000000
--- a/SOURCES/0035-Cleanup-the-SCEP-helper-curl-and-talloc-contexts-whe.patch
+++ /dev/null
@@ -1,422 +0,0 @@
-From 0897d5131489c7eac21d558625c30d23b0a1774d Mon Sep 17 00:00:00 2001
-From: Your Name <you@example.com>
-Date: Tue, 14 Apr 2020 13:17:14 +0000
-Subject: [PATCH 35/39] Cleanup the SCEP helper curl and talloc contexts when
- finished
-
-The talloc context was freed in only a few cases and the curl
-context was never freed.
----
- src/scep.c     | 127 ++++++++++++++++++++++++++++++++-----------------
- src/submit-h.c |  15 +++++-
- src/submit-h.h |   1 +
- 3 files changed, 97 insertions(+), 46 deletions(-)
-
-diff --git a/src/scep.c b/src/scep.c
-index 0b8bef9..4d00692 100644
---- a/src/scep.c
-+++ b/src/scep.c
-@@ -199,7 +199,7 @@ int
- main(int argc, const char **argv)
- {
- 	const char *url = NULL, *results = NULL, *results2 = NULL;
--	struct cm_submit_h_context *hctx;
-+	struct cm_submit_h_context *hctx = NULL;
- 	int c, verbose = 0, results_length = 0, results_length2 = 0, i;
- 	int prefer_non_renewal = 0, can_renewal = 0;
- 	int response_code = 0, response_code2 = 0;
-@@ -225,7 +225,8 @@ main(int argc, const char **argv)
- 	size_t payload_length;
- 	long error;
- 	PKCS7 *p7;
--	poptContext pctx;
-+	int rval = CM_SUBMIT_STATUS_UNCONFIGURED;
-+	poptContext pctx = NULL;
- 	struct poptOption popts[] = {
- 		{"url", 'u', POPT_ARG_STRING, &url, 0, "service location", "URL"},
- 		{"ca-identifier", 'i', POPT_ARG_STRING, &id, 0, "name to use when querying for capabilities", "IDENTIFIER"},
-@@ -388,8 +389,8 @@ main(int argc, const char **argv)
- 			}
- 			if ((message == NULL) || (strlen(message) == 0)) {
- 				printf(_("Error reading request.  Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));
--				free(cainfo);
--				return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
-+				rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
-+				goto done;
- 			}
- 			/* First step: read capabilities for our use. */
- 			params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
-@@ -408,8 +409,8 @@ main(int argc, const char **argv)
- 			}
- 			if ((message == NULL) || (strlen(message) == 0)) {
- 				printf(_("Error reading request.  Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));
--				free(cainfo);
--				return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
-+				rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
-+				goto done;
- 			}
- 			/* First step: read capabilities for our use. */
- 			params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
-@@ -420,8 +421,8 @@ main(int argc, const char **argv)
- 	/* Supply help output, if it's needed. */
- 	if (missing_args) {
- 		poptPrintUsage(pctx, stdout, 0);
--		free(cainfo);
--		return CM_SUBMIT_STATUS_UNCONFIGURED;
-+		rval = CM_SUBMIT_STATUS_UNCONFIGURED;
-+		goto done;
- 	}
- 
- 	/* Check the rekey PKCSReq message, if we have one. */
-@@ -505,7 +506,6 @@ main(int argc, const char **argv)
- 				verbose > 1 ?
- 				cm_submit_h_curl_verbose_on :
- 				cm_submit_h_curl_verbose_off);
--	free(cainfo);
- 	cm_submit_h_run(hctx);
- 	content_type = cm_submit_h_result_type(hctx);
- 	if (content_type == NULL) {
-@@ -551,7 +551,8 @@ main(int argc, const char **argv)
- 		}
- 		if ((tmp2 == NULL) || (strlen(tmp2) == 0)) {
- 			printf(_("Error reading request.  Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n"));
--			return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
-+			rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
-+			goto done;
- 		} else
- 		if (verbose > 0) {
- 			if (tmp2 == rekey_message) {
-@@ -576,7 +577,8 @@ main(int argc, const char **argv)
- 		}
- 		if ((tmp2 == NULL) || (strlen(tmp2) == 0)) {
- 			printf(_("Error reading request.  Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n"));
--			return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
-+			rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES;
-+			goto done;
- 		} else
- 		if (verbose > 0) {
- 			if (tmp2 == rekey_message) {
-@@ -638,7 +640,8 @@ main(int argc, const char **argv)
- 			       cm_submit_h_result_code(hctx),
- 			       url);
- 		}
--		return CM_SUBMIT_STATUS_UNREACHABLE;
-+		rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+		goto done;
- 	}
- 	switch (op) {
- 	case op_unset:
-@@ -651,16 +654,19 @@ main(int argc, const char **argv)
- 			       response_code, url);
- 			if (response_code == 500) {
- 				/* The server might recover, right? */
--				return CM_SUBMIT_STATUS_UNREACHABLE;
-+				rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+				goto done;
- 			} else {
- 				/* Maybe not? */
--				return CM_SUBMIT_STATUS_REJECTED;
-+				rval = CM_SUBMIT_STATUS_REJECTED;
-+				goto done;
- 			}
- 		}
- 		if (results == NULL) {
- 			printf(_("Internal error: no response to \"%s?%s\".\n"),
- 			       url, params);
--			return CM_SUBMIT_STATUS_REJECTED;
-+			rval = CM_SUBMIT_STATUS_REJECTED;
-+			goto done;
- 		}
- 		break;
- 	case op_get_cert_initial:
-@@ -685,10 +691,12 @@ main(int argc, const char **argv)
- 				fprintf(stderr, "Result is surprisingly large, "
- 					"suppressing it.\n");
- 			}
--			return CM_SUBMIT_STATUS_REJECTED;
-+			rval = CM_SUBMIT_STATUS_REJECTED;
-+			goto done;
- 		}
- 		printf("%s\n", results);
--		return CM_SUBMIT_STATUS_ISSUED;
-+		rval = CM_SUBMIT_STATUS_ISSUED;
-+		goto done;
- 		break;
- 	case op_get_ca_certs:
- 		if ((strcasecmp(content_type,
-@@ -697,7 +705,8 @@ main(int argc, const char **argv)
- 				"application/x-x509-ca-ra-cert") != 0)) {
- 			printf(_("Server reply was of unexpected MIME type "
- 				 "\"%s\".\n"), content_type);
--			return CM_SUBMIT_STATUS_UNREACHABLE;
-+			rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+			goto done;
- 		}
- 		if (racert == NULL) {
- 			racertp = &racert;
-@@ -710,7 +719,8 @@ main(int argc, const char **argv)
- 						 n_buffers + 1);
- 			if ((buffers == NULL) || (lengths == NULL)) {
- 				fprintf(stderr, "Out of memory.\n");
--				return CM_SUBMIT_STATUS_UNREACHABLE;
-+				rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+				goto done;
- 			}
- 			buffers[n_buffers] = (unsigned char *) racert;
- 			lengths[n_buffers] = strlen(racert);
-@@ -727,7 +737,8 @@ main(int argc, const char **argv)
- 						 n_buffers + 1);
- 			if ((buffers == NULL) || (lengths == NULL)) {
- 				fprintf(stderr, "Out of memory.\n");
--				return CM_SUBMIT_STATUS_UNREACHABLE;
-+				rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+				goto done;
- 			}
- 			buffers[n_buffers] = (unsigned char *) cacert;
- 			lengths[n_buffers] = strlen(cacert);
-@@ -741,7 +752,8 @@ main(int argc, const char **argv)
- 						 n_buffers + 1);
- 			if ((buffers == NULL) || (lengths == NULL)) {
- 				fprintf(stderr, "Out of memory.\n");
--				return CM_SUBMIT_STATUS_UNREACHABLE;
-+				rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+				goto done;
- 			}
- 			buffers[n_buffers] = (unsigned char *) results;
- 			lengths[n_buffers] = results_length;
-@@ -755,7 +767,8 @@ main(int argc, const char **argv)
- 						 n_buffers + 1);
- 			if ((buffers == NULL) || (lengths == NULL)) {
- 				fprintf(stderr, "Out of memory.\n");
--				return CM_SUBMIT_STATUS_UNREACHABLE;
-+				rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+				goto done;
- 			}
- 			buffers[n_buffers] = (unsigned char *) results2;
- 			lengths[n_buffers] = results_length2;
-@@ -850,7 +863,8 @@ main(int argc, const char **argv)
- 						 n_buffers + 1);
- 			if ((buffers == NULL) || (lengths == NULL)) {
- 				fprintf(stderr, "Out of memory.\n");
--				return CM_SUBMIT_STATUS_UNREACHABLE;
-+				rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+				goto done;
- 			}
- 			buffers[n_buffers] = (unsigned char *) results2;
- 			lengths[n_buffers] = results_length2;
-@@ -882,11 +896,11 @@ main(int argc, const char **argv)
- 					}
- 				}
- 			}
--			talloc_free(ctx);
--			return CM_SUBMIT_STATUS_ISSUED;
-+			rval = CM_SUBMIT_STATUS_ISSUED;
-+			goto done;
- 		} else {
--			talloc_free(ctx);
--			return CM_SUBMIT_STATUS_UNREACHABLE;
-+			rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+			goto done;
- 		}
- 		break;
- 	case op_get_cert_initial:
-@@ -957,42 +971,50 @@ main(int argc, const char **argv)
- 				fprintf(stderr, "%s", s);
- 				cm_log(1, "%s", s);
- 				free(s);
--				return CM_SUBMIT_STATUS_UNREACHABLE;
-+				rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+				goto done;
- 			}
- 			if ((msgtype == NULL) ||
- 			    (strcmp(msgtype, SCEP_MSGTYPE_CERTREP) != 0)) {
- 				printf(_("Error: reply was not a CertRep (%s).\n"),
- 				       msgtype ? msgtype : "none");
--				return CM_SUBMIT_STATUS_UNREACHABLE;
-+				rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+				goto done;
- 			}
- 			if (tx == NULL) {
- 				printf(_("Error: reply is missing transactionId.\n"));
--				return CM_SUBMIT_STATUS_UNREACHABLE;
-+				rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+				goto done;
- 			}
- 			if (sent_tx != NULL) {
- 				if (strcmp(sent_tx, tx) != 0) {
- 					printf(_("Error: reply contains a "
- 						 "different transactionId.\n"));
--					return CM_SUBMIT_STATUS_UNREACHABLE;
-+					rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+					goto done;
- 				}
- 			}
- 			if (pkistatus == NULL) {
- 				printf(_("Error: reply is missing pkiStatus.\n"));
--				return CM_SUBMIT_STATUS_UNREACHABLE;
-+				rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+				goto done;
- 			}
- 			if (recipient_nonce == NULL) {
- 				printf(_("Error: reply is missing recipientNonce.\n"));
--				return CM_SUBMIT_STATUS_UNREACHABLE;
-+				rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+				goto done;
- 			}
- 			if ((recipient_nonce_length != sent_nonce_length) ||
- 			    (memcmp(recipient_nonce, sent_nonce,
- 				    sent_nonce_length) != 0)) {
- 				printf(_("Error: reply nonce doesn't match request.\n"));
--				return CM_SUBMIT_STATUS_UNREACHABLE;
-+				rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+				goto done;
- 			}
- 			if (sender_nonce == NULL) {
- 				printf(_("Error: reply is missing senderNonce.\n"));
--				return CM_SUBMIT_STATUS_UNREACHABLE;
-+				rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+				goto done;
- 			}
- 			if (strcmp(pkistatus, SCEP_PKISTATUS_PENDING) == 0) {
- 				if (verbose > 0) {
-@@ -1002,7 +1024,8 @@ main(int argc, const char **argv)
- 				s = cm_store_base64_from_bin(ctx, sender_nonce,
- 							     sender_nonce_length);
- 				printf("%s\n", s);
--				return CM_SUBMIT_STATUS_WAIT;
-+				rval = CM_SUBMIT_STATUS_WAIT;
-+				goto done;
- 			} else
- 			if (strcmp(pkistatus, SCEP_PKISTATUS_FAILURE) == 0) {
- 				if (verbose > 0) {
-@@ -1050,7 +1073,8 @@ main(int argc, const char **argv)
- 					printf(_("Server returned failure code \"%s\".\n"),
- 					       failinfo);
- 				}
--				return CM_SUBMIT_STATUS_REJECTED;
-+				rval = CM_SUBMIT_STATUS_REJECTED;
-+				goto done;
- 			} else
- 			if (strcmp(pkistatus, SCEP_PKISTATUS_SUCCESS) == 0) {
- 				if (verbose > 0) {
-@@ -1067,7 +1091,8 @@ main(int argc, const char **argv)
- 					s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
- 					fprintf(stderr, "Full reply:\n%s", s);
- 					free(s);
--					return CM_SUBMIT_STATUS_UNREACHABLE;
-+					rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+					goto done;
- 				}
- 				if (!PKCS7_type_is_enveloped(p7)) {
- 					printf(_("Error: signed-data payload is not enveloped-data.\n"));
-@@ -1079,7 +1104,8 @@ main(int argc, const char **argv)
- 					s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
- 					fprintf(stderr, "Full reply:\n%s", s);
- 					free(s);
--					return CM_SUBMIT_STATUS_UNREACHABLE;
-+					rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+					goto done;
- 				}
- 				if ((p7->d.enveloped == NULL) ||
- 				    (p7->d.enveloped->enc_data == NULL) ||
-@@ -1094,29 +1120,42 @@ main(int argc, const char **argv)
- 					s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
- 					fprintf(stderr, "Full reply:\n%s", s);
- 					free(s);
--					return CM_SUBMIT_STATUS_UNREACHABLE;
-+					rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+					goto done;
- 				}
- 				s = cm_store_base64_from_bin(ctx, payload,
- 							     payload_length);
- 				s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
- 				printf("%s", s);
- 				free(s);
--				return CM_SUBMIT_STATUS_ISSUED;
-+				rval = CM_SUBMIT_STATUS_ISSUED;
-+				goto done;
- 			} else {
- 				if (verbose > 0) {
- 					fprintf(stderr, "SCEP status is \"%s\".\n", pkistatus);
- 				}
- 				printf(_("Error: pkiStatus \"%s\" not recognized.\n"),
- 				       pkistatus);
--				return CM_SUBMIT_STATUS_UNREACHABLE;
-+				rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+				goto done;
- 			}
- 		} else {
- 			printf(_("Server reply was of unexpected MIME type "
- 				 "\"%s\".\n"), content_type);
- 			printf("Full reply:\n%.*s", results_length2, results2);
--			return CM_SUBMIT_STATUS_UNREACHABLE;
-+			rval = CM_SUBMIT_STATUS_UNREACHABLE;
-+			goto done;
- 		}
- 		break;
- 	}
--	return CM_SUBMIT_STATUS_UNCONFIGURED;
-+
-+done:
-+	if (pctx) {
-+		poptFreeContext(pctx);
-+	}
-+	free(cainfo);
-+	free(id);
-+	cm_submit_h_cleanup(hctx);
-+	talloc_free(ctx);
-+	return rval;
- }
-diff --git a/src/submit-h.c b/src/submit-h.c
-index 33f9b39..9b507db 100644
---- a/src/submit-h.c
-+++ b/src/submit-h.c
-@@ -298,6 +298,15 @@ cm_submit_h_result_type(struct cm_submit_h_context *ctx)
- 	return ret;
- }
- 
-+void
-+cm_submit_h_cleanup(struct cm_submit_h_context *ctx)
-+{
-+
-+	if (ctx != NULL && ctx->curl != NULL) {
-+		curl_easy_cleanup(ctx->curl);
-+	}
-+}
-+
- #ifdef CM_SUBMIT_H_MAIN
- int
- main(int argc, const char **argv)
-@@ -307,7 +316,7 @@ main(int argc, const char **argv)
- 	enum cm_submit_h_opt_negotiate negotiate;
- 	enum cm_submit_h_opt_delegate negotiate_delegate;
- 	enum cm_submit_h_opt_clientauth clientauth;
--	int c, fd, l, verbose = 0, length = 0;
-+	int c, fd, l, verbose = 0, length = 0, rval = 0;
- 	char *ctype, *accept, *capath, *cainfo, *sslcert, *sslkey, *sslpass;
- 	char *pinfile;
- 	const char *method, *url;
-@@ -423,6 +432,8 @@ main(int argc, const char **argv)
- 			cm_submit_h_result_code(ctx),
- 			cm_submit_h_result_code_text(ctx));
- 	}
--	return cm_submit_h_result_code(ctx);
-+	rval = cm_submit_h_result_code(ctx);
-+	cm_submit_h_cleanup(ctx);
-+	return rval;
- }
- #endif
-diff --git a/src/submit-h.h b/src/submit-h.h
-index 1283c53..931cc89 100644
---- a/src/submit-h.h
-+++ b/src/submit-h.h
-@@ -61,5 +61,6 @@ int cm_submit_h_result_code(struct cm_submit_h_context *ctx);
- const char *cm_submit_h_result_code_text(struct cm_submit_h_context *ctx);
- const char *cm_submit_h_results(struct cm_submit_h_context *ctx, int *length);
- const char *cm_submit_h_result_type(struct cm_submit_h_context *ctx);
-+void cm_submit_h_cleanup(struct cm_submit_h_context *ctx);
- 
- #endif
--- 
-2.21.1
-
diff --git a/SOURCES/0036-Re-order-the-way-the-SCEP-signing-and-CA-certs-are-c.patch b/SOURCES/0036-Re-order-the-way-the-SCEP-signing-and-CA-certs-are-c.patch
deleted file mode 100644
index 6ae4b78..0000000
--- a/SOURCES/0036-Re-order-the-way-the-SCEP-signing-and-CA-certs-are-c.patch
+++ /dev/null
@@ -1,232 +0,0 @@
-From b3dad1c94f2fca289fdf22ded38a1f1463bab95f Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Wed, 15 Apr 2020 17:16:42 -0400
-Subject: [PATCH 36/39] Re-order the way the SCEP signing and CA certs are
- collected
-
-Put cacert into the ca store, the racert at the top of the
-othercerts list. Then we parse certs, placing all ca certs
-we find into the ca store, and all other certs we find after
-the racert.
-
-Variables are renamed to match the cm_pkcs7_parse() and
-cm_pkcs7_verify_signed() calls.
-
-A special case for IPA (dogtag) was added because dogtag
-uses its CA cert to sign the PKCS7 so it is both an RA cert
-and a CA cert. If a self-signed CA is detected and no other
-certs are provided then the CA is treated as the RA.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1808052
-
-Graham Leggett did the majority of the work on this patch.
----
- src/pkcs7.c |  18 +++++++++
- src/pkcs7.h |   1 +
- src/scep.c  | 104 +++++++++++++++++++++++++++++++++++-----------------
- 3 files changed, 89 insertions(+), 34 deletions(-)
-
-diff --git a/src/pkcs7.c b/src/pkcs7.c
-index 29420b9..f81174f 100644
---- a/src/pkcs7.c
-+++ b/src/pkcs7.c
-@@ -1189,3 +1189,21 @@ done:
- 	}
- 	return ret;
- }
-+
-+/* Return 0 if we think "issuer" could have issued "issued", which includes
-+ * self-signing. */
-+int
-+cm_selfsigned(char *cert) 
-+{
-+	BIO *in;
-+	X509 *c;
-+
-+	in = BIO_new_mem_buf(cert, -1);
-+	if (in == NULL) {
-+		cm_log(0, "Out of memory.\n");
-+		return 1;
-+	}
-+	c = PEM_read_bio_X509(in, NULL, NULL, NULL);
-+	BIO_free(in);
-+	return(issuerissued(c, c));
-+}
-diff --git a/src/pkcs7.h b/src/pkcs7.h
-index fae52f8..cbde1bc 100644
---- a/src/pkcs7.h
-+++ b/src/pkcs7.h
-@@ -62,6 +62,7 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length,
- 			   unsigned char **recipient_nonce,
- 			   size_t *recipient_nonce_length,
- 			   unsigned char **payload, size_t *payload_length);
-+int cm_selfsigned(char *cert);
- 
- void log_pkcs7_errors(int level, char *msg);
- 
-diff --git a/src/scep.c b/src/scep.c
-index 4d00692..b80278e 100644
---- a/src/scep.c
-+++ b/src/scep.c
-@@ -211,12 +211,12 @@ main(int argc, const char **argv)
- 	const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
- 	void *ctx;
- 	char *params = "", *params2 = NULL, *racert = NULL, *cacert = NULL;
--	char **othercerts = NULL, *cert1 = NULL, *cert2 = NULL, *certs = NULL;
-+	char **certothers = NULL, *certleaf = NULL, *certtop = NULL, *certs = NULL;
- 	char **racertp, **cacertp, *dracert = NULL, *dcacert = NULL;
- 	char buf[LINE_MAX] = "";
- 	const unsigned char **buffers = NULL;
- 	size_t n_buffers = 0, *lengths = NULL, j;
--	const char *cacerts[3], **racerts;
-+	const char *root[3], **othercerts;
- 	dbus_bool_t missing_args = FALSE;
- 	char *sent_tx, *tx, *msgtype, *pkistatus, *failinfo, *s, *tmp1, *tmp2;
- 	unsigned char *sent_nonce, *sender_nonce, *recipient_nonce, *payload;
-@@ -871,27 +871,27 @@ main(int argc, const char **argv)
- 			n_buffers++;
- 		}
- 		if (cm_pkcs7_parsev(CM_PKCS7_LEAF_PREFER_ENCRYPT, ctx,
--				    racertp, cacertp, &othercerts,
-+				    racertp, cacertp, &certothers,
- 				    NULL, NULL,
- 				    n_buffers, buffers, lengths) == 0) {
- 			if (racert != NULL) {
- 				printf("%s", racert);
- 				if (cacert != NULL) {
- 					printf("%s", cacert);
--					if (othercerts != NULL) {
-+					if (certothers != NULL) {
- 						for (c = 0;
--						     othercerts[c] != NULL;
-+						     certothers[c] != NULL;
- 						     c++) {
- 							printf("%s",
--							       othercerts[c]);
-+							       certothers[c]);
- 						}
- 					}
- 					if ((dracert != NULL) &&
--					    (cert_among(dracert, racert, cacert, othercerts) != 0)) {
-+					    (cert_among(dracert, racert, cacert, certothers) != 0)) {
- 						printf("%s", dracert);
- 					}
- 					if ((dcacert != NULL) &&
--					    (cert_among(dcacert, racert, cacert, othercerts) != 0)) {
-+					    (cert_among(dcacert, racert, cacert, certothers) != 0)) {
- 						printf("%s", dcacert);
- 					}
- 				}
-@@ -907,47 +907,83 @@ main(int argc, const char **argv)
- 	case op_pkcsreq:
- 		if ((content_type2 != NULL) && (strcasecmp(content_type2,
- 			       "application/x-pki-message") == 0)) {
--			memset(&cacerts, 0, sizeof(cacerts));
--			cacerts[0] = cacert ? cacert : racert;
--			cacerts[1] = cacert ? racert : NULL;
--			cacerts[2] = NULL;
--			racerts = NULL;
-+			/*
-+			 * At this point, we have:
-+			 * - zero or more ra certs; and
-+			 * - zero or more ca certificates; and
-+			 * - zero or more other certificates; that
-+			 * need to be reordered so that the leaf
-+			 * certificates go first, the ca certificates
-+			 * are separated into a seperate certificate
-+			 * store, and the other certificates go after
-+			 * the leaf certificates.
-+			 *
-+			 * To do this we put cacert into the ca store,
-+			 * the racert at the top of the othercerts list.
-+			 * Then we parse certs, placing all ca certs
-+			 * we find into the ca store, and all other
-+			 * certs we find after the racert.
-+			 *
-+			 * As a limitation of cm_pkcs7_parse(), we
-+			 * can only isolate one ca certificate in the
-+			 * list of other certificates.
-+			 */
-+			/* handle the other certs */
- 			if ((certs != NULL) &&
- 			    (cm_pkcs7_parse(0, ctx,
--					    &cert1, &cert2, &othercerts,
-+					    &certleaf, &certtop, &certothers,
- 					    NULL, NULL,
- 					    (const unsigned char *) certs,
- 					    strlen(certs), NULL) == 0)) {
--				for (c = 0;
--				     (othercerts != NULL) &&
--				     (othercerts[c] != NULL);
--				     c++) {
--					continue;
-+				/* Special case for IPA which uses dogtag which signs SCEP
-+				 * certs using the CA cert and the typical way to get
-+				 * verification to work is to use -I /etc/ipa/ca.crt.
-+				 * Because cm_pkcs7_parse explicitly doesn't allow
-+				 * certleaf to equal certtop we end up with no CAs so verification
-+				 * fails.
-+				 * 
-+				 * So if cacert and certleaf are both NULL and certtop is
-+				 * self-signed then assume the IPA case and set certtop equal
-+				 * to certleaf.
-+				 */
-+				if ((cacert == NULL) && (certtop == NULL) && (certleaf != NULL)) {
-+					if (cm_selfsigned(certleaf) == 0) {
-+						certtop = certleaf;
-+					}
- 				}
--				racerts = talloc_array_ptrtype(ctx, racerts, c + 5);
-+				memset(&root, 0, sizeof(root));
-+				root[0] = cacert ? cacert : certtop ? certtop : NULL;
-+				root[1] = cacert ? certtop : NULL;
-+				root[2] = NULL;
- 				for (c = 0;
--				     (othercerts != NULL) &&
--				     (othercerts[c] != NULL);
-+				     (certothers != NULL) &&
-+				     (certothers[c] != NULL);
- 				     c++) {
--					racerts[c] = othercerts[c];
--				}
--				if (cacert != NULL) {
--					racerts[c++] = cacert;
-+					continue;
- 				}
--				if (cert1 != NULL) {
--					racerts[c++] = cert1;
-+				othercerts = talloc_array_ptrtype(ctx, othercerts, c + 3);
-+				c = 0;
-+				if (racert != NULL) {
-+					othercerts[c++] = racert;
- 				}
--				if (cert2 != NULL) {
--					racerts[c++] = cert2;
-+				if (certleaf != NULL) {
-+					othercerts[c++] = certleaf;
- 				}
--				if (racert != NULL) {
--					racerts[c++] = racert;
-+				while (certothers != NULL && *certothers != NULL) {
-+					othercerts[c++] = *certothers++;
- 				}
--				racerts[c++] = NULL;
-+				othercerts[c++] = NULL;
-+			}
-+			else {
-+				root[0] = cacert;
-+				root[1] = NULL;
-+				othercerts = talloc_array_ptrtype(ctx, othercerts, 2);
-+				othercerts[0] = racert ? racert : NULL;
-+				othercerts[1] = NULL;
- 			}
- 			ERR_clear_error();
- 			i = cm_pkcs7_verify_signed((unsigned char *) results2, results_length2,
--						   cacerts, racerts,
-+						   root, othercerts,
- 						   NID_pkcs7_data, ctx, NULL,
- 						   &tx, &msgtype, &pkistatus, &failinfo,
- 						   &sender_nonce, &sender_nonce_length,
--- 
-2.21.1
-
diff --git a/SOURCES/0037-Add-new-option-to-allow-overriding-the-detected-SCEP.patch b/SOURCES/0037-Add-new-option-to-allow-overriding-the-detected-SCEP.patch
deleted file mode 100644
index 300bbfc..0000000
--- a/SOURCES/0037-Add-new-option-to-allow-overriding-the-detected-SCEP.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-From 37ebf87fb6fc93d445139310a1c89b98f3f514de Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Wed, 29 Apr 2020 16:29:50 -0400
-Subject: [PATCH 37/39] Add new option to allow overriding the detected SCEP CA
- chain
-
-The -R option was doing double-duty for the SCEP CA.
-
-1. It was required if the SCEP URL used TLS
-2. It override the CA certificate downloaded from the SCEP server
-
-If the chains were different then validating the SCEP responses would
-fail.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1808613
----
- src/certmonger-scep-submit.8.in | 14 +++++++++-----
- src/getcert-add-scep-ca.1.in    | 12 ++++++++----
- src/getcert.c                   |  6 +++++-
- src/scep.c                      | 13 ++++++-------
- 4 files changed, 28 insertions(+), 17 deletions(-)
-
-diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in
-index 95d674a..42ffcd6 100644
---- a/src/certmonger-scep-submit.8.in
-+++ b/src/certmonger-scep-submit.8.in
-@@ -8,6 +8,7 @@ scep-submit -u SERVER-URL
- [-r ra-cert-file]
- [-R ca-cert-file]
- [-I other-certs-file]
-+[-N ca-cert-file]
- [-i ca-identifier]
- [-v]
- [-n]
-@@ -57,11 +58,14 @@ typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or
- always required.
- .TP
- \fB\-R\fR CA-certificate-file
--The location of the SCEP server's CA certificate, which was used to
--issue the SCEP server's certificate, or the SCEP server's own
--certificate, if it is self-signed, in PEM form.  If the URL specified
--with the \fB-u\fR option is an \fIhttps\fR URL, then this option is
--required.
-+The location of the CA certificate which was used to issue the SCEP web
-+server's certificate in PEM form. If the URL specified with the
-+\fB-u\fR option is an \fIhttps\fR URL, then this option is required.
-+.TP
-+\fB\-N\fR ca-certificate-file
-+The location of a PEM-formatted copy of the SCEP server's CA certificate.
-+A discovered value is normally supplied by the certmonger daemon, but one can
-+be specified for troubleshooting purposes.
- .TP
- \fB\-r\fR RA-certificate-file
- The location of the SCEP server's RA certificate, which is expected to
-diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
-index 11ab4ce..bf07306 100644
---- a/src/getcert-add-scep-ca.1.in
-+++ b/src/getcert-add-scep-ca.1.in
-@@ -24,12 +24,16 @@ The location of the SCEP server's enrollment interface.  This option must be
- specified.
- .TP
- \fB\-R\fR ca-certificate-file
--The location of a PEM-formatted copy of the SCEP server's CA's certificate.
--A discovered value is supplied by the certmonger daemon for use in verifying
--the signature on data returned by the SCEP server, but it is not used for
--verifying HTTPS server certificates.
-+The location of a PEM-formatted copy of the CA's certificate used to verify
-+the TLS connection the SCEP server.
-+
- This option must be specified if the URL is an \fIhttps\fR location.
- .TP
-+\fB\-N\fR ca-certificate-file
-+The location of a PEM-formatted copy of the SCEP server's CA certificate.
-+A discovered value is normally supplied by the certmonger daemon, but one can
-+be specified for troubleshooting purposes.
-+.TP
- \fB\-r\fR ra-certificate-file
- The location of a PEM-formatted copy of the SCEP server's RA's certificate.
- A discovered value is normally supplied by the certmonger daemon, but one can
-diff --git a/src/getcert.c b/src/getcert.c
-index 3d78a73..493771f 100644
---- a/src/getcert.c
-+++ b/src/getcert.c
-@@ -4496,6 +4496,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
- 	enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS;
- 	char *caname = NULL, *url = NULL, *path = NULL, *id = NULL;
- 	char *root = NULL, *racert = NULL, *certs = NULL, *nickname, *command;
-+	char *signingca = NULL;
- 	const char *err;
- 	int c, prefer_non_renewal = 0, verbose = 0;
- 	dbus_bool_t b;
-@@ -4508,6 +4509,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
- 		{"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
- 		{"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
- 		{"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
-+		{"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
- 		{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
- 		{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
- 		{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
-@@ -4569,7 +4571,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
- 		return 1;
- 	}
- 	command = talloc_asprintf(globals.tctx,
--				  "%s -u %s %s %s %s %s %s %s %s",
-+				  "%s -u %s %s %s %s %s %s %s %s %s %s",
- 				  shell_escape(globals.tctx,
- 					       CM_SCEP_HELPER_PATH),
- 				  shell_escape(globals.tctx, url),
-@@ -4579,6 +4581,8 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
- 				  racert ? shell_escape(globals.tctx, racert) : "",
- 				  certs ? "-I" : "",
- 				  certs ? shell_escape(globals.tctx, certs) : "",
-+				  signingca ? "-N" : "",
-+				  signingca ? shell_escape(globals.tctx, signingca) : "",
- 				  prefer_non_renewal ? "-n" : "");
- 	for (c = 0; c < verbose; c++) {
- 		command = talloc_strdup_append(command, " -v");
-diff --git a/src/scep.c b/src/scep.c
-index b80278e..4294cda 100644
---- a/src/scep.c
-+++ b/src/scep.c
-@@ -206,7 +206,6 @@ main(int argc, const char **argv)
- 	enum known_ops op = op_unset;
- 	const char *id = NULL;
- 	char *cainfo = NULL;
--	char *poptarg;
- 	char *message = NULL, *rekey_message = NULL;
- 	const char *mode = NULL, *content_type = NULL, *content_type2 = NULL;
- 	void *ctx;
-@@ -235,8 +234,9 @@ main(int argc, const char **argv)
- 		{"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL},
- 		{"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL},
- 		{"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},
--		{"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"},
-+		{"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying TLS connections", "FILENAME"},
- 		{"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"},
-+		{"signingca", 'N', POPT_ARG_STRING, NULL, 'N', "the CA certificate which signed the RA certificate", "FILENAME"},
- 		{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL},
- 		{"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL},
- 		POPT_AUTOHELP
-@@ -329,9 +329,10 @@ main(int argc, const char **argv)
- 			racert = cm_submit_u_from_file(poptGetOptArg(pctx));
- 			break;
- 		case 'R':
--			poptarg = poptGetOptArg(pctx);
--			cainfo = strdup(poptarg);
--			cacert = cm_submit_u_from_file(poptarg);
-+			cainfo = poptGetOptArg(pctx);
-+			break;
-+		case 'N':
-+			cacert = cm_submit_u_from_file(poptGetOptArg(pctx));
- 			break;
- 		case 'I':
- 			certs = cm_submit_u_from_file(poptGetOptArg(pctx));
-@@ -340,7 +341,6 @@ main(int argc, const char **argv)
- 	}
- 	if (c != -1) {
- 		poptPrintUsage(pctx, stdout, 0);
--		free(cainfo);
- 		return CM_SUBMIT_STATUS_UNCONFIGURED;
- 	}
- 
-@@ -1189,7 +1189,6 @@ done:
- 	if (pctx) {
- 		poptFreeContext(pctx);
- 	}
--	free(cainfo);
- 	free(id);
- 	cm_submit_h_cleanup(hctx);
- 	talloc_free(ctx);
--- 
-2.21.1
-
diff --git a/SOURCES/0038-Include-template-profile-issuer-and-MS-cert-template.patch b/SOURCES/0038-Include-template-profile-issuer-and-MS-cert-template.patch
deleted file mode 100644
index 70f75aa..0000000
--- a/SOURCES/0038-Include-template-profile-issuer-and-MS-cert-template.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 914164383085c6559f0f5fe608385c3024095f74 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Wed, 29 Apr 2020 16:33:35 -0400
-Subject: [PATCH 38/39] Include template-profile, issuer and MS cert template
- in output
-
----
- src/getcert.c               | 16 ++++++++++++++++
- tests/028-dbus/expected.out |  1 +
- 2 files changed, 17 insertions(+)
-
-diff --git a/src/getcert.c b/src/getcert.c
-index 493771f..42281af 100644
---- a/src/getcert.c
-+++ b/src/getcert.c
-@@ -3882,6 +3882,22 @@ list(const char *argv0, int argc, const char **argv)
- 				printf("\t\t%s\n", as[j]);
- 			}
- 		}
-+		s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
-+					CM_DBUS_PROP_TEMPLATE_PROFILE, verbose, globals.tctx);
-+		if (s1 != NULL && strlen(s1) > 0) {
-+			printf(_("\tprofile: %s\n"), s1);
-+		}
-+		s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
-+					CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE,
-+					verbose, globals.tctx);
-+		if (s1 != NULL && strlen(s1) > 0) {
-+			printf(_("\tms v2 template: %s\n"), s1);
-+		}
-+		s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
-+					CM_DBUS_PROP_TEMPLATE_ISSUER, verbose, globals.tctx);
-+		if (s1 != NULL && strlen(s1) > 0) {
-+			printf(_("\tissuer template: %s\n"), s1);
-+		}
- 		printf(_("\tpre-save command: %s\n"),
- 		       query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
- 				    CM_DBUS_PROP_CERT_PRESAVE_COMMAND, verbose, globals.tctx));
-diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
-index 1d8bec4..a25eb34 100644
---- a/tests/028-dbus/expected.out
-+++ b/tests/028-dbus/expected.out
-@@ -15,6 +15,7 @@ Request ID 'Buddy':
- 	key usage: digitalSignature,dataEncipherment
- 	eku: id-kp-serverAuth
- 	certificate template/profile: SomeProfileName
-+	profile: SomeProfileName
- 	pre-save command: echo Pre
- 	post-save command: echo Post
- 	track: yes
--- 
-2.21.1
-
diff --git a/SOURCES/0039-Fix-broken-N-option-configuration.patch b/SOURCES/0039-Fix-broken-N-option-configuration.patch
deleted file mode 100644
index 3717bb6..0000000
--- a/SOURCES/0039-Fix-broken-N-option-configuration.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 97ede42bda0cb8a983de30fc0608763ae6c2199f Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Wed, 29 Apr 2020 16:34:53 -0400
-Subject: [PATCH 39/39] Fix broken -N option configuration
-
-There was an extra NULL value which caused it to not work.
----
- src/getcert.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/getcert.c b/src/getcert.c
-index 42281af..5c8dc94 100644
---- a/src/getcert.c
-+++ b/src/getcert.c
-@@ -4525,7 +4525,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
- 		{"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
- 		{"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
- 		{"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
--		{"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
-+		{"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
- 		{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
- 		{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
- 		{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
--- 
-2.21.1
-
diff --git a/SOURCES/0040-Address-an-include-issue-discovered-by-coverity.patch b/SOURCES/0040-Address-an-include-issue-discovered-by-coverity.patch
deleted file mode 100644
index 37e80b3..0000000
--- a/SOURCES/0040-Address-an-include-issue-discovered-by-coverity.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From c9c326e1878a377ce4193aaa4b1b41cb711b5e48 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 30 Apr 2020 12:46:41 -0400
-Subject: [PATCH] Address an include issue discovered by coverity
-
-nspr.h isn't included so use PORT_ErrorToString() instead
-of PR_ErrorToString(), and remain consistent with the
-other PORT calls even though they directly translate
-to their NSPR equivalents.
-
-Also remove a couple of unused variables in pkcs7.c
----
- src/pkcs7.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/src/pkcs7.c b/src/pkcs7.c
-index f81174f..a569256 100644
---- a/src/pkcs7.c
-+++ b/src/pkcs7.c
-@@ -57,6 +57,9 @@
- #define _(_text) (_text)
- #endif
- 
-+/* taken from nspr4.h */
-+#define PR_LANGUAGE_I_DEFAULT 0 /* i-default, the default language */
-+
- /* Return 0 if we think "issuer" could have issued "issued", which includes
-  * self-signing. */
- static int
-@@ -289,7 +292,7 @@ log_pkcs7_errors(int level, char *msg)
-     }
- 	nss_err = PORT_GetError();
-     if (nss_err < 0) {
--		cm_log(level, "%d: %s\n", nss_err, PR_ErrorToString(nss_err, 0));
-+		cm_log(level, "%d: %s\n", nss_err, PORT_ErrorToString(nss_err));
- 	}
- }
- 
-@@ -929,9 +932,8 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
- 	PKCS7_SIGNER_INFO *si;
- 	BIO *in, *out = NULL;
- 	const unsigned char *u;
--	char *s, buf[LINE_MAX], *p, *q;
-+	char *s, *p, *q;
- 	int ret = -1, i;
--	long error;
- 
- 	if (digest != NULL) {
- 		*digest = NULL;
--- 
-2.21.1
-
diff --git a/SOURCES/0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch b/SOURCES/0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch
deleted file mode 100644
index b445f6e..0000000
--- a/SOURCES/0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch
+++ /dev/null
@@ -1,237 +0,0 @@
-From c9fce72e17b7afa389205d946e5ca7bef997be60 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Wed, 29 Apr 2020 13:26:14 -0400
-Subject: [PATCH] Ensure that files read in have a trailing new-line
-
-In SCEP when retrieving the CA chain the certificates passed in
-on the command-line (RA agent and CA cert) area printed along with
-the contents of what was retrieved remotely.
-
-If one of the filesystem certificates lacks a newline then the
-output will be jumbled like:
-
------END CERTIFICATE----------BEGIN CERTIFICATE-----\n
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1814976
----
- src/submit-u.c                  | 11 +++++++
- tests/039-fromfile/expected.out |  4 +++
- tests/039-fromfile/run.sh       | 55 +++++++++++++++++++++++++++++++++
- tests/Makefile.am               | 10 ++++--
- tests/tools/Makefile.am         |  6 +++-
- tests/tools/fromfile.c          | 52 +++++++++++++++++++++++++++++++
- 6 files changed, 134 insertions(+), 4 deletions(-)
- create mode 100644 tests/039-fromfile/expected.out
- create mode 100755 tests/039-fromfile/run.sh
- create mode 100644 tests/tools/fromfile.c
-
-diff --git a/src/submit-u.c b/src/submit-u.c
-index b0b45ba..dca23a7 100644
---- a/src/submit-u.c
-+++ b/src/submit-u.c
-@@ -100,6 +100,17 @@ cm_submit_u_from_file(const char *filename)
- 	}
- 	if (csr == NULL) {
- 		csr = strdup("");
-+	} else {
-+		int length = strlen(csr);
-+		if (csr[length-1] != '\n') {
-+			length += 1;
-+			csr = realloc(csr, length + 1);
-+			if (csr == NULL) {
-+				return NULL;
-+			}
-+			csr[length - 1] = '\n';
-+			csr[length] = '\0';
-+		}
- 	}
- 	return csr;
- }
-diff --git a/tests/039-fromfile/expected.out b/tests/039-fromfile/expected.out
-new file mode 100644
-index 0000000..9191a57
---- /dev/null
-+++ b/tests/039-fromfile/expected.out
-@@ -0,0 +1,4 @@
-+[trailing_nl]
-+Ok
-+[no_trailing_nl]
-+Ok
-diff --git a/tests/039-fromfile/run.sh b/tests/039-fromfile/run.sh
-new file mode 100755
-index 0000000..8bae773
---- /dev/null
-+++ b/tests/039-fromfile/run.sh
-@@ -0,0 +1,55 @@
-+#!/bin/bash -e
-+
-+cd $tmpdir
-+
-+cat > $tmpdir/trailing_nl <<- EOF
-+-----BEGIN CERTIFICATE-----
-+MIIDjjCCAnagAwIBAgIRAO1VmyXYM0f7pbXVdEGtRPMwDQYJKoZIhvcNAQELBQAw
-+UDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRob3JpdHkxLDAqBgNVBAMMI2Vk
-+NTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0NGYzMB4XDTE1MDQyODE3MDk0
-+OFoXDTE2MDQyODE3MDk0OFowUDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRo
-+b3JpdHkxLDAqBgNVBAMMI2VkNTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0
-+NGYzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5c/LhlyBs0UUiDSy
-+nrC+Q0WJkWZeQ/kqwniru+GlXgb3g+7VvyAfdZ45NiBdo/6xXyCLphK0g8oZLyi8
-+OwQQoUyVMn9gsGXbjlwSzjXKx3wdUM+lFpenx8iQS9aCfVQJ4tzFgM1pQBQ2AiHs
-+jvU18xSFSZApjT5UIK35kyH22D8LhCGGYLaU3xFEfHvd0AOuXwm5Nsiu/HTsSV4N
-+peUdFEmFzQwUEUdV2jKOPcXnOArV82vfpdp1nSCX3kruEb9G93VsmQ+9ebKXQRQE
-+Ltd65e/EYtXvihuTtElLYuyYZlYJdbTZeLXB4YLvElgNkS9JK7RKHlCm0KYQmcmd
-+GZSh8QIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQEBMB0GA1UdDgQWBBRLxeFy3+RS
-+FloygyjlXa6YEv8ltzAfBgNVHSMEGDAWgBRLxeFy3+RSFloygyjlXa6YEv8ltzAO
-+BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAH9A9ePIqZGF4VEo5D4j
-+MuOJ1J4uTRxHoEGXCDRcuCn3RvT0civWEPpRNo1YVgAWFODpt/HSi3lCVtTb7FwJ
-+hfHkxCpAuHmv3sfT8jcCwTTAXL1BLpCO6d0zz0RrFMNK+vGyZu/7LXhaYVu590Q5
-+1DMybHmln7i+Tw/eYb4Avk1FWGOEpNdf3ZjUazcDlkO4EwA6BnZUC8gFvz0OI73D
-+AJsGq/UsJvMH30ga1rZ/9LiHEMSEys5amk98yMRvi/R1qI02kjANdZ0ID/7cJSw2
-+rVCCs61jgYppWv3JHVKYmm6+cVPAUcuRdsUzDpAQDdvGAaZJENE6suulRVEaBEdS
-+8gM=
-+-----END CERTIFICATE-----
-+EOF
-+cat > $tmpdir/no_trailing_nl <<- EOF
-+-----BEGIN CERTIFICATE-----
-+MIIDjjCCAnagAwIBAgIRAO1VmyXYM0f7pbXVdEGtRPMwDQYJKoZIhvcNAQELBQAw
-+UDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRob3JpdHkxLDAqBgNVBAMMI2Vk
-+NTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0NGYzMB4XDTE1MDQyODE3MDk0
-+OFoXDTE2MDQyODE3MDk0OFowUDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRo
-+b3JpdHkxLDAqBgNVBAMMI2VkNTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0
-+NGYzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5c/LhlyBs0UUiDSy
-+nrC+Q0WJkWZeQ/kqwniru+GlXgb3g+7VvyAfdZ45NiBdo/6xXyCLphK0g8oZLyi8
-+OwQQoUyVMn9gsGXbjlwSzjXKx3wdUM+lFpenx8iQS9aCfVQJ4tzFgM1pQBQ2AiHs
-+jvU18xSFSZApjT5UIK35kyH22D8LhCGGYLaU3xFEfHvd0AOuXwm5Nsiu/HTsSV4N
-+peUdFEmFzQwUEUdV2jKOPcXnOArV82vfpdp1nSCX3kruEb9G93VsmQ+9ebKXQRQE
-+Ltd65e/EYtXvihuTtElLYuyYZlYJdbTZeLXB4YLvElgNkS9JK7RKHlCm0KYQmcmd
-+GZSh8QIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQEBMB0GA1UdDgQWBBRLxeFy3+RS
-+FloygyjlXa6YEv8ltzAfBgNVHSMEGDAWgBRLxeFy3+RSFloygyjlXa6YEv8ltzAO
-+BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAH9A9ePIqZGF4VEo5D4j
-+MuOJ1J4uTRxHoEGXCDRcuCn3RvT0civWEPpRNo1YVgAWFODpt/HSi3lCVtTb7FwJ
-+hfHkxCpAuHmv3sfT8jcCwTTAXL1BLpCO6d0zz0RrFMNK+vGyZu/7LXhaYVu590Q5
-+1DMybHmln7i+Tw/eYb4Avk1FWGOEpNdf3ZjUazcDlkO4EwA6BnZUC8gFvz0OI73D
-+AJsGq/UsJvMH30ga1rZ/9LiHEMSEys5amk98yMRvi/R1qI02kjANdZ0ID/7cJSw2
-+rVCCs61jgYppWv3JHVKYmm6+cVPAUcuRdsUzDpAQDdvGAaZJENE6suulRVEaBEdS
-+8gM=
-+EOF
-+echo -n "-----END CERTIFICATE-----" >> $tmpdir/no_trailing_nl
-+
-+$toolsdir/fromfile trailing_nl
-+$toolsdir/fromfile no_trailing_nl
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index fe368dc..1552c48 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -127,7 +127,9 @@ CLEANFILES = \
- 	037-rekey2/actual.out \
- 	037-rekey2/actual.err \
- 	038-ms-v2-template/actual.out \
--	038-ms-v2-template/actual.err
-+	038-ms-v2-template/actual.err \
-+	039-fromfile/actual.out \
-+	039-fromfile/actual.err
- EXTRA_DIST = \
- 	run-tests.sh functions certmonger.conf tools/cachain.sh \
- 	001-keyiread/run.sh \
-@@ -349,7 +351,8 @@ EXTRA_DIST = \
- 	037-rekey2/run.sh \
- 	038-ms-v2-template/expected.out \
- 	038-ms-v2-template/extract-extdata.py \
--	038-ms-v2-template/run.sh
-+	038-ms-v2-template/run.sh \
-+	039-fromfile/run.sh
- 
- subdirs = \
- 	001-keyiread \
-@@ -392,7 +395,8 @@ subdirs = \
- 	035-json \
- 	036-getcert \
- 	037-rekey2 \
--	038-ms-v2-template
-+	038-ms-v2-template \
-+	039-fromfile
- 
- if HAVE_DBM_NSSDB
- subdirs += \
-diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am
-index 39fa954..e0d2f08 100644
---- a/tests/tools/Makefile.am
-+++ b/tests/tools/Makefile.am
-@@ -16,7 +16,7 @@ endif
- noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \
- 		  name2oid iterate prefs dates listnicks pem2base base2pem \
- 		  dparse payload checksig base64 cadata citerate casave hooks \
--		  libexecdir canon srv addcinfo ls json json-utf8 printenv
-+		  libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile
- noinst_LIBRARIES = libtools.a
- if HAVE_OPENSSL
- noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt
-@@ -38,3 +38,7 @@ citerate_LDADD = $(top_srcdir)/src/store-gen.c $(LDADD)
- 
- srv_SOURCES = srv.c
- srv_LDADD = $(top_srcdir)/src/srvloc.c $(LDADD)
-+
-+fromfile_CFLAGS = $(AM_CFLAGS) $(CURL_CFLAGS)
-+fromfile_SOURCES = fromfile.c
-+fromfile_LDADD = $(LDADD) $(UUID_LIBS) $(CURL_LIBS)
-diff --git a/tests/tools/fromfile.c b/tests/tools/fromfile.c
-new file mode 100644
-index 0000000..bb70507
---- /dev/null
-+++ b/tests/tools/fromfile.c
-@@ -0,0 +1,52 @@
-+/*
-+ * Copyright (C) 2020 Red Hat, Inc.
-+ * 
-+ * This program is free software: you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation, either version 3 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+ */
-+
-+#include "../../src/config.h"
-+
-+#include <sys/types.h>
-+#include <errno.h>
-+#include <stdlib.h>
-+#include <stdio.h>
-+
-+#include <krb5.h>
-+
-+#include "../../src/submit-u.h"
-+#include "../../src/submit-u.c"
-+
-+int
-+main(int argc, char **argv)
-+{
-+	int i, result = 0;
-+	char *cert;
-+
-+	for (i = 1; i < argc; i++) {
-+		printf("[%s]\n", argv[i]);
-+		cert = cm_submit_u_from_file(argv[i]);
-+		if (cert == NULL) {
-+			printf("OOM error\n");
-+			result = 1;
-+		}
-+		else if (cert[strlen(cert) - 1] != '\n') {
-+			printf("Missing trailing newline\n");
-+			result = 1;
-+		} else {
-+			printf("Ok\n");
-+		}
-+		free(cert);
-+	}
-+	return result;
-+}
--- 
-2.18.4
-
diff --git a/SOURCES/0042-Add-long-command-line-options-to-man-pages.patch b/SOURCES/0042-Add-long-command-line-options-to-man-pages.patch
deleted file mode 100644
index 9feaf01..0000000
--- a/SOURCES/0042-Add-long-command-line-options-to-man-pages.patch
+++ /dev/null
@@ -1,4160 +0,0 @@
-From 2a6ede56ad8c29181fde7691904f226102d43e54 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 14 May 2020 14:15:17 -0400
-Subject: [PATCH 42/43] Add long command-line options to man pages
-
-The man pages almost universally only documented the short
-options even though the long options were all defined in
-the popt configuration.
-
-Also do a bit of minor bit of reformatting and added a lint
-option. I'm not going to require mandoc as a requirement as
-the linting is pretty minor at the moment but it's better than
-nothing.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1782838
----
- src/Makefile.am                               |   6 +
- src/certmaster-getcert.1.in                   |  72 ++---
- src/certmonger-certmaster-submit.8.in         |  59 ++--
- ...tmonger-dogtag-ipa-renew-agent-submit.8.in | 288 +++++++++++-------
- src/certmonger-dogtag-submit.8.in             | 252 ++++++++-------
- src/certmonger-ipa-submit.8.in                | 115 ++++---
- src/certmonger-local-submit.8.in              |  62 ++--
- src/certmonger-scep-submit.8.in               | 124 ++++----
- src/certmonger.8.in                           |  86 +++---
- src/certmonger.conf.5.in                      |  20 +-
- src/getcert-add-ca.1.in                       |  48 +--
- src/getcert-add-scep-ca.1.in                  |  80 ++---
- src/getcert-list-cas.1.in                     |  44 +--
- src/getcert-list.1.in                         |  84 ++---
- src/getcert-modify-ca.1.in                    |  46 +--
- src/getcert-refresh-ca.1.in                   |  50 +--
- src/getcert-refresh.1.in                      |  52 ++--
- src/getcert-rekey.1.in                        | 107 ++++---
- src/getcert-remove-ca.1.in                    |  44 +--
- src/getcert-request.1.in                      | 157 ++++++----
- src/getcert-resubmit.1.in                     | 112 ++++---
- src/getcert-start-tracking.1.in               | 134 ++++----
- src/getcert-status.1.in                       |  54 ++--
- src/getcert-stop-tracking.1.in                |  65 ++--
- src/getcert.1.in                              |  54 ++--
- src/ipa-getcert.1.in                          |  74 ++---
- src/local-getcert.1.in                        |  76 ++---
- src/selfsign-getcert.1.in                     |  74 ++---
- 28 files changed, 1321 insertions(+), 1118 deletions(-)
-
-diff --git a/src/Makefile.am b/src/Makefile.am
-index fe3b235..5343dbc 100644
---- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -266,3 +266,9 @@ submit_h_CFLAGS = $(AM_CFLAGS) $(CURL_CFLAGS) $(XML_CFLAGS) -DCM_SUBMIT_H_MAIN
- submit_h_SOURCES = submit-h.c submit-h.h log.c log.h tm.c tm.h
- submit_h_LDADD = $(CURL_LIBS) $(XML_LIBS) $(TALLOC_LIBS) $(LTLIBICONV) \
- 		 $(POPT_LIBS)
-+
-+.PHONY: manlint
-+manlint: $(man_MANS)
-+	for page in $(MANS); do \
-+		mandoc -T lint $${page}; \
-+	done
-diff --git a/src/certmaster-getcert.1.in b/src/certmaster-getcert.1.in
-index ef1c14a..7a038f9 100644
---- a/src/certmaster-getcert.1.in
-+++ b/src/certmaster-getcert.1.in
-@@ -1,20 +1,20 @@
--.TH certmonger 1 "23 November 2009" "certmonger Manual"
-+.TH CERTMONGER 1 "November 23, 2009" "certmonger Manual"
- 
- .SH NAME
--certmaster-getcert
-+certmaster\-getcert
- 
- .SH SYNOPSIS
-- certmaster-getcert request [options]
-- certmaster-getcert resubmit [options]
-- certmaster-getcert start-tracking [options]
-- certmaster-getcert status [options]
-- certmaster-getcert stop-tracking [options]
-- certmaster-getcert list [options]
-- certmaster-getcert list-cas [options]
-- certmaster-getcert refresh-cas [options]
-+ certmaster\-getcert request [options]
-+ certmaster\-getcert resubmit [options]
-+ certmaster\-getcert start\-tracking [options]
-+ certmaster\-getcert status [options]
-+ certmaster\-getcert stop\-tracking [options]
-+ certmaster\-getcert list [options]
-+ certmaster\-getcert list\-cas [options]
-+ certmaster\-getcert refresh\-cas [options]
- 
- .SH DESCRIPTION
--The \fIcertmaster-getcert\fR tool issues requests to a @CM_DBUS_NAME@
-+The \fIcertmaster\-getcert\fR tool issues requests to a @CM_DBUS_NAME@
- service on behalf of the invoking user.  It can ask the service to begin
- enrollment, optionally generating a key pair to use, it can ask the
- service to begin monitoring a certificate in a specified location for
-@@ -22,17 +22,17 @@ expiration, and optionally to refresh it when expiration nears, it can
- list the set of certificates that the service is already monitoring, or
- it can list the set of CAs that the service is capable of using.
- 
--If no command is given as the first command-line argument,
--\fIcertmaster-getcert\fR will print short usage information for each of
-+If no command is given as the first command\-line argument,
-+\fIcertmaster\-getcert\fR will print short usage information for each of
- its functions.
- 
--The \fIcertmaster-getcert\fR tool behaves identically to the generic
--\fIgetcert\fR tool when it is used with the \fB-c
-+The \fIcertmaster\-getcert\fR tool behaves identically to the generic
-+\fIgetcert\fR tool when it is used with the \fB\-c
- \fI@CM_CERTMASTER_CA_NAME@\fR option.
- 
- There is no standard authenticated method for obtaining the root certificate
- from certmaster CAs, so \fBcertmonger\fR does not support retrieving trust
--information from them.  While the \fB-F\fR and \fB-a\fR options will still
-+information from them.  While the \fB\-F\fR and \fB\-a\fR options will still
- be recognized, they will effectively be ignored.
- 
- .SH BUGS
-@@ -41,24 +41,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/certmonger-certmaster-submit.8.in b/src/certmonger-certmaster-submit.8.in
-index aec8b83..e3e990f 100644
---- a/src/certmonger-certmaster-submit.8.in
-+++ b/src/certmonger-certmaster-submit.8.in
-@@ -1,17 +1,17 @@
--.TH certmonger 8 "7 June 2010" "certmonger Manual"
-+.TH CERTMONGER 8 "June 7, 2010" "certmonger Manual"
- 
- .SH NAME
--certmaster-submit
-+certmaster\-submit
- 
- .SH SYNOPSIS
--certmaster-submit [-h serverHost] [-c cafile] [-C capath] [csrfile]
-+certmaster\-submit [\-h HOST] [\-c FILE] [\-C DIR] [\-v] [csrfile]
- 
- .SH DESCRIPTION
--\fIcertmaster-submit\fR is the helper which \fIcertmonger\fR uses to make
--requests to certmaster-based CAs.  It is not normally run interactively,
-+\fIcertmaster\-submit\fR is the helper which \fIcertmonger\fR uses to make
-+requests to certmaster\-based CAs.  It is not normally run interactively,
- but it can be for troubleshooting purposes.  The signing request which is
- to be submitted should either be in a file whose name is given as an argument,
--or fed into \fIcertmaster-submit\fR via stdin.
-+or fed into \fIcertmaster\-submit\fR via stdin.
- 
- There is no standard authenticated method for obtaining the root certificate
- from certmaster CAs, so \fBcertmonger\fR does not support retrieving trust
-@@ -19,21 +19,24 @@ information from them.
- 
- .SH OPTIONS
- .TP
--\fB\-h\fR serverHost
-+\fB\-h\fR \fIHOST\fR, \fB\-\-server\-host\fR=\fIHOST\fR
- Submit the request to the certmaster instance running on the named host.  The
- default is \fIlocalhost:51235\fR if a file named \fB/var/run/certmaster.pid\fR
- is found on the local system, and is read from \fB/etc/certmaster/minion.conf\fR
- if that file is not found.
- .TP
--\fB\-c\fR cafile
-+\fB\-c\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR
- Submit the request over HTTPS instead of HTTP, and only trust the server
- if its certificate was issued by the CA whose certificate is in the named file.
- .TP
--\fB\-C\fR capath
-+\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR
- Submit the request over HTTPS instead of HTTP, and only trust the server
- if its certificate was issued by a CA whose certificate is in a file in
- the named directory.
--
-+.TP
-+\fB\-v\fR, \fB\-\-verbose\fR
-+Be verbose about errors.  Normally, the details of an error received from
-+the daemon will be suppressed if the client can make a diagnostic suggestion.
- .SH EXIT STATUS
- .TP
- 0
-@@ -73,22 +76,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
-index 84c8b0d..33e0648 100644
---- a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
-+++ b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in
-@@ -1,44 +1,51 @@
--.TH certmonger 8 "27 Oct 2015" "certmonger Manual"
-+.TH CERTMONGER 8 "October 27, 2015" "certmonger Manual"
- 
- .SH NAME
--dogtag-ipa-renew-agent-submit
-+dogtag\-ipa\-renew\-agent\-submit
- 
- .SH SYNOPSIS
--dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL
--[-d dbdir]
--[-n nickname]
--[-i cainfo]
--[-C capath]
--[-c certfile]
--[-k keyfile]
--[-p pinfile]
--[-P pin]
--[-s serial (hex)]
--[-D serial (decimal)]
--[-S state]
--[-T profile]
--[-O param=value]
--[-N | -R]
--[-t]
--[-o option=value]
--[-v]
-+dogtag\-ipa\-renew\-agent\-submit \-E EE\-URL \-A AGENT\-URL
-+[\-d dbdir]
-+[\-n nickname]
-+[\-i cainfo]
-+[\-C capath]
-+[\-c certfile]
-+[\-k keyfile]
-+[\-p pinfile]
-+[\-P pin]
-+[\-s serial (hex)]
-+[\-D serial (decimal)]
-+[\-S state]
-+[\-T profile]
-+[\-O param=value]
-+[\-N | \-R]
-+[\-t]
-+[\-o option=value]
-+[\-a]
-+[\-u uid]
-+[\-U udn]
-+[\-W pwd]
-+[\-w pwdfile]
-+[\-Y pin]
-+[\-y pinfile]
- [csrfile]
- 
-+
- .SH DESCRIPTION
--\fIdogtag-ipa-renew-agent-submit\fR is the helper which \fIcertmonger\fR uses
-+\fIdogtag\-ipa\-renew\-agent\-submit\fR is the helper which \fIcertmonger\fR uses
- to make certificate renewal requests to Dogtag instances running on IPA
- servers.  It is not normally run interactively, but it can be for
- troubleshooting purposes.
- 
--The preferred option is to request a renewal of an already-issued certificate,
--using its serial number, which can be read from a PEM-formatted certificate
-+The preferred option is to request a renewal of an already\-issued certificate,
-+using its serial number, which can be read from a PEM\-formatted certificate
- provided in the \fICERTMONGER_CERTIFICATE\fR environment variable, or via the
--\fB-s\fR or \fB-D\fR option on the command line.  If no serial number is
-+\fB\-s\fR or \fB\-D\fR option on the command line.  If no serial number is
- provided, then the client will attempt to obtain a new certificate by
- submitting a signing request to the CA.
- 
- The signing request which is to be submitted should either be in a file whose
--name is given as an argument, or fed into \fIdogtag-ipa-renew-agent-submit\fR
-+name is given as an argument, or fed into \fIdogtag\-ipa\-renew\-agent\-submit\fR
- via stdin.
- 
- \fBcertmonger\fR does not yet support retrieving trust information from Dogtag
-@@ -46,8 +53,8 @@ CAs.
- 
- .SH OPTIONS
- .TP
--\fB\-E\fR EE-URL
--The top-level URL for the end-entity interface provided by the CA.  In IPA
-+\fB\-E\fR \fIEE\-URL\fR, \fB\-\-ee\-url\fR=\fIEE\-URL\fR
-+The top\-level URL for the end\-entity interface provided by the CA.  In IPA
- installations, this is typically
- \fIhttp://\fBSERVER\fP:\fBEEPORT\fP/ca/ee/ca\fR.
- If no URL is specified, the \fIhost\fR named in the \fI[global]\fR section in
-@@ -58,8 +65,8 @@ and the value of \fBEEPORT\fR will be inferred based on the value of the
- if \fIdogtag_version\fR is set to \fI10\fR or more, \fBEEPORT\fR will
- be set to 8080.  Otherwise it will be 9180.
- .TP
--\fB\-A\fR AGENT-URL
--The top-level URL for the agent interface provided by the CA.  In IPA
-+\fB\-A\fR \fIAGENT\-URL\fR, \fB\-\-agent\-url\fR=\fIAGENT\-URL\fR
-+The top\-level URL for the agent interface provided by the CA.  In IPA
- installations, this is typically
- \fIhttps://\fBSERVER\fP:\fBAGENTPORT\fP/ca/agent/ca\fR.
- If no URL is specified, the \fIhost\fR named in the \fI[global]\fR section in
-@@ -70,96 +77,159 @@ and the value of \fBAGENTPORT\fR will be inferred based on the value of the
- if \fIdogtag_version\fR is set to \fI10\fR or more, \fBAGENTPORT\fR will
- be set to 8443.  Otherwise it will be 9443.
- .TP
--\fB\-d\fR dbdir \fB\-n\fR nickname \fB\-c\fR certfile \fB\-k\fR keyfile
--The location of the key and certificate which the client should use to
--authenticate to the CA's agent interface.  Exactly which values are
--meaningful depend on which cryptography library your copy of libcurl was
--linked with.
--
--If none of these options are specified, and none of the \fB-p\fR, \fB-P\fR,
--\fB-i\fR, nor \fB-C\fR options are specified, then this set of defaults is
--used:
-- \fB-i\fR \fI/etc/ipa/ca.crt\fR
-- \fB-d\fR \fI/etc/httpd/alias\fR
-- \fB-n\fR \fIipaCert\fR
-- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
--.TP
--\fB\-p\fR pinfile
--The name of a file which contains a PIN/password which will be needed in
--order to make use of the agent credentials.
--
--If this option is not specified, and none of the \fB-d\fR, \fB-n\fR, \fB-c\fR,
--\fB-k\fR, \fB-P\fR, \fB-i\fR, nor \fB-C\fR options are specified, then this set
--of defaults is used:
-- \fB-i\fR \fI/etc/ipa/ca.crt\fR
-- \fB-d\fR \fI/etc/httpd/alias\fR
-- \fB-n\fR \fIipaCert\fR
-- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
--.TP
--\fB\-i\fR cainfo \fB\-C\fR capath
-+\fB\-i\fR \fIFILE\fB, \fB\-\-cafile\fR=\fIPATH\fR
- The location of a file containing a copy of the CA's certificate, against which
--the CA server's certificate will be verified, or a directory containing, among
--other things, such a file.
--
--If these options are not specified, and none of the \fB-d\fR, \fB-n\fR,
--\fB-c\fR, \fB-k\fR, \fB-p\fR, nor \fB-P\fR options are specified, then this set
--of defaults is used:
-- \fB-i\fR \fI/etc/ipa/ca.crt\fR
-- \fB-d\fR \fI/etc/httpd/alias\fR
-- \fB-n\fR \fIipaCert\fR
-- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
--.TP
--\fB-s\fR serial
--The serial number of an already-issued certificate for which the client should
--attempt to obtain a new certificate, in hexadecimal form, if one can not be
-+the CA server's certificate will be verified. The default is
-+\fB/etc/ipa/ca.crt\fR.
-+.TP
-+\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR
-+The location of a directory containing a copy of the CA's certificate,
-+against which the CA server's certificate will be verified.
-+.TP
-+\fB\-s\fR \fINUMBER\fR, \fB\-\-hex\-serial\fR=\fINUMBER\fB
-+The serial number of an already\-issued certificate for which the client should
-+attempt to obtain a new certificate, in hexidecimal form, if one can not be
- read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
- .TP
--\fB-D\fR serial
--The serial number of an already-issued certificate for which the client should
-+\fB\-D\fR \fINUMBER\fR, \fB\-\-serial\fR=\fINUMBER\fB
-+The serial number of an already\-issued certificate for which the client should
- attempt to obtain a new certificate, in decimal form, if one can not be
- read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
- .TP
--\fB-S\fR state
-+\fB\-S\fR \fISTATE\-VALUE\fR, \fB\-\-state\fR=\fISTATE\-VALUE\fR
- A cookie value provided by a previous instance of this helper, if the helper
--is being asked to continue a multi-step enrollment process.  If the
-+is being asked to continue a multi\-step enrollment process.  If the
- \fICERTMONGER_COOKIE\fR environment variable is set, its value is used.
- .TP
--\fB-T\fR profile/template
-+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
- The name of the type of certificate which the client should request from the CA
--if it is not renewing a certificate (per the \fB-s\fR option above).  If the
-+if it is not renewing a certificate (per the \fB\-s\fR option above).  If the
- \fICERTMONGER_CA_PROFILE\fR environment variable is set, its value is used.
- Otherwise, the default value is \fBcaServerCert\fP.
- .TP
--\fB-O\fR param=value
-+\fB\-t\fR, \fB\-\-profile\-list\fR
-+Instead of attempting to obtain a new certificate, query the server for a list
-+of the enabled enrollment profiles.
-+.TP
-+\fB\-O\fR \fIparam=value\fR, \fB\-\-approval\-option\fR=\fIparam=value\fR
- An additional parameter to pass to the server when approving the signing
--request using the agent's credentials.  By default, any server-supplied default
-+request using the agent's credentials.  By default, any server\-supplied default
- settings are applied.  This option can be used either to override a
--server-supplied default setting, or to supply one which would otherwise have
-+server\-supplied default setting, or to supply one which would otherwise have
- not been used.
- .TP
--\fB-N\fR
--Even if an already-issued certificate is available in the
-+\fB\-N\fR, \fB\-\-force\-new\fR
-+Even if an already\-issued certificate is available in the
- \fICERTMONGER_CERTIFICATE\fR environment variable, or a serial number has been
- provided, don't attempt to renew a certificate using its serial number.
- Instead, attempt to obtain a new certificate using the signing request.
- The default behavior is to request a renewal if possible.
- .TP
--\fB-R\fR
--Negates the effect of the \fB-N\fR flag.
--.TP
--\fB-t\fR
--Instead of attempting to obtain a new certificate, query the server for a list
--of the enabled enrollment profiles.
-+\fB\-R\fR, \fB\-\-force\-renew\fR
-+Negates the effect of the \fB\-N\fR flag.
- .TP
--\fB-o\fR param=value
-+\fB\-o\fR \fIparam=value\fR, \fB\-\-submit\-option\fR=\fIparam=value\fR
- When initially submitting a request to the CA, add the specified parameter and
- value along with any request parameters which would otherwise be sent.  This
- option is not typically used.
- .TP
--\fB-v\fR
-+\fB\-a\fR, \fB\-\-agent\-submit\fR
-+Use agent credentials, specified using some combination of the \fB\-d\fR,
-+\fB\-n\fR, \fB\-c\fR, and \fB\-k\fR flags, to authenticate to the CA when
-+initially submitting a request to the CA or retrieving the list of enabled
-+enrollment profiles.
-+This is typically required when the enrollment profile being used uses
-+\fIAgentCertAuth\fR\-based
-+authentication,
-+and requires that the URL specified using the \fB\-E\fR flag be an HTTPS URL,
-+or when the URL specified using the \fB\-E\fR flag is an HTTPS URL.
-+.TP
-+\fB\-u username\fR, \fB\-\-uid\fR=\fIusername\fR
-+When initially submitting a request to the CA, supply the specified value as a user name.
-+This is typically required when the enrollment profile being used uses
-+\fIUidPwdDirAuth\fR\-based or \fINISAuth\fR\-based
-+authentication..TP
-+\fB\-U\fR \fIuserdn\fR, \fB\-\-upn\fR=\fIuserdn\fR
-+When initially submitting a request to the CA, supply the specified value as the DN
-+(distinguished name) of the user's entry in a directory server which the CA is
-+configured to use for checking the user's password.
-+This is typically required when the enrollment profile being used uses
-+\fIUdnPwdDirAuth\fR\-based
-+authentication.
-+.TP
-+\fB\-W\fR \fIPASSWORD\fR, \fB\-\-userpwd\fR=\fIPASSWORD\fR
-+When initially submitting a request to the CA, supply the specified value as the password
-+for the user whose name is specified with the \fB\-u\fR option, or whose DN is
-+specified with the \fB\-U\fR option.
-+This is typically only required when the enrollment profile being used uses
-+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
-+authentication.
-+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
-+will not be encrypted.
-+.TP
-+\fB\-w\fR \fIFILE\fR, \fB\-\-userpwdfile\fR=\fIFILE\fR
-+When initially submitting a request to the CA, read from the specified file a
-+password to supply for the user whose name is specified with the \fB\-u\fR
-+option, or whose DN is specified with the \fB\-U\fR option.
-+This is typically only required when the enrollment profile being used uses
-+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
-+authentication.
-+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
-+will not be encrypted.
-+.TP
-+\fB\-Y\fR \fIPIN\fR, \fB\-\-userpin\fR=\fIPIN\fR
-+When initially submitting a request to the CA, supply the specified value as the PIN
-+for the user whose name is specified with the \fB\-u\fR option, or whose DN is
-+specified with the \fB\-U\fR option.
-+This is typically only required when the enrollment profile being used uses
-+\fIUidPwdPinDirAuth\fR\-based
-+authentication.
-+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
-+will not be encrypted.
-+\fB\-y\fR \fIFILE\fR, \fB\-\-userpinfile\fR=\fIFILE\fR
-+When initially submitting a request to the CA, read from the specified file a
-+PIN to supply for the user whose name is specified with the \fB\-u\fR
-+option, or whose DN is specified with the \fB\-U\fR option.
-+This is typically only required when the enrollment profile being used uses
-+\fIUidPwdPinDirAuth\fR\-based
-+authentication.  If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
-+will not be encrypted.
-+.TP
-+\fB\-v\fR, \fB\-\-verbose\fR
- Increases the logging level.  Use twice for more logging.  This option is mainly
- useful for troubleshooting.
--
-+.SH AGENT KEY AND CERTIFICATE OPTIONS
-+Options that provide the location for the private key and public certificate
-+which the client should use to authenticate to the CA's agent interface.
-+The values to use depend on which cryptography library your copy of libcurl
-+was linked with.
-+.TP
-+If none of these options are specified, and none of the \fB\-p\fR, \fB\-P\fR, \fB\-i\fR, nor \fB\-C\fR options are specified, then this set of defaults is used:
-+ \fB\-i\fR \fI/etc/ipa/ca.crt\fR
-+ \fB\-d\fR \fI/etc/httpd/alias\fR
-+ \fB\-n\fR \fIipaCert\fR
-+ \fB\-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
-+.TP
-+\fB\-d\fR \fIdbdir\fR, \fB\-\-dbdir\fR=\fIdbdir\fR
-+Use an NSS database in the specified directory for this certificate
-+and key. Only valid with \-n.
-+.TP
-+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
-+Use the NSS key with this nickname. Only valid with \-d.
-+.TP
-+\fB\-c\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
-+The PEM file that contains the public certificate. Only valid with \-k.
-+.TP
-+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
-+The PEM file that contains the private certificate. Only valid with \-c.
-+.TP
-+\fB\-p\fR \fIFILE\fR, \fB\-\-sslpinfile\fR=\fIFILE\fR
-+The name of a file which contains a PIN/password which will be needed in
-+order to make use of the agent credentials.
-+.TP
-+\fB\-P\fR \fIPIN\fR, \fB\-\-sslpin\fR=\fIPIN\fR
-+The name of a file which contains a PIN/password which will be needed in
-+order to make use of the agent credentials.
- .SH EXIT STATUS
- .TP
- 0
-@@ -189,7 +259,7 @@ pair.
- .TP
- .I /etc/ipa/default.conf
- is the IPA client configuration file.  This file is consulted to determine
--the URL for the Dogtag server's end-entity and agent interfaces if they are
-+the URL for the Dogtag server's end\-entity and agent interfaces if they are
- not supplied as arguments.
- 
- .SH BUGS
-@@ -198,22 +268,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/certmonger-dogtag-submit.8.in b/src/certmonger-dogtag-submit.8.in
-index 19ecab7..e92de67 100644
---- a/src/certmonger-dogtag-submit.8.in
-+++ b/src/certmonger-dogtag-submit.8.in
-@@ -1,196 +1,214 @@
--.TH certmonger 8 "27 Oct 2015" "certmonger Manual"
-+.TH CERTMONGER 8 "October 27, 2015" "certmonger Manual"
- 
- .SH NAME
--dogtag-submit
-+dogtag\-submit
- 
- .SH SYNOPSIS
--dogtag-submit -E EE-URL -A AGENT-URL
--[-d dbdir]
--[-n nickname]
--[-i cainfo]
--[-C capath]
--[-c certfile]
--[-k keyfile]
--[-p pinfile]
--[-P pin]
--[-s serial (hex)]
--[-D serial (decimal)]
--[-S state]
--[-T profile]
--[-O param=value]
--[-N | -R]
--[-t]
--[-o option=value]
--[-a ]
--[-u username]
--[-U userdn]
--[-W userpassword]
--[-w userpasswordfile]
--[-Y userpin]
--[-y userpinfile]
--[-v]
-+dogtag\-submit \-E EE\-URL \-A AGENT\-URL
-+[\-d DIR]
-+[\-n NAME]
-+[\-i FILE]
-+[\-C DIR]
-+[\-c FILE]
-+[\-k FILE]
-+[\-p FILE]
-+[\-P PIN]
-+[\-s serial (hex)]
-+[\-D serial (decimal)]
-+[\-S state]
-+[\-T profile]
-+[\-O param=value]
-+[\-N | \-R]
-+[\-t]
-+[\-o option=value]
-+[\-a]
-+[\-u username]
-+[\-U userdn]
-+[\-W PASSWORD]
-+[\-w FILE]
-+[\-Y PIN]
-+[\-y FILE]
-+[\-v]
- [csrfile]
- 
- .SH DESCRIPTION
--\fIdogtag-submit\fR is the helper which \fIcertmonger\fR can use to make
-+\fIdogtag\-submit\fR is the helper which \fIcertmonger\fR can use to make
- certificate enrollment and renewal requests to Dogtag servers.  It is not
- normally run interactively, but it can be for troubleshooting purposes.
- 
--The preferred option is to request a renewal of an already-issued certificate,
--using its serial number, which can be read from a PEM-formatted certificate
-+The preferred option is to request a renewal of an already\-issued certificate,
-+using its serial number, which can be read from a PEM\-formatted certificate
- provided in the \fICERTMONGER_CERTIFICATE\fR environment variable, or via the
--\fB-s\fR or \fB-D\fR option on the command line.  If no serial number is
-+\fB\-s\fR or \fB\-D\fR option on the command line.  If no serial number is
- provided, then the client will attempt to obtain a new certificate by
- submitting a signing request to the CA.
- 
- The signing request which is to be submitted should either be in a file whose
--name is given as an argument, or fed into \fIdogtag-submit\fR via stdin.
-+name is given as an argument, or fed into \fIdogtag\-submit\fR via stdin.
- 
- \fBcertmonger\fR does not yet support retrieving trust information from Dogtag
- CAs.
- 
- .SH OPTIONS
- .TP
--\fB\-E\fR EE-URL
--The top-level URL for the end-entity interface provided by the CA, through
-+\fB\-E\fR \fIEE\-URL\fR, \fB\-\-ee\-url\fR=\fIEE\-URL\fR
-+The top\-level URL for the end\-entity interface provided by the CA, through
- which the initial enrollment request will be submitted.  This is typically
- \fIhttp://\fBSERVER\fP:\fBEEPORT\fP/ca/ee/ca\fR.
- .TP
--\fB\-A\fR AGENT-URL
--The top-level URL for the agent interface provided by the CA, through which the
-+\fB\-A\fR \fIAGENT\-URL\fR, \fB\-\-agent\-url\fR=\fIAGENT\-URL\fR
-+The top\-level URL for the agent interface provided by the CA, through which the
- request can be approved using agent credentials.  This is typically
- \fIhttps://\fBSERVER\fP:\fBAGENTPORT\fP/ca/agent/ca\fR.
- .TP
--\fB\-d\fR dbdir \fB\-n\fR nickname \fB\-c\fR certfile \fB\-k\fR keyfile
--The location of the key and certificate which the client should use to
--authenticate to the CA's agent interface.  Exactly which values are
--meaningful depend on which cryptography library your copy of libcurl was
--linked with.
--.TP
--\fB\-p\fR pinfile
--The name of a file which contains a PIN/password which will be needed in
--order to make use of the agent credentials.
--.TP
--\fB\-i\fR cainfo \fB\-C\fR capath
-+\fB\-i\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR
- The location of a file containing a copy of the CA's certificate, against which
--the CA server's certificate will be verified, or a directory containing, among
--other things, such a file.
-+the CA server's certificate will be verified.
- .TP
--\fB-s\fR serial
--The serial number of an already-issued certificate for which the client should
--attempt to obtain a new certificate, in hexadecimal form, if one can not be
--read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
-+\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR
-+The location of a directory containing a copy of the CA's certificate(s),
-+against which the CA server's certificate will be verified.
- .TP
--\fB-D\fR serial
--The serial number of an already-issued certificate for which the client should
-+\fB\-D\fR \fISERIAL\fR, \fB\-\-serial\fR=\fISERIAL\fR
-+The serial number of an already\-issued certificate for which the client should
- attempt to obtain a new certificate, in decimal form, if one can not be
- read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
- .TP
--\fB-S\fR state
-+\fB\-s\fR SERIAL, \fB\-\-hex\-serial\fB=\fISERIAL\fR
-+The serial number of an already\-issued certificate for which the client should
-+attempt to obtain a new certificate, in hexadecimal form, if one can not be
-+read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
-+.TP
-+\fB\-S\fR \fISTATE\fR, \fB\-\-state\fR=\fISTATE\fR
- A cookie value provided by a previous instance of this helper, if the helper
--is being asked to continue a multi-step enrollment process.  If the
-+is being asked to continue a multi\-step enrollment process.  If the
- \fICERTMONGER_COOKIE\fR environment variable is set, its value is used.
- .TP
--\fB-T\fR profile/template
-+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
- The name of the type of certificate which the client should request from the CA
--if it is not renewing a certificate (per the \fB-s\fR option above).  If the
-+if it is not renewing a certificate (per the \fB\-s\fR option above).  If the
- \fICERTMONGER_CA_PROFILE\fR environment variable is set, its value is used.
- Otherwise, the default value is \fBcaServerCert\fP.
- .TP
--\fB-O\fR param=value
-+\fB\-O\fR \fIparam=value\fR, \fB\-\-approval\-options\fR=\fIparam=value\fR
- An additional parameter to pass to the server when approving the signing
--request using agent credentials.  By default, any server-supplied default
-+request using agent credentials.  By default, any server\-supplied default
- settings are applied.  This option can be used either to override a
--server-supplied default setting, or to supply one which would otherwise have
--not been used.  Requires the \fB-A\fR option.
-+server\-supplied default setting, or to supply one which would otherwise have
-+not been used.  Requires the \fB\-A\fR option.
- .TP
--\fB-N\fR
--Even if an already-issued certificate is available in the
-+\fB\-N\fR, \fB\-\-force\-new\fR
-+Even if an already\-issued certificate is available in the
- \fICERTMONGER_CERTIFICATE\fR environment variable, or a serial number has been
- provided, don't attempt to renew a certificate using its serial number.
- Instead, attempt to obtain a new certificate using the signing request.
- The default behavior is to request a renewal if possible.
- .TP
--\fB-R\fR
--Negates the effect of the \fB-N\fR flag.
-+\fB\-R\fR, \fB\-\-force\-renew\fR
-+Negates the effect of the \fB\-N\fR flag.
- .TP
--\fB-t\fR
-+\fB\-t\fR, \fB\-\-profile\-list\fR
- Instead of attempting to obtain a new certificate, query the server for a list
- of the enabled enrollment profiles.
- .TP
--\fB-o\fR param=value
-+\fB\-o\fR \fIparam=value\fR, \fB\-\-submit\-option\fR=\fIparam=value\fR
- When initially submitting a request to the CA, add the specified parameter and
- value along with any request parameters which would otherwise be sent.
- .TP
--\fB-a\fR
-+\fB\-a\fR, \fB\-\-agent\-submit\fR
- Use agent credentials, specified using some combination of the \fB\-d\fR,
- \fB\-n\fR, \fB\-c\fR, and \fB\-k\fR flags, to authenticate to the CA when
- initially submitting a request to the CA or retrieving the list of enabled
- enrollment profiles.
- This is typically required when the enrollment profile being used uses
--\fIAgentCertAuth\fR-based
-+\fIAgentCertAuth\fR\-based
- authentication,
--and requires that the URL specified using the \fB-E\fR flag be an HTTPS URL,
--or when the URL specified using the \fB-E\fR flag is an HTTPS URL.
-+and requires that the URL specified using the \fB\-E\fR flag be an HTTPS URL,
-+or when the URL specified using the \fB\-E\fR flag is an HTTPS URL.
- .TP
--\fB-u username\fR
-+\fB\-u username\fR, \fB\-\-uid\fR=\fIusername\fR
- When initially submitting a request to the CA, supply the specified value as a user name.
- This is typically required when the enrollment profile being used uses
--\fIUidPwdDirAuth\fR-based or \fINISAuth\fR-based
-+\fIUidPwdDirAuth\fR\-based or \fINISAuth\fR\-based
- authentication.
- .TP
--\fB-U userdn\fR
-+\fB\-U\fR \fIuserdn\fR, \fB\-\-upn\fR=\fIuserdn\fR
- When initially submitting a request to the CA, supply the specified value as the DN
- (distinguished name) of the user's entry in a directory server which the CA is
- configured to use for checking the user's password.
- This is typically required when the enrollment profile being used uses
--\fIUdnPwdDirAuth\fR-based
-+\fIUdnPwdDirAuth\fR\-based
- authentication.
- .TP
--\fB-W userpassword\fR
-+\fB\-W\fR \fIPASSWORD\fR, \fB\-\-userpwd\fR=\fIPASSWORD\fR
- When initially submitting a request to the CA, supply the specified value as the password
--for the user whose name is specified with the \fB-u\fR option, or whose DN is
--specified with the \fB-U\fR option.
-+for the user whose name is specified with the \fB\-u\fR option, or whose DN is
-+specified with the \fB\-U\fR option.
- This is typically only required when the enrollment profile being used uses
--\fIUidPwdDirAuth\fR-based, \fIUserPwdDirAuth\fR-based, or \fINISAuth\fR-based
-+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
- authentication.
--If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
-+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
- will not be encrypted.
- .TP
--\fB-w userpasswordfile\fR
-+\fB\-w\fR \fIFILE\fR, \fB\-\-userpwdfile\fR=\fIFILE\fR
- When initially submitting a request to the CA, read from the specified file a
--password to supply for the user whose name is specified with the \fB-u\fR
--option, or whose DN is specified with the \fB-U\fR option.
-+password to supply for the user whose name is specified with the \fB\-u\fR
-+option, or whose DN is specified with the \fB\-U\fR option.
- This is typically only required when the enrollment profile being used uses
--\fIUidPwdDirAuth\fR-based, \fIUserPwdDirAuth\fR-based, or \fINISAuth\fR-based
-+\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
- authentication.
--If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
-+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
- will not be encrypted.
- .TP
--\fB-Y userpin\fR
-+\fB\-Y\fR \fIPIN\fR, \fB\-\-userpin\fR=\fIPIN\fR
- When initially submitting a request to the CA, supply the specified value as the PIN
--for the user whose name is specified with the \fB-u\fR option, or whose DN is
--specified with the \fB-U\fR option.
-+for the user whose name is specified with the \fB\-u\fR option, or whose DN is
-+specified with the \fB\-U\fR option.
- This is typically only required when the enrollment profile being used uses
--\fIUidPwdPinDirAuth\fR-based
-+\fIUidPwdPinDirAuth\fR\-based
- authentication.
--If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
-+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
- will not be encrypted.
- .TP
--\fB-y userpinfile\fR
-+\fB\-y\fR \fIFILE\fR, \fB\-\-userpinfile\fR=\fIFILE\fR
- When initially submitting a request to the CA, read from the specified file a
--PIN to supply for the user whose name is specified with the \fB-u\fR
--option, or whose DN is specified with the \fB-U\fR option.
-+PIN to supply for the user whose name is specified with the \fB\-u\fR
-+option, or whose DN is specified with the \fB\-U\fR option.
- This is typically only required when the enrollment profile being used uses
--\fIUidPwdPinDirAuth\fR-based
-+\fIUidPwdPinDirAuth\fR\-based
- authentication.
--If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
-+If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
- will not be encrypted.
- .TP
--\fB-v\fR
-+\fB\-v\fR, \fB\-\-verbose\fR
- Increases the logging level.  Use twice for more logging.  This option is mainly
- useful for troubleshooting.
--
-+.SH AGENT KEY AND CERTIFICATE OPTIONS
-+Options that provide the location for the private key and public certificate
-+which the client should use to authenticate to the CA's agent interface.
-+The values to use depend on which cryptography library your copy of libcurl
-+was linked with.
-+.TP
-+\fB\-d\fR \fIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
-+Use an NSS database in the specified directory for this certificate
-+and key. Only valid with \-n.
-+.TP
-+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
-+Use the NSS key with this nickname. Only valid with \-d.
-+.TP
-+\fB\-c\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
-+The PEM file that contains the public certificate. Only valid with \-k.
-+.TP
-+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
-+The PEM file that contains the private certificate. Only valid with \-c.
-+.TP
-+\fB\-p\fR \fIFILE\fR, \fB\-\-sslpinfile\fR=\fIFILE\fR
-+The name of a file which contains a PIN/password which will be needed in
-+order to make use of the agent credentials.
-+.TP
-+\fB\-P\fR \fIPIN\fR, \fB\-\-sslpin\fR=\fIPIN\fR
-+The name of a file which contains a PIN/password which will be needed in
-+order to make use of the agent credentials.
- .SH EXIT STATUS
- .TP
- 0
-@@ -222,22 +240,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/certmonger-ipa-submit.8.in b/src/certmonger-ipa-submit.8.in
-index 7915142..0e1c90f 100644
---- a/src/certmonger-ipa-submit.8.in
-+++ b/src/certmonger-ipa-submit.8.in
-@@ -1,21 +1,23 @@
--.TH certmonger 8 "16 April 2015" "certmonger Manual"
-+.TH CERTMONGER 8 "April 16, 2015" "certmonger Manual"
- 
- .SH NAME
--ipa-submit
-+ipa\-submit
- 
- .SH SYNOPSIS
--ipa-submit [-h serverHost] [-H serverURL] [-c cafile] [-C capath]
--[[-K]  | [-t keytab] [-k submitterPrincipal]] [-P principalOfRequest] [-T profile] [csrfile]
-+ipa\-submit [\-h serverHost] [\-H serverURL] [\-d domain] [\-L ldapurl] [\-b basedn]
-+[\-c cafile] [\-C capath] [[\-K] | [\-t keytab] [\-k submitterPrincipal]]
-+[\-u UID] [\-W PASSWORD] [\-w FILE] [\-P principalOfRequest] [\-T profile]
-+[\-X issuer] [csrfile]
- 
- .SH DESCRIPTION
--\fIipa-submit\fR is the helper which \fIcertmonger\fR uses to make
--requests to IPA-based CAs.  It is not normally run interactively,
-+\fIipa\-submit\fR is the helper which \fIcertmonger\fR uses to make
-+requests to IPA\-based CAs.  It is not normally run interactively,
- but it can be for troubleshooting purposes.  The signing request which is
- to be submitted should either be in a file whose name is given as an argument,
--or fed into \fIipa-submit\fR via stdin.
-+or fed into \fIipa\-submit\fR via stdin.
- 
- \fBcertmonger\fR supports retrieving trusted certificates from IPA CAs.  See
--\fBgetcert-request\fR(1) and \fBgetcert-resubmit\fR(1) for information about
-+\fBgetcert\-request\fR(1) and \fBgetcert\-resubmit\fR(1) for information about
- specifying where those certificates should be stored on the local system.
- Trusted certificates are retrieved from the \fBcaCertificate\fR attribute of
- entries present at and below \fIcn=cacert,cn=ipa,cn=etc,\fR$BASE in the IPA
-@@ -24,27 +26,27 @@ LDAP server's directory tree, where $BASE defaults to the value of the
- 
- .SH OPTIONS
- .TP
--\fB\-P\fR csrPrincipal
-+\fB\-P\fR \fIPRINCIPAL\fR, \fB\-\-principal\-of\-request\fR=\fIPRINCIPAL\fR
- Identifies the principal name of the service for which the certificate is being
- issued.  This setting is required by IPA and must always be specified.
- .TP
--\fB\-X\fR issuer
-+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fB=\fINAME\fR
- Requests that the certificate be processed by the specified certificate issuer.
- By default, if this flag is not specified, and the \fBCERTMONGER_CA_ISSUER\fR
- variable is set in the environment, then the value of the environment variable
- will be used.  This setting is optional, and if a server returns error 3005,
- indicating that it does not understand multiple profiles, the request will be
--re-submitted without specifying an issuer name.
-+re\-submitted without specifying an issuer name.
- .TP
--\fB\-T\fR profile
-+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
- Requests that the certificate be processed using the specified certificate profile.
- By default, if this flag is not specified, and the \fBCERTMONGER_CA_PROFILE\fR
- variable is set in the environment, then the value of the environment variable
- will be used.  This setting is optional, and if a server returns error 3005,
- indicating that it does not understand multiple profiles, the request will be
--re-submitted without specifying a profile.
-+re\-submitted without specifying a profile.
- .TP
--\fB\-h\fR serverHost
-+\fB\-h\fR \fIHOSTNAME\fR, \fB\-\-host\fR=\fIHOSTNAME\fR
- Submit the request to the IPA server running on the named host.  The default is
- to read the location of the host from \fB/etc/ipa/default.conf\fR.
- If no server is configured, or the configured server cannot be reached, the
-@@ -53,7 +55,7 @@ domain.  If servers are found, they will be searched for entries pointing to
- IPA masters running the "CA" service, and the client will attempt to contact
- each of those in turn.
- .TP
--\fB\-H\fR serverURL
-+\fB\-H\fR \fIURL\fR, \fB\-\-xmlrpc\-url\fR=\fIURL\fR
- Submit the request to the IPA server at the specified location.  The default is
- to read the location of the host from \fB/etc/ipa/default.conf\fR.
- If no server is configured, or the configured server cannot be reached, the
-@@ -62,49 +64,64 @@ domain.  If servers are found, they will be searched for entries pointing to
- IPA masters running the "CA" service, and the client will attempt to contact
- each of those in turn.
- .TP
--\fB\-c\fR cafile
-+\fB\-L\fR \fIURL\fR, \fB\-\-ldap\-url\fR=\fIURL\fR
-+Provide the IPA LDAP service location rather than using DNS discovery.
-+The default is to read the location of the host from
-+\fB/etc/ipa/default.conf\fR and use DNS discovery to find the set of
-+_ldap._tcp.DOMAIN values and pick one for use.
-+.TP
-+\fB\-d\fR \fIDOMAIN\fR, \fB\-\-domain\fR=\fIDOMAIN\fR
-+Use this domain when doing DNS discovery to locate LDAP servers for the IPA
-+installation. The default is to read the location of the host from
-+\fB/etc/ipa/default.conf\fR.
-+.TP
-+\fB\-b\fR \fIBASEDN\fR, \fB\-\-basedn\fR=\fIBASEDN\fR
-+Use this basedn to search for an IPA installation in LDAP. The default is to
-+read the location of the host from \fB/etc/ipa/default.conf\fR.
-+.TP
-+\fB\-c\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR
- The server's certificate was issued by the CA whose certificate is in the named
- file.  The default value is \fI/etc/ipa/ca.crt\fR.
- .TP
--\fB\-C\fR capath
-+\fB\-C\fR \fIPATH\fR, \fB\-\-capath\fR=\fIDIR\fR
- Trust the server if its certificate was issued by a CA whose certificate is in
- a file in the named directory.  There is no default for this option, and it
- is not expected to be necessary.
- .TP
--\fB\-t\fR keytab
-+\fB\-t\fR \fIKEYTAB\fR, \fB\-\-keytab\fR=\fIKEYTAB\fR
- Authenticate to the IPA server using Kerberos with credentials derived from
- keys stored in the named keytab.  The default value can vary, but it is usually
- \fI/etc/krb5.keytab\fR.
--This option conflicts with the \fB-K\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR
-+This option conflicts with the \fB\-K\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR
- options.
- .TP
--\fB\-k\fR authPrincipal
-+\fB\-k\fR \fIPRINCIPAL\fR, \fB\-\-submitter\-principal\fR=\fIPRINCIPAL\fR
- Authenticate to the IPA server using Kerberos with credentials derived from
- keys stored in the named keytab for this principal name.  The default value is
- the \fBhost\fR service for the local host in the local realm.
--This option conflicts with the \fB-K\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR
-+This option conflicts with the \fB\-K\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR
- options.
- .TP
--\fB\-K\fR
-+\fB\-K\fR, \fB\-\-use\-ccache\-creds\fR
- Authenticate to the IPA server using Kerberos with credentials derived from the
- default credential cache rather than a keytab.
--This option conflicts with the \fB-k\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR
-+This option conflicts with the \fB\-k\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR
- options.
- .TP
--\fB\-u\fR uid
-+\fB\-u\fR \fIUSERNAME\fR, \fB\-\-uid\fR=\fIUSERNAME\fR
- Authenticate to the IPA server using a user name and password, using the
- specified value as the user name.
--This option conflicts with the \fB-k\fR, \fB-K\fR, and \fB-t\fR options.
-+This option conflicts with the \fB\-k\fR, \fB\-K\fR, and \fB\-t\fR options.
- .TP
--\fB\-W\fR pwd
-+\fB\-W\fR \fIPASSWORD\fR, \fB\-\-pwd\fR=\fIPASSWORD\fR
- Authenticate to the IPA server using a user name and password, using the
- specified value as the password.
--This option conflicts with the \fB-k\fR, \fB-K\fR, \fB-t\fR, and \fB-w\fR options.
-+This option conflicts with the \fB\-k\fR, \fB\-K\fR, \fB\-t\fR, and \fB\-w\fR options.
- .TP
--\fB\-w\fR pwdfile
-+\fB\-w\fR \fIFILE\fR, \fB\-\-pwdfile\fR=\fIFILE\fR
- Authenticate to the IPA server using a user name and password, reading the
- password from the specified file.
--This option conflicts with the \fB-k\fR, \fB-K\fR, \fB-t\fR, and \fB-W\fR options.
-+This option conflicts with the \fB\-k\fR, \fB\-K\fR, \fB\-t\fR, and \fB\-W\fR options.
- 
- .SH EXIT STATUS
- .TP
-@@ -131,7 +148,7 @@ pair.
- .TP
- .I /etc/ipa/default.conf
- is the IPA client configuration file.  This file is consulted to determine
--the URL for the IPA server's XML-RPC interface.
-+the URL for the IPA server's XML\-RPC interface.
- 
- .SH BUGS
- Please file tickets for any that you find at https://fedorahosted.org/certmonger/
-@@ -139,23 +156,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/certmonger-local-submit.8.in b/src/certmonger-local-submit.8.in
-index 59ed245..b68ffc3 100644
---- a/src/certmonger-local-submit.8.in
-+++ b/src/certmonger-local-submit.8.in
-@@ -1,35 +1,35 @@
--.TH certmonger 8 "7 June 2014" "certmonger Manual"
-+.TH CERTMONGER 8 "June 7, 2014" "certmonger Manual"
- 
- .SH NAME
--local-submit
-+local\-submit
- 
- .SH SYNOPSIS
--local-submit [-d state-directory] [-v] [csrfile]
-+local\-submit [\-d state\-directory] [\-v] [csrfile]
- 
- .SH DESCRIPTION
--\fIlocal-submit\fR is the helper which \fIcertmonger\fR uses to implement
-+\fIlocal\-submit\fR is the helper which \fIcertmonger\fR uses to implement
- its local signer.  It is not normally run interactively, but it can be for
- troubleshooting purposes.  The signing request which is to be submitted
- should either be in a file whose name is given as an argument, or fed into
--\fIlocal-submit\fR via stdin.
-+\fIlocal\-submit\fR via stdin.
- 
--The local signer is currently hard-coded to generate and use a
--@CM_DEFAULT_PUBKEY_SIZE@-bit RSA key and a name and initial serial number based
-+The local signer is currently hard\-coded to generate and use a
-+@CM_DEFAULT_PUBKEY_SIZE@\-bit RSA key and a name and initial serial number based
- on a UUID, replacing that key and certificate at roughly the midpoint of their
- useful lifetime.
- 
--\fBcertmonger\fR supports retrieving the list of current and previously-used
--local CA certificates.  See \fBgetcert-request\fR(1) and
--\fBgetcert-resubmit\fR(1) for information about specifying where those
-+\fBcertmonger\fR supports retrieving the list of current and previously\-used
-+local CA certificates.  See \fBgetcert\-request\fR(1) and
-+\fBgetcert\-resubmit\fR(1) for information about specifying where those
- certificates should be stored.
- 
- .SH OPTIONS
- .TP
--\fB\-d\fR state-directory
-+\fB\-d\fR \fIDIR\fR, \fB\-\-ca\-data\-directory\fR=\fIDIR\fR
- Identifies the directory which contains the local signer's private key,
- certificates, and other data used by the local signer.
- .TP
--\fB\-v\fR
-+\fB\-v\fR, \fB\-\-verbose\fR
- Increases the verbosity of the tool's diagnostic logging.
- 
- .SH EXIT STATUS
-@@ -47,7 +47,7 @@ if critical configuration information is missing.  An error message may be print
- .TP
- .I creds
- is currently a PKCS#12 bundle containing the local signer's current signing key
--and current and previously-used signer certificates.  It should not be modified
-+and current and previously\-used signer certificates.  It should not be modified
- except by the local signer.  A new key is currently generated when ever a new
- signer certificate is needed.
- .TP
-@@ -61,22 +61,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in
-index 42ffcd6..5b8b917 100644
---- a/src/certmonger-scep-submit.8.in
-+++ b/src/certmonger-scep-submit.8.in
-@@ -1,98 +1,98 @@
--.TH certmonger 8 "20 June 2015" "certmonger Manual"
-+.TH CERTMONGER 8 "June 20, 2015" "certmonger Manual"
- 
- .SH NAME
--scep-submit
-+scep\-submit
- 
- .SH SYNOPSIS
--scep-submit -u SERVER-URL
--[-r ra-cert-file]
--[-R ca-cert-file]
--[-I other-certs-file]
--[-N ca-cert-file]
--[-i ca-identifier]
--[-v]
--[-n]
--[-c|-C|-g|-p]
--[pkimessage-filename]
-+scep\-submit \-u SERVER\-URL
-+[\-r ra\-cert\-file]
-+[\-R ca\-cert\-file]
-+[\-I other\-certs\-file]
-+[\-N ca\-cert\-file]
-+[\-i ca\-identifier]
-+[\-v]
-+[\-n]
-+[\-c|\-C|\-g|\-p]
-+[pkimessage\-filename]
- 
- .SH DESCRIPTION
--\fIscep-submit\fR is the helper which \fIcertmonger\fR can use to
-+\fIscep\-submit\fR is the helper which \fIcertmonger\fR can use to
- transmit certificate enrollment and renewal requests to servers using
- SCEP.  It is not normally run interactively, but it can be for
- troubleshooting purposes.
- 
--The request which is to be submitted should be a PEM-encoded SCEP
-+The request which is to be submitted should be a PEM\-encoded SCEP
- pkiMessage either in a file whose name is given as an argument, or fed
--into \fIscep-submit\fR via stdin.
-+into \fIscep\-submit\fR via stdin.
- 
- .SH MODES
- .TP
--\fB\-c\fR
-+\fB\-c\fR, \fR\-\-retrieve\-ca\-capabilities\fR
- \fIscep-submit\fR will issue a \fIGetCACaps\fR request to the server and
- print the results.
- .TP
--\fB\-C\fR
--\fIscep-submit\fR will issue \fIGetCACert\fR and \fIGetCAChain\fR
--requests to the server, parse the responses, and then print, in order,
-+\fB\-C\fR, \fR\-\-retrieve\-ca\-certificates\fR
-+\fIscep-submit\fR will issue a \fIGetCACert\fR
-+request to the server, parse the response, and then print, in order,
- the RA certificate, the CA certificate, and any additional certificates.
- .TP
--\fB\-p\fR
--\fIscep-submit\fR will issue a \fIPKIOperation\fR request to the server
--using the passed-in message as the message content.  It will parse the
-+\fB\-p\fR, \fB\-\-pki\-message\fR
-+\fIscep\-submit\fR will issue a \fIPKIOperation\fR request to the server
-+using the passed\-in message as the message content.  It will parse the
- server's response, verify the signature, and if the response includes an
- issued certificate, it will output the \fIpkcsPKIEnvelope\fR in PEM
- format.  If the response indicates an error, it will print the error.
- .TP
--\fB\-g\fR
--\fIscep-submit\fR will issue a \fIPKIOperation\fR request to the server
--using the passed-in message as the message content.  It will parse the
-+\fB\-g\fR, \fB\-\-get\-initial\-cert\fR
-+\fIscep\-submit\fR will issue a \fIPKIOperation\fR request to the server
-+using the passed\-in message as the message content.  It will parse the
- server's response, verify the signature, and if the response includes an
- issued certificate, it will output the \fIpkcsPKIEnvelope\fR in PEM
- format.  If the response indicates an error, it will print the error.
- .SH OPTIONS
- .TP
--\fB\-u\fR SERVER-URL
-+\fB\-u\fR \fIURL\fR, \fB\-\-url\fR=\fIURL\fR
- The location of the SCEP interface provided by the CA.  This is
--typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or
-+typically \fIhttp://\fBSERVER\fP/cgi\-bin/PKICLIENT.EXE\fR or
- \fIhttp://\fBSERVER\fP/certsrv/mscep/mscep.dll\fR.  This option is
- always required.
- .TP
--\fB\-R\fR CA-certificate-file
-+\fB\-R\fR \fIFILE\fR, \fB\-\-cacert\fR=\fIFILE\fR
- The location of the CA certificate which was used to issue the SCEP web
- server's certificate in PEM form. If the URL specified with the
--\fB-u\fR option is an \fIhttps\fR URL, then this option is required.
-+\fB\-u\fR option is an \fIhttps\fR URL, then this option is required.
- .TP
--\fB\-N\fR ca-certificate-file
--The location of a PEM-formatted copy of the SCEP server's CA certificate.
-+\fB\-N\fR \fIFILE\fR, \fB\-\-signingca\fR=\fIFILE\fR
-+The location of a PEM\-formatted copy of the SCEP server's CA certificate.
- A discovered value is normally supplied by the certmonger daemon, but one can
- be specified for troubleshooting purposes.
- .TP
--\fB\-r\fR RA-certificate-file
-+\fB\-r\fR \fIFILE\fR, \fB\-\-racert\fR=\fIFILE\fR
- The location of the SCEP server's RA certificate, which is expected to
- be used for signing responses sent by the SCEP server back to the
--client.  This option is required when either the \fB-g\fR flag or the
--\fB-p\fR flag is specified.
-+client.  This option is required when either the \fB\-g\fR flag or the
-+\fB\-p\fR flag is specified.
- .TP
--\fB\-I\fR other-certificates-file
--The location of a file containing other PEM-formatted certificates which
-+\fB\-I\fR \fIFILE\fR, \fB\-\-other\-certs\fR=\fIFILE\fR
-+The location of a file containing other PEM\-formatted certificates which
- may be needed in order to properly verify signed responses sent by the
- SCEP server back to the client.  This option may be necessary when
--either the \fB-g\fR flag or the \fB-p\fR flag is specified.
-+either the \fB\-g\fR flag or the \fB\-p\fR flag is specified.
- .TP
--\fB\-i\fR ca-identifier
--When called with the \fB-c\fR or \fB-C\fR flag, this option can be used to
-+\fB\-i\fR \fINAME\fR, \fB\-\-ca\-identifier\fR=\fINAME\fR
-+When called with the \fB\-c\fR or \fB\-C\fR flag, this option can be used to
- specify the CA identifier which is passed to the server as part of the client's
- request.  The default is "0".
- .TP
--\fB\-n\fR
--The SCEP Renewal feature allows a client with a previously-issued certificate
-+\fB\-n\fR, \fB\-\-non\-renewal\fR
-+The SCEP Renewal feature allows a client with a previously\-issued certificate
- to use that certificate and the associated private key to request a new
- certificate for a different key pair, and can be used to support
- \fIcertmonger\fR's rekeying feature if the SCEP server advertises support for
--it.  This option forces the \fIscep-submit\fR helper to prefer to issue
-+it.  This option forces the \fIscep\-submit\fR helper to prefer to issue
- requests which do not make use of this feature.
- .TP
--\fB-v\fR
-+\fB-v\fR, \fB\-\-verbose\fR
- Increases the logging level.  Use twice for more logging.  This option
- is mainly useful for troubleshooting.
- 
-@@ -100,7 +100,7 @@ is mainly useful for troubleshooting.
- .TP
- 0
- if the certificate was issued. The pkcsPKIEnvelope will be printed in
--PEM-encoded form.
-+PEM\-encoded form.
- .TP
- 1
- if the CA is still thinking.  A cookie (state) value will be printed.
-@@ -131,22 +131,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/certmonger.8.in b/src/certmonger.8.in
-index 8c00d5a..a726e3b 100644
---- a/src/certmonger.8.in
-+++ b/src/certmonger.8.in
-@@ -1,14 +1,14 @@
--.TH certmonger 8 "14 June 2015" "certmonger Manual"
-+.TH CERTMONGER 8 "June 14, 2015" "certmonger Manual"
- 
- .SH NAME
- certmonger
- 
- .SH SYNOPSIS
--certmonger [-s|-S] [-L|-l] [-P SOCKET] [-b TIMEOUT|-B] [-n|-f] [-d LEVEL] [-p FILE] [-F] [-c cmd] [-v]
-+certmonger [\-s|\-S] [\-L|\-l] [\-P PATH] [\-b TIMEOUT|\-B] [\-n|\-f] [\-d LEVEL] [\-p FILE] [\-F] [\-c command] [\-v]
- 
- .SH DESCRIPTION
- The \fIcertmonger\fR daemon monitors certificates for impending
--expiration, and can optionally refresh soon-to-be-expired certificates
-+expiration, and can optionally refresh soon\-to\-be\-expired certificates
- with the help of a CA.  If told to, it can drive the entire enrollment
- process from key generation through enrollment and refresh.
- 
-@@ -17,58 +17,58 @@ service, with which client tools such as \fBgetcert\fR(1) interact.
- 
- .SH OPTIONS
- .TP
---s
-+\fB\-s\fR, \fB\-\-session\fR
- Listen on the session bus rather than the system bus.
- .TP
---S
-+\fB\-S\fR, \fB\-\-system\fR
- Listen on the system bus rather than the session bus.  This is the default.
- .TP
---l
-+\fB\-l\fR, \fB\-\-listening\-socket\fR
- Also listen on a private socket for connections from clients running under the
- same UID.
- .TP
---L
-+\fB\-L\fR, \fB\-\-only\-listening\-socket\fR
- Listen only on a private socket for connections from clients running under the
- same UID, and skip connecting to a bus.
- .TP
---P
-+\fB\-P\fR \fIPATH\fR, \fB\-\-listening\-socket\-path\fR=\fIPATH\fR
- Specify a location for the private listening socket.  If the location beings
- with a '/' character, it will be prefixed with 'unix:path=', otherwise it will
- be prefixed with 'unix:'.  If this option is not specified, the listening
- socket, if one is created, will be placed in the abstract namespace.
- .TP
---b TIMEOUT
--Behave as a bus-activated service: if there are no certificates to be monitored
-+\fB\-b \fITIMEOUT\fR, \fR\-\-bus\-activation\-timeout\fB=\fITIMEOUT\fR
-+Behave as a bus\-activated service: if there are no certificates to be monitored
- or obtained, and no requests are received within TIMEOUT seconds, exit.  Not
--compatible with the -c option.
-+compatible with the \-c option.
- .TP
---B
--Don't behave as a bus-activated service.  This is the default.
-+\fB\-B\fR, \fB\-\-no\-bus\-activation\-timeout\fR
-+Don't behave as a bus\-activated service.  This is the default.
- .TP
---n
-+\fB\-n\fR, \fB\-\-nofork\fR
- Don't fork, and log messages to stderr rather than syslog.
- .TP
---f
-+\fB\-f\fR, \fB\-\-fork\fR
- Do fork, and log messages to syslog rather than stderr.  This is the default.
- .TP
---d LEVEL
--Set debugging level.  Higher values produce more debugging output.  Implies -n.
-+\fB\-d\fR \fILEVEL\fR, \fB\-\-debug\-level\fR=\fILEVEL\fR
-+Set debugging level.  Higher values produce more debugging output.  Implies \-n.
- .TP
---p FILE
-+\fB\-p\fR \fIFILE\fR, \fBpidfile\fR=\fIFILE\fR
- Store the daemon's process ID in the named file.
- .TP
---F
-+\fB\-F\fR, \fB\-\-fips\fR
- Force NSS to be initialized in FIPS mode.  The default behavior is to heed
- the setting stored in \fI/proc/sys/crypto/fips_enabled\fR.
- .TP
---c cmd
-+\fB\-c\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR
- After the service has initialized, run the specified command, then shut down
--the service after the command exits.  If the -l or -L option was also
-+the service after the command exits.  If the \-l or \-L option was also
- specified, the command will be run with the \fI@CERTMONGER_PVT_ADDRESS_ENV@\fR
- environment variable set to the listening socket's location.  Not compatible
--with the -b option.
-+with the \-b option.
- .TP
---v
-+\fB\-v\fR, \fB\-\-version\fR
- Print version information and exit.
- 
- .SH FILES
-@@ -89,24 +89,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- 
- .SH SEE ALSO
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in
-index 241f48b..80de748 100644
---- a/src/certmonger.conf.5.in
-+++ b/src/certmonger.conf.5.in
-@@ -1,18 +1,18 @@
--.TH certmonger.conf 5 "12 May 2015" "certmonger Manual"
-+.TH CERTMONGER 5 "May 12, 2015" "certmonger Manual"
- 
- .SH NAME
--certmonger.conf - configuration file for certmonger
-+certmonger.conf \- configuration file for certmonger
- 
- .SH DESCRIPTION
- The \fIcertmonger.conf\fR file contains default settings used by certmonger.
--Its format is more or less that of a typical INI-style file.  The only sections
-+Its format is more or less that of a typical INI\-style file.  The only sections
- currently of note are named \fIdefaults\fR and \fIselfsign\fR.
- 
- .SH DEFAULTS
- Within the \fIdefaults\fR section, these variables and values are recognized:
- 
- .IP notify_ttls
--This is the list of times, given in seconds, before a certificate's not-after
-+This is the list of times, given in seconds, before a certificate's not\-after
- validity date
- (often referred to as its expiration time) when \fIcertmonger\fR should warn
- that the certificate will soon no longer be valid.
-@@ -20,7 +20,7 @@ If this value is not specified, \fIcertmonger\fR will attempt to use the value
- of the \fIttls\fR setting.  The default list of values is "@CM_DEFAULT_TTL_LIST@".
- 
- .IP enroll_ttls
--This is the list of times, given in seconds, before a certificate's not-after
-+This is the list of times, given in seconds, before a certificate's not\-after
- validity date
- (often referred to as its expiration time) when \fIcertmonger\fR should attempt
- to automatically renew the certificate, if it is configured to do so.
-@@ -43,7 +43,7 @@ an email address, or it can be a command to run.  The default value is
- 
- .IP key_type
- This is the type of key pair which will be generated, used in certificate
--signing requests, and used when self-signing certificates.
-+signing requests, and used when self\-signing certificates.
- @NO_MAN_DSA@\fIRSA\fR is supported.
- @MAN_DSA@\fIRSA\fR and \fIDSA\fR are supported.
- @MAN_EC@\fIEC\fR (also known as \fIECDSA\fR) is also supported.
-@@ -58,7 +58,7 @@ software.
- 
- .IP digest
- This is the digest algorithm which will be used when signing certificate
--signing requests and self-signed certificates.  Recognized values include
-+signing requests and self\-signed certificates.  Recognized values include
- \fIsha1\fP, \fIsha256\fP, \fIsha384\fP, and \fIsha512\fP.  The default is
- \fIsha256\fP.  It is not recommended that this value be changed except in cases
- where the default is incompatible with other software.
-@@ -95,14 +95,14 @@ There is effectively no default for this setting.
- Within the \fIselfsign\fR section, these variables and values are recognized:
- 
- .IP validity_period
--This is the validity period given to self-signed certificates.
-+This is the validity period given to self\-signed certificates.
- The value is specified as a combination of years (y), months (M), weeks (w),
- days (d), hours (h), minutes (m), and/or seconds (s).  If no unit of time is
- specified, seconds are assumed.
- The default value is \fI@CM_DEFAULT_CERT_LIFETIME@\fR.
- 
- .IP populate_unique_id
--This controls whether or not self-signed certificates will have their
-+This controls whether or not self\-signed certificates will have their
- subjectUniqueID and issuerUniqueID fields populated.  While RFC5280 prohibits
- their use, they may be needed and/or used by older applications.  The default
- value is \fI@CM_DEFAULT_POPULATE_UNIQUE_ID@\fR.
-@@ -111,7 +111,7 @@ value is \fI@CM_DEFAULT_POPULATE_UNIQUE_ID@\fR.
- Within the \fIlocal\fR section, these variables and values are recognized:
- 
- .IP validity_period
--This is the validity period given to the locally-signed CA's certificate when it
-+This is the validity period given to the locally\-signed CA's certificate when it
- is generated.
- The value is specified as a combination of years (y), months (M), weeks (w),
- days (d), hours (h), minutes (m), and/or seconds (s).  If no unit of time is
-diff --git a/src/getcert-add-ca.1.in b/src/getcert-add-ca.1.in
-index 31b3b93..54f55f5 100644
---- a/src/getcert-add-ca.1.in
-+++ b/src/getcert-add-ca.1.in
-@@ -1,10 +1,10 @@
--.TH certmonger 1 "24 February 2015" "certmonger Manual"
-+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"
- 
- .SH NAME
- getcert
- 
- .SH SYNOPSIS
--getcert add-ca [options]
-+getcert add\-ca [options]
- 
- .SH DESCRIPTION
- Adds a CA configuration to \fIcertmonger\fR, which can subsequently be
-@@ -12,17 +12,17 @@ used to enroll certificates.
- 
- .SH OPTIONS
- .TP
--\fB\-c\fR NAME
-+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
- The nickname to give to this CA configuration.  This same value can later be
- passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and
--\fIstart-tracking\fR commands using the \fB-c\fR flag.
-+\fIstart\-tracking\fR commands using the \fB\-c\fR flag.
- .TP
--\fB\-e\fR COMMAND
-+\fB\-e\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR
- The helper command to run for communicating with the CA.  The helper will be
- used to pass signing requests to the CA, relay the CA's responses back to the
- \fIcertmonger\fR service, and to read information about the CA.
- .TP
--\fB\-v\fR
-+\fB\-v\fR, \fB\-\-verbose\fR
- Be verbose about errors.  Normally, the details of an error received from
- the daemon will be suppressed if the client can make a diagnostic suggestion.
- 
-@@ -32,22 +32,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
-index bf07306..c2751ed 100644
---- a/src/getcert-add-scep-ca.1.in
-+++ b/src/getcert-add-scep-ca.1.in
-@@ -1,64 +1,64 @@
--.TH certmonger 1 "24 February 2015" "certmonger Manual"
-+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"
- 
- .SH NAME
- getcert
- 
- .SH SYNOPSIS
--getcert add-scep-ca [options]
-+getcert add\-scep\-ca [options]
- 
- .SH DESCRIPTION
- Adds a CA configuration to \fIcertmonger\fR, which can subsequently be used to
--enroll certificates.  The configuration will use the bundled \fIscep-submit\fR
--helper.  The \fIadd-scep-ca\fR command is more or less a wrapper for the
--\fIadd-ca\fR command.
-+enroll certificates.  The configuration will use the bundled \fIscep\-submit\fR
-+helper.  The \fIadd\-scep\-ca\fR command is more or less a wrapper for the
-+\fIadd\-ca\fR command.
- 
- .SH OPTIONS
- .TP
--\fB\-c\fR NAME
-+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
- The nickname to give to this CA configuration.  This same value can later be
- passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and
--\fIstart-tracking\fR commands using the \fB-c\fR flag.
-+\fIstart\-tracking\fR commands using the \fB\-c\fR flag.
- .TP
--\fB\-u\fR URL
-+\fB\-u\fR \fIURL\fR, \fB\-\-url\fR=\fIURL\fR
- The location of the SCEP server's enrollment interface.  This option must be
- specified.
- .TP
--\fB\-R\fR ca-certificate-file
--The location of a PEM-formatted copy of the CA's certificate used to verify
-+\fB\-R\fR \fIFILE\fR, \fB\-\-ca\-cacert\fR=\fIFILE\fR
-+The location of a PEM\-formatted copy of the CA's certificate used to verify
- the TLS connection the SCEP server.
- 
- This option must be specified if the URL is an \fIhttps\fR location.
- .TP
--\fB\-N\fR ca-certificate-file
--The location of a PEM-formatted copy of the SCEP server's CA certificate.
-+\fB\-N\fR \fIFILE\fR, \fB\-\-signingca\fR=\fIFILE\fR
-+The location of a PEM\-formatted copy of the SCEP server's CA certificate.
- A discovered value is normally supplied by the certmonger daemon, but one can
- be specified for troubleshooting purposes.
- .TP
--\fB\-r\fR ra-certificate-file
--The location of a PEM-formatted copy of the SCEP server's RA's certificate.
-+\fB\-r\fR \fIFILE\fR, \fB\-\-ra\-cert\fR=\fIFILE\fR
-+The location of a PEM\-formatted copy of the SCEP server's RA's certificate.
- A discovered value is normally supplied by the certmonger daemon, but one can
- be specified for troubleshooting purposes.
- .TP
--\fB\-I\fR other-certificates-file
--The location of a file containing other PEM-formatted certificates which may be
-+\fB\-I\fR \fIFILE\fR, \fB\-\-other\-certs\fR=\fIFILE\fR
-+The location of a file containing other PEM\-formatted certificates which may be
- needed in order to properly verify signed responses sent by the SCEP server
- back to the client.  A discovered set is normally supplied by the certmonger
- daemon, but can be specified for troubleshooting purposes.
- .TP
--\fB\-i\fR identifier
-+\fB\-i\fR \fIID\fR, \fB\-\-id\fR=\fIID\fR
- A CA identifier value which will passed to the server when the
--\fIscep-submit\fR helper is used to retrieve copies of the server's
-+\fIscep\-submit\fR helper is used to retrieve copies of the server's
- certificates.
- .TP
--\fB\-n\fR
--The SCEP Renewal feature allows a client with a previously-issued certificate
-+\fB\-n\fR, \fB\-\-non\-renewal\fR
-+The SCEP Renewal feature allows a client with a previously\-issued certificate
- to use that certificate and the associated private key to request a new
- certificate for a different key pair, and can be used to support
- \fIcertmonger\fR's rekeying feature if the SCEP server advertises support for
--it.  This option forces the \fIscep-submit\fR helper to issue requests without
-+it.  This option forces the \fIscep\-submit\fR helper to issue requests without
- making use of this feature.
- .TP
--\fB\-v\fR
-+\fB\-v\fR, \fB\-\-verbose\fR
- Be verbose about errors.  Normally, the details of an error received from
- the daemon will be suppressed if the client can make a diagnostic suggestion.
- 
-@@ -68,22 +68,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/getcert-list-cas.1.in b/src/getcert-list-cas.1.in
-index 7f250e5..ff4e14f 100644
---- a/src/getcert-list-cas.1.in
-+++ b/src/getcert-list-cas.1.in
-@@ -1,17 +1,17 @@
--.TH certmonger 1 "3 November 2009" "certmonger Manual"
-+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"
- 
- .SH NAME
- getcert
- 
- .SH SYNOPSIS
--getcert list-cas [options]
-+getcert list\-cas [options]
- 
- .SH DESCRIPTION
- Queries \fIcertmonger\fR for a list of known CAs.
- 
- .SH OPTIONS
- .TP
--\fB\-c\fR NAME
-+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
- List only information about the CA which has the specified nickname.
- 
- .SH BUGS
-@@ -20,23 +20,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/getcert-list.1.in b/src/getcert-list.1.in
-index eded28a..9bf4826 100644
---- a/src/getcert-list.1.in
-+++ b/src/getcert-list.1.in
-@@ -1,4 +1,4 @@
--.TH certmonger 1 "28 June 2016" "certmonger Manual"
-+.TH CERTMONGER 1 "June 28, 2016" "certmonger Manual"
- 
- .SH NAME
- getcert
-@@ -12,35 +12,35 @@ monitoring or attempting to obtain.
- 
- .SH ENROLLMENT OPTIONS
- .TP
--\fB\-c\fR NAME
-+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
- List only entries which use the specified CA.  The name of the CA should
--correspond to one listed by \fIgetcert list-cas\fR.
-+correspond to one listed by \fIgetcert list\-cas\fR.
- 
- .SH LISTING OPTIONS
- .TP
--\fB\-r\fR
-+\fB\-r\fR, \fB\-\-requests\-only\fR
- List only entries which are either currently being enrolled or refreshed.
- .TP
--\fB\-t\fR
-+\fB\-t\fR, \fB\-\-tracking\-only\fR
- List only entries which are not currently being enrolled or refreshed.
- .TP
--\fB\-u\fR|\fB--utc\fR
-+\fB\-u\fR, \fB\-\-utc\fR
- Display timestamps in UTC instead of local time.
- 
- .TP
--\fB\-d\fR DIR
-+\fB\-d\fR \fBDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
- List only entries which use an NSS database in the specified directory
- for storing the certificate.
- .TP
--\fB\-n\fR NAME
-+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
- List only tracking requests which use an NSS database and the specified
- nickname for storing the certificate.
- .TP
--\fB\-f\fR FILE
-+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
- List only tracking requests which specify that the certificate should be
- stored in the specified file.
- .TP
--\fB\-i\fR NAME
-+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
- List only tracking requests which use this request nickname.
- 
- .SH STATES
-@@ -53,11 +53,11 @@ The service is currently generating a new key pair.
- .TP
- NEED_KEY_GEN_PERMS
- The service encountered a filesystem permission error while attempting
--to save the newly-generated key pair.
-+to save the newly\-generated key pair.
- .TP
- NEED_KEY_GEN_PIN
- The service is missing the PIN which is required to access an NSS
--database in order to save the newly-generated key pair, or it has an
-+database in order to save the newly\-generated key pair, or it has an
- incorrect PIN for a database.
- .TP
- NEED_KEY_GEN_TOKEN
-@@ -75,7 +75,7 @@ The service is currently reading information about the key pair.
- .TP
- NEED_KEYINFO_READ_PIN
- The service is missing the PIN which is required to access an NSS
--database in order to read information about the newly-generated key pair, or
-+database in order to read information about the newly\-generated key pair, or
- it has an incorrect PIN for a database, or has an incorrect password for
- accessing a key stored in encrypted PEM format.
- .TP
-@@ -161,8 +161,8 @@ The CA approved the signing request, and the service is about to save the
- issued certificate to the location where it has been told to save it.
- .TP
- PRE_SAVE_CERT
--The service is running a configured pre-saving command before saving the
--newly-issued certificate to the location where it has been told to save
-+The service is running a configured pre\-saving command before saving the
-+newly\-issued certificate to the location where it has been told to save
- it.
- .TP
- START_SAVING_CERT
-@@ -175,16 +175,16 @@ where it has been told to save it.
- .TP
- NEED_CERTSAVE_PERMS
- The service encountered a filesystem permission error while attempting
--to save the newly-issued certificate to the location where it has been
-+to save the newly\-issued certificate to the location where it has been
- told to save it.
- .TP
- NEED_CERTSAVE_TOKEN
--The service is unable to find the token in which the newly-issued
-+The service is unable to find the token in which the newly\-issued
- certificate is to be stored.
- .TP
- NEED_CERTSAVE_PIN
- The service is missing the PIN which is required to access an NSS
--database in order to save the newly-issued certificate to the location
-+database in order to save the newly\-issued certificate to the location
- where it has been told to save it.
- .TP
- NEED_TO_SAVE_CA_CERTS
-@@ -231,22 +231,22 @@ issuer's certificate to the locations where it has been told to save
- them.
- .TP
- POST_SAVED_CERT
--The service is running a configured post-saving command after saving the
--newly-issued certificate to the location where it has been told to save
-+The service is running a configured post\-saving command after saving the
-+newly\-issued certificate to the location where it has been told to save
- them.
- .TP
- MONITORING
- The service is monitoring the certificate and waiting for its
--not-valid-after date to approach.  This is expected to be the status
-+not\-valid\-after date to approach.  This is expected to be the status
- most often seen.
- .TP
- NEED_TO_NOTIFY_VALIDITY
- The service is about to notify the system administrator that the
--certificate's not-valid-after date is approaching.
-+certificate's not\-valid\-after date is approaching.
- .TP
- NOTIFYING_VALIDITY
- The service is notifying the system administrator that the certificate's
--not-valid-after date is approaching.
-+not\-valid\-after date is approaching.
- .TP
- NEED_TO_NOTIFY_REJECTION
- The service is about to notify the system administrator that the
-@@ -350,23 +350,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/getcert-modify-ca.1.in b/src/getcert-modify-ca.1.in
-index 36677c5..90bc621 100644
---- a/src/getcert-modify-ca.1.in
-+++ b/src/getcert-modify-ca.1.in
-@@ -1,23 +1,23 @@
--.TH certmonger 1 "24 February 2015" "certmonger Manual"
-+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"
- 
- .SH NAME
- getcert
- 
- .SH SYNOPSIS
--getcert modify-ca [options]
-+getcert modify\-ca [options]
- 
- .SH DESCRIPTION
- Modifies the helper command in a \fIcertmonger\fR CA configuration.
- 
- .SH OPTIONS
- .TP
--\fB\-c\fR NAME
-+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
- The nickname of the CA configuration to modify.
- .TP
--\fB\-e\fR COMMAND
-+\fB\-e\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR
- The new helper command to run for communicating with the CA.
- .TP
--\fB\-v\fR
-+\fB\-v\fR, \fB\-\-verbose\fR
- Be verbose about errors.  Normally, the details of an error received from
- the daemon will be suppressed if the client can make a diagnostic suggestion.
- 
-@@ -27,22 +27,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/getcert-refresh-ca.1.in b/src/getcert-refresh-ca.1.in
-index 2662adc..86318e7 100644
---- a/src/getcert-refresh-ca.1.in
-+++ b/src/getcert-refresh-ca.1.in
-@@ -1,21 +1,21 @@
--.TH certmonger 1 "29 May 2014" "certmonger Manual"
-+.TH CERTMONGER 1 "May 29, 2014" "certmonger Manual"
- 
- .SH NAME
- getcert
- 
- .SH SYNOPSIS
--getcert refresh-ca [options]
-+getcert refresh\-ca [options]
- 
- .SH DESCRIPTION
- Forces \fIcertmonger\fR to refresh information specific to a CA, such as
--locally-stored copies of its certificates.
-+locally\-stored copies of its certificates.
- 
- .SH OPTIONS
- .TP
--\fB\-c\fR NAME
-+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
- Refresh information about the CA which has the specified nickname.
- .TP
--\fB\-a\fR
-+\fB\-a\fR, \fB\-\-all\fR
- Refresh information about all known CAs.
- 
- .SH BUGS
-@@ -24,24 +24,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/getcert-refresh.1.in b/src/getcert-refresh.1.in
-index 660c2ec..79028c1 100644
---- a/src/getcert-refresh.1.in
-+++ b/src/getcert-refresh.1.in
-@@ -1,4 +1,4 @@
--.TH certmonger 1 "21 July 2014" "certmonger Manual"
-+.TH CERTMONGER 1 "July 24, 2014" "certmonger Manual"
- 
- .SH NAME
- getcert
-@@ -13,7 +13,7 @@ waiting for the CA.
- 
- .SH SPECIFYING REQUESTS BY NICKNAME
- .TP
--\fB\-i\fR NAME
-+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
- Check on the status of the signing request which has this nickname.
- If this option is not specified, and a tracking entry which matches the
- certificate storage options which are specified already exists, that entry
-@@ -23,24 +23,24 @@ with the \fB\-f\fR option.
- 
- .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION
- .TP
--\fB\-d\fR DIR
-+\fB\-d\fR \rIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
- The certificate is in the NSS database in the specified directory.
- .TP
--\fB\-n\fR NAME
-+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
- The certificate in the NSS database named with \fB\-d\fR has the specified
- nickname.  Only valid with \fB\-d\fR.
- .TP
--\fB\-t\fR TOKEN
-+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
- If the NSS database has more than one token available, the certificate
- is stored in this token.  This argument only rarely needs to be specified.
- Only valid with \fB\-d\fR.
- .TP
--\fB\-f\fR FILE
-+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
- The certificate is stored in the named file.
- 
- .SH OPTIONS
- .TP
--\fB\-a\fR
-+\fB\-a\fR, \fB\-\-all\fR
- Refresh information about all requests for which the service will need to
- attempt to contact the CA again.
- 
-@@ -50,23 +50,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/getcert-rekey.1.in b/src/getcert-rekey.1.in
-index 39ba761..fd848e7 100644
---- a/src/getcert-rekey.1.in
-+++ b/src/getcert-rekey.1.in
-@@ -1,4 +1,4 @@
--.TH certmonger 1 "31 July 2015" "certmonger Manual"
-+.TH CERTMONGER 1 "July 31, 2015" "certmonger Manual"
- 
- .SH NAME
- getcert
-@@ -13,7 +13,7 @@ order to replace both a certificate and its private key.
- 
- .SH SPECIFYING REQUESTS BY NICKNAME
- .TP
--\fB\-i\fR NAME
-+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
- The new key pair will be generated and the new certificate will be obtained for
- the tracking request which has this nickname.  If this option is not specified,
- and a tracking entry which matches the key and certificate storage options
-@@ -23,62 +23,61 @@ of the \fB\-d\fR and \fB\-n\fR options, or with the \fB\-f\fR option.
- 
- .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION
- .TP
--\fB\-d\fR DIR
-+\fB\-d\fR \fIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
- The certificate is in the NSS database in the specified directory.
- .TP
--\fB\-n\fR NAME
-+\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
- The certificate in the NSS database named with \fB\-d\fR has the specified
- nickname.  Only valid with \fB\-d\fR.
- .TP
--\fB\-t\fR TOKEN
-+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
- If the NSS database has more than one token available, the certificate
- is stored in this token.  This argument only rarely needs to be specified.
- Only valid with \fB\-d\fR.
- .TP
--\fB\-f\fR FILE
-+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
- The certificate is stored in the named file.
- 
- .SH KEY GENERATION OPTIONS
- .TP
--\fB\-G\fR TYPE
-+\fB\-G\fR \fITYPE\fR, \fB\-\-key\-type\fR=\fITYPE\fR
- In case a new key pair needs to be generated, this option specifies the
- type of the keys to be generated.  If not specified, the current key type
- will be used.
- .TP
--\fB\-g\fR BITS
-+\fB\-g\fR \fIBITS\fR, \fB\-\-key\-size\fR=\fIBITS\fR
- This option specifies the size of the new key to be generated.  If not
- specified, a key of the same size as the existing key will be generated.
- 
--\fB\-c\fR NAME
- .SH ENROLLMENT OPTIONS
- .TP
--\fB\-c\fR NAME
-+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
- Submit the new signing request to the specified CA rather than the one which
- was previously associated with this certificate.  The name of
--the CA should correspond to one listed by \fIgetcert list-cas\fR.
-+the CA should correspond to one listed by \fIgetcert list\-cas\fR.
- .TP
--\fB\-T\fR NAME
-+\fB\-T\fR \fINAME, \fB\-\-profile\fR=\fINAME\fR
- Request a certificate using the named profile, template, or certtype,
- from the specified CA.
- .TP
--\fB\-\-ms-template-spec\fR SPEC
-+\fB\-\-ms\-template\-spec\fR \fISPEC\fR
- Include a V2 Certificate Template extension in the signing request.
- This datum includes an Object Identifier, a major version number
- (positive integer) and an optional minor version number.  The format
- is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.
- .TP
--\fB\-X\fR NAME
-+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR
- Request a certificate using the named issuer from the specified CA.
- .TP
--\fB\-I\fR NAME
-+\fB\-I\fR \fINAME\fR, \fB\-\-new\-id\fR=\fINAME\fR
- Assign the specified nickname to this task, replacing the previous nickname.
- 
- .SH SIGNING REQUEST OPTIONS
- .TP
--\fB\-N\fR NAME
-+\fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR
- Change the subject name to include in the signing request.
- .TP
--\fB\-u\fR keyUsage
-+\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR
- Add an extensionRequest for the specified keyUsage to the
- signing request.  The keyUsage value is expected to be one of these names:
- 
-@@ -100,62 +99,74 @@ encipherOnly
- 
- decipherOnly
- .TP
--\fB\-U\fR EKU
-+\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR
- Change the extendedKeyUsage value specified in an extendedKeyUsage
- extension part of the extensionRequest attribute in the signing
- request.  The EKU value is expected to be an object identifier (OID).
- .TP
--\fB\-K\fR NAME
-+\fB\-K\fR \fINAME\fB, \fB\-\-ca\fR=\fINAME\fR
- Change the Kerberos principal name specified as part of a subjectAltName
- extension part of the extensionRequest attribute in the signing request.
- .TP
--\fB\-E\fR EMAIL
-+\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR
- Change the email address specified as part of a subjectAltName
- extension part of the extensionRequest attribute in the signing request.
- .TP
--\fB\-D\fR DNSNAME
-+\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR
- Change the DNS name specified as part of a subjectAltName extension part of the
- extensionRequest attribute in the signing request.
- .TP
--\fB\-A\fR ADDRESS
-+\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR
- Change the IP address specified as part of a subjectAltName extension part of
- the extensionRequest attribute in the signing request.
- .TP
--\fB\-l\fR FILE
-+\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fINAME\fR
- Add an optional ChallengePassword value, read from the file, to the signing
- request.  A ChallengePassword is often required when the CA is accessed using
- SCEP.
- .TP
--\fB\-L\fR PIN
-+\fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR
- Add the argument value to the signing request as a ChallengePassword attribute.
- A ChallengePassword is often required when the CA is accessed using SCEP.
- 
- .SH OTHER OPTIONS
- .TP
--\fB\-B\fR COMMAND
-+\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR
- When ever the certificate or the CA's certificates are saved to the
- specified locations, run the specified command as the client user before
- saving the certificates.
- .TP
--\fB\-C\fR COMMAND
-+\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR
- When ever the certificate or the CA's certificates are saved to the
- specified locations, run the specified command as the client user after
- saving the certificates.
- .TP
--\fB\-a\fR DIR
-+\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR
- When ever the certificate is saved to the specified location, if root
- certificates for the CA are available, save them to the specified NSS database.
- .TP
--\fB\-F\fR FILE
-+\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR
- When ever the certificate is saved to the specified location, if root
- certificates for the CA are available, and when the local copies of the
- CA's root certificates are updated, save them to the specified file.
- .TP
--\fB\-w\fR
-+\fB\-\-for\-ca\fR
-+Request a CA certificate.
-+.TP
-+\fB\-\-not\-for\-ca\fR
-+Request a non\-CA certificate (the default).
-+.TP
-+\fB\-\-ca\-path\-length\fR=\fILENGTH\fR
-+Path length for CA certificate. Only valid with \-\-for\-ca.
-+.TP
-+\fB\-w\fR, \fB\-\-wait\fR
- Wait for the new certificate to be issued and saved, or for the attempt to obtain
- one using the new key to fail.
- .TP
--\fB\-v\fR
-+\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR
-+Maximum time to wait for the certificate to be issued.
-+.TP
-+\fB\-v\fR \fB\-\-verbose\fR
- Be verbose about errors.  Normally, the details of an error received from
- the daemon will be suppressed if the client can make a diagnostic suggestion.
- 
-@@ -165,22 +176,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/getcert-remove-ca.1.in b/src/getcert-remove-ca.1.in
-index 4b29db7..1839f84 100644
---- a/src/getcert-remove-ca.1.in
-+++ b/src/getcert-remove-ca.1.in
-@@ -1,10 +1,10 @@
--.TH certmonger 1 "24 February 2015" "certmonger Manual"
-+.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"
- 
- .SH NAME
- getcert
- 
- .SH SYNOPSIS
--getcert remove-ca [options]
-+getcert remove\-ca [options]
- 
- .SH DESCRIPTION
- Remove a CA configuration from \fIcertmonger\fR.  Enrollment requests which
-@@ -12,10 +12,10 @@ reference the CA will behave as though they have no assigned CA.
- 
- .SH OPTIONS
- .TP
--\fB\-c\fR NAME
-+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
- The nickname of the CA configuration to remove.
- .TP
--\fB\-v\fR
-+\fB\-v\fR, \fB\-\-verbose\fR
- Be verbose about errors.  Normally, the details of an error received from
- the daemon will be suppressed if the client can make a diagnostic suggestion.
- 
-@@ -25,22 +25,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/getcert-request.1.in b/src/getcert-request.1.in
-index ba43016..89bc080 100644
---- a/src/getcert-request.1.in
-+++ b/src/getcert-request.1.in
-@@ -1,4 +1,4 @@
--.TH certmonger 1 "9 February 2015" "certmonger Manual"
-+.TH CERTMONGER 1 "February 9, 2015" "certmonger Manual"
- 
- .SH NAME
- getcert
-@@ -14,87 +14,87 @@ CA.
- 
- .SH KEY AND CERTIFICATE STORAGE OPTIONS
- .TP
--\fB\-d\fR DIR
-+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
- Use an NSS database in the specified directory for storing this
- certificate and key.
- .TP
--\fB\-n\fR NAME
-+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
- Use the key with this nickname to generate the signing request.  If no
- such key is found, generate one.  Give the enrolled certificate this
- nickname, too.
- Only valid with \fB\-d\fR.
- .TP
--\fB\-t\fR TOKEN
-+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
- If the NSS database has more than one token available, use the token
- with this name for storing and accessing the certificate and key.  This
- argument only rarely needs to be specified.
- Only valid with \fB\-d\fR.
- .TP
--\fB\-f\fR FILE
-+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
- Store the issued certificate in this file.  For safety's sake, do not
- use the same file specified with the \fB\-k\fR option.
- .TP
--\fB\-k\fR FILE
-+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
- Use the key stored in this file to generate the signing request.  If no
- such file is found, generate a new key pair and store them in the file.
- Only valid with \fB\-f\fR.
- 
- .SH KEY ENCRYPTION OPTIONS
- .TP
--\fB\-p\fR FILE
-+\fB\-p\fR \fIFILE\fR, \fB\-\-pinfile\fR=\fIFILE\fR
- Encrypt private key files or databases using the PIN stored in the named
- file as the passphrase.
- .TP
--\fB\-P\fR PIN
-+\fB\-P\fR \fIPIN\fR, \fB\-\-pin\fR=\fIPIN\fR
- Encrypt private key files or databases using the specified PIN as the
--passphrase.  Because command-line arguments to running processes are
-+passphrase.  Because command\-line arguments to running processes are
- trivially discoverable, use of this option is not recommended except
- for testing.
- 
- .SH KEY GENERATION OPTIONS
- .TP
--\fB\-G\fR TYPE
-+\fB\-G\fR \fITYPE\fR, \fB\-\-key\-type\fR=\fITYPE\fR
- In case a new key pair needs to be generated, this option specifies the
- type of the keys to be generated.  If not specified, a reasonable default
- (currently \fIRSA\fR) will be used.
- .TP
--\fB\-g\fR BITS
-+\fB\-g\fR \fIBITS\fR, \fB\-\-key\-size\fR=\fIBITS\fR
- In case a new key pair needs to be generated, this option specifies the
- size of the key.  If not specified, a reasonable default (currently
- @CM_DEFAULT_PUBKEY_SIZE@ bits) will be used.
- 
- .SH TRACKING OPTIONS
- .TP
--\fB\-r\fR
-+\fB\-r\fR, \fB\-\-renew\fR
- Attempt to obtain a new certificate from the CA when the expiration date of a
- certificate nears.  This is the default setting.
- .TP
--\fB\-R\fR
-+\fB\-R\fR, \fB\-\-no\-renew\fR
- Don't attempt to obtain a new certificate from the CA when the expiration date
- of a certificate nears.  If this option is specified, an expired certificate
- will simply stay expired.
- .TP
--\fB\-I\fR NAME
-+\fB\-I\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
- Assign the specified nickname to this task.  If this option is not specified,
- a name will be assigned automatically.
- 
- .SH ENROLLMENT OPTIONS
- .TP
--\fB\-c\fR NAME
-+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
- Enroll with the specified CA rather than a possible default.  The name of
--the CA should correspond to one listed by \fIgetcert list-cas\fR.
-+the CA should correspond to one listed by \fIgetcert list\-cas\fR.
- .TP
--\fB\-T\fR NAME
-+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
- Request a certificate using the named profile, template, or certtype,
- from the specified CA.
- .TP
--\fB\-\-ms-template-spec\fR SPEC
-+\fB\-\-ms\-template\-spec\fR \fISPEC\fR
- Include a V2 Certificate Template extension in the signing request.
- This datum includes an Object Identifier, a major version number
- (positive integer) and an optional minor version number.  The format
- is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.
- .TP
--\fB\-X\fR NAME
-+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR
- Request a certificate using the named issuer from the specified CA.
- 
- .SH SIGNING REQUEST OPTIONS
-@@ -108,11 +108,11 @@ The options \fB\-K\fR, \fB\-E\fR, \fB\-D\fR and \fB\-A\fR may be provided
- multiple times to set multiple subjectAltName of the same type.
- 
- .TP
--\fB\-N\fR NAME
-+\fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR
- Set the subject name to include in the signing request.  The default
- used is CN=\fIhostname\fR, where \fIhostname\fR is the local hostname.
- .TP
--\fB\-u\fR keyUsage
-+\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR
- Add an extensionRequest for the specified keyUsage to the
- signing request.  The keyUsage value is expected to be one of these names:
- 
-@@ -134,84 +134,113 @@ encipherOnly
- 
- decipherOnly
- .TP
--\fB\-U\fR EKU
-+\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR
- Add an extensionRequest for the specified extendedKeyUsage to the
- signing request.  The EKU value is expected to be an object identifier
- (OID), but some specific names are also recognized.  These are some
- names and their associated OID values:
- 
--id-kp-serverAuth 1.3.6.1.5.5.7.3.1
-+id\-kp\-serverAuth 1.3.6.1.5.5.7.3.1
- 
--id-kp-clientAuth 1.3.6.1.5.5.7.3.2
-+id\-kp\-clientAuth 1.3.6.1.5.5.7.3.2
- 
--id-kp-codeSigning 1.3.6.1.5.5.7.3.3
-+id\-kp\-codeSigning 1.3.6.1.5.5.7.3.3
- 
--id-kp-emailProtection 1.3.6.1.5.5.7.3.4
-+id\-kp\-emailProtection 1.3.6.1.5.5.7.3.4
- 
--id-kp-timeStamping 1.3.6.1.5.5.7.3.8
-+id\-kp\-timeStamping 1.3.6.1.5.5.7.3.8
- 
--id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9
-+id\-kp\-OCSPSigning 1.3.6.1.5.5.7.3.9
- 
--id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4
-+id\-pkinit\-KPClientAuth 1.3.6.1.5.2.3.4
- 
--id-pkinit-KPKdc 1.3.6.1.5.2.3.5
-+id\-pkinit\-KPKdc 1.3.6.1.5.2.3.5
- 
--id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2
-+id\-ms\-kp\-sc\-logon 1.3.6.1.4.1.311.20.2.2
- .TP
--\fB\-K\fR NAME
-+\fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR
- Add an extensionRequest for a subjectAltName, with the specified Kerberos
- principal name as its value, to the signing request.
- .TP
--\fB\-E\fR EMAIL
-+\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR
- Add an extensionRequest for a subjectAltName, with the specified email
- address as its value, to the signing request.
- .TP
--\fB\-D\fR DNSNAME
-+\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR
- Add an extensionRequest for a subjectAltName, with the specified DNS name
- as its value, to the signing request.
- .TP
--\fB\-A\fR ADDRESS
-+\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR
- Add an extensionRequest for a subjectAltName, with the specified IP address
- as its value, to the signing request.
- .TP
--\fB\-l\fR FILE
-+\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR
- Add an optional ChallengePassword value, read from the file, to the signing
- request.  A ChallengePassword is often required when the CA is accessed using
- SCEP.
- .TP
--\fB\-L\fR PIN
-+\fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR
- Add the argument value to the signing request as a ChallengePassword attribute.
- A ChallengePassword is often required when the CA is accessed using SCEP.
- 
- .SH OTHER OPTIONS
- .TP
--\fB\-B\fR COMMAND
-+\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR
- When ever the certificate or the CA's certificates are saved to the
- specified locations, run the specified command as the client user before
- saving the certificates.
- .TP
--\fB\-C\fR COMMAND
-+\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR
- When ever the certificate or the CA's certificates are saved to the
- specified locations, run the specified command as the client user after
- saving the certificates.
- .TP
--\fB\-a\fR DIR
-+\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR
- When ever the certificate is saved to the specified location, if root
- certificates for the CA are available, save them to the specified NSS database.
- .TP
--\fB\-F\fR FILE
-+\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR
- When ever the certificate is saved to the specified location, if root
- certificates for the CA are available, and when the local copies of the
- CA's root certificates are updated, save them to the specified file.
- .TP
--\fB\-w\fR
-+\fB\-\-for\-ca\fR
-+Request a CA certificate.
-+.TP
-+\fB\-\-not\-for\-ca\fR
-+Request a non\-CA certificate (the default).
-+.TP
-+\fB\-\-ca\-path\-length\fR=\fILENGTH\fR
-+Path length for CA certificate. Only valid with \-\-for\-ca.
-+.TP
-+\fB\-w\fR, \fB\-\-wait\fR
- Wait for the certificate to be issued and saved, or for the attempt to obtain
- one to fail.
- .TP
--\fB\-v\fR
-+\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR
-+Maximum time to wait for the certificate to be issued.
-+.TP
-+\fB\-v\fR, \fB\-\-verbose\fR
- Be verbose about errors.  Normally, the details of an error received from
- the daemon will be suppressed if the client can make a diagnostic suggestion.
--
-+\fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR
-+After generation set the owner on the private key file or database to OWNER.
-+.TP
-+\fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR
-+After generation set the file permissions on the private key file or database to MODE.
-+.TP
-+\fB\-O\fR \fIOWNER\fR, \fR\-\-cert\-owner\fR=\fIOWNER\fR
-+After generation set the owner on the certificate file or database to OWNER.
-+.TP
-+\fB\-M\fR \fIMODE\fR, \fR\-\-cert\-perms\fR=\fIMODE\fR
-+After generation set the file permissions on the certificate file or database to MODE.
-+.SH BUS OPTIONS
-+\fB\-s\fR, \fB\-\-session\fR
-+Connect to certmonger on the session bus rather than the system bus.
-+.TP
-+\fB\-S\fR, \fB\-\-system\fR
-+Connect to certmonger on the system bus rather than the session bus.  This
-+is the default.
- .SH NOTES
- Locations specified for key and certificate storage need to be
- accessible to the \fIcertmonger\fR daemon process.  When run as a system
-@@ -219,7 +248,7 @@ daemon on a system which uses a mandatory access control mechanism such
- as SELinux, the system policy must ensure that the daemon is allowed to
- access the locations where certificates and keys that it will manage
- will be stored (these locations are typically labeled as \fIcert_t\fR or
--an equivalent).  More SELinux-specific information can be found in the
-+an equivalent).  More SELinux\-specific information can be found in the
- \fIselinux.txt\fR documentation file for this package.
- 
- .SH BUGS
-@@ -228,23 +257,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/getcert-resubmit.1.in b/src/getcert-resubmit.1.in
-index f9e6bb1..aefea51 100644
---- a/src/getcert-resubmit.1.in
-+++ b/src/getcert-resubmit.1.in
-@@ -1,4 +1,4 @@
--.TH certmonger 1 "9 February 2015" "certmonger Manual"
-+.TH CERTMONGER 1 "February 9, 2015" "certmonger Manual"
- 
- .SH NAME
- getcert
-@@ -12,7 +12,7 @@ submit (or resubmit) the signing request to a CA for signing.
- 
- .SH SPECIFYING REQUESTS BY NICKNAME
- .TP
--\fB\-i\fR NAME
-+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
- Resubmit a signing request for the tracking request which has this nickname.
- If this option is not specified, and a tracking entry which matches the key
- and certificate storage options which are specified already exists, that entry
-@@ -22,50 +22,50 @@ with the \fB\-f\fR option.
- 
- .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION
- .TP
--\fB\-d\fR DIR
-+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
- The certificate is in the NSS database in the specified directory.
- .TP
--\fB\-n\fR NAME
-+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
- The certificate in the NSS database named with \fB\-d\fR has the specified
- nickname.  Only valid with \fB\-d\fR.
- .TP
--\fB\-t\fR TOKEN
-+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
- If the NSS database has more than one token available, the certificate
- is stored in this token.  This argument only rarely needs to be specified.
- Only valid with \fB\-d\fR.
- .TP
--\fB\-f\fR FILE
-+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
- The certificate is stored in the named file.
- 
- .SH ENROLLMENT OPTIONS
- .TP
--\fB\-c\fR NAME
-+\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
- Submit the new signing request to the specified CA rather than the one which
- was previously associated with this certificate.  The name of
--the CA should correspond to one listed by \fIgetcert list-cas\fR.
-+the CA should correspond to one listed by \fIgetcert list\-cas\fR.
- .TP
--\fB\-T\fR NAME
-+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
- Request a certificate using the named profile, template, or certtype,
- from the specified CA.
- .TP
--\fB\-\-ms-template-spec\fR SPEC
-+\fB\-\-ms\-template\-spec\fR \fISPEC\fR
- Include a V2 Certificate Template extension in the signing request.
- This datum includes an Object Identifier, a major version number
- (positive integer) and an optional minor version number.  The format
- is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.
- .TP
--\fB\-X\fR NAME
-+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR
- Request a certificate using the named issuer from the specified CA.
- .TP
--\fB\-I\fR NAME
-+\fB\-I\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
- Assign the specified nickname to this task, replacing the previous nickname.
- 
- .SH SIGNING REQUEST OPTIONS
- .TP
--\fB\-N\fR NAME
-+\fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR
- Change the subject name to include in the signing request.
- .TP
--\fB\-u\fR keyUsage
-+\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR
- Add an extensionRequest for the specified keyUsage to the
- signing request.  The keyUsage value is expected to be one of these names:
- 
-@@ -87,64 +87,84 @@ encipherOnly
- 
- decipherOnly
- .TP
--\fB\-U\fR EKU
-++\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR
- Change the extendedKeyUsage value specified in an extendedKeyUsage
- extension part of the extensionRequest attribute in the signing
- request.  The EKU value is expected to be an object identifier (OID).
- .TP
--\fB\-K\fR NAME
-+\fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR
- Change the Kerberos principal name specified as part of a subjectAltName
- extension part of the extensionRequest attribute in the signing request.
- .TP
--\fB\-E\fR EMAIL
-+\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR
- Change the email address specified as part of a subjectAltName
- extension part of the extensionRequest attribute in the signing request.
- .TP
--\fB\-D\fR DNSNAME
-+\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR
- Change the DNS name specified as part of a subjectAltName extension part of the
- extensionRequest attribute in the signing request.
- .TP
--\fB\-A\fR ADDRESS
-+\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR
- Change the IP address specified as part of a subjectAltName extension part of
- the extensionRequest attribute in the signing request.
- .TP
--\fB\-l\fR FILE
-+\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR
- Add an optional ChallengePassword value, read from the file, to the signing
- request.  A ChallengePassword is often required when the CA is accessed using
- SCEP.
- .TP
--\fB\-L\fR PIN
-+\fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR
- Add the argument value to the signing request as a ChallengePassword attribute.
- A ChallengePassword is often required when the CA is accessed using SCEP.
- 
- .SH OTHER OPTIONS
- .TP
--\fB\-B\fR COMMAND
-+\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR
- When ever the certificate or the CA's certificates are saved to the
- specified locations, run the specified command as the client user before
- saving the certificates.
- .TP
--\fB\-C\fR COMMAND
-+\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR
- When ever the certificate or the CA's certificates are saved to the
- specified locations, run the specified command as the client user after
- saving the certificates.
- .TP
--\fB\-a\fR DIR
-+\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR
- When ever the certificate is saved to the specified location, if root
- certificates for the CA are available, save them to the specified NSS database.
- .TP
--\fB\-F\fR FILE
-+\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR
- When ever the certificate is saved to the specified location, if root
- certificates for the CA are available, and when the local copies of the
- CA's root certificates are updated, save them to the specified file.
- .TP
--\fB\-w\fR
-+\fB\-\-for\-ca\fR
-+Request a CA certificate.
-+.TP
-+\fB\-\-not\-for\-ca\fR
-+Request a non\-CA certificate (the default).
-+.TP
-+\fB\-\-ca\-path\-length\fR=\fILENGTH\fR
-+Path length for CA certificate. Only valid with \-\-for\-ca.
-+.TP
-+\fB\-w\fR, \fB\-\-wait\fR
- Wait for the certificate to be reissued and saved, or for the attempt to obtain
- one to fail.
- .TP
--\fB\-v\fR
-+\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR
-+Maximum time to wait for the certificate to be issued.
-+.TP
-+\fB\-v\fR, \fB\-\-verbose\fR
- Be verbose about errors.  Normally, the details of an error received from
- the daemon will be suppressed if the client can make a diagnostic suggestion.
-+\fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR
-+After generation set the owner on the private key file or database to OWNER.
-+\fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR
-+After generation set the file permissions on the private key file or database to MODE.
-+\fB\-O\fR \fIOWNER\fR, \fB\-\-cert\-owner\fR=\fIOWNER\fR
-+After generation set the owner on the certificate file or database to OWNER.
-+\fB\-M\fR \fIMODE\fR, \fB\-\-cert\-perms\fR=\fIMODE\fR
-+After generation set the file permissions on the certificate file or database to MODE.
- 
- .SH BUGS
- Please file tickets for any that you find at https://fedorahosted.org/certmonger/
-@@ -152,23 +172,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/getcert-start-tracking.1.in b/src/getcert-start-tracking.1.in
-index f60e4a7..fff16f5 100644
---- a/src/getcert-start-tracking.1.in
-+++ b/src/getcert-start-tracking.1.in
-@@ -1,13 +1,13 @@
--.TH certmonger 1 "9 February 2015" "certmonger Manual"
-+.TH CERTMONGER 1 "February 9, 2015" "certmonger Manual"
- 
- .SH NAME
- getcert
- 
- .SH SYNOPSIS
--getcert start-tracking [options]
-+getcert start\-tracking [options]
- 
- .SH DESCRIPTION
--Tells \fIcertmonger\fR to monitor an already-issued certificate.
-+Tells \fIcertmonger\fR to monitor an already\-issued certificate.
- Optionally, when the certificate nears expiration, use an existing key
- pair (or to generate one if one is not already found in the specified
- location), to generate a signing request using the key pair and to
-@@ -15,7 +15,7 @@ submit them for signing to a CA.
- 
- .SH SPECIFYING EXISTING REQUESTS
- .TP
--\fB\-i\fR NAME
-+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
- Modify the request which has this nickname.  If this option is not specified,
- and a tracking entry which matches the key and certificate storage options
- which are specified already exists, that entry will be modified.  Otherwise, a
-@@ -23,27 +23,27 @@ new tracking entry will be added.
- 
- .SH KEY AND CERTIFICATE STORAGE OPTIONS
- .TP
--\fB\-d\fR DIR
-+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
- Use an NSS database in the specified directory for reading this
- certificate and, if possible, the corresponding key.
- .TP
--\fB\-n\fR NAME
-+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
- Use the certificate with this nickname, and if a private key with the
- same nickname or which corresponds to the certificate is available, to
- use it, too.
- Only valid with \fB\-d\fR.
- .TP
--\fB\-t\fR TOKEN
-+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
- If the NSS database has more than one token available, use the token
- with this name for accessing the certificate and key.  This argument
- only rarely needs to be specified.
- Only valid with \fB\-d\fR.
- .TP
--\fB\-f\fR FILE
-+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
- Read the certificate from this file.  For safety's sake, do not use the
- same file specified with the \fB\-k\fR option.
- .TP
--\fB\-k\fR FILE
-+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
- Use the key stored in this file to generate a signing request for
- refreshing the certificate.  If no such file is found when needed,
- generate a new key pair and store them in the file.
-@@ -51,58 +51,58 @@ Only valid with \fB\-f\fR.
- 
- .SH KEY ENCRYPTION OPTIONS
- .TP
--\fB\-p\fR FILE
-+\fB\-p\fR \fIFILE\fR, \fB\-\-pinfile\fR=\fIFILE\fR
- The private key files or databases are encrypted using the PIN stored in the
- named file as the passphrase.
- .TP
--\fB\-P\fR PIN
-+\fB\-P\fR \fIPIN\fR, \fB\-\-pin\fR=\fIPIN\fR
- The private key files or databases are encrypted using the specified PIN as the
--passphrase.  Because command-line arguments to running processes are trivially
-+passphrase.  Because command\-line arguments to running processes are trivially
- discoverable, use of this option is not recommended except for testing.
- 
- .SH TRACKING OPTIONS
- .TP
--\fB\-I\fR NAME
-+\fB\-I\fR \fINAME\fR, \fB\-\-new\-id\fR=\fINAME\fR
- Assign the specified nickname to this task.  If this option is not specified,
- a name will be assigned automatically.
- .TP
--\fB\-r\fR
-+\fB\-r\fR, \fB\-\-renew\fR
- Attempt to obtain a new certificate from the CA when the expiration date of a
- certificate nears.  This is the default setting.
- .TP
--\fB\-R\fR
-+\fB\-R\fR, \fB\-\-no\-renew\fR
- Don't attempt to obtain a new certificate from the CA when the expiration date
- of a certificate nears.  If this option is specified, an expired certificate
- will simply stay expired.
- 
- .SH ENROLLMENT OPTIONS
- .TP
--\fB\-c\fR NAME
-+\fB\-c\fR  \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
- Enroll with the specified CA rather than a possible default.  The name of
--the CA should correspond to one listed by \fIgetcert list-cas\fR.  Only
-+the CA should correspond to one listed by \fIgetcert list\-cas\fR.  Only
- useful in combination with \fB\-r\fR.
- .TP
--\fB\-T\fR NAME
-+\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
- Request a certificate using the named profile, template, or certtype,
- from the specified CA.
- .TP
--\fB\-\-ms-template-spec\fR SPEC
-+\fB\-\-ms\-template\-spec\fR \fISPEC\fR
- Include a V2 Certificate Template extension in the signing request.
- This datum includes an Object Identifier, a major version number
- (positive integer) and an optional minor version number.  The format
- is: \fB<oid>:<majorVersion>[:<minorVersion>]\fR.
- .TP
--\fB\-X\fR NAME
-+\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR
- Request a certificate using the named issuer from the specified CA.
- 
- .SH SIGNING REQUEST OPTIONS
- If and when \fIcertmonger\fR attempts to obtain a new certificate to replace
- the one being monitored, the values to be added to the signing request will be
- taken from the current certificate, unless preferred values are set using one
--or more of \fB-u\R, \fB\-U\fR, \fB\-K\fR, \fB\-E\fR, and \fB\-D\fR.
-+or more of \fB\-u\R, \fB\-U\fR, \fB\-K\fR, \fB\-E\fR, and \fB\-D\fR.
- 
- .TP
--\fB\-u\fR keyUsage
-+\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR
- Add an extensionRequest for the specified keyUsage to the
- signing request.  The keyUsage value is expected to be one of these names:
- 
-@@ -124,64 +124,86 @@ encipherOnly
- 
- decipherOnly
- .TP
--\fB\-U\fR EKU
-+\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR
- Add an extensionRequest for the specified extendedKeyUsage to the
- signing request.  The EKU value is expected to be an object identifier
- (OID).
- .TP
--\fB\-K\fR NAME
-+\fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR
- Add an extensionRequest for a subjectAltName, with the specified Kerberos
- principal name as its value, to the signing request.
- .TP
--\fB\-E\fR EMAIL
-+\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR
- Add an extensionRequest for a subjectAltName, with the specified email
- address as its value, to the signing request.
- .TP
--\fB\-D\fR DNSNAME
-+\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR
- Add an extensionRequest for a subjectAltName, with the specified DNS name
- as its value, to the signing request.
--\fB\-A\fR ADDRESS
-+\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR
- Add an extensionRequest for a subjectAltName, with the specified IP address
- as its value, to the signing request.
- .TP
--\fB\-l\fR FILE
-+\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR
- Add an optional ChallengePassword value, read from the file, to the signing
- request.  A ChallengePassword is often required when the CA is accessed using
- SCEP.
- .TP
--\fB\-L\fR PIN
-+\fB\-L\fR \fIPASSWORD\fR, \fB\-\-challenge\-password\fR=\fIPASSWORD\fR
- Add the argument value to the signing request as a ChallengePassword attribute.
- A ChallengePassword is often required when the CA is accessed using SCEP.
- 
- .SH OTHER OPTIONS
- .TP
--\fB\-B\fR COMMAND
-+\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR
- When ever the certificate or the CA's certificates are saved to the
- specified locations, run the specified command as the client user before
- saving the certificates.
- .TP
--\fB\-C\fR COMMAND
-+\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR
- When ever the certificate or the CA's certificates are saved to the
- specified locations, run the specified command as the client user after
- saving the certificates.
- .TP
--\fB\-a\fR DIR
-+\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR
- When ever the certificate is saved to the specified location, if root
- certificates for the CA are available, save them to the specified NSS database.
- .TP
--\fB\-F\fR FILE
-+\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR
- When ever the certificate is saved to the specified location, if root
- certificates for the CA are available, and when the local copies of the
- CA's root certificates are updated, save them to the specified file.
- .TP
--\fB\-w\fR
-+\fB\-w\fR, \fB\-\-wait\fR
- Wait for the certificate to become valid or to be reissued and saved, or for
- the attempt to obtain a new one to fail.
- .TP
--\fB\-v\fR
-+\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR
-+Maximum time to wait for the certificate to be issued.
-+.TP
-+\fB\-v\fR, \fB\-\-verbose\fR
- Be verbose about errors.  Normally, the details of an error received from
- the daemon will be suppressed if the client can make a diagnostic suggestion.
--
-+.TP
-+\fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR
-+After generation set the owner on the private key file or database to OWNER.
-+.TP
-+\fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR
-+After generation set the file permissions on the private key file or database to MODE.
-+.TP
-+\fB\-O\fR \fIOWNER\fR, \fR\-\-cert\-owner\fR=\fIOWNER\fR
-+After generation set the owner on the certificate file or database to OWNER.
-+.TP
-+\fB\-M\fR \fIMODE\fR, \fR\-\-cert\-perms\fR=\fIMODE\fR
-+After generation set the file permissions on the certificate file or database to MODE.
-+.SH BUS OPTIONS
-+.TP
-+\fB\-s\fR, \fB\-\-session\fR
-+Connect to certmonger on the session bus rather than the system bus.
-+.TP
-+\fB\-S\fR, \fB\-\-system\fR
-+Connect to certmonger on the system bus rather than the session bus.  This
-+is the default.
- .SH NOTES
- Locations specified for key and certificate storage need to be
- accessible to the \fIcertmonger\fR daemon process.  When run as a system
-@@ -189,7 +211,7 @@ daemon on a system which uses a mandatory access control mechanism such
- as SELinux, the system policy must ensure that the daemon is allowed to
- access the locations where certificates and keys that it will manage
- will be stored (these locations are typically labeled as \fIcert_t\fR or
--an equivalent).  More SELinux-specific information can be found in the
-+an equivalent).  More SELinux\-specific information can be found in the
- \fIselinux.txt\fR documentation file for this package.
- 
- .SH BUGS
-@@ -198,23 +220,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/getcert-status.1.in b/src/getcert-status.1.in
-index 071d393..da2fbc6 100644
---- a/src/getcert-status.1.in
-+++ b/src/getcert-status.1.in
-@@ -1,4 +1,4 @@
--.TH certmonger 1 "13 June 2014" "certmonger Manual"
-+.TH CERTMONGER 1 "June 13, 2014" "certmonger Manual"
- 
- .SH NAME
- getcert
-@@ -12,18 +12,18 @@ request and sets an exit status to reflect that status.
- 
- .SH SELECTION OPTIONS
- .TP
--\fB\-d\fR DIR
-+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
- Check that status of a certificate in the named NSS database.  Must be
--specified with the \fB-n\fR option.
-+specified with the \fB\-n\fR option.
- .TP
--\fB\-n\fR NAME
-+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
- Check that status of a certificate in with the specified nickname.  Must be
--specified with the \fB-d\fR option.
-+specified with the \fB\-d\fR option.
- .TP
--\fB\-f\fR FILE
-+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
- Check that status of a certificate stored in the specified PEM file.
- .TP
--\fB\-i\fR NAME
-+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
- Check that status of a certificate with the specified request nickname.
- 
- .SH EXIT STATUS
-@@ -53,24 +53,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/getcert-stop-tracking.1.in b/src/getcert-stop-tracking.1.in
-index a8657f3..96345d1 100644
---- a/src/getcert-stop-tracking.1.in
-+++ b/src/getcert-stop-tracking.1.in
-@@ -1,10 +1,10 @@
--.TH certmonger 1 "3 November 2009" "certmonger Manual"
-+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"
- 
- .SH NAME
- getcert
- 
- .SH SYNOPSIS
--getcert stop-tracking [options]
-+getcert stop\-tracking [options]
- 
- .SH DESCRIPTION
- Tells \fIcertmonger\fR to stop monitoring or attempting to obtain or
-@@ -12,7 +12,7 @@ refresh a certificate.
- 
- .SH TRACKING OPTIONS
- .TP
--\fB\-i\fR NAME
-+\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
- The certificate was tracked using the request with the specified nickname.
- If this option is not specified, some combination of \fB\-d\fR and
- \fB\-n\fR or \fB\-f\fR can be used to specify which certificate should
-@@ -20,55 +20,62 @@ henceforth be forgotten.
- 
- .SH KEY AND CERTIFICATE STORAGE OPTIONS
- .TP
--\fB\-d\fR DIR
-+\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
- The certificate is the one stored in the specified NSS database.
- .TP
--\fB\-n\fR NAME
-+\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
- The certificate is the one which has this nickname.  Only valid with
- \fB\-d\fR.
- .TP
--\fB\-t\fR TOKEN
-+\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
- If the NSS database has more than one token available, the certificate
- is stored in this token.  This argument only rarely needs to be
- specified.
- Only valid with \fB\-d\fR.
- .TP
--\fB\-f\fR FILE
-+\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
- The certificate is or was to be stored in this file.
- .TP
--\fB\-k\fR FILE
-+\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
- The private key is or was to be stored in this file.
- Only valid with \fB\-f\fR.
- 
- .SH OTHER OPTIONS
- .TP
--\fB\-v\fR
-+\fB\-v\fR, \fB\-\-verbose\fR
- Be verbose about errors.  Normally, the details of an error received from
- the daemon will be suppressed if the client can make a diagnostic suggestion.
--
-+.SH BUS OPTIONS
-+.TP
-+\fB\-s\fR, \fB\-\-session\fR
-+Connect to certmonger on the session bus rather than the system bus.
-+.TP
-+\fB\-S\fR, \fB\-\-system\fR
-+Connect to certmonger on the system bus rather than the session bus.  This
-+is the default.
- .SH BUGS
- Please file tickets for any that you find at https://fedorahosted.org/certmonger/
- 
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/getcert.1.in b/src/getcert.1.in
-index 7380f49..8669c76 100644
---- a/src/getcert.1.in
-+++ b/src/getcert.1.in
-@@ -1,4 +1,4 @@
--.TH certmonger 1 "3 November 2009" "certmonger Manual"
-+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"
- 
- .SH NAME
- getcert
-@@ -6,12 +6,12 @@ getcert
- .SH SYNOPSIS
-  getcert request [options]
-  getcert resubmit [options]
-- getcert start-tracking [options]
-+ getcert start\-tracking [options]
-  getcert status [options]
-- getcert stop-tracking [options]
-+ getcert stop\-tracking [options]
-  getcert list [options]
-- getcert list-cas [options]
-- getcert refresh-cas [options]
-+ getcert list\-cas [options]
-+ getcert refresh\-cas [options]
- 
- .SH DESCRIPTION
- The \fIgetcert\fR tool issues requests to a @CM_DBUS_NAME@ service on
-@@ -22,7 +22,7 @@ expiration, and optionally to refresh it when expiration nears, it can
- list the set of certificates that the service is already monitoring, or
- it can list the set of CAs that the service is capable of using.
- 
--If no command is given as the first command-line argument, \fIgetcert\fR
-+If no command is given as the first command\-line argument, \fIgetcert\fR
- will print short usage information for each of its functions.
- 
- If \fIgetcert\fR is invoked by a user with UID 0, and there is no system bus
-@@ -32,7 +32,7 @@ available, \fIgetcert\fR will attempt to launch a temporary copy of the
- .SH COMMON ARGUMENTS
- If \fI@CERTMONGER_PVT_ADDRESS_ENV@\fR is set in the environment, \fIgetcert\fR
- contacts the service directly at the specified location.
--All commands can take either the \fB-s\fR or \fB-S\fR arguments, which instruct
-+All commands can take either the \fB\-s\fR or \fB\-S\fR arguments, which instruct
- \fIgetcert\fR to contact the @CM_DBUS_NAME@ service on the session or system
- bus, if no value is set.  By default, \fIgetcert\fR consults the @CM_DBUS_NAME@
- service attached to the system bus.
-@@ -42,24 +42,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- 
- .SH SEE ALSO
- \fBcertmonger\fR(8)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/ipa-getcert.1.in b/src/ipa-getcert.1.in
-index a1d36d5..f1b3682 100644
---- a/src/ipa-getcert.1.in
-+++ b/src/ipa-getcert.1.in
-@@ -1,20 +1,20 @@
--.TH certmonger 1 "3 November 2009" "certmonger Manual"
-+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"
- 
- .SH NAME
--ipa-getcert
-+ipa\-getcert
- 
- .SH SYNOPSIS
-- ipa-getcert request [options]
-- ipa-getcert resubmit [options]
-- ipa-getcert start-tracking [options]
-- ipa-getcert status [options]
-- ipa-getcert stop-tracking [options]
-- ipa-getcert list [options]
-- ipa-getcert list-cas [options]
-- ipa-getcert refresh-cas [options]
-+ ipa\-getcert request [options]
-+ ipa\-getcert resubmit [options]
-+ ipa\-getcert start\-tracking [options]
-+ ipa\-getcert status [options]
-+ ipa\-getcert stop\-tracking [options]
-+ ipa\-getcert list [options]
-+ ipa\-getcert list\-cas [options]
-+ ipa\-getcert refresh\-cas [options]
- 
- .SH DESCRIPTION
--The \fIipa-getcert\fR tool issues requests to a @CM_DBUS_NAME@
-+The \fIipa\-getcert\fR tool issues requests to a @CM_DBUS_NAME@
- service on behalf of the invoking user.  It can ask the service to begin
- enrollment, optionally generating a key pair to use, it can ask the
- service to begin monitoring a certificate in a specified location for
-@@ -22,17 +22,17 @@ expiration, and optionally to refresh it when expiration nears, it can
- list the set of certificates that the service is already monitoring, or
- it can list the set of CAs that the service is capable of using.
- 
--If no command is given as the first command-line argument,
--\fIipa-getcert\fR will print short usage information for each of
-+If no command is given as the first command\-line argument,
-+\fIipa\-getcert\fR will print short usage information for each of
- its functions.
- 
--The \fIipa-getcert\fR tool behaves identically to the generic
--\fIgetcert\fR tool when it is used with the \fB-c
-+The \fIipa\-getcert\fR tool behaves identically to the generic
-+\fIgetcert\fR tool when it is used with the \fB\-c
- \fI@CM_IPA_CA_NAME@\fR option.
- 
- \fBcertmonger\fR supports retrieving trusted certificates from IPA CAs.  See
--\fBgetcert-request\fR(1) and \fBgetcert-resubmit\fR(1) for information about
--using the \fB-F\fR and \fB-a\fR options to specify where those certificates
-+\fBgetcert\-request\fR(1) and \fBgetcert\-resubmit\fR(1) for information about
-+using the \fB\-F\fR and \fB\-a\fR options to specify where those certificates
- should be stored.
- 
- .SH BUGS
-@@ -41,24 +41,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/local-getcert.1.in b/src/local-getcert.1.in
-index 526e31f..48a265b 100644
---- a/src/local-getcert.1.in
-+++ b/src/local-getcert.1.in
-@@ -1,20 +1,20 @@
--.TH certmonger 1 "7 June 2014" "certmonger Manual"
-+.TH CERTMONGER 1 "June 7, 2014" "certmonger Manual"
- 
- .SH NAME
--local-getcert
-+local\-getcert
- 
- .SH SYNOPSIS
-- local-getcert request [options]
-- local-getcert resubmit [options]
-- local-getcert start-tracking [options]
-- local-getcert status [options]
-- local-getcert stop-tracking [options]
-- local-getcert list [options]
-- local-getcert list-cas [options]
-- local-getcert refresh-cas [options]
-+ local\-getcert request [options]
-+ local\-getcert resubmit [options]
-+ local\-getcert start\-tracking [options]
-+ local\-getcert status [options]
-+ local\-getcert stop\-tracking [options]
-+ local\-getcert list [options]
-+ local\-getcert list\-cas [options]
-+ local\-getcert refresh\-cas [options]
- 
- .SH DESCRIPTION
--The \fIlocal-getcert\fR tool issues requests to a @CM_DBUS_NAME@
-+The \fIlocal\-getcert\fR tool issues requests to a @CM_DBUS_NAME@
- service on behalf of the invoking user.  It can ask the service to begin
- enrollment, optionally generating a key pair to use, it can ask the
- service to begin monitoring a certificate in a specified location for
-@@ -22,17 +22,17 @@ expiration, and optionally to refresh it when expiration nears, it can
- list the set of certificates that the service is already monitoring, or
- it can list the set of CAs that the service is capable of using.
- 
--If no command is given as the first command-line argument,
--\fIlocal-getcert\fR will print short usage information for each of
-+If no command is given as the first command\-line argument,
-+\fIlocal\-getcert\fR will print short usage information for each of
- its functions.
- 
--The \fIlocal-getcert\fR tool behaves identically to the generic
--\fIgetcert\fR tool when it is used with the \fB-c
-+The \fIlocal\-getcert\fR tool behaves identically to the generic
-+\fIgetcert\fR tool when it is used with the \fB\-c
- \fIlocal\fR option.
- 
--\fBcertmonger\fR supports retrieving the list of current and previously-used
--local CA certificates.  See \fBgetcert-request\fR(1) and
--\fBgetcert-resubmit\fR(1) for information about using the \fB-F\fR and \fB-a\fR
-+\fBcertmonger\fR supports retrieving the list of current and previously\-used
-+local CA certificates.  See \fBgetcert\-request\fR(1) and
-+\fBgetcert\-resubmit\fR(1) for information about using the \fB\-F\fR and \fB\-a\fR
- options to specify where those certificates should be stored.
- 
- .SH BUGS
-@@ -41,24 +41,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
-diff --git a/src/selfsign-getcert.1.in b/src/selfsign-getcert.1.in
-index 88389e8..d15c398 100644
---- a/src/selfsign-getcert.1.in
-+++ b/src/selfsign-getcert.1.in
-@@ -1,20 +1,20 @@
--.TH certmonger 1 "3 November 2009" "certmonger Manual"
-+.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual"
- 
- .SH NAME
--selfsign-getcert
-+selfsign\-getcert
- 
- .SH SYNOPSIS
-- selfsign-getcert request [options]
-- selfsign-getcert resubmit [options]
-- selfsign-getcert start-tracking [options]
-- selfsign-getcert status [options]
-- selfsign-getcert stop-tracking [options]
-- selfsign-getcert list [options]
-- selfsign-getcert list-cas [options]
-- selfsign-getcert refresh-cas [options]
-+ selfsign\-getcert request [options]
-+ selfsign\-getcert resubmit [options]
-+ selfsign\-getcert start\-tracking [options]
-+ selfsign\-getcert status [options]
-+ selfsign\-getcert stop\-tracking [options]
-+ selfsign\-getcert list [options]
-+ selfsign\-getcert list\-cas [options]
-+ selfsign\-getcert refresh\-cas [options]
- 
- .SH DESCRIPTION
--The \fIselfsign-getcert\fR tool issues requests to a @CM_DBUS_NAME@
-+The \fIselfsign\-getcert\fR tool issues requests to a @CM_DBUS_NAME@
- service on behalf of the invoking user.  It can ask the service to begin
- enrollment, optionally generating a key pair to use, it can ask the
- service to begin monitoring a certificate in a specified location for
-@@ -22,16 +22,16 @@ expiration, and optionally to refresh it when expiration nears, it can
- list the set of certificates that the service is already monitoring, or
- it can list the set of CAs that the service is capable of using.
- 
--If no command is given as the first command-line argument,
--\fIselfsign-getcert\fR will print short usage information for each of
-+If no command is given as the first command\-line argument,
-+\fIselfsign\-getcert\fR will print short usage information for each of
- its functions.
- 
--The \fIselfsign-getcert\fR tool behaves identically to the generic
--\fIgetcert\fR tool when it is used with the \fB-c
-+The \fIselfsign\-getcert\fR tool behaves identically to the generic
-+\fIgetcert\fR tool when it is used with the \fB\-c
- \fI@CM_SELF_SIGN_CA_NAME@\fR option.
- 
--\fBcertmonger\fR's self-signer doesn't use root certificates.  While the
--\fB-F\fR and \fB-a\fR options will still be recognized, they will effectively
-+\fBcertmonger\fR's self\-signer doesn't use root certificates.  While the
-+\fB\-F\fR and \fB\-a\fR options will still be recognized, they will effectively
- be ignored.
- 
- .SH BUGS
-@@ -40,24 +40,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
- .SH SEE ALSO
- \fBcertmonger\fR(8)
- \fBgetcert\fR(1)
--\fBgetcert-add-ca\fR(1)
--\fBgetcert-add-scep-ca\fR(1)
--\fBgetcert-list-cas\fR(1)
--\fBgetcert-list\fR(1)
--\fBgetcert-modify-ca\fR(1)
--\fBgetcert-refresh-ca\fR(1)
--\fBgetcert-refresh\fR(1)
--\fBgetcert-rekey\fR(1)
--\fBgetcert-remove-ca\fR(1)
--\fBgetcert-request\fR(1)
--\fBgetcert-resubmit\fR(1)
--\fBgetcert-start-tracking\fR(1)
--\fBgetcert-status\fR(1)
--\fBgetcert-stop-tracking\fR(1)
--\fBcertmonger-certmaster-submit\fR(8)
--\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
--\fBcertmonger-dogtag-submit\fR(8)
--\fBcertmonger-ipa-submit\fR(8)
--\fBcertmonger-local-submit\fR(8)
--\fBcertmonger-scep-submit\fR(8)
-+\fBgetcert\-add\-ca\fR(1)
-+\fBgetcert\-add\-scep\-ca\fR(1)
-+\fBgetcert\-list\-cas\fR(1)
-+\fBgetcert\-list\fR(1)
-+\fBgetcert\-modify\-ca\fR(1)
-+\fBgetcert\-refresh\-ca\fR(1)
-+\fBgetcert\-refresh\fR(1)
-+\fBgetcert\-rekey\fR(1)
-+\fBgetcert\-remove\-ca\fR(1)
-+\fBgetcert\-request\fR(1)
-+\fBgetcert\-resubmit\fR(1)
-+\fBgetcert\-start\-tracking\fR(1)
-+\fBgetcert\-status\fR(1)
-+\fBgetcert\-stop\-tracking\fR(1)
-+\fBcertmonger\-certmaster\-submit\fR(8)
-+\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
-+\fBcertmonger\-dogtag\-submit\fR(8)
-+\fBcertmonger\-ipa\-submit\fR(8)
-+\fBcertmonger\-local\-submit\fR(8)
-+\fBcertmonger\-scep\-submit\fR(8)
- \fBcertmonger_selinux\fR(8)
--- 
-2.21.1
-
diff --git a/SOURCES/0043-Add-long-options-to-command-line-help.patch b/SOURCES/0043-Add-long-options-to-command-line-help.patch
deleted file mode 100644
index 6e52b5c..0000000
--- a/SOURCES/0043-Add-long-options-to-command-line-help.patch
+++ /dev/null
@@ -1,757 +0,0 @@
-From f5b4420f01272f14416558286c66511b1e35816d Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 14 May 2020 14:37:31 -0400
-Subject: [PATCH 43/43] Add long options to command-line help
-
-The command-line help mostly consisted of only the short options.
-Add the long-option and clean up some of the output.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1782838
----
- src/getcert.c | 536 ++++++++++++++++++++++++++++++++------------------
- src/scep.c    |   2 +-
- 2 files changed, 345 insertions(+), 193 deletions(-)
-
-diff --git a/src/getcert.c b/src/getcert.c
-index 5c8dc94..84e0bf3 100644
---- a/src/getcert.c
-+++ b/src/getcert.c
-@@ -4864,50 +4864,90 @@ help(const char *twopartcmd, const char *category)
- 		"\n",
- 		N_("Required arguments:\n"),
- 		N_("* If using an NSS database for storage:\n"),
--		N_("  -d DIR	NSS database for key and cert\n"),
--		N_("  -n NAME	nickname for NSS-based storage (only valid with -d)\n"),
--		N_("  -t NAME	optional token name for NSS-based storage (only valid with -d)\n"),
-+		N_("  -d DIR, --dbdir=DIR	NSS database for key and cert\n"),
-+		N_("  -n NAME, --nickname NAME\n"),
-+		N_("			nickname for NSS-based storage (only valid with -d)\n"),
-+		N_("  -t NAME, --token=NAME	optional token name for NSS-based storage\n"),
-+		N_("			(only valid with -d)\n"),
- 		N_("* If using files for storage:\n"),
--		N_("  -k FILE	PEM file for private key\n"),
--		N_("  -f FILE	PEM file for certificate (only valid with -k)\n"),
-+		N_("  -k FILE, --keyfile=FILE\n"),
-+		N_("			PEM file for private key\n"),
-+		N_("  -f FILE, --certfile=FILE\n"),
-+		N_("			PEM file for certificate (only valid with -k)\n"),
- 		N_("* If keys are to be encrypted:\n"),
--		N_("  -p FILE	file which holds the encryption PIN\n"),
--		N_("  -P PIN	PIN value\n"),
-+		N_("  -p FILE, --pinfile=FILE\n"),
-+		N_("			file which holds the encryption PIN\n"),
-+		N_("  -P PIN, --pin=PIN	PIN value\n"),
- 		"\n",
- 		N_("Optional arguments:\n"),
- 		N_("* Certificate handling settings:\n"),
--		N_("  -I NAME	nickname to assign to the request\n"),
--		N_("  -G TYPE	type of key to be generated if one is not already in place\n"),
--		N_("  -g SIZE	size of key to be generated if one is not already in place\n"),
--		N_("  -r		attempt to renew the certificate when expiration nears (default)\n"),
--		N_("  -R		don't attempt to renew the certificate when expiration nears\n"),
-+		N_("  -I NAME, --new-id=NAME\n"),
-+		N_("			new nickname to give to tracking request\n"),
-+		N_("  -G TYPE, --key-type=TYPE\n"),
-+		N_("			type of key to be generated if one is not already\n"),
-+		N_("			in place\n"),
-+		N_("  -g BITS, --key-size=BITS\n"),
-+		N_("			size of key to be generated if one is not already\n"),
-+		N_("			in place\n"),
-+		N_("  -r, --renew		attempt to renew the certificate when\n"),
-+		N_("			expiration nears (default)\n"),
-+		N_("  -R, --no-renew	don't attempt to renew the certificate when\n"),
-+		N_("			expiration nears\n"),
- #ifndef FORCE_CA
--		N_("  -c CA		use the specified CA rather than the default\n"),
-+		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),
- #endif
--		N_("  -T PROFILE	ask the CA to process the request using the named profile or template\n"),
-+		N_("  -T PROFILE, --profile=NAME\n"),
-+		N_("			ask the CA to process the request using the\n"),
-+		N_("			named profile or template\n"),
- 		N_("  --ms-template-spec SPEC\n"),
--		N_("	 include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
--		N_("  -X ISSUER	ask the CA to process the request using the named issuer\n"),
-+		N_("	 		include V2 template specifier in CSR\n"),
-+		N_("			(format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
-+		N_("  -X ISSUER, --issuer=ISSUER\n"),
-+		N_("			ask the CA to process the request using the\n"),
-+		N_("			named issuer\n"),
- 		N_("* Parameters for the signing request:\n"),
--		N_("  -N NAME	set requested subject name (default: CN=<hostname>)\n"),
--		N_("  -U EXTUSAGE	set requested extended key usage OID\n"),
--		N_("  -u KEYUSAGE	set requested key usage value\n"),
--		N_("  -K NAME	set requested principal name\n"),
--		N_("  -D DNSNAME	set requested DNS name\n"),
--		N_("  -E EMAIL	set requested email address\n"),
--		N_("  -A ADDRESS	set requested IP address\n"),
--		N_("  -l FILE	file which holds an optional challenge password\n"),
--		N_("  -L PASSWORD	an optional challenge password value\n"),
-+		N_("  -N NAME, --subject-name=NAME\n"),
-+		N_("			set requested subject name (default: CN=<hostname>)\n"),
-+		N_("  -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
-+		N_("			override requested extended key usage OID\n"),
-+		N_("  -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
-+		N_("			set requested key usage value\n"),
-+		N_("  -K NAME, --principal=NAME\n"),
-+		N_("			override requested principal name\n"),
-+		N_("  -D DNSNAME, --dns=DNSNAME\n"),
-+		N_("			override requested DNS name\n"),
-+		N_("  -E EMAIL, --email=EMAIL\n"),
-+		N_("			override requested email address\n"),
-+		N_("  -A ADDRESS, --ip-address=ADDRESS\n"),
-+		N_("			override requested IP address\n"),
-+		N_("  -l FILE, --challenge-password-file=FILE\n"),
-+		N_("			file which holds an optional challenge password\n"),
-+		N_("  -L PASSWORD, --challenge-password=PASSWORD\n"),
-+		N_("			an optional challenge password value\n"),
- 		N_("* Bus options:\n"),
--		N_("  -S		connect to the certmonger service on the system bus\n"),
--		N_("  -s		connect to the certmonger service on the session bus\n"),
-+		N_("  -S, --system		connect to the certmonger service on the system bus\n"),
-+		N_("  -s, --session		connect to the certmonger service on the session bus\n"),
- 		N_("* Other options:\n"),
--		N_("  -B	command to run before saving the certificate\n"),
--		N_("  -C	command to run after saving the certificate\n"),
--		N_("  -F	file in which to store the CA's certificates\n"),
--		N_("  -a	NSS database in which to store the CA's certificates\n"),
--		N_("  -w	try to wait for the certificate to be issued\n"),
--		N_("  -v	report all details of errors\n"),
-+		N_("  -B COMMAND, --before-command=COMMAND\n"),
-+		N_("			command to run before saving the certificate\n"),
-+		N_("  -C COMMAND, --after-command=COMMAND\n"),
-+		N_("			command to run after saving the certificate\n"),
-+		N_("  -F FILE, --ca-file=FILE\n"),
-+		N_("			file in which to store the CA's certificates\n"),
-+		N_("  -a DIR, --ca-dbdir=DIR\n"),
-+		N_("			NSS database in which to store the CA's certificates\n"),
-+		N_("  -w, --wait		try to wait for the certificate to be issued\n"),
-+		N_("  --wait-timeout TIMEOUT\n"),
-+		N_("			Maximum time to wait for the certificateto be issued\n"),
-+		N_("  -v, --verbose		report all details of errors\n"),
-+		N_("  -o OWNER, --key-owner=OWNER\n"),
-+		N_("			owner information for private key\n"),
-+		N_("  -m MODE, --key-perms=MODE\n"),
-+		N_("			file permissions for private key\n"),
-+		N_("  -O OWNER, --cert-owner=OWNER\n"),
-+		N_("			owner information for certificate\n"),
-+		N_("  -M MODE, --cert-perms=MODE\n"),
-+		N_("			file permissions for certificate\n"),
- 		NULL,
- 	};
- 	const char *start_tracking_help[] = {
-@@ -4915,49 +4955,84 @@ help(const char *twopartcmd, const char *category)
- 		"\n",
- 		N_("Required arguments:\n"),
- 		N_("* If modifying an existing request:\n"),
--		N_("  -i NAME	nickname of an existing tracking request\n"),
-+		N_("  -i NAME, --id=NAME	nickname of an existing tracking request\n"),
- 		N_("* If using an NSS database for storage:\n"),
--		N_("  -d DIR	NSS database for key and cert\n"),
--		N_("  -n NAME	nickname for NSS-based storage (only valid with -d)\n"),
--		N_("  -t NAME	optional token name for NSS-based storage (only valid with -d)\n"),
-+		N_("  -d DIR, --dbdir=DIR	NSS database for key and cert\n"),
-+		N_("  -n NAME, --nickname NAME\n"),
-+		N_("			nickname for NSS-based storage (only valid with -d)\n"),
-+		N_("  -t NAME, --token=NAME	optional token name for NSS-based storage\n"),
-+		N_("			(only valid with -d)\n"),
- 		N_("* If using files for storage:\n"),
--		N_("  -k FILE	PEM file for private key\n"),
--		N_("  -f FILE	PEM file for certificate (only valid with -k)\n"),
-+		N_("  -k FILE, --keyfile=FILE\n"),
-+		N_("			PEM file for private key\n"),
-+		N_("  -f FILE, --certfile=FILE\n"),
-+		N_("			PEM file for certificate (only valid with -k)\n"),
- 		N_("* If keys are encrypted:\n"),
--		N_("  -p FILE	file which holds the encryption PIN\n"),
--		N_("  -P PIN	PIN value\n"),
-+		N_("  -p FILE, --pinfile=FILE\n"),
-+		N_("			file which holds the encryption PIN\n"),
-+		N_("  -P PIN, --pin=PIN	PIN value\n"),
- 		"\n",
- 		N_("Optional arguments:\n"),
- 		N_("* Certificate handling settings:\n"),
--		N_("  -I NAME	nickname to give to tracking request\n"),
--		N_("  -r		attempt to renew the certificate when expiration nears (default)\n"),
--		N_("  -R		don't attempt to renew the certificate when expiration nears\n"),
-+		N_("  -I NAME, --new-id=NAME\n"),
-+		N_("			nickname to give to tracking request\n"),
-+		N_("  -r, --renew		attempt to renew the certificate when\n"),
-+		N_("			expiration nears (default)\n"),
-+		N_("  -R, --no-renew	don't attempt to renew the certificate when\n"),
-+		N_("			expiration nears\n"),
- #ifndef FORCE_CA
--		N_("  -c CA		use the specified CA rather than the default\n"),
-+		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),
- #endif
--		N_("  -T PROFILE	ask the CA to process the request using the named profile or template\n"),
-+		N_("  -T PROFILE, --profile=NAME\n"),
-+		N_("			ask the CA to process the request using the\n"),
-+		N_("			named profile or template\n"),
- 		N_("  --ms-template-spec SPEC\n"),
--		N_("	 include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
--		N_("  -X ISSUER	ask the CA to process the request using the named issuer\n"),
-+		N_("	 		include V2 template specifier in CSR\n"),
-+		N_("			(format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
-+		N_("  -X ISSUER, --issuer=ISSUER\n"),
-+		N_("			ask the CA to process the request using the\n"),
-+		N_("			named issuer\n"),
- 		N_("* Parameters for the signing request at renewal time:\n"),
--		N_("  -U EXTUSAGE	override requested extended key usage OID\n"),
--		N_("  -u KEYUSAGE	set requested key usage value\n"),
--		N_("  -K NAME	override requested principal name\n"),
--		N_("  -D DNSNAME	override requested DNS name\n"),
--		N_("  -E EMAIL	override requested email address\n"),
--		N_("  -A ADDRESS	override requested IP address\n"),
--		N_("  -l FILE	file which holds an optional challenge password\n"),
--		N_("  -L PASSWORD	an optional challenge password value\n"),
-+		N_("  -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
-+		N_("			override requested extended key usage OID\n"),
-+		N_("  -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
-+		N_("			set requested key usage value\n"),
-+		N_("  -K NAME, --principal=NAME\n"),
-+		N_("			override requested principal name\n"),
-+		N_("  -D DNSNAME, --dns=DNSNAME\n"),
-+		N_("			override requested DNS name\n"),
-+		N_("  -E EMAIL, --email=EMAIL\n"),
-+		N_("			override requested email address\n"),
-+		N_("  -A ADDRESS, --ip-address=ADDRESS\n"),
-+		N_("			override requested IP address\n"),
-+		N_("  -l FILE, --challenge-password-file=FILE\n"),
-+		N_("			file which holds an optional challenge password\n"),
-+		N_("  -L PASSWORD, --challenge-password=PASSWORD\n"),
-+		N_("			an optional challenge password value\n"),
- 		N_("* Bus options:\n"),
--		N_("  -S		connect to the certmonger service on the system bus\n"),
--		N_("  -s		connect to the certmonger service on the session bus\n"),
-+		N_("  -S, --system		connect to the certmonger service on the system bus\n"),
-+		N_("  -s, --session		connect to the certmonger service on the session bus\n"),
- 		N_("* Other options:\n"),
--		N_("  -B	command to run before saving the certificate\n"),
--		N_("  -C	command to run after saving the certificate\n"),
--		N_("  -F	file in which to store the CA's certificates\n"),
--		N_("  -a	NSS database in which to store the CA's certificates\n"),
--		N_("  -w	try to wait for the certificate to be issued\n"),
--		N_("  -v	report all details of errors\n"),
-+		N_("  -B COMMAND, --before-command=COMMAND\n"),
-+		N_("			command to run before saving the certificate\n"),
-+		N_("  -C COMMAND, --after-command=COMMAND\n"),
-+		N_("			command to run after saving the certificate\n"),
-+		N_("  -F FILE, --ca-file=FILE\n"),
-+		N_("			file in which to store the CA's certificates\n"),
-+		N_("  -a DIR, --ca-dbdir=DIR\n"),
-+		N_("			NSS database in which to store the CA's certificates\n"),
-+		N_("  -w, --wait		try to wait for the certificate to be issued\n"),
-+		N_("  --wait-timeout TIMEOUT\n"),
-+		N_("			Maximum time to wait for the certificateto be issued\n"),
-+		N_("  -v, --verbose		report all details of errors\n"),
-+		N_("  -o OWNER, --key-owner=OWNER\n"),
-+		N_("			owner information for private key\n"),
-+		N_("  -m MODE, --key-perms=MODE\n"),
-+		N_("			file permissions for private key\n"),
-+		N_("  -O OWNER, --cert-owner=OWNER\n"),
-+		N_("			owner information for certificate\n"),
-+		N_("  -M MODE, --cert-perms=MODE\n"),
-+		N_("			file permissions for certificate\n"),
- 		NULL,
- 	};
- 	const char *stop_tracking_help[] = {
-@@ -4965,21 +5040,24 @@ help(const char *twopartcmd, const char *category)
- 		"\n",
- 		N_("Required arguments:\n"),
- 		N_("* By request identifier:\n"),
--		N_("  -i NAME	nickname for tracking request\n"),
-+		N_("  -i NAME, --id=NAME	nickname for tracking request\n"),
- 		N_("* If using an NSS database for storage:\n"),
--		N_("  -d DIR	NSS database for key and cert\n"),
--		N_("  -n NAME	nickname for NSS-based storage (only valid with -d)\n"),
--		N_("  -t NAME	optional token name for NSS-based storage (only valid with -d)\n"),
-+		N_("  -d DIR, --dbdir=DIR	NSS database for key and cert\n"),
-+		N_("  -n NAME, --nickname NAME\n"),
-+		N_("			nickname for NSS-based storage (only valid with -d)\n"),
- 		N_("* If using files for storage:\n"),
--		N_("  -k FILE	PEM file for private key\n"),
--		N_("  -f FILE	PEM file for certificate (only valid with -k)\n"),
-+		N_("  -k FILE, --keyfile=FILE\n"),
-+		N_("			PEM file for private key\n"),
-+		N_("  -f FILE, --certfile=FILE\n"),
-+		N_("			PEM file for certificate (only valid with -k)\n"),
- 		"\n",
- 		N_("Optional arguments:\n"),
- 		N_("* Bus options:\n"),
--		N_("  -S		connect to the certmonger service on the system bus\n"),
--		N_("  -s		connect to the certmonger service on the session bus\n"),
-+		N_("  -S, --system		connect to the certmonger service on the system bus\n"),
-+		N_("  -s, --session		connect to the certmonger service on the session bus\n"),
-+		"\n",
- 		N_("* Other options:\n"),
--		N_("  -v	report all details of errors\n"),
-+		N_("  -v, --verbose		report all details of errors\n"),
- 		NULL,
- 	};
- 	const char *resubmit_help[] = {
-@@ -4987,49 +5065,81 @@ help(const char *twopartcmd, const char *category)
- 		"\n",
- 		N_("Required arguments:\n"),
- 		N_("* By request identifier:\n"),
--		N_("  -i NAME	nickname for tracking request\n"),
-+		N_("  -i NAME, --id=NAME	nickname for tracking request\n"),
- 		N_("* If using an NSS database for storage:\n"),
--		N_("  -d DIR	NSS database for key and cert\n"),
--		N_("  -n NAME	nickname for NSS-based storage (only valid with -d)\n"),
--		N_("  -t NAME	optional token name for NSS-based storage (only valid with -d)\n"),
-+		N_("  -d DIR, --dbdir=DIR	NSS database for key and cert\n"),
-+		N_("  -n NAME, --nickname NAME\n"),
-+		N_("			nickname for NSS-based storage (only valid with -d)\n"),
-+		N_("  -t NAME, --token=NAME	optional token name for NSS-based storage\n"),
-+		N_("			(only valid with -d)\n"),
- 		N_("* If using files for storage:\n"),
- 		N_("  -f FILE	PEM file for certificate\n"),
- 		"\n",
- 		N_("* If keys are encrypted:\n"),
--		N_("  -p FILE	file which holds the encryption PIN\n"),
--		N_("  -P PIN	PIN value\n"),
-+		N_("  -p FILE, --pinfile=FILE\n"),
-+		N_("			file which holds the encryption PIN\n"),
-+		N_("  -P PIN, --pin=PIN	PIN value\n"),
- 		"\n",
- 		N_("* New parameter values for the signing request:\n"),
--		N_("  -N NAME	set requested subject name (default: CN=<hostname>)\n"),
--		N_("  -U EXTUSAGE	set requested extended key usage OID\n"),
--		N_("  -u KEYUSAGE	set requested key usage value\n"),
--		N_("  -K NAME	set requested principal name\n"),
--		N_("  -D DNSNAME	set requested DNS name\n"),
--		N_("  -E EMAIL	set requested email address\n"),
--		N_("  -A ADDRESS	set requested IP address\n"),
--		N_("  -l FILE	file which holds an optional challenge password\n"),
--		N_("  -L PASSWORD	an optional challenge password value\n"),
-+		N_("  -N NAME, --subject-name=NAME\n"),
-+		N_("			set requested subject name (default: CN=<hostname>)\n"),
-+		N_("  -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
-+		N_("			override requested extended key usage OID\n"),
-+		N_("  -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
-+		N_("			set requested key usage value\n"),
-+		N_("  -K NAME, --principal=NAME\n"),
-+		N_("			override requested principal name\n"),
-+		N_("  -D DNSNAME, --dns=DNSNAME\n"),
-+		N_("			override requested DNS name\n"),
-+		N_("  -E EMAIL, --email=EMAIL\n"),
-+		N_("			override requested email address\n"),
-+		N_("  -A ADDRESS, --ip-address=ADDRESS\n"),
-+		N_("			override requested IP address\n"),
-+		N_("  -l FILE, --challenge-password-file=FILE\n"),
-+		N_("			file which holds an optional challenge password\n"),
-+		N_("  -L PASSWORD, --challenge-password=PASSWORD\n"),
-+		N_("			an optional challenge password value\n"),
- 		"\n",
- 		N_("Optional arguments:\n"),
- 		N_("* Certificate handling settings:\n"),
--		N_("  -I NAME	new nickname to give to tracking request\n"),
-+		N_("  -I NAME, --new-id=NAME\n"),
-+		N_("			nickname to give to tracking request\n"),
- #ifndef FORCE_CA
--		N_("  -c CA		use the specified CA rather than the current one\n"),
-+		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),
- #endif
--		N_("  -T PROFILE	ask the CA to process the request using the named profile or template\n"),
-+		N_("  -T PROFILE, --profile=NAME\n"),
-+		N_("			ask the CA to process the request using the\n"),
-+		N_("			named profile or template\n"),
- 		N_("  --ms-template-spec SPEC\n"),
--		N_("	 include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
--		N_("  -X ISSUER	ask the CA to process the request using the named issuer\n"),
-+		N_("	 		include V2 template specifier in CSR\n"),
-+		N_("			(format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
-+		N_("  -X ISSUER, --issuer=ISSUER\n"),
-+		N_("			ask the CA to process the request using the\n"),
-+		N_("			named issuer\n"),
- 		N_("* Bus options:\n"),
--		N_("  -S		connect to the certmonger service on the system bus\n"),
--		N_("  -s		connect to the certmonger service on the session bus\n"),
-+		N_("  -S, --system		connect to the certmonger service on the system bus\n"),
-+		N_("  -s, --session		connect to the certmonger service on the session bus\n"),
- 		N_("* Other options:\n"),
--		N_("  -B	command to run before saving the certificate\n"),
--		N_("  -C	command to run after saving the certificate\n"),
--		N_("  -F	file in which to store the CA's certificates\n"),
--		N_("  -a	NSS database in which to store the CA's certificates\n"),
--		N_("  -w	try to wait for the certificate to be issued\n"),
--		N_("  -v	report all details of errors\n"),
-+		N_("  -B COMMAND, --before-command=COMMAND\n"),
-+		N_("			command to run before saving the certificate\n"),
-+		N_("  -C COMMAND, --after-command=COMMAND\n"),
-+		N_("			command to run after saving the certificate\n"),
-+		N_("  -F FILE, --ca-file=FILE\n"),
-+		N_("			file in which to store the CA's certificates\n"),
-+		N_("  -a DIR, --ca-dbdir=DIR\n"),
-+		N_("			NSS database in which to store the CA's certificates\n"),
-+		N_("  -w, --wait		try to wait for the certificate to be issued\n"),
-+		N_("  --wait-timeout TIMEOUT\n"),
-+		N_("			Maximum time to wait for the certificateto be issued\n"),
-+		N_("  -v, --verbose		report all details of errors\n"),
-+		N_("  -o OWNER, --key-owner=OWNER\n"),
-+		N_("			owner information for private key\n"),
-+		N_("  -m MODE, --key-perms=MODE\n"),
-+		N_("			file permissions for private key\n"),
-+		N_("  -O OWNER, --cert-owner=OWNER\n"),
-+		N_("			owner information for certificate\n"),
-+		N_("  -M MODE, --cert-perms=MODE\n"),
-+		N_("			file permissions for certificate\n"),
- 		NULL,
- 	};
- 	const char *rekey_help[] = {
-@@ -5037,51 +5147,80 @@ help(const char *twopartcmd, const char *category)
- 		"\n",
- 		N_("Required arguments:\n"),
- 		N_("* By request identifier:\n"),
--		N_("  -i NAME	nickname for tracking request\n"),
-+		N_("  -i NAME, --id=NAME	nickname for tracking request\n"),
- 		N_("* If using an NSS database for storage:\n"),
--		N_("  -d DIR	NSS database for key and cert\n"),
--		N_("  -n NAME	nickname for NSS-based storage (only valid with -d)\n"),
--		N_("  -t NAME	optional token name for NSS-based storage (only valid with -d)\n"),
-+		N_("  -d DIR, --dbdir=DIR	NSS database for key and cert\n"),
-+		N_("  -n NAME, --nickname NAME\n"),
-+		N_("			nickname for NSS-based storage (only valid with -d)\n"),
-+		N_("  -t NAME, --token=NAME	optional token name for NSS-based storage\n"),
-+		N_("			(only valid with -d)\n"),
- 		N_("* If using files for storage:\n"),
--		N_("  -f FILE	PEM file for certificate\n"),
-+		N_("  -f FILE, --certfile=FILE\n"),
-+		N_("			PEM file for certificate\n"),
- 		"\n",
- 		N_("* If keys are encrypted:\n"),
--		N_("  -p FILE	file which holds the encryption PIN\n"),
--		N_("  -P PIN	PIN value\n"),
-+		N_("  -p FILE, --pinfile=FILE\n"),
-+		N_("			file which holds the encryption PIN\n"),
-+		N_("  -P PIN, --pin=PIN	PIN value\n"),
- 		"\n",
- 		N_("* New parameter values for the signing request:\n"),
--		N_("  -N NAME	set requested subject name (default: CN=<hostname>)\n"),
--		N_("  -U EXTUSAGE	set requested extended key usage OID\n"),
--		N_("  -u KEYUSAGE	set requested key usage value\n"),
--		N_("  -K NAME	set requested principal name\n"),
--		N_("  -D DNSNAME	set requested DNS name\n"),
--		N_("  -E EMAIL	set requested email address\n"),
--		N_("  -A ADDRESS	set requested IP address\n"),
--		N_("  -l FILE	file which holds an optional challenge password\n"),
--		N_("  -L PASSWORD	an optional challenge password value\n"),
-+		N_("  -N NAME, --subject-name=NAME\n"),
-+		N_("			set requested subject name (default: CN=<hostname>)\n"),
-+		N_("  -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
-+		N_("			override requested extended key usage OID\n"),
-+		N_("  -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
-+		N_("			set requested key usage value\n"),
-+		N_("  -K NAME, --principal=NAME\n"),
-+		N_("			override requested principal name\n"),
-+		N_("  -D DNSNAME, --dns=DNSNAME\n"),
-+		N_("			override requested DNS name\n"),
-+		N_("  -E EMAIL, --email=EMAIL\n"),
-+		N_("			override requested email address\n"),
-+		N_("  -A ADDRESS, --ip-address=ADDRESS\n"),
-+		N_("			override requested IP address\n"),
-+		N_("  -l FILE, --challenge-password-file=FILE\n"),
-+		N_("			file which holds an optional challenge password\n"),
-+		N_("  -L PASSWORD, --challenge-password=PASSWORD\n"),
-+		N_("			an optional challenge password value\n"),
- 		"\n",
- 		N_("Optional arguments:\n"),
- 		N_("* Certificate handling settings:\n"),
--		N_("  -I NAME	new nickname to give to tracking request\n"),
-+		N_("  -I NAME, --new-id=NAME\n"),
-+		N_("			new nickname to give to tracking request\n"),
- #ifndef FORCE_CA
--		N_("  -c CA		use the specified CA rather than the current one\n"),
-+		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),
- #endif
--		N_("  -T PROFILE	ask the CA to process the request using the named profile or template\n"),
-+		N_("  -T PROFILE, --profile=NAME\n"),
-+		N_("			ask the CA to process the request using the\n"),
-+		N_("			named profile or template\n"),
- 		N_("  --ms-template-spec SPEC\n"),
--		N_("	 include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
--		N_("  -X ISSUER	ask the CA to process the request using the named issuer\n"),
--		N_("  -G TYPE	type of new key to be generated\n"),
--		N_("  -g SIZE	size of new key to be generated\n"),
-+		N_("	 		include V2 template specifier in CSR\n"),
-+		N_("			(format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
-+		N_("  -X ISSUER, --issuer=ISSUER\n"),
-+		N_("			ask the CA to process the request using the\n"),
-+		N_("			named issuer\n"),
-+		N_("  -G TYPE, --key-type=TYPE\n"),
-+		N_("			type of key to be generated if one is not already\n"),
-+		N_("			in place\n"),
-+		N_("  -g BITS, --key-size=BITS\n"),
-+		N_("			size of key to be generated if one is not already\n"),
-+		N_("			in place\n"),
- 		N_("* Bus options:\n"),
--		N_("  -S		connect to the certmonger service on the system bus\n"),
--		N_("  -s		connect to the certmonger service on the session bus\n"),
-+		N_("  -S, --system		connect to the certmonger service on the system bus\n"),
-+		N_("  -s, --session		connect to the certmonger service on the session bus\n"),
- 		N_("* Other options:\n"),
--		N_("  -B	command to run before saving the certificate\n"),
--		N_("  -C	command to run after saving the certificate\n"),
--		N_("  -F	file in which to store the CA's certificates\n"),
--		N_("  -a	NSS database in which to store the CA's certificates\n"),
--		N_("  -w	try to wait for the certificate to be issued\n"),
--		N_("  -v	report all details of errors\n"),
-+		N_("  -B COMMAND, --before-command=COMMAND\n"),
-+		N_("			command to run before saving the certificate\n"),
-+		N_("  -C COMMAND, --after-command=COMMAND\n"),
-+		N_("			command to run after saving the certificate\n"),
-+		N_("  -F FILE, --ca-file=FILE\n"),
-+		N_("			file in which to store the CA's certificates\n"),
-+		N_("  -a DIR, --ca-dbdir=DIR\n"),
-+		N_("			NSS database in which to store the CA's certificates\n"),
-+		N_("  -w, --wait		try to wait for the certificate to be issued\n"),
-+		N_("  --wait-timeout TIMEOUT\n"),
-+		N_("			Maximum time to wait for the certificateto be issued\n"),
-+		N_("  -v, --verbose		report all details of errors\n"),
- 		NULL,
- 	};
- 	const char *list_help[] = {
-@@ -5090,46 +5229,52 @@ help(const char *twopartcmd, const char *category)
- 		N_("Optional arguments:\n"),
- 		N_("* General options:\n"),
- #ifndef FORCE_CA
--		N_("  -c CA	list only requests and certs associated with this CA\n"),
-+		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),
- #endif
--		N_("  -r	list only information about outstanding requests\n"),
--		N_("  -t	list only information about tracked certificates\n"),
--		N_("  -u	display times in UTC instead of local time\n"),
-+		N_("  -r, --requests-only	list only information about outstanding requests\n"),
-+		N_("  -t, --tracking-only	list only information about tracked certificates\n"),
-+		N_("  -u, --utc		display times in UTC instead of local time\n"),
- 		N_("* If selecting a specific request:\n"),
--		N_("  -i NAME	nickname for tracking request\n"),
-+		N_("  -i NAME, --id=NAME	nickname for tracking request\n"),
- 		N_("* If using an NSS database for storage:\n"),
--		N_("  -d DIR	only list requests and certs which use this NSS database\n"),
--		N_("  -n NAME	only list requests and certs which use this nickname\n"),
-+		N_("  -d DIR, --dbdir=DIR	NSS database for key and cert\n"),
-+		N_("  -n NAME, --nickname NAME\n"),
-+		N_("			nickname for NSS-based storage (only valid with -d)\n"),
- 		N_("* If using files for storage:\n"),
--		N_("  -f FILE	only list requests and certs stored in this PEM file\n"),
-+		N_("  -f FILE, --certfile=FILE\n"),
-+		N_("			only list requests and certs stored in this PEM file\n"),
- 		N_("* Bus options:\n"),
--		N_("  -S	connect to the certmonger service on the system bus\n"),
--		N_("  -s	connect to the certmonger service on the session bus\n"),
-+		N_("  -S, --system		connect to the certmonger service on the system bus\n"),
-+		N_("  -s, --session		connect to the certmonger service on the session bus\n"),
- 		N_("* Other options:\n"),
--		N_("  -v	report all details of errors\n"),
-+		N_("  -v, --verbose		report all details of errors\n"),
- 		NULL,
- 	};
- 	const char *refresh_help[] = {
- 		N_("Usage: %s refresh [options]\n"),
- 		"\n",
- 		N_("* General options:\n"),
--		N_("  -a	refresh information about all outstanding requests\n"),
-+		N_("  -a, --all		refresh information about all outstanding requests\n"),
- 		"\n",
- 		N_("Required arguments:\n"),
- 		N_("* By request identifier:\n"),
--		N_("  -i NAME	nickname for tracking request\n"),
-+		N_("  -i NAME, --id=NAME	nickname for tracking request\n"),
- 		N_("* If using an NSS database for storage:\n"),
--		N_("  -d DIR	NSS database for key and cert\n"),
--		N_("  -n NAME	nickname for NSS-based storage (only valid with -d)\n"),
--		N_("  -t NAME	optional token name for NSS-based storage (only valid with -d)\n"),
-+		N_("  -d DIR, --dbdir=DIR	NSS database for key and cert\n"),
-+		N_("  -n NAME, --nickname NAME\n"),
-+		N_("			nickname for NSS-based storage (only valid with -d)\n"),
-+		N_("  -t NAME, --token=NAME	optional token name for NSS-based storage\n"),
-+		N_("			(only valid with -d)\n"),
- 		N_("* If using files for storage:\n"),
--		N_("  -f FILE	PEM file for certificate\n"),
-+		N_("  -f FILE, --certfile=FILE\n"),
-+		N_("			PEM file for certificate\n"),
- 		"\n",
- 		N_("Optional arguments:\n"),
- 		N_("* Bus options:\n"),
--		N_("  -S		connect to the certmonger service on the system bus\n"),
--		N_("  -s		connect to the certmonger service on the session bus\n"),
--		N_("  -v	report all details of errors\n"),
-+		N_("  -S, --system		connect to the certmonger service on the system bus\n"),
-+		N_("  -s, --session		connect to the certmonger service on the session bus\n"),
-+		N_("* Other options:\n"),
-+		N_("  -v, --verbose		report all details of errors\n"),
- 		NULL,
- 	};
- 	const char *status_help[] = {
-@@ -5137,17 +5282,19 @@ help(const char *twopartcmd, const char *category)
- 		"\n",
- 		N_("Optional arguments:\n"),
- 		N_("* Selecting a specific request:\n"),
--		N_("  -i NAME	nickname for tracking request\n"),
-+		N_("  -i NAME, --id=NAME	nickname for tracking request\n"),
- 		N_("* When using an NSS database for storage:\n"),
--		N_("  -d DIR	return status for the request in this NSS database\n"),
--		N_("  -n NAME	return status for cert which uses this nickname\n"),
-+		N_("  -d DIR, --dbdir=DIR	NSS database for key and cert\n"),
-+		N_("  -n NAME, --nickname NAME\n"),
-+		N_("			nickname for NSS-based storage (only valid with -d)\n"),
- 		N_("* When using files for storage:\n"),
--		N_("  -f FILE	return status for cert stored in this PEM file\n"),
-+		N_("  -f FILE, --certfile=FILE\n"),
-+		N_("			return status for cert stored in this PEM file\n"),
- 		N_("* Bus options:\n"),
--		N_("  -S	connect to the certmonger service on the system bus\n"),
--		N_("  -s	connect to the certmonger service on the session bus\n"),
-+		N_("  -S, --system		connect to the certmonger service on the system bus\n"),
-+		N_("  -s, --session		connect to the certmonger service on the session bus\n"),
- 		N_("* Other options:\n"),
--		N_("  -v	report all details of errors\n"),
-+		N_("  -v, --verbose		report all details of errors\n"),
- 		NULL,
- 	};
- 	const char *list_cas_help[] = {
-@@ -5156,13 +5303,13 @@ help(const char *twopartcmd, const char *category)
- 		N_("Optional arguments:\n"),
- #ifndef FORCE_CA
- 		N_("* General options:\n"),
--		N_("  -c CA	list only information about the CA with this name\n"),
-+		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),
- #endif
- 		N_("* Bus options:\n"),
--		N_("  -S	connect to the certmonger service on the system bus\n"),
--		N_("  -s	connect to the certmonger service on the session bus\n"),
-+		N_("  -S, --system		connect to the certmonger service on the system bus\n"),
-+		N_("  -s, --session		connect to the certmonger service on the session bus\n"),
- 		N_("* Other options:\n"),
--		N_("  -v	report all details of errors\n"),
-+		N_("  -v, --verbose		report all details of errors\n"),
- 		NULL,
- 	};
- 	const char *refresh_ca_help[] = {
-@@ -5171,14 +5318,14 @@ help(const char *twopartcmd, const char *category)
- 		N_("Optional arguments:\n"),
- #ifndef FORCE_CA
- 		N_("* General options:\n"),
--		N_("  -c CA	refresh information about the CA with this name\n"),
--		N_("  -a	refresh information about all known CAs\n"),
-+		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),
-+		N_("  -a, --all		refresh information about all known CAs\n"),
- #endif
- 		N_("* Bus options:\n"),
--		N_("  -S	connect to the certmonger service on the system bus\n"),
--		N_("  -s	connect to the certmonger service on the session bus\n"),
-+		N_("  -S, --system		connect to the certmonger service on the system bus\n"),
-+		N_("  -s, --session		connect to the certmonger service on the session bus\n"),
- 		N_("* Other options:\n"),
--		N_("  -v	report all details of errors\n"),
-+		N_("  -v, --verbose		report all details of errors\n"),
- 		NULL,
- 	};
- #ifndef FORCE_CA
-@@ -5187,13 +5334,13 @@ help(const char *twopartcmd, const char *category)
- 		"\n",
- 		N_("Optional arguments:\n"),
- 		N_("* General options:\n"),
--		N_("  -c CA		nickname to give to the new CA configuration\n"),
--		N_("  -e CMD	helper command to run to communicate with CA\n"),
-+		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),
-+		N_("  -e CMD, --command CMD	helper command to run to communicate with CA\n"),
- 		N_("* Bus options:\n"),
--		N_("  -S	connect to the certmonger service on the system bus\n"),
--		N_("  -s	connect to the certmonger service on the session bus\n"),
-+		N_("  -S, --system		connect to the certmonger service on the system bus\n"),
-+		N_("  -s, --session		connect to the certmonger service on the session bus\n"),
- 		N_("* Other options:\n"),
--		N_("  -v	report all details of errors\n"),
-+		N_("  -v, --verbose		report all details of errors\n"),
- 		NULL,
- 	};
- 	const char *add_scep_ca_help[] = {
-@@ -5201,18 +5348,23 @@ help(const char *twopartcmd, const char *category)
- 		"\n",
- 		N_("Optional arguments:\n"),
- 		N_("* General options:\n"),
--		N_("  -c CA		nickname to give to the new CA configuration\n"),
--		N_("  -u URL	location of SCEP server\n"),
--		N_("  -i ID		CA identifier\n"),
--		N_("  -R FILE	file containing CA's certificate\n"),
--		N_("  -r FILE	file containing RA's certificate\n"),
--		N_("  -I FILE	file containing certificates in RA's certifying chain\n"),
--		N_("  -n	prefer not to use the SCEP Renewal feature\n"),
-+		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),
-+		N_("  -u URL, --URL URL	location of SCEP server\n"),
-+		N_("  -i ID, --id ID	CA identifier\n"),
-+		N_("  -R FILE, --cacert=FILE\n"),
-+		N_("			file containing web server's certificate\n"),
-+		N_("  -r FILE, --racert=FILE\n"),
-+		N_("			file containing RA's certificate\n"),
-+		N_("  -N FILE, --signingca=FILE\n"),
-+		N_("			file containing CA's certificate\n"),
-+		N_("  -I FILE, --other-certs=FILE\n"),
-+		N_("			file containing certificates in RA's certifying chain\n"),
-+		N_("  -n, --non-renewal	prefer not to use the SCEP Renewal feature\n"),
- 		N_("* Bus options:\n"),
--		N_("  -S	connect to the certmonger service on the system bus\n"),
--		N_("  -s	connect to the certmonger service on the session bus\n"),
-+		N_("  -S, --system		connect to the certmonger service on the system bus\n"),
-+		N_("  -s, --session		connect to the certmonger service on the session bus\n"),
- 		N_("* Other options:\n"),
--		N_("  -v	report all details of errors\n"),
-+		N_("  -v, --verbose		report all details of errors\n"),
- 		NULL,
- 	};
- 	const char *modify_ca_help[] = {
-@@ -5220,13 +5372,13 @@ help(const char *twopartcmd, const char *category)
- 		"\n",
- 		N_("Optional arguments:\n"),
- 		N_("* General options:\n"),
--		N_("  -c CA		nickname of the CA configuration\n"),
--		N_("  -e CMD	updated helper command to run to communicate with CA\n"),
-+		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),
-+		N_("  -e CMD, --command CMD	helper command to run to communicate with CA\n"),
- 		N_("* Bus options:\n"),
--		N_("  -S	connect to the certmonger service on the system bus\n"),
--		N_("  -s	connect to the certmonger service on the session bus\n"),
-+		N_("  -S, --system		connect to the certmonger service on the system bus\n"),
-+		N_("  -s, --session		connect to the certmonger service on the session bus\n"),
- 		N_("* Other options:\n"),
--		N_("  -v	report all details of errors\n"),
-+		N_("  -v, --verbose		report all details of errors\n"),
- 		NULL,
- 	};
- 	const char *remove_ca_help[] = {
-@@ -5234,12 +5386,12 @@ help(const char *twopartcmd, const char *category)
- 		"\n",
- 		N_("Optional arguments:\n"),
- 		N_("* General options:\n"),
--		N_("  -c CA	nickname of CA configuration to remove\n"),
-+		N_("  -c CA, --ca=NAME	use the specified CA rather than the default\n"),
- 		N_("* Bus options:\n"),
--		N_("  -S	connect to the certmonger service on the system bus\n"),
--		N_("  -s	connect to the certmonger service on the session bus\n"),
-+		N_("  -S, --system		connect to the certmonger service on the system bus\n"),
-+		N_("  -s, --session		connect to the certmonger service on the session bus\n"),
- 		N_("* Other options:\n"),
--		N_("  -v	report all details of errors\n"),
-+		N_("  -v, --verbose		report all details of errors\n"),
- 		NULL,
- 	};
- #endif
-diff --git a/src/scep.c b/src/scep.c
-index 4294cda..4dde1ce 100644
---- a/src/scep.c
-+++ b/src/scep.c
-@@ -230,7 +230,7 @@ main(int argc, const char **argv)
- 		{"url", 'u', POPT_ARG_STRING, &url, 0, "service location", "URL"},
- 		{"ca-identifier", 'i', POPT_ARG_STRING, &id, 0, "name to use when querying for capabilities", "IDENTIFIER"},
- 		{"retrieve-ca-capabilities", 'c', POPT_ARG_NONE, NULL, 'c', "make a GetCACaps request", NULL},
--		{"retrieve-ca-certificates", 'C', POPT_ARG_NONE, NULL, 'C', "make GetCACert/GetCAChain requests", NULL},
-+		{"retrieve-ca-certificates", 'C', POPT_ARG_NONE, NULL, 'C', "make GetCACert request", NULL},
- 		{"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL},
- 		{"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL},
- 		{"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},
--- 
-2.21.1
-
diff --git a/SOURCES/0044-Adapt-to-the-new-behavior-of-disconnect-in-dbus-brok.patch b/SOURCES/0044-Adapt-to-the-new-behavior-of-disconnect-in-dbus-brok.patch
deleted file mode 100644
index 35cf57b..0000000
--- a/SOURCES/0044-Adapt-to-the-new-behavior-of-disconnect-in-dbus-brok.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From bf409dbab5f5910de6c2691f978bb8644532728a Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 18 May 2020 15:01:02 -0400
-Subject: [PATCH] Adapt to the new behavior of disconnect in dbus-broker
-
-The dbus server was replaced in Fedora-29 to use dbus-broker.
-
-This server does not allow reconnects on a disconnect. certmonger
-was crashing as a result.
-
-The only way to directly pass a message between the dbus queue and
-the main tevent handle is via a signal. So when a disconnect is
-detected send a SIGTERM to getpid() in order to force a graceful
-shutdown.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1687698
----
- src/tdbus.c | 61 ++++++++++-------------------------------------------
- 1 file changed, 11 insertions(+), 50 deletions(-)
-
-diff --git a/src/tdbus.c b/src/tdbus.c
-index a81b534..402022e 100644
---- a/src/tdbus.c
-+++ b/src/tdbus.c
-@@ -22,6 +22,7 @@
- #include <stdlib.h>
- #include <string.h>
- #include <unistd.h>
-+#include <signal.h>
- 
- #include <talloc.h>
- #include <tevent.h>
-@@ -522,60 +523,24 @@ cm_tdbus_timeout_cleanup(void *data)
- }
- 
- static void
--cm_tdbus_reconnect(struct tevent_context *ec, struct tevent_timer *timer,
-+cm_tdbus_disconnected(struct tevent_context *ec, struct tevent_timer *timer,
- 		   struct timeval current_time, void *pvt)
- {
--	const char *bus_desc;
- 	struct tdbus_connection *tdb;
--	struct timeval later;
--	dbus_bool_t exit_on_disconnect = TRUE;
-+	pid_t pid;
- 
- 	tdb = pvt;
- 	talloc_free(timer);
- 	if ((tdb->conn == NULL) ||
- 	    !dbus_connection_get_is_connected(tdb->conn)) {
--		/* Close the current connection and open a new one. */
-+		/* Close the current connection and exit. */
- 		if (tdb->conn != NULL) {
- 			dbus_connection_unref(tdb->conn);
- 			tdb->conn = NULL;
- 		}
--		bus_desc = NULL;
--		switch (tdb->conn_type) {
--		case cm_tdbus_system:
--			cm_log(1, "Attempting to reconnect to system bus.\n");
--			tdb->conn = dbus_bus_get(DBUS_BUS_SYSTEM, NULL);
--			cm_set_conn_ptr(tdb->data, tdb->conn);
--			/* Don't exit if we get disconnected. */
--			exit_on_disconnect = FALSE;
--			bus_desc = "system";
--			break;
--		case cm_tdbus_session:
--			cm_log(1, "Attempting to reconnect to session bus.\n");
--			tdb->conn = dbus_bus_get(DBUS_BUS_SESSION, NULL);
--			cm_set_conn_ptr(tdb->data, tdb->conn);
--			/* Exit if we get disconnected. */
--			exit_on_disconnect = TRUE;
--			bus_desc = "session";
--			break;
--		case cm_tdbus_private:
--			abort();
--			break;
--		}
--		if ((tdb->conn != NULL) &&
--		    dbus_connection_get_is_connected(tdb->conn)) {
--			/* We're reconnected; reset our handlers. */
--			cm_log(1, "Reconnected to %s bus.\n", bus_desc);
--			dbus_connection_set_exit_on_disconnect(tdb->conn,
--							       exit_on_disconnect);
--			cm_tdbus_setup_public_connection(tdb, tdb->conn,
--							 bus_desc, NULL);
--		} else {
--			/* Try reconnecting again later. */
--			later = tevent_timeval_current_ofs(CM_DBUS_RECONNECT_TIMEOUT, 0),
--			tevent_add_timer(ec, tdb, later,
--					 cm_tdbus_reconnect,
--					 tdb);
--		}
-+		pid = getpid();
-+		cm_log(0, "Disconnected from dbus, exiting with SIGTERM.\n");
-+		kill(pid, SIGTERM);
- 	}
- }
- 
-@@ -585,12 +550,12 @@ cm_tdbus_filter(DBusConnection *conn, DBusMessage *dmessage, void *data)
- 	struct tdbus_connection *tdb = data;
- 	const char *destination, *unique_name, *path, *interface, *member;
- 
--	/* If we're disconnected, queue a reconnect. */
-+	/* If we're disconnected, queue an exit. */
- 	if ((tdb->conn_type != cm_tdbus_private) &&
- 	    !dbus_connection_get_is_connected(conn)) {
- 		tevent_add_timer(talloc_parent(tdb), tdb,
- 				 tevent_timeval_current(),
--				 cm_tdbus_reconnect,
-+				 cm_tdbus_disconnected,
- 				 tdb);
- 		return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
- 	}
-@@ -745,7 +710,6 @@ cm_tdbus_setup_public(struct tevent_context *ec, enum cm_tdbus_type bus_type,
- 	DBusError err;
- 	const char *bus_desc;
- 	struct tdbus_connection *tdb;
--	dbus_bool_t exit_on_disconnect;
- 
- 	/* Build our own context. */
- 	tdb = talloc_ptrtype(ec, tdb);
-@@ -764,15 +728,11 @@ cm_tdbus_setup_public(struct tevent_context *ec, enum cm_tdbus_type bus_type,
- 	case cm_tdbus_system:
- 		conn = dbus_bus_get(DBUS_BUS_SYSTEM, error);
- 		cm_set_conn_ptr(data, conn);
--		/* Don't exit if we get disconnected. */
--		exit_on_disconnect = FALSE;
- 		bus_desc = "system";
- 		break;
- 	case cm_tdbus_session:
- 		conn = dbus_bus_get(DBUS_BUS_SESSION, error);
- 		cm_set_conn_ptr(data, conn);
--		/* Exit if we get disconnected. */
--		exit_on_disconnect = TRUE;
- 		bus_desc = "session";
- 		break;
- 	case cm_tdbus_private:
-@@ -784,7 +744,8 @@ cm_tdbus_setup_public(struct tevent_context *ec, enum cm_tdbus_type bus_type,
- 		talloc_free(tdb);
- 		return -1;
- 	}
--	dbus_connection_set_exit_on_disconnect(conn, exit_on_disconnect);
-+	/* Exit on disconnect is handled in cm_tdbus_disconnected(). */
-+	dbus_connection_set_exit_on_disconnect(conn, FALSE);
- 	tdb->conn = conn;
- 	tdb->conn_type = bus_type;
- 	tdb->data = data;
--- 
-2.21.1
-
diff --git a/SOURCES/0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch b/SOURCES/0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch
deleted file mode 100644
index 6d2634c..0000000
--- a/SOURCES/0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From b63be96fd30d0a9fb2538e41509e8813620d5107 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Fri, 22 May 2020 12:58:44 -0400
-Subject: [PATCH] Include &message=CA-IDENT with GetCACaps and GetCACert
- requests
-
-The guttman spec is quite unclear on this and in the GetCACaps
-section doesn't mention &message at all. It only appears in the
-generic GET requests section 4.1
-
-The nourse spec is clearer and requires &message=CA-IDENT on
-GetCACaps requests.
-
-AD 2012 R2 servers also require message on GetCACert requests.
-
-This reverts much of 60a4db5796b0575ca2cc9f1af4ecb3fdc6359242
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1839181
-https://pagure.io/certmonger/issue/103
----
- src/scep.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/scep.c b/src/scep.c
-index 4dde1ce..11ebd6f 100644
---- a/src/scep.c
-+++ b/src/scep.c
-@@ -370,11 +370,11 @@ main(int argc, const char **argv)
- 		break;
- 	case op_get_ca_caps:
- 		/* Only step: read capabilities for the daemon. */
--		params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
-+		params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
- 		break;
- 	case op_get_ca_certs:
- 		/* First step: get the root certificate. */
--		params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT);
-+		params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT "&message=%s", id);
- 		break;
- 	case op_get_cert_initial:
- 		if ((racert == NULL) || (strlen(racert) == 0)) {
-@@ -393,7 +393,7 @@ main(int argc, const char **argv)
- 				goto done;
- 			}
- 			/* First step: read capabilities for our use. */
--			params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
-+			params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
- 		}
- 		break;
- 	case op_pkcsreq:
-@@ -413,7 +413,7 @@ main(int argc, const char **argv)
- 				goto done;
- 			}
- 			/* First step: read capabilities for our use. */
--			params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
-+			params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
- 		}
- 		break;
- 	}
--- 
-2.25.4
-
diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec
index f03cff8..69eac18 100644
--- a/SPECS/certmonger.spec
+++ b/SPECS/certmonger.spec
@@ -7,9 +7,11 @@
 
 %global sysvinitdir %{_initddir}
 
+%bcond_without xmlrpc
+
 Name:		certmonger
-Version:	0.79.7
-Release:	14%{?dist}
+Version:	0.79.13
+Release:	2%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client
 
 Group:		System Environment/Daemons
@@ -17,6 +19,9 @@ License:	GPLv3+
 URL:		http://pagure.io/certmonger/
 Source0:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
 
+Patch0001:	0001-Don-t-run-the-002-keygen-tests-when-root.patch
+Patch0002:	0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
+
 BuildRequires:	autoconf
 BuildRequires:	automake
 BuildRequires:	gettext-devel
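Review bot: `Patch0002` is declared unconditionally, although the spec now has an `xmlrpc` build conditional and `%autosetup -p1` applies every declared patch. Judging only by its filename, the patch puts the certmaster CA back into the 028-dbus test, which would presumably not match a `--without xmlrpc` build, so `make check` may fail there. This should be confirmed against the patch body, which is not part of this hunk. At minimum I would add a comment above the two lines, for example `# Downstream-only test adjustments; Patch0002 assumes the default xmlrpc-enabled build`.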
@@ -31,7 +36,11 @@ BuildRequires:	openssl-devel
 BuildRequires:	libuuid-devel
 BuildRequires:	libtalloc-devel, libtevent-devel
 BuildRequires:	libcurl-devel
-BuildRequires:	libxml2-devel, xmlrpc-c-devel
+BuildRequires:	libxml2-devel
+%if %{with xmlrpc}
+BuildRequires:	xmlrpc-c-devel
+%endif
+BuildRequires:	jansson-devel
 # Required for 'make check':
 #  for diff and cmp
 BuildRequires:	diffutils
@@ -51,7 +60,7 @@ BuildRequires:	/usr/bin/which
 BuildRequires:	popt-devel
 #  for make check
 BuildRequires:	python3-devel
-BuildRequires:  krb5-devel
+BuildRequires:	krb5-devel
 
 # we need a running system bus
 Requires:	dbus
@@ -80,74 +89,13 @@ Requires(post):	/sbin/chkconfig, /sbin/service
 Requires(preun):	/sbin/chkconfig, /sbin/service, dbus, sed
 %endif
 
-Patch1:		0001-NSS-crypto-policy-sets-minimum-RSA-and-DSA-key-size-.patch
-Patch2:		0002-Convert-tests-to-use-python3.patch
-Patch18:	0018-clang-more-Dead-assignment.patch
-Patch19:	0019-clang-more-Memory-leaks.patch
-Patch20:	0020-clang-Avoid-buffer-overflow.patch
-Patch21:	0021-clang-Garbage-value-possible.patch
-Patch22:	0022-Uninitialized-variable.patch
-Patch23:	0023-merge-into-clang-more-Memory-leaks.patch
-Patch24:	0024-Add-missing-return-type-declaration.patch
-Patch25:	0025-Discards-const-qualifier.patch
-Patch26:	0026-Optimize-closing-open-file-descriptors.patch
-Patch27:	0027-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch
-Patch28:	0028-Don-t-close-STDOUT-when-calling-the-CA-fetch_roots-f.patch
-Patch29:	0029-Remove-NOMODDB-flag-flag-from-context-init-look-for-.patch
-Patch30:	0030-Update-tests-to-include-the-security-module-DB-in-ex.patch
-Patch31:	0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch
-Patch32:	0032-Fix-use-after-free-issue.patch
-Patch33:	0033-Improve-logging-in-SCEP-helper.patch
-Patch34:	0034-Add-verbose-option-to-SCEP-CA-if-requested-in-add-sc.patch
-Patch35:	0035-Cleanup-the-SCEP-helper-curl-and-talloc-contexts-whe.patch
-Patch36:	0036-Re-order-the-way-the-SCEP-signing-and-CA-certs-are-c.patch
-Patch37:	0037-Add-new-option-to-allow-overriding-the-detected-SCEP.patch
-Patch38:	0038-Include-template-profile-issuer-and-MS-cert-template.patch
-Patch39:	0039-Fix-broken-N-option-configuration.patch
-Patch40:	0040-Address-an-include-issue-discovered-by-coverity.patch
-Patch41:	0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch
-Patch42:	0042-Add-long-command-line-options-to-man-pages.patch
-Patch43:	0043-Add-long-options-to-command-line-help.patch
-Patch44:	0044-Adapt-to-the-new-behavior-of-disconnect-in-dbus-brok.patch
-Patch45:	0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch
-
 
 %description
 Certmonger is a service which is primarily concerned with getting your
 system enrolled with a certificate authority (CA) and keeping it enrolled.
 
 %prep
-%setup -q
-%patch1 -p1
-%patch2 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
-%patch27 -p1
-%patch28 -p1
-%patch29 -p1
-%patch30 -p1
-%patch31 -p1
-%patch32 -p1
-%patch33 -p1
-%patch34 -p1
-%patch35 -p1
-%patch36 -p1
-%patch37 -p1
-%patch38 -p1
-%patch39 -p1
-%patch40 -p1
-%patch41 -p1
-%patch42 -p1
-%patch43 -p1
-%patch44 -p1
-%patch45 -p1
+%autosetup -p1
 
 %build
 autoreconf -i -f
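Review bot: Switching from the explicit `%patchN` list to `%autosetup -p1` drops all 30 downstream patches at once, and nothing in the spec records that each of them is contained in the 0.79.13 tarball. Several are memory-safety fixes by name (`0020-clang-Avoid-buffer-overflow.patch`, `0032-Fix-use-after-free-issue.patch`, `0022-Uninitialized-variable.patch`), so one that was never merged upstream would regress without any build failure. I would check every removed patch against the upstream history and, once confirmed, record it in the rebase changelog entry, e.g. `- Drop downstream patches 1-45, all included in 0.79.13`.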
@@ -162,10 +110,17 @@ autoreconf -i -f
 	--enable-tmpfiles \
 %endif
 	--with-homedir=/run/certmonger \
+%if %{with xmlrpc}
+	--with-xmlrpc \
+%endif
 	--with-tmpdir=/run/certmonger --enable-pie --enable-now
+%if %{with xmlrpc}
 # For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
 # tell us about libxmlrpc_client, but we need more.  Work around.
 make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"
+%else
+make %{?_smp_mflags}
+%endif
 
 %install
 rm -rf $RPM_BUILD_ROOT
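Review bot: In the `--without xmlrpc` case no xmlrpc flag is passed to `%configure` at all, so whether XML-RPC support is compiled in may depend on configure's default and on what happens to be present in the buildroot. Making the choice explicit keeps the two build variants predictable: add an `%else` branch carrying `--without-xmlrpc \` next to the new `--with-xmlrpc \` line. The `%configure` invocation starts above this hunk, so its remaining options are not visible here.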
@@ -185,6 +140,12 @@ make check
 if test $1 -eq 1 ; then
 	%{_bindir}/dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig 2>&1 || :
 fi
+%if %{without xmlrpc}
+# remove any existing certmaster CA configuration
+if test $1 -gt 1 ; then
+	%{_bindir}/getcert remove-ca -c certmaster 2>&1 || :
+fi
+%endif
 %if %{systemd}
 if test $1 -eq 1 ; then
 	/bin/systemctl daemon-reload >/dev/null 2>&1 || :
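Review bot: The new `getcert remove-ca -c certmaster` call in `%post` discards its result with `|| :` and tells the administrator nothing, and the comment above it does not mention tracking requests that still name certmaster as their CA. How the daemon treats such requests afterwards cannot be seen from this hunk, but if they are left without a usable CA their certificates would stop renewing and expire with no obvious cause. I would extend the comment, e.g. `# built without xmlrpc: the certmaster CA cannot be used; requests still assigned to it must be moved to another CA`, and consider printing a one-line notice when the removal succeeds. The call also needs the certmonger service to be reachable on the system bus while the scriptlet runs, which is not guaranteed during an upgrade transaction.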
@@ -274,6 +235,16 @@ exit 0
 %endif
 
 %changelog
+* Tue Nov 10 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-2
+- Rebuild with xmlrpc-c support enabled (#1687698)
+
+* Wed Oct 28 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-1
+- Rebase to 0.79.13 (#1891743)
+ 
+* Thu Jul 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-15
+- Replace the previous fix for dbus restarting with PartOf in the
+  certmonger systemd service file to link the two (#1687698)
+
 * Tue Jun  2 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-14
 - Include &message=CA-IDENT with GetCACaps/GetCACert requests (#1843009)