diff --git a/SOURCES/0033-Improve-logging-in-SCEP-helper.patch b/SOURCES/0033-Improve-logging-in-SCEP-helper.patch
new file mode 100644
index 0000000..571d2c0
--- /dev/null
+++ b/SOURCES/0033-Improve-logging-in-SCEP-helper.patch
@@ -0,0 +1,931 @@ +From 0aa25dc4f8c44434e3f28a7fe25a72c0871ac13b Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Wed, 29 Apr 2020 16:50:16 -0400 +Subject: [PATCH 33/39] Improve logging in SCEP helper + +Always check return value of cm_pkcs7_verify_signed() and return +a unique error message. + +Change log level from 1 to 0 for all errors in scep.c and pkcs7.c +so they appear by default. + +Centralize logging across scep.c and pkcs7.c to reduce code +duplication. + +Check the return code to cm_pkcs7_verify_signed in all cases. + +Add the last available message, if any, to the error returned +via stdout to certmonger as a hint to what is going on. +--- + src/pkcs7.c | 111 +++++++++++++++++++++++++++--------------------- + src/pkcs7.h | 2 + + src/scep.c | 59 ++++++++++--------------- + src/scepgen-n.c | 28 ++++++------ + src/scepgen-o.c | 72 ++++++++++++++++--------------- + src/scepgen.c | 2 +- + 6 files changed, 140 insertions(+), 134 deletions(-) + +diff --git a/src/pkcs7.c b/src/pkcs7.c +index 6de1775..29420b9 100644 +--- a/src/pkcs7.c ++++ b/src/pkcs7.c +@@ -274,6 +274,25 @@ cm_pkcs7_parse_buffer(const unsigned char *buffer, size_t length, + } + } + ++void ++log_pkcs7_errors(int level, char *msg) ++{ ++ char buf[LINE_MAX] = ""; ++ long error; ++ int nss_err; ++ ++ cm_log(level, "%s\n", msg); ++ while ((error = ERR_get_error()) != 0) { ++ memset(buf, '\0', sizeof(buf)); ++ ERR_error_string_n(error, buf, sizeof(buf)); ++ cm_log(level, "%s\n", buf); ++ } ++ nss_err = PORT_GetError(); ++ if (nss_err < 0) { ++ cm_log(level, "%d: %s\n", nss_err, PR_ErrorToString(nss_err, 0)); ++ } ++} ++ + int + cm_pkcs7_parsev(unsigned int flags, void *parent, + char **certleaf, char **certtop, char ***certothers, +@@ -520,26 +539,26 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher, + + in = BIO_new_mem_buf(encryption_cert, -1); + if (in == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + recipient = 
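Review bot: `log_pkcs7_errors()` logs `msg` through `"%s\n"` while every caller added in this patch passes a message that already ends in `\n`, so each reported error is followed by a blank log line; use `cm_log(level, "%s", msg);` and leave the newline to the callers. Only string literals are ever passed, so the parameter should be `const char *msg`, and this is the only symbol in pkcs7.h without the `cm_pkcs7_` prefix — `cm_pkcs7_log_errors` would match the file's convention. `LINE_MAX` needs `<limits.h>`; the include block is outside the hunk, so whether pkcs7.c already has it cannot be confirmed from here.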
PEM_read_bio_X509(in, NULL, NULL, NULL); + if (recipient == NULL) { +- cm_log(1, "Error parsing recipient certificate.\n"); ++ log_pkcs7_errors(0, "Error parsing recipient certificate.\n"); + goto done; + } + BIO_free(in); + + recipients = sk_X509_new(util_o_cert_cmp); + if (recipients == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + sk_X509_push(recipients, recipient); + + in = BIO_new_mem_buf(data, dlength); + if (in == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + p7 = PKCS7_encrypt(recipients, in, cm_prefs_ossl_cipher_by_pref(cipher), +@@ -547,22 +566,22 @@ cm_pkcs7_envelope_data(char *encryption_cert, enum cm_prefs_cipher cipher, + BIO_free(in); + + if (p7 == NULL) { +- cm_log(1, "Error encrypting signing request.\n"); ++ log_pkcs7_errors(0, "Error encrypting signing request.\n"); + goto done; + } + len = i2d_PKCS7(p7, NULL); + if (len < 0) { +- cm_log(1, "Error encoding encrypted signing request.\n"); ++ log_pkcs7_errors(0, "Error encoding encrypted signing request.\n"); + goto done; + } + dp7 = malloc(len); + if (dp7 == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + u = dp7; + if (i2d_PKCS7(p7, &u) != len) { +- cm_log(1, "Error encoding encrypted signing request.\n"); ++ log_pkcs7_errors(0, "Error encoding encrypted signing request.\n"); + goto done; + } + *enveloped = dp7; +@@ -593,29 +612,29 @@ cm_pkcs7_envelope_csr(char *encryption_cert, enum cm_prefs_cipher cipher, + + in = BIO_new_mem_buf(csr, -1); + if (in == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); + BIO_free(in); + if (req == NULL) { +- cm_log(1, "Error parsing certificate signing request.\n"); ++ log_pkcs7_errors(0, "Error parsing certificate signing request.\n"); + goto done; + } + + dlen = i2d_X509_REQ(req, NULL); + if (dlen < 0) { +- cm_log(1, "Error 
encoding certificate signing request.\n"); ++ log_pkcs7_errors(0, "Error encoding certificate signing request.\n"); + goto done; + } + dreq = malloc(dlen); + if (dreq == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + u = dreq; + if (i2d_X509_REQ(req, &u) != dlen) { +- cm_log(1, "Error encoding certificate signing request.\n"); ++ log_pkcs7_errors(0, "Error encoding certificate signing request.\n"); + goto done; + } + ret = cm_pkcs7_envelope_data(encryption_cert, cipher, dreq, dlen, +@@ -671,59 +690,61 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert, + + in = BIO_new_mem_buf(cacert, -1); + if (in == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + ca = PEM_read_bio_X509(in, NULL, NULL, NULL); + BIO_free(in); + if (ca == NULL) { +- cm_log(1, "Error parsing CA certificate.\n"); ++ log_pkcs7_errors(0, "Error parsing CA certificate.\n"); + goto done; + } + + in = BIO_new_mem_buf(minicert, -1); + if (in == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + mini = PEM_read_bio_X509(in, NULL, NULL, NULL); + BIO_free(in); + if (mini == NULL) { +- cm_log(1, "Error parsing client certificate.\n"); ++ log_pkcs7_errors(0, "Error parsing client certificate.\n"); + goto done; + } + + issuerlen = i2d_X509_NAME(X509_get_issuer_name(ca), NULL); + if (issuerlen < 0) { +- cm_log(1, "Error encoding CA certificate issuer name.\n"); ++ cm_log(0, "Error encoding CA certificate issuer name.\n"); + goto done; + } + issuer = malloc(issuerlen); + if (issuer == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + u = issuer; + if (i2d_X509_NAME(X509_get_issuer_name(ca), &u) != issuerlen) { +- cm_log(1, "Error encoding CA certificate issuer name.\n"); ++ log_pkcs7_errors(0, "Error encoding CA certificate issuer name.\n"); + goto done; + } + + subjectlen = i2d_X509_NAME(X509_get_subject_name(mini), NULL); + if 
(subjectlen < 0) { +- cm_log(1, "Error encoding client certificate subject name.\n"); ++ cm_log(0, "Error encoding client certificate subject name.\n"); + goto done; + } + subject = malloc(subjectlen); + if (subject == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + u = subject; + if (i2d_X509_NAME(X509_get_subject_name(mini), &u) != subjectlen) { +- cm_log(1, "Error encoding client certificate subject name.\n"); ++ log_pkcs7_errors(0, "Error encoding client certificate subject name.\n"); + goto done; + } ++ PORT_SetError(0); ++ ERR_clear_error(); + memset(&issuerandsubject, 0, sizeof(issuerandsubject)); + issuerandsubject.issuer.data = issuer; + issuerandsubject.issuer.len = issuerlen; +@@ -731,7 +752,7 @@ cm_pkcs7_generate_ias(char *cacert, char *minicert, + issuerandsubject.subject.len = subjectlen; + if (SEC_ASN1EncodeItem(NULL, &encoded, &issuerandsubject, + cm_pkcs7_ias_template) != &encoded) { +- cm_log(1, "Error encoding issuer and subject names.\n"); ++ log_pkcs7_errors(0, "Error encoding issuer and subject names.\n"); + goto done; + } + *ias = malloc(encoded.len); +@@ -948,28 +969,28 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, + u = data; + p7 = d2i_PKCS7(NULL, &u, length); + if ((p7 == NULL) || (u != data + length)) { +- cm_log(1, "Error parsing what should be PKCS#7 signed-data.\n"); ++ cm_log(0, "Error parsing what should be PKCS#7 signed-data.\n"); + goto done; + } + if ((p7->type == NULL) || (OBJ_obj2nid(p7->type) != NID_pkcs7_signed)) { +- cm_log(1, "PKCS#7 data is not signed-data.\n"); ++ cm_log(0, "PKCS#7 data is not signed-data.\n"); + goto done; + } + store = X509_STORE_new(); + if (store == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + X509_STORE_set_verify_cb_func(store, &ignore_purpose_errors); + certs = sk_X509_new(util_o_cert_cmp); + if (certs == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto 
done; + } + for (i = 0; (roots != NULL) && (roots[i] != NULL); i++) { + s = talloc_strdup(parent, roots[i]); + if (s == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + /* In case one of these is multiple PEM certificates +@@ -990,13 +1011,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, + } + in = BIO_new_mem_buf(p, q - p); + if (in == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + x = PEM_read_bio_X509(in, NULL, NULL, NULL); + BIO_free(in); + if (x == NULL) { +- cm_log(1, "Error parsing chain certificate.\n"); ++ cm_log(0, "Error parsing chain certificate.\n"); + goto done; + } + X509_STORE_add_cert(store, x); +@@ -1008,7 +1029,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, + for (i = 0; (othercerts != NULL) && (othercerts[i] != NULL); i++) { + s = talloc_strdup(parent, othercerts[i]); + if (s == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + /* In case one of these is multiple PEM certificates +@@ -1028,13 +1049,13 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, + } + in = BIO_new_mem_buf(p, q - p); + if (in == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + x = PEM_read_bio_X509(in, NULL, NULL, NULL); + BIO_free(in); + if (x == NULL) { +- cm_log(1, "Error parsing chain certificate.\n"); ++ cm_log(0, "Error parsing chain certificate.\n"); + goto done; + } + sk_X509_push(certs, x); +@@ -1044,7 +1065,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, + } + out = BIO_new(BIO_s_mem()); + if (out == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + if (roots != NULL) { +@@ -1057,19 +1078,19 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, + for (i = 0; i < sk_X509_num(certs); i++) { + x = X509_dup(sk_X509_value(certs, i)); + if (x == NULL) { +- cm_log(1, "Out of 
memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + PKCS7_add_certificate(p7, x); + } + if (PKCS7_verify(p7, certs, store, NULL, out, 0) != 1) { +- cm_log(1, "Message failed verification.\n"); ++ cm_log(0, "Message failed verification.\n"); + goto done; + } + } + p7s = p7->d.sign; + if (sk_PKCS7_SIGNER_INFO_num(p7s->signer_info) != 1) { +- cm_log(1, "Number of PKCS#7 signed-data signers != 1.\n"); ++ cm_log(0, "Number of PKCS#7 signed-data signers != 1.\n"); + goto done; + } + si = sk_PKCS7_SIGNER_INFO_value(p7s->signer_info, 0); +@@ -1077,12 +1098,12 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, + encapsulated = p7s->contents; + if (expected_content_type != NID_undef) { + if (encapsulated == NULL) { +- cm_log(1, "Error parsing PKCS#7 encapsulated content.\n"); ++ cm_log(0, "Error parsing PKCS#7 encapsulated content.\n"); + goto done; + } + if ((encapsulated->type == NULL) || + (OBJ_obj2nid(encapsulated->type) != expected_content_type)) { +- cm_log(1, "PKCS#7 encapsulated data is not %s (%s).\n", ++ cm_log(0, "PKCS#7 encapsulated data is not %s (%s).\n", + OBJ_nid2ln(expected_content_type), + encapsulated->type ? 
+ OBJ_nid2ln(OBJ_obj2nid(encapsulated->type)) : +@@ -1091,7 +1112,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, + } + } + if (attrs == NULL) { +- cm_log(1, "PKCS#7 signed-data contains no signed attributes.\n"); ++ cm_log(0, "PKCS#7 signed-data contains no signed attributes.\n"); + goto done; + } + ret = 0; +@@ -1146,7 +1167,7 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, + if (*payload_length > 0) { + *payload = talloc_size(parent, *payload_length + 1); + if (*payload == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + goto done; + } + memcpy(*payload, s, *payload_length); +@@ -1154,12 +1175,6 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length, + } + } + done: +- if (ret != 0) { +- while ((error = ERR_get_error()) != 0) { +- ERR_error_string_n(error, buf, sizeof(buf)); +- cm_log(1, "%s\n", buf); +- } +- } + if (p7 != NULL) { + PKCS7_free(p7); + } +diff --git a/src/pkcs7.h b/src/pkcs7.h +index 097f7ca..fae52f8 100644 +--- a/src/pkcs7.h ++++ b/src/pkcs7.h +@@ -63,4 +63,6 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length, + size_t *recipient_nonce_length, + unsigned char **payload, size_t *payload_length); + ++void log_pkcs7_errors(int level, char *msg); ++ + #endif +diff --git a/src/scep.c b/src/scep.c +index b37711c..0b8bef9 100644 +--- a/src/scep.c ++++ b/src/scep.c +@@ -428,11 +428,15 @@ main(int argc, const char **argv) + if ((rekey_message != NULL) && (strlen(rekey_message) != 0)) { + tmp1 = cm_submit_u_base64_from_text(rekey_message); + tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c); +- cm_pkcs7_verify_signed((unsigned char *) tmp2, c, ++ i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c, + NULL, NULL, NID_pkcs7_data, ctx, NULL, + NULL, &msgtype, NULL, NULL, + NULL, NULL, + NULL, NULL, NULL, NULL); ++ if (i != 0) { ++ log_pkcs7_errors(0, "Error: failed to verify signature on " ++ "rekey PKCSReq.\n"); ++ } + if ((msgtype == NULL) || + ((strcmp(msgtype, 
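Review bot: dropping the `ERR_get_error()` drain at `done:` leaves `buf` and `error` in `cm_pkcs7_verify_signed()` without a visible use; unless they are referenced elsewhere in the function (its declarations are outside the hunk), they are now unused and should be removed to avoid `-Wunused-variable` noise. Keeping the OpenSSL error queue intact so scep.c can peek it is deliberate, but it changes the contract for every caller — any caller that does not drain the queue now carries stale errors into later operations — so the function header deserves a note: `/* On failure the OpenSSL error queue is left intact for the caller to report. */`. The function's start and its declarations lie outside the hunk.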
SCEP_MSGTYPE_PKCSREQ) != 0) && + (strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) { +@@ -454,11 +458,15 @@ main(int argc, const char **argv) + if ((message != NULL) && (strlen(message) != 0)) { + tmp1 = cm_submit_u_base64_from_text(message); + tmp2 = cm_store_base64_as_bin(ctx, tmp1, -1, &c); +- cm_pkcs7_verify_signed((unsigned char *) tmp2, c, ++ i = cm_pkcs7_verify_signed((unsigned char *) tmp2, c, + NULL, NULL, NID_pkcs7_data, ctx, NULL, + &sent_tx, &msgtype, NULL, NULL, + &sent_nonce, &sent_nonce_length, + NULL, NULL, NULL, NULL); ++ if (i != 0) { ++ log_pkcs7_errors(0, "Error: failed to verify signature on " ++ "message.\n"); ++ } + if ((msgtype == NULL) || + ((strcmp(msgtype, SCEP_MSGTYPE_PKCSREQ) != 0) && + (strcmp(msgtype, SCEP_MSGTYPE_GETCERTINITIAL) != 0))) { +@@ -933,14 +941,16 @@ main(int argc, const char **argv) + &payload, &payload_length); + if (i != 0) { + printf(_("Error: failed to verify signature on " +- "server response.\n")); +- cm_log(1, "Error: failed to verify signature on " +- "server response.\n"); +- while ((error = ERR_get_error()) != 0) { ++ "server response. 
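Review bot: the new message `Error: failed to verify signature on message.` describes something this call does not do: the third and fourth arguments (roots and other certs, going by the parameter order visible in pkcs7.c) are NULL, and `cm_pkcs7_verify_signed()` only calls `PKCS7_verify()` inside `if (roots != NULL)`, so a non-zero return here means the locally generated pkiMessage could not be parsed, not that a signature check failed. I'd log `Error: failed to parse PKCS7 message.` and bail out immediately with the same status the `msgtype` check below returns, rather than falling through to `msgtype == NULL`, which only works if `msgtype` was NULL-initialized before the call (outside the hunk) and then reports a misleading "wrong message type" error. The rekey hunk above has the same wording and fall-through issue. `main()` starts and ends outside the hunk.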
")); ++ error = ERR_peek_last_error(); ++ if (error != 0) { + memset(buf, '\0', sizeof(buf)); + ERR_error_string_n(error, buf, sizeof(buf)); +- cm_log(1, "%s\n", buf); ++ printf("%s", buf); + } ++ printf("\n"); ++ log_pkcs7_errors(0, "Error: failed to verify signature on " ++ "server response.\n"); + s = cm_store_base64_from_bin(ctx, (unsigned char *) results2, + results_length2); + s = cm_submit_u_pem_from_base64("PKCS7", 0, s); +@@ -1050,26 +1060,7 @@ main(int argc, const char **argv) + p7 = d2i_PKCS7(NULL, &u, payload_length); + if (p7 == NULL) { + printf(_("Error: couldn't parse signed-data.\n")); +- while ((error = ERR_get_error()) != 0) { +- memset(buf, '\0', sizeof(buf)); +- ERR_error_string_n(error, buf, sizeof(buf)); +- cm_log(1, "%s\n", buf); +- } +- s = cm_store_base64_from_bin(ctx, +- (unsigned char *) results2, +- results_length2); +- s = cm_submit_u_pem_from_base64("PKCS7", 0, s); +- fprintf(stderr, "Full reply:\n%s", s); +- free(s); +- return CM_SUBMIT_STATUS_UNREACHABLE; +- } +- if (!PKCS7_type_is_enveloped(p7)) { +- printf(_("Error: signed-data payload is not enveloped-data.\n")); +- while ((error = ERR_get_error()) != 0) { +- memset(buf, '\0', sizeof(buf)); +- ERR_error_string_n(error, buf, sizeof(buf)); +- cm_log(1, "%s\n", buf); +- } ++ log_pkcs7_errors(0, "Error: couldn't parse signed-data.\n"); + s = cm_store_base64_from_bin(ctx, + (unsigned char *) results2, + results_length2); +@@ -1080,11 +1071,8 @@ main(int argc, const char **argv) + } + if (!PKCS7_type_is_enveloped(p7)) { + printf(_("Error: signed-data payload is not enveloped-data.\n")); +- while ((error = ERR_get_error()) != 0) { +- memset(buf, '\0', sizeof(buf)); +- ERR_error_string_n(error, buf, sizeof(buf)); +- cm_log(1, "%s\n", buf); +- } ++ log_pkcs7_errors(0, "Error: signed-data payload is not " ++ "enveloped-data.\n"); + s = cm_store_base64_from_bin(ctx, + (unsigned char *) results2, + results_length2); +@@ -1098,11 +1086,8 @@ main(int argc, const char **argv) + 
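Review bot: `ERR_peek_last_error()` is read without the OpenSSL queue having been cleared before the `cm_pkcs7_verify_signed()` call just above the hunk, so the hint sent to certmonger on stdout can be a stale error left by an earlier operation; several failure paths in `cm_pkcs7_verify_signed()` (signer count, content type, missing signed attributes) push no OpenSSL error at all, and then the stale one is the only thing printed. Add `ERR_clear_error();` before the verify call, as this patch already does in `cm_pkcs7_generate_ias()`, and note that NSS-side failures reported through `PORT_GetError()` are never surfaced on stdout, only in the log. Changing the translatable string to end in a trailing space also orphans existing translations of it; printing the hint with a separate `printf()` after the unchanged `_("...\n")` keeps the msgid stable.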
(p7->d.enveloped->enc_data->content_type == NULL) || + (OBJ_obj2nid(p7->d.enveloped->enc_data->content_type) != NID_pkcs7_data)) { + printf(_("Error: enveloped-data payload is not data.\n")); +- while ((error = ERR_get_error()) != 0) { +- memset(buf, '\0', sizeof(buf)); +- ERR_error_string_n(error, buf, sizeof(buf)); +- cm_log(1, "%s\n", buf); +- } ++ log_pkcs7_errors(0, "Error: enveloped-data payload is " ++ "not data.\n"); + s = cm_store_base64_from_bin(ctx, + (unsigned char *) results2, + results_length2); +diff --git a/src/scepgen-n.c b/src/scepgen-n.c +index 8c67b12..ce73c31 100644 +--- a/src/scepgen-n.c ++++ b/src/scepgen-n.c +@@ -86,14 +86,14 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey) + return; + } + if (sk_PKCS7_SIGNER_INFO_num(p7->d.sign->signer_info) != 1) { +- cm_log(1, "More than one signer, not sure what to do.\n"); ++ cm_log(0, "More than one signer, not sure what to do.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + sinfo = sk_PKCS7_SIGNER_INFO_value(p7->d.sign->signer_info, 0); + salen = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, NULL, &PKCS7_ATTR_SIGN_it); + u = sabuf = malloc(salen); + if (sabuf == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + /* ASN1_item_i2d doesn't actually modify the passed-in pointer, which +@@ -101,7 +101,7 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey) + * that ourselves. 
*/ + l = ASN1_item_i2d((ASN1_VALUE *)sinfo->auth_attr, &u, &PKCS7_ATTR_SIGN_it); + if (l != salen) { +- cm_log(1, "Error encoding attributes.\n"); ++ cm_log(0, "Error encoding attributes.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + +@@ -109,12 +109,12 @@ cm_scepgen_n_resign(PKCS7 *p7, SECKEYPrivateKey *privkey) + digalg = cm_submit_n_tag_from_nid(OBJ_obj2nid(sinfo->digest_alg->algorithm)); + sigalg = SEC_GetSignatureAlgorithmOidTag(privkey->keyType, digalg); + if (sigalg == SEC_OID_UNKNOWN) { +- cm_log(1, "Unable to match digest algorithm and key.\n"); ++ cm_log(0, "Unable to match digest algorithm and key.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + if (SEC_SignData(&signature, sabuf, salen, privkey, + sigalg) != SECSuccess) { +- cm_log(1, "Error re-signing: %s.\n", ++ cm_log(0, "Error re-signing: %s.\n", + PR_ErrorToName(PORT_GetError())); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } +@@ -143,7 +143,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, + } + + if (ca->cm_ca_encryption_cert == NULL) { +- cm_log(1, "Can't generate new SCEP request data without " ++ cm_log(0, "Can't generate new SCEP request data without " + "the RA/CA encryption certificate.\n"); + _exit(CM_SUB_STATUS_NEED_SCEP_DATA); + } +@@ -166,12 +166,12 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, + fprintf(status, "Error opening database " + "'%s': %s.\n", + entry->cm_key_storage_location, es); +- cm_log(1, "Error opening database '%s': %s.\n", ++ cm_log(0, "Error opening database '%s': %s.\n", + entry->cm_key_storage_location, es); + } else { + fprintf(status, "Error opening database '%s'.\n", + entry->cm_key_storage_location); +- cm_log(1, "Error opening database '%s'.\n", ++ cm_log(0, "Error opening database '%s'.\n", + entry->cm_key_storage_location); + } + switch (ec) { +@@ -190,7 +190,7 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, + NSS_INIT_NOROOTINIT); + reason = 
util_n_fips_hook(); + if (reason != NULL) { +- cm_log(1, "Error putting NSS into FIPS mode: %s\n", reason); ++ cm_log(0, "Error putting NSS into FIPS mode: %s\n", reason); + _exit(CM_SUB_STATUS_ERROR_INITIALIZING); + } + +@@ -198,23 +198,23 @@ cm_scepgen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, + cm_log(1, "Generating dummy key.\n"); + key = EVP_PKEY_new(); + if (key == NULL) { +- cm_log(1, "Error allocating new key.\n"); ++ cm_log(0, "Error allocating new key.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + exponent = BN_new(); + if (exponent == NULL) { +- cm_log(1, "Error setting up exponent.\n"); ++ cm_log(0, "Error setting up exponent.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + BN_set_word(exponent, CM_DEFAULT_RSA_EXPONENT); + rsa = RSA_new(); + if (rsa == NULL) { +- cm_log(1, "Error allocating new RSA key.\n"); ++ cm_log(0, "Error allocating new RSA key.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + retry_gen: + if (RSA_generate_key_ex(rsa, CM_DEFAULT_PUBKEY_SIZE, exponent, NULL) != 1) { +- cm_log(1, "Error generating key.\n"); ++ cm_log(0, "Error generating key.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + if (RSA_check_key(rsa) != 1) { /* should be unnecessary */ +@@ -228,7 +228,7 @@ retry_gen: + if ((keys->privkey->keyType != rsaKey) || + ((keys->privkey_next != NULL) && + (keys->privkey_next->keyType != rsaKey))) { +- cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n"); ++ cm_log(0, "Keys aren't RSA. 
They won't work with SCEP.\n"); + _exit(CM_SUB_STATUS_ERROR_KEY_TYPE); + } + +diff --git a/src/scepgen-o.c b/src/scepgen-o.c +index 010abb7..a431815 100644 +--- a/src/scepgen-o.c ++++ b/src/scepgen-o.c +@@ -76,14 +76,14 @@ key_from_file(const char *filename, struct cm_store_entry *entry) + keyfp = fopen(filename, "r"); + if (keyfp == NULL) { + if (errno != ENOENT) { +- cm_log(1, "Error opening key file \"%s\" " ++ cm_log(0, "Error opening key file \"%s\" " + "for reading: %s.\n", + filename, strerror(errno)); + } + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + if (cm_pin_read_for_key(entry, &pin) != 0) { +- cm_log(1, "Internal error reading key encryption PIN.\n"); ++ cm_log(0, "Internal error reading key encryption PIN.\n"); + _exit(CM_SUB_STATUS_ERROR_AUTH); + } + memset(&cb_data, 0, sizeof(cb_data)); +@@ -93,24 +93,24 @@ key_from_file(const char *filename, struct cm_store_entry *entry) + cm_pin_read_for_key_ossl_cb, &cb_data); + if (pkey == NULL) { + error = errno; +- cm_log(1, "Error reading private key '%s': %s.\n", ++ cm_log(0, "Error reading private key '%s': %s.\n", + filename, strerror(error)); + while ((error = ERR_get_error()) != 0) { + ERR_error_string_n(error, buf, sizeof(buf)); +- cm_log(1, "%s\n", buf); ++ cm_log(0, "%s\n", buf); + } + _exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */ + } else { + if ((pin != NULL) && + (strlen(pin) > 0) && + (cb_data.n_attempts == 0)) { +- cm_log(1, "PIN was not needed to read private " ++ cm_log(0, "PIN was not needed to read private " + "key '%s', though one was provided. 
" + "Treating this as an error.\n", + filename); + while ((error = ERR_get_error()) != 0) { + ERR_error_string_n(error, buf, sizeof(buf)); +- cm_log(1, "%s\n", buf); ++ cm_log(0, "%s\n", buf); + } + _exit(CM_SUB_STATUS_ERROR_AUTH); /* XXX */ + } +@@ -127,13 +127,13 @@ cert_from_pem(char *pem, struct cm_store_entry *entry) + if ((pem != NULL) && (strlen(pem) > 0)) { + in = BIO_new_mem_buf(pem, -1); + if (in == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + cert = PEM_read_bio_X509(in, NULL, NULL, NULL); + BIO_free(in); + if (cert == NULL) { +- cm_log(1, "Error parsing certificate \"%s\".\n", pem); ++ cm_log(0, "Error parsing certificate \"%s\".\n", pem); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + return cert; +@@ -155,19 +155,19 @@ certs_from_nickcerts(struct cm_nickcert **list) + if ((this->cm_cert != NULL) && (strlen(this->cm_cert) > 0)) { + in = BIO_new_mem_buf(this->cm_cert, -1); + if (in == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + cert = PEM_read_bio_X509(in, NULL, NULL, NULL); + BIO_free(in); + if (cert == NULL) { +- cm_log(1, "Error parsing certificate.\n"); ++ cm_log(0, "Error parsing certificate.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + if (sk == NULL) { + sk = sk_X509_new(util_o_cert_cmp); + if (sk == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + } +@@ -300,19 +300,19 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs, + + in = BIO_new_mem_buf(data, data_length); + if (in == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + ret = PKCS7_sign(signer, key, certs, in, flags); + if (ret == NULL) { +- cm_log(1, "Error signing data.\n"); ++ cm_log(0, "Error signing data.\n"); + goto errors; + } + BIO_free(in); + + /* Set the digest to use 
for signing. */ + if (sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info) != 1) { +- cm_log(1, "Error signing data: %d signers.\n", ++ cm_log(0, "Error signing data: %d signers.\n", + sk_PKCS7_SIGNER_INFO_num(ret->d.sign->signer_info)); + goto errors; + } +@@ -356,7 +356,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs, + PKCS7_content_new(ret, NID_pkcs7_data); + out = PKCS7_dataInit(ret, NULL); + if (out == NULL) { +- cm_log(1, "Error signing data.\n"); ++ cm_log(0, "Error signing data.\n"); + goto errors; + } + BIO_write(out, data, data_length); +@@ -366,7 +366,7 @@ build_pkimessage(EVP_PKEY *key, X509 *signer, STACK_OF(X509) *certs, + errors: + while ((error = ERR_get_error()) != 0) { + ERR_error_string_n(error, buf, sizeof(buf)); +- cm_log(1, "%s\n", buf); ++ cm_log(0, "%s\n", buf); + } + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } +@@ -394,11 +394,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + util_o_init(); + ERR_load_crypto_strings(); + if (RAND_status() != 1) { +- cm_log(1, "PRNG not seeded for generating key.\n"); ++ cm_log(0, "PRNG not seeded for generating key.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + if (RAND_bytes(nonce, nonce_length) == -1) { +- cm_log(1, "PRNG unable to generate nonce.\n"); ++ cm_log(0, "PRNG unable to generate nonce.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + +@@ -410,14 +410,14 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + pem = cm_submit_u_pem_from_base64("CERTIFICATE", 0, + entry->cm_minicert); + if (pem == NULL) { +- cm_log(1, "Out of memory.\n"); ++ cm_log(0, "Out of memory.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + new_cert = cert_from_pem(pem, entry); + if (new_cert == NULL) { + while ((error = ERR_get_error()) != 0) { + ERR_error_string_n(error, buf, sizeof(buf)); +- cm_log(1, "%s\n", buf); ++ cm_log(0, "%s\n", buf); + } + free(pem); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); +@@ -442,7 +442,7 @@ 
cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + cipher = cm_prefs_des; + } + else { +- cm_log(1, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher); ++ cm_log(0, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher); + _exit(1); + } + +@@ -516,7 +516,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + digest = cm_prefs_md5; + } + else { +- cm_log(1, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest); ++ cm_log(0, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest); + _exit(1); + } + +@@ -578,7 +578,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + ca->cm_ca_encryption_issuer_cert, + entry->cm_cert, + &old_ias, &old_ias_length) != 0) { +- cm_log(1, "Error generating enveloped issuer-and-subject.\n"); ++ cm_log(0, "Error generating enveloped issuer-and-subject.\n"); + free(pem); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } +@@ -590,7 +590,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + ca->cm_ca_encryption_issuer_cert, + pem, + &new_ias, &new_ias_length) != 0) { +- cm_log(1, "Error generating enveloped issuer-and-subject.\n"); ++ cm_log(0, "Error generating enveloped issuer-and-subject.\n"); + free(pem); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } +@@ -598,7 +598,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + if (cm_pkcs7_envelope_csr(ca->cm_ca_encryption_cert, cipher, + entry->cm_csr, + &csr, &csr_length) != 0) { +- cm_log(1, "Error generating enveloped CSR.\n"); ++ cm_log(0, "Error generating enveloped CSR.\n"); ++ while ((error = ERR_get_error()) != 0) { ++ ERR_error_string_n(error, buf, sizeof(buf)); ++ cm_log(0, "%s\n", buf); ++ } + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + +@@ -608,7 +612,7 @@ 
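Review bot: the `ERR_get_error()` loop added after the `cm_pkcs7_envelope_csr()` failure will usually log nothing, because the parse and encode failure paths in `cm_pkcs7_envelope_csr()` and `cm_pkcs7_envelope_data()` now call `log_pkcs7_errors()`, which drains the queue before returning; only the out-of-memory paths leave anything behind. For consistency with the helper this patch introduces, replace the loop with `log_pkcs7_errors(0, "Error generating enveloped CSR.\n");` (pkcs7.h is presumably already included here since `cm_pkcs7_envelope_csr` is declared there), and the remaining hand-rolled drain loops in this file would benefit from the same treatment. `cm_scepgen_o_cooked()` starts and ends outside the hunk.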
cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + * the matching key. */ + pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(old_cert)); + if (pubkey == NULL) { +- cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n"); ++ cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + util_X509_set_pubkey(old_cert, old_pkey); +@@ -639,7 +643,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + * if we do, we did that in another code path. */ + pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert)); + if (pubkey == NULL) { +- cm_log(1, "Error generating PKCSREQ pkiMessage: error copying key.\n"); ++ cm_log(0, "Error generating PKCSREQ pkiMessage: error copying key.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + util_X509_set_pubkey(new_cert, old_pkey); +@@ -673,7 +677,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + * any previously-issued certificate won't match. 
*/ + pubkey = util_public_EVP_PKEY_dup(util_X509_get0_pubkey(new_cert)); + if (pubkey == NULL) { +- cm_log(1, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n"); ++ cm_log(0, "Error generating rekeying PKCSREQ pkiMessage: error copying key.\n"); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + util_X509_set_pubkey(new_cert, new_pkey); +@@ -703,7 +707,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry, + X509_free(new_cert); + while ((error = ERR_get_error()) != 0) { + ERR_error_string_n(error, buf, sizeof(buf)); +- cm_log(1, "%s\n", buf); ++ cm_log(0, "%s\n", buf); + } + } + +@@ -723,14 +727,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, + } + + if (ca->cm_ca_encryption_cert == NULL) { +- cm_log(1, "Can't generate new SCEP request data without " ++ cm_log(0, "Can't generate new SCEP request data without " + "the RA/CA encryption certificate.\n"); + _exit(CM_SUB_STATUS_NEED_SCEP_DATA); + } + + old_pkey = key_from_file(entry->cm_key_storage_location, entry); + if (old_pkey == NULL) { +- cm_log(1, "Error reading key from file \"%s\".\n", ++ cm_log(0, "Error reading key from file \"%s\".\n", + entry->cm_key_storage_location); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } +@@ -739,14 +743,14 @@ cm_scepgen_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, + filename = util_build_next_filename(entry->cm_key_storage_location, + entry->cm_key_next_marker); + if (filename == NULL) { +- cm_log(1, "Error opening key file \"%s\" " ++ cm_log(0, "Error opening key file \"%s\" " + "for reading: %s.\n", + filename, strerror(errno)); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); + } + new_pkey = key_from_file(filename, entry); + if (new_pkey == NULL) { +- cm_log(1, "Error reading key from file \"%s\".\n", ++ cm_log(0, "Error reading key from file \"%s\".\n", + filename); + free(filename); + _exit(CM_SUB_STATUS_INTERNAL_ERROR); +@@ -757,7 +761,7 @@ cm_scepgen_o_main(int fd, struct cm_store_ca 
*ca, struct cm_store_entry *entry, + } + if ((util_EVP_PKEY_base_id(old_pkey) != EVP_PKEY_RSA) || + ((new_pkey != NULL) && (util_EVP_PKEY_base_id(new_pkey) != EVP_PKEY_RSA))) { +- cm_log(1, "Keys aren't RSA. They won't work with SCEP.\n"); ++ cm_log(0, "Keys aren't RSA. They won't work with SCEP.\n"); + _exit(CM_SUB_STATUS_ERROR_KEY_TYPE); + } + +diff --git a/src/scepgen.c b/src/scepgen.c +index eaf2b7c..115446f 100644 +--- a/src/scepgen.c ++++ b/src/scepgen.c +@@ -32,7 +32,7 @@ cm_scepgen_start(struct cm_store_ca *ca, struct cm_store_entry *entry) + { + switch (entry->cm_key_storage_type) { + case cm_key_storage_none: +- cm_log(1, "Can't generate new SCEP data for %s('%s') without " ++ cm_log(0, "Can't generate new SCEP data for %s('%s') without " + "the key, and we don't know where that is or should " + "be.\n", entry->cm_busname, entry->cm_nickname); + break; +-- +2.21.1 + diff --git a/SOURCES/0034-Add-verbose-option-to-SCEP-CA-if-requested-in-add-sc.patch b/SOURCES/0034-Add-verbose-option-to-SCEP-CA-if-requested-in-add-sc.patch new file mode 100644 index 0000000..b43e285 --- /dev/null +++ b/SOURCES/0034-Add-verbose-option-to-SCEP-CA-if-requested-in-add-sc.patch 
@@ -0,0 +1,33 @@
+From e4d0a60836e1ecbcd6390b88dceb2ca29d3179dc Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Thu, 27 Feb 2020 18:15:02 -0500
+Subject: [PATCH 34/39] Add verbose option to SCEP CA if requested in
+ add-scep-ca
+
+This option was silently dropped from the helper arguments even
+if requested on the add-scep-ca CLI and was only passed to the
+dbus helper.
+
+Add as many -v as requested though the scep helper only logs at
+most at level 1.
+---
+ src/getcert.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/getcert.c b/src/getcert.c
+index 4713dd1..3d78a73 100644
+--- a/src/getcert.c
++++ b/src/getcert.c
+@@ -4580,6 +4580,9 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
+ certs ? "-I" : "",
+ certs ? shell_escape(globals.tctx, certs) : "",
+ prefer_non_renewal ? "-n" : "");
++ for (c = 0; c < verbose; c++) {
++ command = talloc_strdup_append(command, " -v");
++ }
+ if (command == NULL) {
+ printf(_("Error building command line.\n"));
+ exit(1);
+--
+2.21.1
+
diff --git a/SOURCES/0035-Cleanup-the-SCEP-helper-curl-and-talloc-contexts-whe.patch b/SOURCES/0035-Cleanup-the-SCEP-helper-curl-and-talloc-contexts-whe.patch
new file mode 100644
index 0000000..07fe0f4
--- /dev/null
+++ b/SOURCES/0035-Cleanup-the-SCEP-helper-curl-and-talloc-contexts-whe.patch
@@ -0,0 +1,422 @@ +From 0897d5131489c7eac21d558625c30d23b0a1774d Mon Sep 17 00:00:00 2001 +From: Your Name +Date: Tue, 14 Apr 2020 13:17:14 +0000 +Subject: [PATCH 35/39] Cleanup the SCEP helper curl and talloc contexts when + finished + +The talloc context was freed in only a few cases and the curl +context was never freed. +--- + src/scep.c | 127 ++++++++++++++++++++++++++++++++----------------- + src/submit-h.c | 15 +++++- + src/submit-h.h | 1 + + 3 files changed, 97 insertions(+), 46 deletions(-) + +diff --git a/src/scep.c b/src/scep.c +index 0b8bef9..4d00692 100644 +--- a/src/scep.c ++++ b/src/scep.c +@@ -199,7 +199,7 @@ int + main(int argc, const char **argv) + { + const char *url = NULL, *results = NULL, *results2 = NULL; +- struct cm_submit_h_context *hctx; ++ struct cm_submit_h_context *hctx = NULL; + int c, verbose = 0, results_length = 0, results_length2 = 0, i; + int prefer_non_renewal = 0, can_renewal = 0; + int response_code = 0, response_code2 = 0; +@@ -225,7 +225,8 @@ main(int argc, const char **argv) + size_t payload_length; + long error; + PKCS7 *p7; +- poptContext pctx; ++ int rval = CM_SUBMIT_STATUS_UNCONFIGURED; ++ poptContext pctx = NULL; + struct poptOption popts[] = { + {"url", 'u', POPT_ARG_STRING, &url, 0, "service location", "URL"}, + {"ca-identifier", 'i', POPT_ARG_STRING, &id, 0, "name to use when querying for capabilities", "IDENTIFIER"}, +@@ -388,8 +389,8 @@ main(int argc, const char **argv) + } + if ((message == NULL) || (strlen(message) == 0)) { + printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n")); +- free(cainfo); +- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; ++ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; ++ goto done; + } + /* First step: read capabilities for our use. 
*/ + params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS); +@@ -408,8 +409,8 @@ main(int argc, const char **argv) + } + if ((message == NULL) || (strlen(message) == 0)) { + printf(_("Error reading request. Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n")); +- free(cainfo); +- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; ++ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; ++ goto done; + } + /* First step: read capabilities for our use. */ + params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS); +@@ -420,8 +421,8 @@ main(int argc, const char **argv) + /* Supply help output, if it's needed. */ + if (missing_args) { + poptPrintUsage(pctx, stdout, 0); +- free(cainfo); +- return CM_SUBMIT_STATUS_UNCONFIGURED; ++ rval = CM_SUBMIT_STATUS_UNCONFIGURED; ++ goto done; + } + + /* Check the rekey PKCSReq message, if we have one. */ +@@ -505,7 +506,6 @@ main(int argc, const char **argv) + verbose > 1 ? + cm_submit_h_curl_verbose_on : + cm_submit_h_curl_verbose_off); +- free(cainfo); + cm_submit_h_run(hctx); + content_type = cm_submit_h_result_type(hctx); + if (content_type == NULL) { +@@ -551,7 +551,8 @@ main(int argc, const char **argv) + } + if ((tmp2 == NULL) || (strlen(tmp2) == 0)) { + printf(_("Error reading request. Expected PKCS7 data containing a GetInitialCert pkiMessage, got nothing.\n")); +- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; ++ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; ++ goto done; + } else + if (verbose > 0) { + if (tmp2 == rekey_message) { +@@ -576,7 +577,8 @@ main(int argc, const char **argv) + } + if ((tmp2 == NULL) || (strlen(tmp2) == 0)) { + printf(_("Error reading request. 
Expected PKCS7 data containing a PKCSReq pkiMessage, got nothing.\n")); +- return CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; ++ rval = CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES; ++ goto done; + } else + if (verbose > 0) { + if (tmp2 == rekey_message) { +@@ -638,7 +640,8 @@ main(int argc, const char **argv) + cm_submit_h_result_code(hctx), + url); + } +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + switch (op) { + case op_unset: +@@ -651,16 +654,19 @@ main(int argc, const char **argv) + response_code, url); + if (response_code == 500) { + /* The server might recover, right? */ +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } else { + /* Maybe not? */ +- return CM_SUBMIT_STATUS_REJECTED; ++ rval = CM_SUBMIT_STATUS_REJECTED; ++ goto done; + } + } + if (results == NULL) { + printf(_("Internal error: no response to \"%s?%s\".\n"), + url, params); +- return CM_SUBMIT_STATUS_REJECTED; ++ rval = CM_SUBMIT_STATUS_REJECTED; ++ goto done; + } + break; + case op_get_cert_initial: +@@ -685,10 +691,12 @@ main(int argc, const char **argv) + fprintf(stderr, "Result is surprisingly large, " + "suppressing it.\n"); + } +- return CM_SUBMIT_STATUS_REJECTED; ++ rval = CM_SUBMIT_STATUS_REJECTED; ++ goto done; + } + printf("%s\n", results); +- return CM_SUBMIT_STATUS_ISSUED; ++ rval = CM_SUBMIT_STATUS_ISSUED; ++ goto done; + break; + case op_get_ca_certs: + if ((strcasecmp(content_type, +@@ -697,7 +705,8 @@ main(int argc, const char **argv) + "application/x-x509-ca-ra-cert") != 0)) { + printf(_("Server reply was of unexpected MIME type " + "\"%s\".\n"), content_type); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + if (racert == NULL) { + racertp = &racert; +@@ -710,7 +719,8 @@ main(int argc, const char **argv) + n_buffers + 1); + if ((buffers == NULL) || (lengths == NULL)) { + fprintf(stderr, "Out of memory.\n"); +- return 
CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + buffers[n_buffers] = (unsigned char *) racert; + lengths[n_buffers] = strlen(racert); +@@ -727,7 +737,8 @@ main(int argc, const char **argv) + n_buffers + 1); + if ((buffers == NULL) || (lengths == NULL)) { + fprintf(stderr, "Out of memory.\n"); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + buffers[n_buffers] = (unsigned char *) cacert; + lengths[n_buffers] = strlen(cacert); +@@ -741,7 +752,8 @@ main(int argc, const char **argv) + n_buffers + 1); + if ((buffers == NULL) || (lengths == NULL)) { + fprintf(stderr, "Out of memory.\n"); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + buffers[n_buffers] = (unsigned char *) results; + lengths[n_buffers] = results_length; +@@ -755,7 +767,8 @@ main(int argc, const char **argv) + n_buffers + 1); + if ((buffers == NULL) || (lengths == NULL)) { + fprintf(stderr, "Out of memory.\n"); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + buffers[n_buffers] = (unsigned char *) results2; + lengths[n_buffers] = results_length2; +@@ -850,7 +863,8 @@ main(int argc, const char **argv) + n_buffers + 1); + if ((buffers == NULL) || (lengths == NULL)) { + fprintf(stderr, "Out of memory.\n"); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + buffers[n_buffers] = (unsigned char *) results2; + lengths[n_buffers] = results_length2; +@@ -882,11 +896,11 @@ main(int argc, const char **argv) + } + } + } +- talloc_free(ctx); +- return CM_SUBMIT_STATUS_ISSUED; ++ rval = CM_SUBMIT_STATUS_ISSUED; ++ goto done; + } else { +- talloc_free(ctx); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + break; + case op_get_cert_initial: +@@ -957,42 +971,50 @@ main(int argc, const char **argv) + fprintf(stderr, "%s", s); + 
cm_log(1, "%s", s); + free(s); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + if ((msgtype == NULL) || + (strcmp(msgtype, SCEP_MSGTYPE_CERTREP) != 0)) { + printf(_("Error: reply was not a CertRep (%s).\n"), + msgtype ? msgtype : "none"); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + if (tx == NULL) { + printf(_("Error: reply is missing transactionId.\n")); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + if (sent_tx != NULL) { + if (strcmp(sent_tx, tx) != 0) { + printf(_("Error: reply contains a " + "different transactionId.\n")); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + } + if (pkistatus == NULL) { + printf(_("Error: reply is missing pkiStatus.\n")); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + if (recipient_nonce == NULL) { + printf(_("Error: reply is missing recipientNonce.\n")); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + if ((recipient_nonce_length != sent_nonce_length) || + (memcmp(recipient_nonce, sent_nonce, + sent_nonce_length) != 0)) { + printf(_("Error: reply nonce doesn't match request.\n")); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + if (sender_nonce == NULL) { + printf(_("Error: reply is missing senderNonce.\n")); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + if (strcmp(pkistatus, SCEP_PKISTATUS_PENDING) == 0) { + if (verbose > 0) { +@@ -1002,7 +1024,8 @@ main(int argc, const char **argv) + s = cm_store_base64_from_bin(ctx, sender_nonce, + sender_nonce_length); + printf("%s\n", s); +- return CM_SUBMIT_STATUS_WAIT; ++ rval = CM_SUBMIT_STATUS_WAIT; ++ goto done; + } else + if (strcmp(pkistatus, SCEP_PKISTATUS_FAILURE) == 
0) { + if (verbose > 0) { +@@ -1050,7 +1073,8 @@ main(int argc, const char **argv) + printf(_("Server returned failure code \"%s\".\n"), + failinfo); + } +- return CM_SUBMIT_STATUS_REJECTED; ++ rval = CM_SUBMIT_STATUS_REJECTED; ++ goto done; + } else + if (strcmp(pkistatus, SCEP_PKISTATUS_SUCCESS) == 0) { + if (verbose > 0) { +@@ -1067,7 +1091,8 @@ main(int argc, const char **argv) + s = cm_submit_u_pem_from_base64("PKCS7", 0, s); + fprintf(stderr, "Full reply:\n%s", s); + free(s); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + if (!PKCS7_type_is_enveloped(p7)) { + printf(_("Error: signed-data payload is not enveloped-data.\n")); +@@ -1079,7 +1104,8 @@ main(int argc, const char **argv) + s = cm_submit_u_pem_from_base64("PKCS7", 0, s); + fprintf(stderr, "Full reply:\n%s", s); + free(s); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + if ((p7->d.enveloped == NULL) || + (p7->d.enveloped->enc_data == NULL) || +@@ -1094,29 +1120,42 @@ main(int argc, const char **argv) + s = cm_submit_u_pem_from_base64("PKCS7", 0, s); + fprintf(stderr, "Full reply:\n%s", s); + free(s); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + s = cm_store_base64_from_bin(ctx, payload, + payload_length); + s = cm_submit_u_pem_from_base64("PKCS7", 0, s); + printf("%s", s); + free(s); +- return CM_SUBMIT_STATUS_ISSUED; ++ rval = CM_SUBMIT_STATUS_ISSUED; ++ goto done; + } else { + if (verbose > 0) { + fprintf(stderr, "SCEP status is \"%s\".\n", pkistatus); + } + printf(_("Error: pkiStatus \"%s\" not recognized.\n"), + pkistatus); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + } else { + printf(_("Server reply was of unexpected MIME type " + "\"%s\".\n"), content_type); + printf("Full reply:\n%.*s", results_length2, results2); +- return CM_SUBMIT_STATUS_UNREACHABLE; ++ rval = 
CM_SUBMIT_STATUS_UNREACHABLE; ++ goto done; + } + break; + } +- return CM_SUBMIT_STATUS_UNCONFIGURED; ++ ++done: ++ if (pctx) { ++ poptFreeContext(pctx); ++ } ++ free(cainfo); ++ free(id); ++ cm_submit_h_cleanup(hctx); ++ talloc_free(ctx); ++ return rval; + } +diff --git a/src/submit-h.c b/src/submit-h.c +index 33f9b39..9b507db 100644 +--- a/src/submit-h.c ++++ b/src/submit-h.c +@@ -298,6 +298,15 @@ cm_submit_h_result_type(struct cm_submit_h_context *ctx) + return ret; + } + ++void ++cm_submit_h_cleanup(struct cm_submit_h_context *ctx) ++{ ++ ++ if (ctx != NULL && ctx->curl != NULL) { ++ curl_easy_cleanup(ctx->curl); ++ } ++} ++ + #ifdef CM_SUBMIT_H_MAIN + int + main(int argc, const char **argv) +@@ -307,7 +316,7 @@ main(int argc, const char **argv) + enum cm_submit_h_opt_negotiate negotiate; + enum cm_submit_h_opt_delegate negotiate_delegate; + enum cm_submit_h_opt_clientauth clientauth; +- int c, fd, l, verbose = 0, length = 0; ++ int c, fd, l, verbose = 0, length = 0, rval = 0; + char *ctype, *accept, *capath, *cainfo, *sslcert, *sslkey, *sslpass; + char *pinfile; + const char *method, *url; +@@ -423,6 +432,8 @@ main(int argc, const char **argv) + cm_submit_h_result_code(ctx), + cm_submit_h_result_code_text(ctx)); + } +- return cm_submit_h_result_code(ctx); ++ rval = cm_submit_h_result_code(ctx); ++ cm_submit_h_cleanup(ctx); ++ return rval; + } + #endif +diff --git a/src/submit-h.h b/src/submit-h.h +index 1283c53..931cc89 100644 +--- a/src/submit-h.h ++++ b/src/submit-h.h +@@ -61,5 +61,6 @@ int cm_submit_h_result_code(struct cm_submit_h_context *ctx); + const char *cm_submit_h_result_code_text(struct cm_submit_h_context *ctx); + const char *cm_submit_h_results(struct cm_submit_h_context *ctx, int *length); + const char *cm_submit_h_result_type(struct cm_submit_h_context *ctx); ++void cm_submit_h_cleanup(struct cm_submit_h_context *ctx); + + #endif +-- +2.21.1 + 
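Review bot: The option-parse failure path in main() (`if (c != -1) { poptPrintUsage(pctx, stdout, 0); ... return CM_SUBMIT_STATUS_UNCONFIGURED; }`, visible as context in patch 0037 further down) still returns directly and so bypasses the new `done:` cleanup; it should become `rval = CM_SUBMIT_STATUS_UNCONFIGURED; goto done;` like every other exit so pctx and the talloc context are released on that path too. In submit-h.c, `cm_submit_h_cleanup()` calls `curl_easy_cleanup(ctx->curl)` without clearing the pointer, so a second call on the same context would hand curl an already-freed handle; add `ctx->curl = NULL;` after the cleanup and drop the stray blank line at the top of the function body. The new `free(id)` in `done:` discards the `const` qualifier of `id` and relies on popt having heap-allocated the POPT_ARG_STRING value; a one-line comment such as `/* popt allocates POPT_ARG_STRING values; the caller owns and frees them */` would make that ownership explicit for the next reader.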
diff --git a/SOURCES/0036-Re-order-the-way-the-SCEP-signing-and-CA-certs-are-c.patch b/SOURCES/0036-Re-order-the-way-the-SCEP-signing-and-CA-certs-are-c.patch new file mode 100644 index 0000000..6ae4b78 --- /dev/null +++ b/SOURCES/0036-Re-order-the-way-the-SCEP-signing-and-CA-certs-are-c.patch 
@@ -0,0 +1,232 @@ +From b3dad1c94f2fca289fdf22ded38a1f1463bab95f Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Wed, 15 Apr 2020 17:16:42 -0400 +Subject: [PATCH 36/39] Re-order the way the SCEP signing and CA certs are + collected + +Put cacert into the ca store, the racert at the top of the +othercerts list. Then we parse certs, placing all ca certs +we find into the ca store, and all other certs we find after +the racert. + +Variables are renamed to match the cm_pkcs7_parse() and +cm_pkcs7_verify_signed() calls. + +A special case for IPA (dogtag) was added because dogtag +uses its CA cert to sign the PKCS7 so it is both an RA cert +and a CA cert. If a self-signed CA is detected and no other +certs are provided then the CA is treated as the RA. + +https://bugzilla.redhat.com/show_bug.cgi?id=1808052 + +Graham Leggett did the majority of the work on this patch. +--- + src/pkcs7.c | 18 +++++++++ + src/pkcs7.h | 1 + + src/scep.c | 104 +++++++++++++++++++++++++++++++++++----------------- + 3 files changed, 89 insertions(+), 34 deletions(-) + +diff --git a/src/pkcs7.c b/src/pkcs7.c +index 29420b9..f81174f 100644 +--- a/src/pkcs7.c ++++ b/src/pkcs7.c +@@ -1189,3 +1189,21 @@ done: + } + return ret; + } ++ ++/* Return 0 if we think "issuer" could have issued "issued", which includes ++ * self-signing. 
*/ ++int ++cm_selfsigned(char *cert) ++{ ++ BIO *in; ++ X509 *c; ++ ++ in = BIO_new_mem_buf(cert, -1); ++ if (in == NULL) { ++ cm_log(0, "Out of memory.\n"); ++ return 1; ++ } ++ c = PEM_read_bio_X509(in, NULL, NULL, NULL); ++ BIO_free(in); ++ return(issuerissued(c, c)); ++} +diff --git a/src/pkcs7.h b/src/pkcs7.h +index fae52f8..cbde1bc 100644 +--- a/src/pkcs7.h ++++ b/src/pkcs7.h +@@ -62,6 +62,7 @@ int cm_pkcs7_verify_signed(unsigned char *data, size_t length, + unsigned char **recipient_nonce, + size_t *recipient_nonce_length, + unsigned char **payload, size_t *payload_length); ++int cm_selfsigned(char *cert); + + void log_pkcs7_errors(int level, char *msg); + +diff --git a/src/scep.c b/src/scep.c +index 4d00692..b80278e 100644 +--- a/src/scep.c ++++ b/src/scep.c +@@ -211,12 +211,12 @@ main(int argc, const char **argv) + const char *mode = NULL, *content_type = NULL, *content_type2 = NULL; + void *ctx; + char *params = "", *params2 = NULL, *racert = NULL, *cacert = NULL; +- char **othercerts = NULL, *cert1 = NULL, *cert2 = NULL, *certs = NULL; ++ char **certothers = NULL, *certleaf = NULL, *certtop = NULL, *certs = NULL; + char **racertp, **cacertp, *dracert = NULL, *dcacert = NULL; + char buf[LINE_MAX] = ""; + const unsigned char **buffers = NULL; + size_t n_buffers = 0, *lengths = NULL, j; +- const char *cacerts[3], **racerts; ++ const char *root[3], **othercerts; + dbus_bool_t missing_args = FALSE; + char *sent_tx, *tx, *msgtype, *pkistatus, *failinfo, *s, *tmp1, *tmp2; + unsigned char *sent_nonce, *sender_nonce, *recipient_nonce, *payload; +@@ -871,27 +871,27 @@ main(int argc, const char **argv) + n_buffers++; + } + if (cm_pkcs7_parsev(CM_PKCS7_LEAF_PREFER_ENCRYPT, ctx, +- racertp, cacertp, &othercerts, ++ racertp, cacertp, &certothers, + NULL, NULL, + n_buffers, buffers, lengths) == 0) { + if (racert != NULL) { + printf("%s", racert); + if (cacert != NULL) { + printf("%s", cacert); +- if (othercerts != NULL) { ++ if (certothers != NULL) { + for (c = 0; +- 
othercerts[c] != NULL; ++ certothers[c] != NULL; + c++) { + printf("%s", +- othercerts[c]); ++ certothers[c]); + } + } + if ((dracert != NULL) && +- (cert_among(dracert, racert, cacert, othercerts) != 0)) { ++ (cert_among(dracert, racert, cacert, certothers) != 0)) { + printf("%s", dracert); + } + if ((dcacert != NULL) && +- (cert_among(dcacert, racert, cacert, othercerts) != 0)) { ++ (cert_among(dcacert, racert, cacert, certothers) != 0)) { + printf("%s", dcacert); + } + } +@@ -907,47 +907,83 @@ main(int argc, const char **argv) + case op_pkcsreq: + if ((content_type2 != NULL) && (strcasecmp(content_type2, + "application/x-pki-message") == 0)) { +- memset(&cacerts, 0, sizeof(cacerts)); +- cacerts[0] = cacert ? cacert : racert; +- cacerts[1] = cacert ? racert : NULL; +- cacerts[2] = NULL; +- racerts = NULL; ++ /* ++ * At this point, we have: ++ * - zero or more ra certs; and ++ * - zero or more ca certificates; and ++ * - zero or more other certificates; that ++ * need to be reordered so that the leaf ++ * certificates go first, the ca certificates ++ * are separated into a seperate certificate ++ * store, and the other certificates go after ++ * the leaf certificates. ++ * ++ * To do this we put cacert into the ca store, ++ * the racert at the top of the othercerts list. ++ * Then we parse certs, placing all ca certs ++ * we find into the ca store, and all other ++ * certs we find after the racert. ++ * ++ * As a limitation of cm_pkcs7_parse(), we ++ * can only isolate one ca certificate in the ++ * list of other certificates. 
++ */ ++ /* handle the other certs */ + if ((certs != NULL) && + (cm_pkcs7_parse(0, ctx, +- &cert1, &cert2, &othercerts, ++ &certleaf, &certtop, &certothers, + NULL, NULL, + (const unsigned char *) certs, + strlen(certs), NULL) == 0)) { +- for (c = 0; +- (othercerts != NULL) && +- (othercerts[c] != NULL); +- c++) { +- continue; ++ /* Special case for IPA which uses dogtag which signs SCEP ++ * certs using the CA cert and the typical way to get ++ * verification to work is to use -I /etc/ipa/ca.crt. ++ * Because cm_pkcs7_parse explicitly doesn't allow ++ * certleaf to equal certtop we end up with no CAs so verification ++ * fails. ++ * ++ * So if cacert and certleaf are both NULL and certtop is ++ * self-signed then assume the IPA case and set certtop equal ++ * to certleaf. ++ */ ++ if ((cacert == NULL) && (certtop == NULL) && (certleaf != NULL)) { ++ if (cm_selfsigned(certleaf) == 0) { ++ certtop = certleaf; ++ } + } +- racerts = talloc_array_ptrtype(ctx, racerts, c + 5); ++ memset(&root, 0, sizeof(root)); ++ root[0] = cacert ? cacert : certtop ? certtop : NULL; ++ root[1] = cacert ? 
certtop : NULL; ++ root[2] = NULL; + for (c = 0; +- (othercerts != NULL) && +- (othercerts[c] != NULL); ++ (certothers != NULL) && ++ (certothers[c] != NULL); + c++) { +- racerts[c] = othercerts[c]; +- } +- if (cacert != NULL) { +- racerts[c++] = cacert; ++ continue; + } +- if (cert1 != NULL) { +- racerts[c++] = cert1; ++ othercerts = talloc_array_ptrtype(ctx, othercerts, c + 3); ++ c = 0; ++ if (racert != NULL) { ++ othercerts[c++] = racert; + } +- if (cert2 != NULL) { +- racerts[c++] = cert2; ++ if (certleaf != NULL) { ++ othercerts[c++] = certleaf; + } +- if (racert != NULL) { +- racerts[c++] = racert; ++ while (certothers != NULL && *certothers != NULL) { ++ othercerts[c++] = *certothers++; + } +- racerts[c++] = NULL; ++ othercerts[c++] = NULL; ++ } ++ else { ++ root[0] = cacert; ++ root[1] = NULL; ++ othercerts = talloc_array_ptrtype(ctx, othercerts, 2); ++ othercerts[0] = racert ? racert : NULL; ++ othercerts[1] = NULL; + } + ERR_clear_error(); + i = cm_pkcs7_verify_signed((unsigned char *) results2, results_length2, +- cacerts, racerts, ++ root, othercerts, + NID_pkcs7_data, ctx, NULL, + &tx, &msgtype, &pkistatus, &failinfo, + &sender_nonce, &sender_nonce_length, +-- +2.21.1 + diff --git a/SOURCES/0037-Add-new-option-to-allow-overriding-the-detected-SCEP.patch b/SOURCES/0037-Add-new-option-to-allow-overriding-the-detected-SCEP.patch new file mode 100644 index 0000000..300bbfc --- /dev/null +++ b/SOURCES/0037-Add-new-option-to-allow-overriding-the-detected-SCEP.patch 
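Review bot: `cm_selfsigned()` in pkcs7.c never checks the result of `PEM_read_bio_X509()` and never frees the X509 it parsed, so a malformed PEM input reaches `issuerissued(NULL, NULL)` and every successful call leaks a certificate object; the rewrite below reports the parse failure, frees the object and returns non-zero on error. The header comment placed above it ("Return 0 if we think "issuer" could have issued "issued", which includes self-signing") describes `issuerissued()`, not this function, and should read `/* Return 0 if the PEM certificate "cert" is self-signed; non-zero otherwise or if it cannot be parsed. */`. In scep.c both `talloc_array_ptrtype()` results are used unchecked (`othercerts[c++] = racert;`, `othercerts[0] = racert ? racert : NULL;`), which dereferences NULL on allocation failure, and the copy loop `while (certothers != NULL && *certothers != NULL) othercerts[c++] = *certothers++;` advances `certothers` itself, so any later use of that variable in main() would no longer see the array head — iterate with an index instead. The new block comment also spells "separate" as "seperate".
```c
int
cm_selfsigned(char *cert)
{
	BIO *in;
	X509 *c;
	int ret;

	/* … unchanged: BIO_new_mem_buf() and its out-of-memory check … */
	c = PEM_read_bio_X509(in, NULL, NULL, NULL);
	BIO_free(in);
	if (c == NULL) {
		log_pkcs7_errors(0, "Error parsing certificate.");
		return 1;
	}
	ret = issuerissued(c, c);
	X509_free(c);
	return ret;
}
```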
@@ -0,0 +1,173 @@ +From 37ebf87fb6fc93d445139310a1c89b98f3f514de Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Wed, 29 Apr 2020 16:29:50 -0400 +Subject: [PATCH 37/39] Add new option to allow overriding the detected SCEP CA + chain + +The -R option was doing double-duty for the SCEP CA. + +1. It was required if the SCEP URL used TLS +2. It override the CA certificate downloaded from the SCEP server + +If the chains were different then validating the SCEP responses would +fail. + +https://bugzilla.redhat.com/show_bug.cgi?id=1808613 +--- + src/certmonger-scep-submit.8.in | 14 +++++++++----- + src/getcert-add-scep-ca.1.in | 12 ++++++++---- + src/getcert.c | 6 +++++- + src/scep.c | 13 ++++++------- + 4 files changed, 28 insertions(+), 17 deletions(-) + +diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in +index 95d674a..42ffcd6 100644 +--- a/src/certmonger-scep-submit.8.in ++++ b/src/certmonger-scep-submit.8.in +@@ -8,6 +8,7 @@ scep-submit -u SERVER-URL + [-r ra-cert-file] + [-R ca-cert-file] + [-I other-certs-file] ++[-N ca-cert-file] + [-i ca-identifier] + [-v] + [-n] +@@ -57,11 +58,14 @@ typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or + always required. + .TP + \fB\-R\fR CA-certificate-file +-The location of the SCEP server's CA certificate, which was used to +-issue the SCEP server's certificate, or the SCEP server's own +-certificate, if it is self-signed, in PEM form. If the URL specified +-with the \fB-u\fR option is an \fIhttps\fR URL, then this option is +-required. ++The location of the CA certificate which was used to issue the SCEP web ++server's certificate in PEM form. If the URL specified with the ++\fB-u\fR option is an \fIhttps\fR URL, then this option is required. ++.TP ++\fB\-N\fR ca-certificate-file ++The location of a PEM-formatted copy of the SCEP server's CA certificate. ++A discovered value is normally supplied by the certmonger daemon, but one can ++be specified for troubleshooting purposes. 
+ .TP + \fB\-r\fR RA-certificate-file + The location of the SCEP server's RA certificate, which is expected to +diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in +index 11ab4ce..bf07306 100644 +--- a/src/getcert-add-scep-ca.1.in ++++ b/src/getcert-add-scep-ca.1.in +@@ -24,12 +24,16 @@ The location of the SCEP server's enrollment interface. This option must be + specified. + .TP + \fB\-R\fR ca-certificate-file +-The location of a PEM-formatted copy of the SCEP server's CA's certificate. +-A discovered value is supplied by the certmonger daemon for use in verifying +-the signature on data returned by the SCEP server, but it is not used for +-verifying HTTPS server certificates. ++The location of a PEM-formatted copy of the CA's certificate used to verify ++the TLS connection the SCEP server. ++ + This option must be specified if the URL is an \fIhttps\fR location. + .TP ++\fB\-N\fR ca-certificate-file ++The location of a PEM-formatted copy of the SCEP server's CA certificate. ++A discovered value is normally supplied by the certmonger daemon, but one can ++be specified for troubleshooting purposes. ++.TP + \fB\-r\fR ra-certificate-file + The location of a PEM-formatted copy of the SCEP server's RA's certificate. 
+ A discovered value is normally supplied by the certmonger daemon, but one can +diff --git a/src/getcert.c b/src/getcert.c +index 3d78a73..493771f 100644 +--- a/src/getcert.c ++++ b/src/getcert.c +@@ -4496,6 +4496,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv) + enum cm_tdbus_type bus = CM_DBUS_DEFAULT_BUS; + char *caname = NULL, *url = NULL, *path = NULL, *id = NULL; + char *root = NULL, *racert = NULL, *certs = NULL, *nickname, *command; ++ char *signingca = NULL; + const char *err; + int c, prefer_non_renewal = 0, verbose = 0; + dbus_bool_t b; +@@ -4508,6 +4509,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv) + {"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME}, + {"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME}, + {"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME}, ++ {"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME}, + {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL}, + {"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL}, + {"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL}, +@@ -4569,7 +4571,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv) + return 1; + } + command = talloc_asprintf(globals.tctx, +- "%s -u %s %s %s %s %s %s %s %s", ++ "%s -u %s %s %s %s %s %s %s %s %s %s", + shell_escape(globals.tctx, + CM_SCEP_HELPER_PATH), + shell_escape(globals.tctx, url), +@@ -4579,6 +4581,8 @@ add_scep_ca(const char *argv0, int argc, const char **argv) + racert ? shell_escape(globals.tctx, racert) : "", + certs ? "-I" : "", + certs ? 
shell_escape(globals.tctx, certs) : "", ++ signingca ? "-N" : "", ++ signingca ? shell_escape(globals.tctx, signingca) : "", + prefer_non_renewal ? "-n" : ""); + for (c = 0; c < verbose; c++) { + command = talloc_strdup_append(command, " -v"); +diff --git a/src/scep.c b/src/scep.c +index b80278e..4294cda 100644 +--- a/src/scep.c ++++ b/src/scep.c +@@ -206,7 +206,6 @@ main(int argc, const char **argv) + enum known_ops op = op_unset; + const char *id = NULL; + char *cainfo = NULL; +- char *poptarg; + char *message = NULL, *rekey_message = NULL; + const char *mode = NULL, *content_type = NULL, *content_type2 = NULL; + void *ctx; +@@ -235,8 +234,9 @@ main(int argc, const char **argv) + {"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL}, + {"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL}, + {"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"}, +- {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying responses", "FILENAME"}, ++ {"cacert", 'R', POPT_ARG_STRING, NULL, 'R', "the CA certificate, used for verifying TLS connections", "FILENAME"}, + {"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', "additional certificates", "FILENAME"}, ++ {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', "the CA certificate which signed the RA certificate", "FILENAME"}, + {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, "prefer to not use the SCEP Renewal feature", NULL}, + {"verbose", 'v', POPT_ARG_NONE, NULL, 'v', NULL, NULL}, + POPT_AUTOHELP +@@ -329,9 +329,10 @@ main(int argc, const char **argv) + racert = cm_submit_u_from_file(poptGetOptArg(pctx)); + break; + case 'R': +- poptarg = poptGetOptArg(pctx); +- cainfo = strdup(poptarg); +- cacert = cm_submit_u_from_file(poptarg); ++ cainfo = poptGetOptArg(pctx); ++ break; ++ case 'N': ++ cacert = cm_submit_u_from_file(poptGetOptArg(pctx)); + break; + case 'I': + certs = 
cm_submit_u_from_file(poptGetOptArg(pctx)); +@@ -340,7 +341,6 @@ main(int argc, const char **argv) + } + if (c != -1) { + poptPrintUsage(pctx, stdout, 0); +- free(cainfo); + return CM_SUBMIT_STATUS_UNCONFIGURED; + } + +@@ -1189,7 +1189,6 @@ done: + if (pctx) { + poptFreeContext(pctx); + } +- free(cainfo); + free(id); + cm_submit_h_cleanup(hctx); + talloc_free(ctx); +-- +2.21.1 + diff --git a/SOURCES/0038-Include-template-profile-issuer-and-MS-cert-template.patch b/SOURCES/0038-Include-template-profile-issuer-and-MS-cert-template.patch new file mode 100644 index 0000000..70f75aa --- /dev/null +++ b/SOURCES/0038-Include-template-profile-issuer-and-MS-cert-template.patch 
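Review bot: Removing `free(cainfo)` from the `done:` block (and from the usage path) leaves the string returned by `poptGetOptArg()` for `-R` unreleased; poptGetOptArg hands back an allocated copy the caller owns, so unless `cm_submit_h_init()` now takes ownership of it (not visible in this hunk), the free belongs after `cm_submit_h_cleanup(hctx)` rather than deleted. The split of `-R`/`-N` changes which certificate anchors signature verification but the option table does not say so: `cacert` is now set only by `-N`, so a caller that still passes `-R` alone contributes nothing to the `root[]` store built in patch 0036; a comment on the `case 'N':` branch such as `/* CA used to verify pkiMessage signatures; -R is TLS-only now */` would record that. In getcert-add-scep-ca.1.in the new `-R` text reads "used to verify the TLS connection the SCEP server" and is missing "to".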
@@ -0,0 +1,53 @@
+From 914164383085c6559f0f5fe608385c3024095f74 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Wed, 29 Apr 2020 16:33:35 -0400
+Subject: [PATCH 38/39] Include template-profile, issuer and MS cert template
+ in output
+
+---
+ src/getcert.c | 16 ++++++++++++++++
+ tests/028-dbus/expected.out | 1 +
+ 2 files changed, 17 insertions(+)
+
+diff --git a/src/getcert.c b/src/getcert.c
+index 493771f..42281af 100644
+--- a/src/getcert.c
++++ b/src/getcert.c
+@@ -3882,6 +3882,22 @@ list(const char *argv0, int argc, const char **argv)
+ printf("\t\t%s\n", as[j]);
+ }
+ }
++ s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
++ CM_DBUS_PROP_TEMPLATE_PROFILE, verbose, globals.tctx);
++ if (s1 != NULL && strlen(s1) > 0) {
++ printf(_("\tprofile: %s\n"), s1);
++ }
++ s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
++ CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE,
++ verbose, globals.tctx);
++ if (s1 != NULL && strlen(s1) > 0) {
++ printf(_("\tms v2 template: %s\n"), s1);
++ }
++ s1 = query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
++ CM_DBUS_PROP_TEMPLATE_ISSUER, verbose, globals.tctx);
++ if (s1 != NULL && strlen(s1) > 0) {
++ printf(_("\tissuer template: %s\n"), s1);
++ }
+ printf(_("\tpre-save command: %s\n"),
+ query_prop_s(bus, requests[i], CM_DBUS_REQUEST_INTERFACE,
+ CM_DBUS_PROP_CERT_PRESAVE_COMMAND, verbose, globals.tctx));
+diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
+index 1d8bec4..a25eb34 100644
+--- a/tests/028-dbus/expected.out
++++ b/tests/028-dbus/expected.out
+@@ -15,6 +15,7 @@ Request ID 'Buddy':
+ key usage: digitalSignature,dataEncipherment
+ eku: id-kp-serverAuth
+ certificate template/profile: SomeProfileName
++ profile: SomeProfileName
+ pre-save command: echo Pre
+ post-save command: echo Post
+ track: yes
+-- 
+2.21.1
+
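Review bot: The new expected.out line only pins the `profile:` output; for the 028-dbus fixture the `ms v2 template:` and `issuer template:` branches apparently print nothing, so a wrong property constant or format string in either of them would pass the suite unnoticed. A fixture that sets CM_DBUS_PROP_TEMPLATE_MS_CERTIFICATE_TEMPLATE and CM_DBUS_PROP_TEMPLATE_ISSUER would let all three lines be asserted. As a point of style, the three query/guard/print blocks differ only in property and label and could share a small static helper, and `s1[0] != '\0'` expresses the non-empty check without scanning the string. `list()` begins outside the hunk.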
diff --git a/SOURCES/0039-Fix-broken-N-option-configuration.patch b/SOURCES/0039-Fix-broken-N-option-configuration.patch
new file mode 100644
index 0000000..3717bb6
--- /dev/null
+++ b/SOURCES/0039-Fix-broken-N-option-configuration.patch
@@ -0,0 +1,26 @@
+From 97ede42bda0cb8a983de30fc0608763ae6c2199f Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Wed, 29 Apr 2020 16:34:53 -0400
+Subject: [PATCH 39/39] Fix broken -N option configuration
+
+There was an extra NULL value which caused it to not work.
+---
+ src/getcert.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/getcert.c b/src/getcert.c
+index 42281af..5c8dc94 100644
+--- a/src/getcert.c
++++ b/src/getcert.c
+@@ -4525,7 +4525,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
+ {"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
+ {"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
+ {"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
+- {"signingca", 'N', POPT_ARG_STRING, NULL, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
++ {"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
+ {"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
+ {"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
+ {"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
+-- 
+2.21.1
+
diff --git a/SOURCES/0040-Address-an-include-issue-discovered-by-coverity.patch b/SOURCES/0040-Address-an-include-issue-discovered-by-coverity.patch
new file mode 100644
index 0000000..37e80b3
--- /dev/null
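Review bot: The corrected `signingca` initializer is right, but the defect it repairs — a surplus `NULL` that pushed `&signingca` into popt's `int val` slot and left `HELP_TYPE_FILENAME` as an excess element — is a pointer-to-int conversion and an excess-initializer mismatch that GCC and Clang diagnose by default, so the broken option presumably shipped with those warnings visible in the build log. It would be worth confirming that the certmonger build promotes these diagnostics to errors, since positional popt tables are a recurring source of exactly this slip. `add_scep_ca()` starts outside the hunk.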
+++ b/SOURCES/0040-Address-an-include-issue-discovered-by-coverity.patch
@@ -0,0 +1,52 @@
+From c9c326e1878a377ce4193aaa4b1b41cb711b5e48 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Thu, 30 Apr 2020 12:46:41 -0400
+Subject: [PATCH] Address an include issue discovered by coverity
+
+nspr.h isn't included so use PORT_ErrorToString() instead
+of PR_ErrorToString(), and remain consistent with the
+other PORT calls even though they directly translate
+to their NSPR equivalents.
+
+Also remove a couple of unused variables in pkcs7.c
+---
+ src/pkcs7.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/pkcs7.c b/src/pkcs7.c
+index f81174f..a569256 100644
+--- a/src/pkcs7.c
++++ b/src/pkcs7.c
+@@ -57,6 +57,9 @@
+ #define _(_text) (_text)
+ #endif
+ 
++/* taken from nspr4.h */
++#define PR_LANGUAGE_I_DEFAULT 0 /* i-default, the default language */
++
+ /* Return 0 if we think "issuer" could have issued "issued", which includes
+ * self-signing. */
+ static int
+@@ -289,7 +292,7 @@ log_pkcs7_errors(int level, char *msg)
+ }
+ nss_err = PORT_GetError();
+ if (nss_err < 0) {
+- cm_log(level, "%d: %s\n", nss_err, PR_ErrorToString(nss_err, 0));
++ cm_log(level, "%d: %s\n", nss_err, PORT_ErrorToString(nss_err));
+ }
+ }
+ 
+@@ -929,9 +932,8 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
+ PKCS7_SIGNER_INFO *si;
+ BIO *in, *out = NULL;
+ const unsigned char *u;
+- char *s, buf[LINE_MAX], *p, *q;
++ char *s, *p, *q;
+ int ret = -1, i;
+- long error;
+ 
+ if (digest != NULL) {
+ *digest = NULL;
+-- 
+2.21.1
+
diff --git a/SOURCES/0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch b/SOURCES/0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch
new file mode 100644
index 0000000..b445f6e
--- /dev/null
+++ b/SOURCES/0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch
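Review bot: The `PR_LANGUAGE_I_DEFAULT` macro added after the `_()` fallback is not used anywhere in this hunk — `PORT_ErrorToString()` takes only the error code, and the call that passed a language argument is the one this patch removes — so it looks like a leftover from an earlier draft and should be dropped rather than kept as a hand copy of an NSPR header definition. Separately, as far as I know `PORT_GetError()` reports the thread's last recorded error and NSS does not reset it on a successful call, so the `nss_err < 0` branch in `log_pkcs7_errors` can print a stale code unrelated to the failure being logged; either reset it with `PORT_SetError(0)` before the operation being diagnosed or mark the line with `/* may be stale: last NSS error on this thread, not necessarily from this call */`. `log_pkcs7_errors` and `cm_pkcs7_verify_signed` both begin outside their hunks.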
@@ -0,0 +1,237 @@
+From c9fce72e17b7afa389205d946e5ca7bef997be60 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Wed, 29 Apr 2020 13:26:14 -0400
+Subject: [PATCH] Ensure that files read in have a trailing new-line
+
+In SCEP when retrieving the CA chain the certificates passed in
+on the command-line (RA agent and CA cert) area printed along with
+the contents of what was retrieved remotely.
+
+If one of the filesystem certificates lacks a newline then the
+output will be jumbled like:
+
+-----END CERTIFICATE----------BEGIN CERTIFICATE-----\n
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1814976
+---
+ src/submit-u.c | 11 +++++++
+ tests/039-fromfile/expected.out | 4 +++
+ tests/039-fromfile/run.sh | 55 +++++++++++++++++++++++++++++++++
+ tests/Makefile.am | 10 ++++--
+ tests/tools/Makefile.am | 6 +++-
+ tests/tools/fromfile.c | 52 +++++++++++++++++++++++++++++++
+ 6 files changed, 134 insertions(+), 4 deletions(-)
+ create mode 100644 tests/039-fromfile/expected.out
+ create mode 100755 tests/039-fromfile/run.sh
+ create mode 100644 tests/tools/fromfile.c
+
+diff --git a/src/submit-u.c b/src/submit-u.c
+index b0b45ba..dca23a7 100644
+--- a/src/submit-u.c
++++ b/src/submit-u.c
+@@ -100,6 +100,17 @@ cm_submit_u_from_file(const char *filename)
+ }
+ if (csr == NULL) {
+ csr = strdup("");
++ } else {
++ int length = strlen(csr);
++ if (csr[length-1] != '\n') {
++ length += 1;
++ csr = realloc(csr, length + 1);
++ if (csr == NULL) {
++ return NULL;
++ }
++ csr[length - 1] = '\n';
++ csr[length] = '\0';
++ }
+ }
+ return csr;
+ }
+diff --git a/tests/039-fromfile/expected.out b/tests/039-fromfile/expected.out
+new file mode 100644
+index 0000000..9191a57
+--- /dev/null
++++ b/tests/039-fromfile/expected.out
+@@ -0,0 +1,4 @@
++[trailing_nl]
++Ok
++[no_trailing_nl]
++Ok
+diff --git a/tests/039-fromfile/run.sh b/tests/039-fromfile/run.sh
+new file mode 100755
+index 0000000..8bae773
+--- /dev/null
++++ b/tests/039-fromfile/run.sh
+@@ -0,0 +1,55 @@
++#!/bin/bash -e
++
++cd $tmpdir
++
++cat > $tmpdir/trailing_nl <<- EOF
++-----BEGIN CERTIFICATE-----
++MIIDjjCCAnagAwIBAgIRAO1VmyXYM0f7pbXVdEGtRPMwDQYJKoZIhvcNAQELBQAw
++UDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRob3JpdHkxLDAqBgNVBAMMI2Vk
++NTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0NGYzMB4XDTE1MDQyODE3MDk0
++OFoXDTE2MDQyODE3MDk0OFowUDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRo
++b3JpdHkxLDAqBgNVBAMMI2VkNTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0
++NGYzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5c/LhlyBs0UUiDSy
++nrC+Q0WJkWZeQ/kqwniru+GlXgb3g+7VvyAfdZ45NiBdo/6xXyCLphK0g8oZLyi8
++OwQQoUyVMn9gsGXbjlwSzjXKx3wdUM+lFpenx8iQS9aCfVQJ4tzFgM1pQBQ2AiHs
++jvU18xSFSZApjT5UIK35kyH22D8LhCGGYLaU3xFEfHvd0AOuXwm5Nsiu/HTsSV4N
++peUdFEmFzQwUEUdV2jKOPcXnOArV82vfpdp1nSCX3kruEb9G93VsmQ+9ebKXQRQE
++Ltd65e/EYtXvihuTtElLYuyYZlYJdbTZeLXB4YLvElgNkS9JK7RKHlCm0KYQmcmd
++GZSh8QIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQEBMB0GA1UdDgQWBBRLxeFy3+RS
++FloygyjlXa6YEv8ltzAfBgNVHSMEGDAWgBRLxeFy3+RSFloygyjlXa6YEv8ltzAO
++BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAH9A9ePIqZGF4VEo5D4j
++MuOJ1J4uTRxHoEGXCDRcuCn3RvT0civWEPpRNo1YVgAWFODpt/HSi3lCVtTb7FwJ
++hfHkxCpAuHmv3sfT8jcCwTTAXL1BLpCO6d0zz0RrFMNK+vGyZu/7LXhaYVu590Q5
++1DMybHmln7i+Tw/eYb4Avk1FWGOEpNdf3ZjUazcDlkO4EwA6BnZUC8gFvz0OI73D
++AJsGq/UsJvMH30ga1rZ/9LiHEMSEys5amk98yMRvi/R1qI02kjANdZ0ID/7cJSw2
++rVCCs61jgYppWv3JHVKYmm6+cVPAUcuRdsUzDpAQDdvGAaZJENE6suulRVEaBEdS
++8gM=
++-----END CERTIFICATE-----
++EOF
++cat > $tmpdir/no_trailing_nl <<- EOF
++-----BEGIN CERTIFICATE-----
++MIIDjjCCAnagAwIBAgIRAO1VmyXYM0f7pbXVdEGtRPMwDQYJKoZIhvcNAQELBQAw
++UDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRob3JpdHkxLDAqBgNVBAMMI2Vk
++NTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0NGYzMB4XDTE1MDQyODE3MDk0
++OFoXDTE2MDQyODE3MDk0OFowUDEgMB4GA1UEAwwXTG9jYWwgU2lnbmluZyBBdXRo
++b3JpdHkxLDAqBgNVBAMMI2VkNTU5YjI1LWQ4MzM0N2ZiLWE1YjVkNTc0LTQxYWQ0
++NGYzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5c/LhlyBs0UUiDSy
++nrC+Q0WJkWZeQ/kqwniru+GlXgb3g+7VvyAfdZ45NiBdo/6xXyCLphK0g8oZLyi8
++OwQQoUyVMn9gsGXbjlwSzjXKx3wdUM+lFpenx8iQS9aCfVQJ4tzFgM1pQBQ2AiHs
++jvU18xSFSZApjT5UIK35kyH22D8LhCGGYLaU3xFEfHvd0AOuXwm5Nsiu/HTsSV4N
++peUdFEmFzQwUEUdV2jKOPcXnOArV82vfpdp1nSCX3kruEb9G93VsmQ+9ebKXQRQE
++Ltd65e/EYtXvihuTtElLYuyYZlYJdbTZeLXB4YLvElgNkS9JK7RKHlCm0KYQmcmd
++GZSh8QIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQEBMB0GA1UdDgQWBBRLxeFy3+RS
++FloygyjlXa6YEv8ltzAfBgNVHSMEGDAWgBRLxeFy3+RSFloygyjlXa6YEv8ltzAO
++BgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAH9A9ePIqZGF4VEo5D4j
++MuOJ1J4uTRxHoEGXCDRcuCn3RvT0civWEPpRNo1YVgAWFODpt/HSi3lCVtTb7FwJ
++hfHkxCpAuHmv3sfT8jcCwTTAXL1BLpCO6d0zz0RrFMNK+vGyZu/7LXhaYVu590Q5
++1DMybHmln7i+Tw/eYb4Avk1FWGOEpNdf3ZjUazcDlkO4EwA6BnZUC8gFvz0OI73D
++AJsGq/UsJvMH30ga1rZ/9LiHEMSEys5amk98yMRvi/R1qI02kjANdZ0ID/7cJSw2
++rVCCs61jgYppWv3JHVKYmm6+cVPAUcuRdsUzDpAQDdvGAaZJENE6suulRVEaBEdS
++8gM=
++EOF
++echo -n "-----END CERTIFICATE-----" >> $tmpdir/no_trailing_nl
++
++$toolsdir/fromfile trailing_nl
++$toolsdir/fromfile no_trailing_nl
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index fe368dc..1552c48 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -127,7 +127,9 @@ CLEANFILES = \
+ 037-rekey2/actual.out \
+ 037-rekey2/actual.err \
+ 038-ms-v2-template/actual.out \
+- 038-ms-v2-template/actual.err
++ 038-ms-v2-template/actual.err \
++ 039-fromfile/actual.out \
++ 039-fromfile/actual.err
+ EXTRA_DIST = \
+ run-tests.sh functions certmonger.conf tools/cachain.sh \
+ 001-keyiread/run.sh \
+@@ -349,7 +351,8 @@ EXTRA_DIST = \
+ 037-rekey2/run.sh \
+ 038-ms-v2-template/expected.out \
+ 038-ms-v2-template/extract-extdata.py \
+- 038-ms-v2-template/run.sh
++ 038-ms-v2-template/run.sh \
++ 039-fromfile/run.sh
+ 
+ subdirs = \
+ 001-keyiread \
+@@ -392,7 +395,8 @@ subdirs = \
+ 035-json \
+ 036-getcert \
+ 037-rekey2 \
+- 038-ms-v2-template
++ 038-ms-v2-template \
++ 039-fromfile
+ 
+ if HAVE_DBM_NSSDB
+ subdirs += \
+diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am
+index 39fa954..e0d2f08 100644
+--- a/tests/tools/Makefile.am
++++ 
b/tests/tools/Makefile.am
+@@ -16,7 +16,7 @@ endif
+ noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \
+ name2oid iterate prefs dates listnicks pem2base base2pem \
+ dparse payload checksig base64 cadata citerate casave hooks \
+- libexecdir canon srv addcinfo ls json json-utf8 printenv
++ libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile
+ noinst_LIBRARIES = libtools.a
+ if HAVE_OPENSSL
+ noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt
+@@ -38,3 +38,7 @@ citerate_LDADD = $(top_srcdir)/src/store-gen.c $(LDADD)
+ 
+ srv_SOURCES = srv.c
+ srv_LDADD = $(top_srcdir)/src/srvloc.c $(LDADD)
++
++fromfile_CFLAGS = $(AM_CFLAGS) $(CURL_CFLAGS)
++fromfile_SOURCES = fromfile.c
++fromfile_LDADD = $(LDADD) $(UUID_LIBS) $(CURL_LIBS)
+diff --git a/tests/tools/fromfile.c b/tests/tools/fromfile.c
+new file mode 100644
+index 0000000..bb70507
+--- /dev/null
++++ b/tests/tools/fromfile.c
+@@ -0,0 +1,52 @@
++/*
++ * Copyright (C) 2020 Red Hat, Inc.
++ *
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program. If not, see .
++ */
++
++#include "../../src/config.h"
++
++#include
++#include
++#include
++#include
++
++#include
++
++#include "../../src/submit-u.h"
++#include "../../src/submit-u.c"
++
++int
++main(int argc, char **argv)
++{
++ int i, result = 0;
++ char *cert;
++
++ for (i = 1; i < argc; i++) {
++ printf("[%s]\n", argv[i]);
++ cert = cm_submit_u_from_file(argv[i]);
++ if (cert == NULL) {
++ printf("OOM error\n");
++ result = 1;
++ }
++ else if (cert[strlen(cert) - 1] != '\n') {
++ printf("Missing trailing newline\n");
++ result = 1;
++ } else {
++ printf("Ok\n");
++ }
++ free(cert);
++ }
++ return result;
++}
+-- 
+2.18.4
+
diff --git a/SOURCES/0042-Add-long-command-line-options-to-man-pages.patch b/SOURCES/0042-Add-long-command-line-options-to-man-pages.patch
new file mode 100644
index 0000000..9feaf01
--- /dev/null
+++ b/SOURCES/0042-Add-long-command-line-options-to-man-pages.patch
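Review bot: In the new `else` branch of `cm_submit_u_from_file`, `csr[length-1]` is read without checking that `length` is non-zero, so a non-NULL empty string (nothing in the hunk shows that the read loop above rules this out) indexes one byte before the buffer; the same `strlen(cert) - 1` index appears in the new `fromfile.c` tool. The `csr = realloc(csr, ...)` assignment also discards the only pointer to the original buffer when realloc fails, so the NULL return leaks it, and `int length` narrows a `size_t`. The rewrite below guards the empty case (an empty read stays `""`, consistent with the `strdup("")` branch), reallocates through a temporary and frees the old buffer on failure. `cm_submit_u_from_file` begins outside the hunk.

```c
	} else {
		size_t length = strlen(csr);
		/* Append a newline only to non-empty content; "" stays "". */
		if (length > 0 && csr[length - 1] != '\n') {
			char *tmp = realloc(csr, length + 2);
			if (tmp == NULL) {
				free(csr);
				return NULL;
			}
			csr = tmp;
			csr[length] = '\n';
			csr[length + 1] = '\0';
		}
	}
	return csr;
```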
@@ -0,0 +1,4160 @@ +From 2a6ede56ad8c29181fde7691904f226102d43e54 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 14 May 2020 14:15:17 -0400 +Subject: [PATCH 42/43] Add long command-line options to man pages + +The man pages almost universally only documented the short +options even though the long options were all defined in +the popt configuration. + +Also do a bit of minor bit of reformatting and added a lint +option. I'm not going to require mandoc as a requirement as +the linting is pretty minor at the moment but it's better than +nothing. + +https://bugzilla.redhat.com/show_bug.cgi?id=1782838 +--- + src/Makefile.am | 6 + + src/certmaster-getcert.1.in | 72 ++--- + src/certmonger-certmaster-submit.8.in | 59 ++-- + ...tmonger-dogtag-ipa-renew-agent-submit.8.in | 288 +++++++++++------- + src/certmonger-dogtag-submit.8.in | 252 ++++++++------- + src/certmonger-ipa-submit.8.in | 115 ++++--- + src/certmonger-local-submit.8.in | 62 ++-- + src/certmonger-scep-submit.8.in | 124 ++++---- + src/certmonger.8.in | 86 +++--- + src/certmonger.conf.5.in | 20 +- + src/getcert-add-ca.1.in | 48 +-- + src/getcert-add-scep-ca.1.in | 80 ++--- + src/getcert-list-cas.1.in | 44 +-- + src/getcert-list.1.in | 84 ++--- + src/getcert-modify-ca.1.in | 46 +-- + src/getcert-refresh-ca.1.in | 50 +-- + src/getcert-refresh.1.in | 52 ++-- + src/getcert-rekey.1.in | 107 ++++--- + src/getcert-remove-ca.1.in | 44 +-- + src/getcert-request.1.in | 157 ++++++---- + src/getcert-resubmit.1.in | 112 ++++--- + src/getcert-start-tracking.1.in | 134 ++++---- + src/getcert-status.1.in | 54 ++-- + src/getcert-stop-tracking.1.in | 65 ++-- + src/getcert.1.in | 54 ++-- + src/ipa-getcert.1.in | 74 ++--- + src/local-getcert.1.in | 76 ++--- + src/selfsign-getcert.1.in | 74 ++--- + 28 files changed, 1321 insertions(+), 1118 deletions(-) + +diff --git a/src/Makefile.am b/src/Makefile.am +index fe3b235..5343dbc 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -266,3 +266,9 @@ submit_h_CFLAGS = 
$(AM_CFLAGS) $(CURL_CFLAGS) $(XML_CFLAGS) -DCM_SUBMIT_H_MAIN + submit_h_SOURCES = submit-h.c submit-h.h log.c log.h tm.c tm.h + submit_h_LDADD = $(CURL_LIBS) $(XML_LIBS) $(TALLOC_LIBS) $(LTLIBICONV) \ + $(POPT_LIBS) ++ ++.PHONY: manlint ++manlint: $(man_MANS) ++ for page in $(MANS); do \ ++ mandoc -T lint $${page}; \ ++ done +diff --git a/src/certmaster-getcert.1.in b/src/certmaster-getcert.1.in +index ef1c14a..7a038f9 100644 +--- a/src/certmaster-getcert.1.in ++++ b/src/certmaster-getcert.1.in +@@ -1,20 +1,20 @@ +-.TH certmonger 1 "23 November 2009" "certmonger Manual" ++.TH CERTMONGER 1 "November 23, 2009" "certmonger Manual" + + .SH NAME +-certmaster-getcert ++certmaster\-getcert + + .SH SYNOPSIS +- certmaster-getcert request [options] +- certmaster-getcert resubmit [options] +- certmaster-getcert start-tracking [options] +- certmaster-getcert status [options] +- certmaster-getcert stop-tracking [options] +- certmaster-getcert list [options] +- certmaster-getcert list-cas [options] +- certmaster-getcert refresh-cas [options] ++ certmaster\-getcert request [options] ++ certmaster\-getcert resubmit [options] ++ certmaster\-getcert start\-tracking [options] ++ certmaster\-getcert status [options] ++ certmaster\-getcert stop\-tracking [options] ++ certmaster\-getcert list [options] ++ certmaster\-getcert list\-cas [options] ++ certmaster\-getcert refresh\-cas [options] + + .SH DESCRIPTION +-The \fIcertmaster-getcert\fR tool issues requests to a @CM_DBUS_NAME@ ++The \fIcertmaster\-getcert\fR tool issues requests to a @CM_DBUS_NAME@ + service on behalf of the invoking user. 
It can ask the service to begin + enrollment, optionally generating a key pair to use, it can ask the + service to begin monitoring a certificate in a specified location for +@@ -22,17 +22,17 @@ expiration, and optionally to refresh it when expiration nears, it can + list the set of certificates that the service is already monitoring, or + it can list the set of CAs that the service is capable of using. + +-If no command is given as the first command-line argument, +-\fIcertmaster-getcert\fR will print short usage information for each of ++If no command is given as the first command\-line argument, ++\fIcertmaster\-getcert\fR will print short usage information for each of + its functions. + +-The \fIcertmaster-getcert\fR tool behaves identically to the generic +-\fIgetcert\fR tool when it is used with the \fB-c ++The \fIcertmaster\-getcert\fR tool behaves identically to the generic ++\fIgetcert\fR tool when it is used with the \fB\-c + \fI@CM_CERTMASTER_CA_NAME@\fR option. + + There is no standard authenticated method for obtaining the root certificate + from certmaster CAs, so \fBcertmonger\fR does not support retrieving trust +-information from them. While the \fB-F\fR and \fB-a\fR options will still ++information from them. While the \fB\-F\fR and \fB\-a\fR options will still + be recognized, they will effectively be ignored. 
+ + .SH BUGS +@@ -41,24 +41,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger + .SH SEE ALSO + \fBcertmonger\fR(8) + \fBgetcert\fR(1) +-\fBgetcert-add-ca\fR(1) +-\fBgetcert-add-scep-ca\fR(1) +-\fBgetcert-list-cas\fR(1) +-\fBgetcert-list\fR(1) +-\fBgetcert-modify-ca\fR(1) +-\fBgetcert-refresh-ca\fR(1) +-\fBgetcert-refresh\fR(1) +-\fBgetcert-rekey\fR(1) +-\fBgetcert-remove-ca\fR(1) +-\fBgetcert-request\fR(1) +-\fBgetcert-resubmit\fR(1) +-\fBgetcert-start-tracking\fR(1) +-\fBgetcert-status\fR(1) +-\fBgetcert-stop-tracking\fR(1) +-\fBcertmonger-certmaster-submit\fR(8) +-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) +-\fBcertmonger-dogtag-submit\fR(8) +-\fBcertmonger-ipa-submit\fR(8) +-\fBcertmonger-local-submit\fR(8) +-\fBcertmonger-scep-submit\fR(8) ++\fBgetcert\-add\-ca\fR(1) ++\fBgetcert\-add\-scep\-ca\fR(1) ++\fBgetcert\-list\-cas\fR(1) ++\fBgetcert\-list\fR(1) ++\fBgetcert\-modify\-ca\fR(1) ++\fBgetcert\-refresh\-ca\fR(1) ++\fBgetcert\-refresh\fR(1) ++\fBgetcert\-rekey\fR(1) ++\fBgetcert\-remove\-ca\fR(1) ++\fBgetcert\-request\fR(1) ++\fBgetcert\-resubmit\fR(1) ++\fBgetcert\-start\-tracking\fR(1) ++\fBgetcert\-status\fR(1) ++\fBgetcert\-stop\-tracking\fR(1) ++\fBcertmonger\-certmaster\-submit\fR(8) ++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) ++\fBcertmonger\-dogtag\-submit\fR(8) ++\fBcertmonger\-ipa\-submit\fR(8) ++\fBcertmonger\-local\-submit\fR(8) ++\fBcertmonger\-scep\-submit\fR(8) + \fBcertmonger_selinux\fR(8) +diff --git a/src/certmonger-certmaster-submit.8.in b/src/certmonger-certmaster-submit.8.in +index aec8b83..e3e990f 100644 +--- a/src/certmonger-certmaster-submit.8.in ++++ b/src/certmonger-certmaster-submit.8.in +@@ -1,17 +1,17 @@ +-.TH certmonger 8 "7 June 2010" "certmonger Manual" ++.TH CERTMONGER 8 "June 7, 2010" "certmonger Manual" + + .SH NAME +-certmaster-submit ++certmaster\-submit + + .SH SYNOPSIS +-certmaster-submit [-h serverHost] [-c cafile] [-C capath] [csrfile] ++certmaster\-submit [\-h 
HOST] [\-c FILE] [\-C DIR] [\-v] [csrfile] + + .SH DESCRIPTION +-\fIcertmaster-submit\fR is the helper which \fIcertmonger\fR uses to make +-requests to certmaster-based CAs. It is not normally run interactively, ++\fIcertmaster\-submit\fR is the helper which \fIcertmonger\fR uses to make ++requests to certmaster\-based CAs. It is not normally run interactively, + but it can be for troubleshooting purposes. The signing request which is + to be submitted should either be in a file whose name is given as an argument, +-or fed into \fIcertmaster-submit\fR via stdin. ++or fed into \fIcertmaster\-submit\fR via stdin. + + There is no standard authenticated method for obtaining the root certificate + from certmaster CAs, so \fBcertmonger\fR does not support retrieving trust +@@ -19,21 +19,24 @@ information from them. + + .SH OPTIONS + .TP +-\fB\-h\fR serverHost ++\fB\-h\fR \fIHOST\fR, \fB\-\-server\-host\fR=\fIHOST\fR + Submit the request to the certmaster instance running on the named host. The + default is \fIlocalhost:51235\fR if a file named \fB/var/run/certmaster.pid\fR + is found on the local system, and is read from \fB/etc/certmaster/minion.conf\fR + if that file is not found. + .TP +-\fB\-c\fR cafile ++\fB\-c\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR + Submit the request over HTTPS instead of HTTP, and only trust the server + if its certificate was issued by the CA whose certificate is in the named file. + .TP +-\fB\-C\fR capath ++\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR + Submit the request over HTTPS instead of HTTP, and only trust the server + if its certificate was issued by a CA whose certificate is in a file in + the named directory. +- ++.TP ++\fB\-v\fR, \fB\-\-verbose\fR ++Be verbose about errors. Normally, the details of an error received from ++the daemon will be suppressed if the client can make a diagnostic suggestion. 
+ .SH EXIT STATUS + .TP + 0 +@@ -73,22 +76,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger + .SH SEE ALSO + \fBcertmonger\fR(8) + \fBgetcert\fR(1) +-\fBgetcert-add-ca\fR(1) +-\fBgetcert-add-scep-ca\fR(1) +-\fBgetcert-list-cas\fR(1) +-\fBgetcert-list\fR(1) +-\fBgetcert-modify-ca\fR(1) +-\fBgetcert-refresh-ca\fR(1) +-\fBgetcert-refresh\fR(1) +-\fBgetcert-rekey\fR(1) +-\fBgetcert-remove-ca\fR(1) +-\fBgetcert-resubmit\fR(1) +-\fBgetcert-start-tracking\fR(1) +-\fBgetcert-status\fR(1) +-\fBgetcert-stop-tracking\fR(1) +-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) +-\fBcertmonger-dogtag-submit\fR(8) +-\fBcertmonger-ipa-submit\fR(8) +-\fBcertmonger-local-submit\fR(8) +-\fBcertmonger-scep-submit\fR(8) ++\fBgetcert\-add\-ca\fR(1) ++\fBgetcert\-add\-scep\-ca\fR(1) ++\fBgetcert\-list\-cas\fR(1) ++\fBgetcert\-list\fR(1) ++\fBgetcert\-modify\-ca\fR(1) ++\fBgetcert\-refresh\-ca\fR(1) ++\fBgetcert\-refresh\fR(1) ++\fBgetcert\-rekey\fR(1) ++\fBgetcert\-remove\-ca\fR(1) ++\fBgetcert\-resubmit\fR(1) ++\fBgetcert\-start\-tracking\fR(1) ++\fBgetcert\-status\fR(1) ++\fBgetcert\-stop\-tracking\fR(1) ++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) ++\fBcertmonger\-dogtag\-submit\fR(8) ++\fBcertmonger\-ipa\-submit\fR(8) ++\fBcertmonger\-local\-submit\fR(8) ++\fBcertmonger\-scep\-submit\fR(8) + \fBcertmonger_selinux\fR(8) +diff --git a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in +index 84c8b0d..33e0648 100644 +--- a/src/certmonger-dogtag-ipa-renew-agent-submit.8.in ++++ b/src/certmonger-dogtag-ipa-renew-agent-submit.8.in +@@ -1,44 +1,51 @@ +-.TH certmonger 8 "27 Oct 2015" "certmonger Manual" ++.TH CERTMONGER 8 "October 27, 2015" "certmonger Manual" + + .SH NAME +-dogtag-ipa-renew-agent-submit ++dogtag\-ipa\-renew\-agent\-submit + + .SH SYNOPSIS +-dogtag-ipa-renew-agent-submit -E EE-URL -A AGENT-URL +-[-d dbdir] +-[-n nickname] +-[-i cainfo] +-[-C capath] +-[-c certfile] +-[-k 
keyfile] +-[-p pinfile] +-[-P pin] +-[-s serial (hex)] +-[-D serial (decimal)] +-[-S state] +-[-T profile] +-[-O param=value] +-[-N | -R] +-[-t] +-[-o option=value] +-[-v] ++dogtag\-ipa\-renew\-agent\-submit \-E EE\-URL \-A AGENT\-URL ++[\-d dbdir] ++[\-n nickname] ++[\-i cainfo] ++[\-C capath] ++[\-c certfile] ++[\-k keyfile] ++[\-p pinfile] ++[\-P pin] ++[\-s serial (hex)] ++[\-D serial (decimal)] ++[\-S state] ++[\-T profile] ++[\-O param=value] ++[\-N | \-R] ++[\-t] ++[\-o option=value] ++[\-a] ++[\-u uid] ++[\-U udn] ++[\-W pwd] ++[\-w pwdfile] ++[\-Y pin] ++[\-y pinfile] + [csrfile] + ++ + .SH DESCRIPTION +-\fIdogtag-ipa-renew-agent-submit\fR is the helper which \fIcertmonger\fR uses ++\fIdogtag\-ipa\-renew\-agent\-submit\fR is the helper which \fIcertmonger\fR uses + to make certificate renewal requests to Dogtag instances running on IPA + servers. It is not normally run interactively, but it can be for + troubleshooting purposes. + +-The preferred option is to request a renewal of an already-issued certificate, +-using its serial number, which can be read from a PEM-formatted certificate ++The preferred option is to request a renewal of an already\-issued certificate, ++using its serial number, which can be read from a PEM\-formatted certificate + provided in the \fICERTMONGER_CERTIFICATE\fR environment variable, or via the +-\fB-s\fR or \fB-D\fR option on the command line. If no serial number is ++\fB\-s\fR or \fB\-D\fR option on the command line. If no serial number is + provided, then the client will attempt to obtain a new certificate by + submitting a signing request to the CA. + + The signing request which is to be submitted should either be in a file whose +-name is given as an argument, or fed into \fIdogtag-ipa-renew-agent-submit\fR ++name is given as an argument, or fed into \fIdogtag\-ipa\-renew\-agent\-submit\fR + via stdin. + + \fBcertmonger\fR does not yet support retrieving trust information from Dogtag +@@ -46,8 +53,8 @@ CAs. 
+ + .SH OPTIONS + .TP +-\fB\-E\fR EE-URL +-The top-level URL for the end-entity interface provided by the CA. In IPA ++\fB\-E\fR \fIEE\-URL\fR, \fB\-\-ee\-url\fR=\fIEE\-URL\fR ++The top\-level URL for the end\-entity interface provided by the CA. In IPA + installations, this is typically + \fIhttp://\fBSERVER\fP:\fBEEPORT\fP/ca/ee/ca\fR. + If no URL is specified, the \fIhost\fR named in the \fI[global]\fR section in +@@ -58,8 +65,8 @@ and the value of \fBEEPORT\fR will be inferred based on the value of the + if \fIdogtag_version\fR is set to \fI10\fR or more, \fBEEPORT\fR will + be set to 8080. Otherwise it will be 9180. + .TP +-\fB\-A\fR AGENT-URL +-The top-level URL for the agent interface provided by the CA. In IPA ++\fB\-A\fR \fIAGENT\-URL\fR, \fB\-\-agent\-url\fR=\fIAGENT\-URL\fR ++The top\-level URL for the agent interface provided by the CA. In IPA + installations, this is typically + \fIhttps://\fBSERVER\fP:\fBAGENTPORT\fP/ca/agent/ca\fR. + If no URL is specified, the \fIhost\fR named in the \fI[global]\fR section in +@@ -70,96 +77,159 @@ and the value of \fBAGENTPORT\fR will be inferred based on the value of the + if \fIdogtag_version\fR is set to \fI10\fR or more, \fBAGENTPORT\fR will + be set to 8443. Otherwise it will be 9443. + .TP +-\fB\-d\fR dbdir \fB\-n\fR nickname \fB\-c\fR certfile \fB\-k\fR keyfile +-The location of the key and certificate which the client should use to +-authenticate to the CA's agent interface. Exactly which values are +-meaningful depend on which cryptography library your copy of libcurl was +-linked with. 
+-
+-If none of these options are specified, and none of the \fB-p\fR, \fB-P\fR,
+-\fB-i\fR, nor \fB-C\fR options are specified, then this set of defaults is
+-used:
+- \fB-i\fR \fI/etc/ipa/ca.crt\fR
+- \fB-d\fR \fI/etc/httpd/alias\fR
+- \fB-n\fR \fIipaCert\fR
+- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
+-.TP
+-\fB\-p\fR pinfile
+-The name of a file which contains a PIN/password which will be needed in
+-order to make use of the agent credentials.
+-
+-If this option is not specified, and none of the \fB-d\fR, \fB-n\fR, \fB-c\fR,
+-\fB-k\fR, \fB-P\fR, \fB-i\fR, nor \fB-C\fR options are specified, then this set
+-of defaults is used:
+- \fB-i\fR \fI/etc/ipa/ca.crt\fR
+- \fB-d\fR \fI/etc/httpd/alias\fR
+- \fB-n\fR \fIipaCert\fR
+- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
+-.TP
+-\fB\-i\fR cainfo \fB\-C\fR capath
++\fB\-i\fR \fIFILE\fB, \fB\-\-cafile\fR=\fIPATH\fR
+ The location of a file containing a copy of the CA's certificate, against which
+-the CA server's certificate will be verified, or a directory containing, among
+-other things, such a file.
+-
+-If these options are not specified, and none of the \fB-d\fR, \fB-n\fR,
+-\fB-c\fR, \fB-k\fR, \fB-p\fR, nor \fB-P\fR options are specified, then this set
+-of defaults is used:
+- \fB-i\fR \fI/etc/ipa/ca.crt\fR
+- \fB-d\fR \fI/etc/httpd/alias\fR
+- \fB-n\fR \fIipaCert\fR
+- \fB-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
+-.TP
+-\fB-s\fR serial
+-The serial number of an already-issued certificate for which the client should
+-attempt to obtain a new certificate, in hexadecimal form, if one can not be
++the CA server's certificate will be verified. The default is
++\fB/etc/ipa/ca.crt\fR.
++.TP
++\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR
++The location of a directory containing a copy of the CA's certificate,
++against which the CA server's certificate will be verified.
++.TP
++\fB\-s\fR \fINUMBER\fR, \fB\-\-hex\-serial\fR=\fINUMBER\fB
++The serial number of an already\-issued certificate for which the client should
++attempt to obtain a new certificate, in hexidecimal form, if one can not be
+ read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
+ .TP
+-\fB-D\fR serial
+-The serial number of an already-issued certificate for which the client should
++\fB\-D\fR \fINUMBER\fR, \fB\-\-serial\fR=\fINUMBER\fB
++The serial number of an already\-issued certificate for which the client should
+ attempt to obtain a new certificate, in decimal form, if one can not be
+ read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
+ .TP
+-\fB-S\fR state
++\fB\-S\fR \fISTATE\-VALUE\fR, \fB\-\-state\fR=\fISTATE\-VALUE\fR
+ A cookie value provided by a previous instance of this helper, if the helper
+-is being asked to continue a multi-step enrollment process. If the
++is being asked to continue a multi\-step enrollment process. If the
+ \fICERTMONGER_COOKIE\fR environment variable is set, its value is used.
+ .TP
+-\fB-T\fR profile/template
++\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
+ The name of the type of certificate which the client should request from the CA
+-if it is not renewing a certificate (per the \fB-s\fR option above). If the
++if it is not renewing a certificate (per the \fB\-s\fR option above). If the
+ \fICERTMONGER_CA_PROFILE\fR environment variable is set, its value is used.
+ Otherwise, the default value is \fBcaServerCert\fP.
+ .TP
+-\fB-O\fR param=value
++\fB\-t\fR, \fB\-\-profile\-list\fR
++Instead of attempting to obtain a new certificate, query the server for a list
++of the enabled enrollment profiles.
++.TP
++\fB\-O\fR \fIparam=value\fR, \fB\-\-approval\-option\fR=\fIparam=value\fR
+ An additional parameter to pass to the server when approving the signing
+-request using the agent's credentials. By default, any server-supplied default
++request using the agent's credentials. By default, any server\-supplied default
+ settings are applied. This option can be used either to override a
+-server-supplied default setting, or to supply one which would otherwise have
++server\-supplied default setting, or to supply one which would otherwise have
+ not been used.
+ .TP
+-\fB-N\fR
+-Even if an already-issued certificate is available in the
++\fB\-N\fR, \fB\-\-force\-new\fR
++Even if an already\-issued certificate is available in the
+ \fICERTMONGER_CERTIFICATE\fR environment variable, or a serial number has been
+ provided, don't attempt to renew a certificate using its serial number.
+ Instead, attempt to obtain a new certificate using the signing request.
+ The default behavior is to request a renewal if possible.
+ .TP
+-\fB-R\fR
+-Negates the effect of the \fB-N\fR flag.
+-.TP
+-\fB-t\fR
+-Instead of attempting to obtain a new certificate, query the server for a list
+-of the enabled enrollment profiles.
++\fB\-R\fR, \fB\-\-force\-renew\fR
++Negates the effect of the \fB\-N\fR flag.
+ .TP
+-\fB-o\fR param=value
++\fB\-o\fR \fIparam=value\fR, \fB\-\-submit\-option\fR=\fIparam=value\fR
+ When initially submitting a request to the CA, add the specified parameter and
+ value along with any request parameters which would otherwise be sent. This
+ option is not typically used.
+ .TP
+-\fB-v\fR
++\fB\-a\fR, \fB\-\-agent\-submit\fR
++Use agent credentials, specified using some combination of the \fB\-d\fR,
++\fB\-n\fR, \fB\-c\fR, and \fB\-k\fR flags, to authenticate to the CA when
++initially submitting a request to the CA or retrieving the list of enabled
++enrollment profiles.
++This is typically required when the enrollment profile being used uses
++\fIAgentCertAuth\fR\-based
++authentication,
++and requires that the URL specified using the \fB\-E\fR flag be an HTTPS URL,
++or when the URL specified using the \fB\-E\fR flag is an HTTPS URL.
++.TP
++\fB\-u username\fR, \fB\-\-uid\fR=\fIusername\fR
++When initially submitting a request to the CA, supply the specified value as a user name.
++This is typically required when the enrollment profile being used uses
++\fIUidPwdDirAuth\fR\-based or \fINISAuth\fR\-based
++authentication..TP
++\fB\-U\fR \fIuserdn\fR, \fB\-\-upn\fR=\fIuserdn\fR
++When initially submitting a request to the CA, supply the specified value as the DN
++(distinguished name) of the user's entry in a directory server which the CA is
++configured to use for checking the user's password.
++This is typically required when the enrollment profile being used uses
++\fIUdnPwdDirAuth\fR\-based
++authentication.
++.TP
++\fB\-W\fR \fIPASSWORD\fR, \fB\-\-userpwd\fR=\fIPASSWORD\fR
++When initially submitting a request to the CA, supply the specified value as the password
++for the user whose name is specified with the \fB\-u\fR option, or whose DN is
++specified with the \fB\-U\fR option.
++This is typically only required when the enrollment profile being used uses
++\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
++authentication.
++If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
++will not be encrypted.
++.TP
++\fB\-w\fR \fIFILE\fR, \fB\-\-userpwdfile\fR=\fIFILE\fR
++When initially submitting a request to the CA, read from the specified file a
++password to supply for the user whose name is specified with the \fB\-u\fR
++option, or whose DN is specified with the \fB\-U\fR option.
++This is typically only required when the enrollment profile being used uses
++\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
++authentication.
++If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
++will not be encrypted.
++.TP
++\fB\-Y\fR \fIPIN\fR, \fB\-\-userpin\fR=\fIPIN\fR
++When initially submitting a request to the CA, supply the specified value as the PIN
++for the user whose name is specified with the \fB\-u\fR option, or whose DN is
++specified with the \fB\-U\fR option.
++This is typically only required when the enrollment profile being used uses
++\fIUidPwdPinDirAuth\fR\-based
++authentication.
++If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
++will not be encrypted.
++\fB\-y\fR \fIFILE\fR, \fB\-\-userpinfile\fR=\fIFILE\fR
++When initially submitting a request to the CA, read from the specified file a
++PIN to supply for the user whose name is specified with the \fB\-u\fR
++option, or whose DN is specified with the \fB\-U\fR option.
++This is typically only required when the enrollment profile being used uses
++\fIUidPwdPinDirAuth\fR\-based
++authentication. If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
++will not be encrypted.
++.TP
++\fB\-v\fR, \fB\-\-verbose\fR
+ Increases the logging level. Use twice for more logging. This option is mainly
+ useful for troubleshooting.
+-
++.SH AGENT KEY AND CERTIFICATE OPTIONS
++Options that provide the location for the private key and public certificate
++which the client should use to authenticate to the CA's agent interface.
++The values to use depend on which cryptography library your copy of libcurl
++was linked with.
++.TP
++If none of these options are specified, and none of the \fB\-p\fR, \fB\-P\fR, \fB\-i\fR, nor \fB\-C\fR options are specified, then this set of defaults is used:
++ \fB\-i\fR \fI/etc/ipa/ca.crt\fR
++ \fB\-d\fR \fI/etc/httpd/alias\fR
++ \fB\-n\fR \fIipaCert\fR
++ \fB\-p\fR \fI/etc/httpd/alias/pwdfile.txt\fR
++.TP
++\fB\-d\fR \fIdbdir\fR, \fB\-\-dbdir\fR=\fIdbdir\fR
++Use an NSS database in the specified directory for this certificate
++and key. Only valid with \-n.
++.TP
++\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
++Use the NSS key with this nickname. Only valid with \-d.
++.TP
++\fB\-c\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
++The PEM file that contains the public certificate. Only valid with \-k.
++.TP
++\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
++The PEM file that contains the private certificate. Only valid with \-c.
++.TP
++\fB\-p\fR \fIFILE\fR, \fB\-\-sslpinfile\fR=\fIFILE\fR
++The name of a file which contains a PIN/password which will be needed in
++order to make use of the agent credentials.
++.TP
++\fB\-P\fR \fIPIN\fR, \fB\-\-sslpin\fR=\fIPIN\fR
++The name of a file which contains a PIN/password which will be needed in
++order to make use of the agent credentials.
+ .SH EXIT STATUS
+ .TP
+ 0
+@@ -189,7 +259,7 @@ pair.
+ .TP
+ .I /etc/ipa/default.conf
+ is the IPA client configuration file. This file is consulted to determine
+-the URL for the Dogtag server's end-entity and agent interfaces if they are
++the URL for the Dogtag server's end\-entity and agent interfaces if they are
+ not supplied as arguments.
+
+ .SH BUGS
+@@ -198,22 +268,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
+ .SH SEE ALSO
+ \fBcertmonger\fR(8)
+ \fBgetcert\fR(1)
+-\fBgetcert-add-ca\fR(1)
+-\fBgetcert-add-scep-ca\fR(1)
+-\fBgetcert-list-cas\fR(1)
+-\fBgetcert-list\fR(1)
+-\fBgetcert-modify-ca\fR(1)
+-\fBgetcert-refresh-ca\fR(1)
+-\fBgetcert-refresh\fR(1)
+-\fBgetcert-rekey\fR(1)
+-\fBgetcert-remove-ca\fR(1)
+-\fBgetcert-resubmit\fR(1)
+-\fBgetcert-start-tracking\fR(1)
+-\fBgetcert-status\fR(1)
+-\fBgetcert-stop-tracking\fR(1)
+-\fBcertmonger-certmaster-submit\fR(8)
+-\fBcertmonger-dogtag-submit\fR(8)
+-\fBcertmonger-ipa-submit\fR(8)
+-\fBcertmonger-local-submit\fR(8)
+-\fBcertmonger-scep-submit\fR(8)
++\fBgetcert\-add\-ca\fR(1)
++\fBgetcert\-add\-scep\-ca\fR(1)
++\fBgetcert\-list\-cas\fR(1)
++\fBgetcert\-list\fR(1)
++\fBgetcert\-modify\-ca\fR(1)
++\fBgetcert\-refresh\-ca\fR(1)
++\fBgetcert\-refresh\fR(1)
++\fBgetcert\-rekey\fR(1)
++\fBgetcert\-remove\-ca\fR(1)
++\fBgetcert\-resubmit\fR(1)
++\fBgetcert\-start\-tracking\fR(1)
++\fBgetcert\-status\fR(1)
++\fBgetcert\-stop\-tracking\fR(1)
++\fBcertmonger\-certmaster\-submit\fR(8)
++\fBcertmonger\-dogtag\-submit\fR(8)
++\fBcertmonger\-ipa\-submit\fR(8)
++\fBcertmonger\-local\-submit\fR(8)
++\fBcertmonger\-scep\-submit\fR(8)
+ \fBcertmonger_selinux\fR(8)
+diff --git a/src/certmonger-dogtag-submit.8.in b/src/certmonger-dogtag-submit.8.in
+index 19ecab7..e92de67 100644
+--- a/src/certmonger-dogtag-submit.8.in
++++ b/src/certmonger-dogtag-submit.8.in
+@@ -1,196 +1,214 @@
+-.TH certmonger 8 "27 Oct 2015" "certmonger Manual"
++.TH CERTMONGER 8 "October 27, 2015" "certmonger Manual"
+
+ .SH NAME
+-dogtag-submit
++dogtag\-submit
+
+ .SH SYNOPSIS
+-dogtag-submit -E EE-URL -A AGENT-URL
+-[-d dbdir]
+-[-n nickname]
+-[-i cainfo]
+-[-C capath]
+-[-c certfile]
+-[-k keyfile]
+-[-p pinfile]
+-[-P pin]
+-[-s serial (hex)]
+-[-D serial (decimal)]
+-[-S state]
+-[-T profile]
+-[-O param=value]
+-[-N | -R]
+-[-t]
+-[-o option=value]
+-[-a ]
+-[-u username]
+-[-U userdn]
+-[-W userpassword]
+-[-w userpasswordfile]
+-[-Y userpin]
+-[-y userpinfile]
+-[-v]
++dogtag\-submit \-E EE\-URL \-A AGENT\-URL
++[\-d DIR]
++[\-n NAME]
++[\-i FILE]
++[\-C DIR]
++[\-c FILE]
++[\-k FILE]
++[\-p FILE]
++[\-P PIN]
++[\-s serial (hex)]
++[\-D serial (decimal)]
++[\-S state]
++[\-T profile]
++[\-O param=value]
++[\-N | \-R]
++[\-t]
++[\-o option=value]
++[\-a]
++[\-u username]
++[\-U userdn]
++[\-W PASSWORD]
++[\-w FILE]
++[\-Y PIN]
++[\-y FILE]
++[\-v]
+ [csrfile]
+
+ .SH DESCRIPTION
+-\fIdogtag-submit\fR is the helper which \fIcertmonger\fR can use to make
++\fIdogtag\-submit\fR is the helper which \fIcertmonger\fR can use to make
+ certificate enrollment and renewal requests to Dogtag servers. It is not
+ normally run interactively, but it can be for troubleshooting purposes.
+
+-The preferred option is to request a renewal of an already-issued certificate,
+-using its serial number, which can be read from a PEM-formatted certificate
++The preferred option is to request a renewal of an already\-issued certificate,
++using its serial number, which can be read from a PEM\-formatted certificate
+ provided in the \fICERTMONGER_CERTIFICATE\fR environment variable, or via the
+-\fB-s\fR or \fB-D\fR option on the command line. If no serial number is
++\fB\-s\fR or \fB\-D\fR option on the command line. If no serial number is
+ provided, then the client will attempt to obtain a new certificate by
+ submitting a signing request to the CA.
+
+ The signing request which is to be submitted should either be in a file whose
+-name is given as an argument, or fed into \fIdogtag-submit\fR via stdin.
++name is given as an argument, or fed into \fIdogtag\-submit\fR via stdin.
+
+ \fBcertmonger\fR does not yet support retrieving trust information from Dogtag
+ CAs.
+
+ .SH OPTIONS
+ .TP
+-\fB\-E\fR EE-URL
+-The top-level URL for the end-entity interface provided by the CA, through
++\fB\-E\fR \fIEE\-URL\fR, \fB\-\-ee\-url\fR=\fIEE\-URL\fR
++The top\-level URL for the end\-entity interface provided by the CA, through
+ which the initial enrollment request will be submitted. This is typically
+ \fIhttp://\fBSERVER\fP:\fBEEPORT\fP/ca/ee/ca\fR.
+ .TP
+-\fB\-A\fR AGENT-URL
+-The top-level URL for the agent interface provided by the CA, through which the
++\fB\-A\fR \fIAGENT\-URL\fR, \fB\-\-agent\-url\fR=\fIAGENT\-URL\fR
++The top\-level URL for the agent interface provided by the CA, through which the
+ request can be approved using agent credentials. This is typically
+ \fIhttps://\fBSERVER\fP:\fBAGENTPORT\fP/ca/agent/ca\fR.
+ .TP
+-\fB\-d\fR dbdir \fB\-n\fR nickname \fB\-c\fR certfile \fB\-k\fR keyfile
+-The location of the key and certificate which the client should use to
+-authenticate to the CA's agent interface. Exactly which values are
+-meaningful depend on which cryptography library your copy of libcurl was
+-linked with.
+-.TP
+-\fB\-p\fR pinfile
+-The name of a file which contains a PIN/password which will be needed in
+-order to make use of the agent credentials.
+-.TP
+-\fB\-i\fR cainfo \fB\-C\fR capath
++\fB\-i\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR
+ The location of a file containing a copy of the CA's certificate, against which
+-the CA server's certificate will be verified, or a directory containing, among
+-other things, such a file.
++the CA server's certificate will be verified.
+ .TP
+-\fB-s\fR serial
+-The serial number of an already-issued certificate for which the client should
+-attempt to obtain a new certificate, in hexadecimal form, if one can not be
+-read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
++\fB\-C\fR \fIDIR\fR, \fB\-\-capath\fR=\fIDIR\fR
++The location of a directory containing a copy of the CA's certificate(s),
++against which the CA server's certificate will be verified.
+ .TP
+-\fB-D\fR serial
+-The serial number of an already-issued certificate for which the client should
++\fB\-D\fR \fISERIAL\fR, \fB\-\-serial\fR=\fISERIAL\fR
++The serial number of an already\-issued certificate for which the client should
+ attempt to obtain a new certificate, in decimal form, if one can not be
+ read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
+ .TP
+-\fB-S\fR state
++\fB\-s\fR SERIAL, \fB\-\-hex\-serial\fB=\fISERIAL\fR
++The serial number of an already\-issued certificate for which the client should
++attempt to obtain a new certificate, in hexadecimal form, if one can not be
++read from the \fICERTMONGER_CERTIFICATE\fR environment variable.
++.TP
++\fB\-S\fR \fISTATE\fR, \fB\-\-state\fR=\fISTATE\fR
+ A cookie value provided by a previous instance of this helper, if the helper
+-is being asked to continue a multi-step enrollment process. If the
++is being asked to continue a multi\-step enrollment process. If the
+ \fICERTMONGER_COOKIE\fR environment variable is set, its value is used.
+ .TP
+-\fB-T\fR profile/template
++\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
+ The name of the type of certificate which the client should request from the CA
+-if it is not renewing a certificate (per the \fB-s\fR option above). If the
++if it is not renewing a certificate (per the \fB\-s\fR option above). If the
+ \fICERTMONGER_CA_PROFILE\fR environment variable is set, its value is used.
+ Otherwise, the default value is \fBcaServerCert\fP.
+ .TP
+-\fB-O\fR param=value
++\fB\-O\fR \fIparam=value\fR, \fB\-\-approval\-options\fR=\fIparam=value\fR
+ An additional parameter to pass to the server when approving the signing
+-request using agent credentials. By default, any server-supplied default
++request using agent credentials. By default, any server\-supplied default
+ settings are applied. This option can be used either to override a
+-server-supplied default setting, or to supply one which would otherwise have
+-not been used. Requires the \fB-A\fR option.
++server\-supplied default setting, or to supply one which would otherwise have
++not been used. Requires the \fB\-A\fR option.
+ .TP
+-\fB-N\fR
+-Even if an already-issued certificate is available in the
++\fB\-N\fR, \fB\-\-force\-new\fR
++Even if an already\-issued certificate is available in the
+ \fICERTMONGER_CERTIFICATE\fR environment variable, or a serial number has been
+ provided, don't attempt to renew a certificate using its serial number.
+ Instead, attempt to obtain a new certificate using the signing request.
+ The default behavior is to request a renewal if possible.
+ .TP
+-\fB-R\fR
+-Negates the effect of the \fB-N\fR flag.
++\fB\-R\fR, \fB\-\-force\-renew\fR
++Negates the effect of the \fB\-N\fR flag.
+ .TP
+-\fB-t\fR
++\fB\-t\fR, \fB\-\-profile\-list\fR
+ Instead of attempting to obtain a new certificate, query the server for a list
+ of the enabled enrollment profiles.
+ .TP
+-\fB-o\fR param=value
++\fB\-o\fR \fIparam=value\fR, \fB\-\-submit\-option\fR=\fIparam=value\fR
+ When initially submitting a request to the CA, add the specified parameter and
+ value along with any request parameters which would otherwise be sent. This
+ option is not typically used.
+ .TP
+-\fB-a\fR
++\fB\-a\fR, \fB\-\-agent\-submit\fR
+ Use agent credentials, specified using some combination of the \fB\-d\fR,
+ \fB\-n\fR, \fB\-c\fR, and \fB\-k\fR flags, to authenticate to the CA when
+ initially submitting a request to the CA or retrieving the list of enabled
+ enrollment profiles.
+ This is typically required when the enrollment profile being used uses
+-\fIAgentCertAuth\fR-based
++\fIAgentCertAuth\fR\-based
+ authentication,
+-and requires that the URL specified using the \fB-E\fR flag be an HTTPS URL,
+-or when the URL specified using the \fB-E\fR flag is an HTTPS URL.
++and requires that the URL specified using the \fB\-E\fR flag be an HTTPS URL,
++or when the URL specified using the \fB\-E\fR flag is an HTTPS URL.
+ .TP
+-\fB-u username\fR
++\fB\-u username\fR, \fB\-\-uid\fR=\fIusername\fR
+ When initially submitting a request to the CA, supply the specified value as a user name.
+ This is typically required when the enrollment profile being used uses
+-\fIUidPwdDirAuth\fR-based or \fINISAuth\fR-based
++\fIUidPwdDirAuth\fR\-based or \fINISAuth\fR\-based
+ authentication.
+ .TP
+-\fB-U userdn\fR
++\fB\-U\fR \fIuserdn\fR, \fB\-\-upn\fR=\fIuserdn\fR
+ When initially submitting a request to the CA, supply the specified value as the DN
+ (distinguished name) of the user's entry in a directory server which the CA is
+ configured to use for checking the user's password.
+ This is typically required when the enrollment profile being used uses
+-\fIUdnPwdDirAuth\fR-based
++\fIUdnPwdDirAuth\fR\-based
+ authentication.
+ .TP
+-\fB-W userpassword\fR
++\fB\-W\fR \fIPASSWORD\fR, \fB\-\-userpwd\fR=\fIPASSWORD\fR
+ When initially submitting a request to the CA, supply the specified value as the password
+-for the user whose name is specified with the \fB-u\fR option, or whose DN is
+-specified with the \fB-U\fR option.
++for the user whose name is specified with the \fB\-u\fR option, or whose DN is
++specified with the \fB\-U\fR option.
+ This is typically only required when the enrollment profile being used uses
+-\fIUidPwdDirAuth\fR-based, \fIUserPwdDirAuth\fR-based, or \fINISAuth\fR-based
++\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
+ authentication.
+-If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
++If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
+ will not be encrypted.
+ .TP
+-\fB-w userpasswordfile\fR
++\fB\-w\fR \fIFILE\fR, \fB\-\-userpwdfile\fR=\fIFILE\fR
+ When initially submitting a request to the CA, read from the specified file a
+-password to supply for the user whose name is specified with the \fB-u\fR
+-option, or whose DN is specified with the \fB-U\fR option.
++password to supply for the user whose name is specified with the \fB\-u\fR
++option, or whose DN is specified with the \fB\-U\fR option.
+ This is typically only required when the enrollment profile being used uses
+-\fIUidPwdDirAuth\fR-based, \fIUserPwdDirAuth\fR-based, or \fINISAuth\fR-based
++\fIUidPwdDirAuth\fR\-based, \fIUserPwdDirAuth\fR\-based, or \fINISAuth\fR\-based
+ authentication.
+-If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
++If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
+ will not be encrypted.
+ .TP
+-\fB-Y userpin\fR
++\fB\-Y\fR \fIPIN\fR, \fB\-\-userpin\fR=\fIPIN\fR
+ When initially submitting a request to the CA, supply the specified value as the PIN
+-for the user whose name is specified with the \fB-u\fR option, or whose DN is
+-specified with the \fB-U\fR option.
++for the user whose name is specified with the \fB\-u\fR option, or whose DN is
++specified with the \fB\-U\fR option.
+ This is typically only required when the enrollment profile being used uses
+-\fIUidPwdPinDirAuth\fR-based
++\fIUidPwdPinDirAuth\fR\-based
+ authentication.
+-If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
++If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
+ will not be encrypted.
+ .TP
+-\fB-y userpinfile\fR
++\fB\-y\fR \fIFILE\fR, \fB\-\-userpinfile\fR=\fIFILE\fR
+ When initially submitting a request to the CA, read from the specified file a
+-PIN to supply for the user whose name is specified with the \fB-u\fR
+-option, or whose DN is specified with the \fB-U\fR option.
++PIN to supply for the user whose name is specified with the \fB\-u\fR
++option, or whose DN is specified with the \fB\-U\fR option.
+ This is typically only required when the enrollment profile being used uses
+-\fIUidPwdPinDirAuth\fR-based
++\fIUidPwdPinDirAuth\fR\-based
+ authentication.
+-If the URL specified using the \fB-E\fR flag is not an HTTPS URL, this value
++If the URL specified using the \fB\-E\fR flag is not an HTTPS URL, this value
+ will not be encrypted.
+ .TP
+-\fB-v\fR
++\fB\-v\fR, \fB\-\-verbose\fR
+ Increases the logging level. Use twice for more logging. This option is mainly
+ useful for troubleshooting.
+-
++.SH AGENT KEY AND CERTIFICATE OPTIONS
++Options that provide the location for the private key and public certificate
++which the client should use to authenticate to the CA's agent interface.
++The values to use depend on which cryptography library your copy of libcurl
++was linked with.
++.TP
++\fB\-d\fR \fIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
++Use an NSS database in the specified directory for this certificate
++and key. Only valid with \-n.
++.TP
++\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
++Use the NSS key with this nickname. Only valid with \-d.
++.TP
++\fB\-c\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
++The PEM file that contains the public certificate. Only valid with \-k.
++.TP
++\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
++The PEM file that contains the private certificate. Only valid with \-c.
++.TP
++\fB\-p\fR \fIFILE\fR, \fB\-\-sslpinfile\fR=\fIFILE\fR
++The name of a file which contains a PIN/password which will be needed in
++order to make use of the agent credentials.
++.TP
++\fB\-P\fR \fIPIN\fR, \fB\-\-sslpin\fR=\fIPIN\fR
++The name of a file which contains a PIN/password which will be needed in
++order to make use of the agent credentials.
+ .SH EXIT STATUS
+ .TP
+ 0
+@@ -222,22 +240,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
+ .SH SEE ALSO
+ \fBcertmonger\fR(8)
+ \fBgetcert\fR(1)
+-\fBgetcert-add-ca\fR(1)
+-\fBgetcert-add-scep-ca\fR(1)
+-\fBgetcert-list-cas\fR(1)
+-\fBgetcert-list\fR(1)
+-\fBgetcert-modify-ca\fR(1)
+-\fBgetcert-refresh-ca\fR(1)
+-\fBgetcert-refresh\fR(1)
+-\fBgetcert-rekey\fR(1)
+-\fBgetcert-remove-ca\fR(1)
+-\fBgetcert-resubmit\fR(1)
+-\fBgetcert-start-tracking\fR(1)
+-\fBgetcert-status\fR(1)
+-\fBgetcert-stop-tracking\fR(1)
+-\fBcertmonger-certmaster-submit\fR(8)
+-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
+-\fBcertmonger-ipa-submit\fR(8)
+-\fBcertmonger-local-submit\fR(8)
+-\fBcertmonger-scep-submit\fR(8)
++\fBgetcert\-add\-ca\fR(1)
++\fBgetcert\-add\-scep\-ca\fR(1)
++\fBgetcert\-list\-cas\fR(1)
++\fBgetcert\-list\fR(1)
++\fBgetcert\-modify\-ca\fR(1)
++\fBgetcert\-refresh\-ca\fR(1)
++\fBgetcert\-refresh\fR(1)
++\fBgetcert\-rekey\fR(1)
++\fBgetcert\-remove\-ca\fR(1)
++\fBgetcert\-resubmit\fR(1)
++\fBgetcert\-start\-tracking\fR(1)
++\fBgetcert\-status\fR(1)
++\fBgetcert\-stop\-tracking\fR(1)
++\fBcertmonger\-certmaster\-submit\fR(8)
++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
++\fBcertmonger\-ipa\-submit\fR(8)
++\fBcertmonger\-local\-submit\fR(8)
++\fBcertmonger\-scep\-submit\fR(8)
+ \fBcertmonger_selinux\fR(8)
+diff --git a/src/certmonger-ipa-submit.8.in b/src/certmonger-ipa-submit.8.in
+index 7915142..0e1c90f 100644
+--- a/src/certmonger-ipa-submit.8.in
++++ b/src/certmonger-ipa-submit.8.in
+@@ -1,21 +1,23 @@
+-.TH certmonger 8 "16 April 2015" "certmonger Manual"
++.TH CERTMONGER 8 "April 16, 2015" "certmonger Manual"
+
+ .SH NAME
+-ipa-submit
++ipa\-submit
+
+ .SH SYNOPSIS
+-ipa-submit [-h serverHost] [-H serverURL] [-c cafile] [-C capath]
+-[[-K] | [-t keytab] [-k submitterPrincipal]] [-P principalOfRequest] [-T profile] [csrfile]
++ipa\-submit [\-h serverHost] [\-H serverURL] [\-d domain] [\-L ldapurl] [\-b basedn]
++[\-c cafile] [\-C capath] [[\-K] | [\-t keytab] [\-k submitterPrincipal]]
++[\-u UID] [\-W PASSWORD] [\-w FILE] [\-P principalOfRequest] [\-T profile]
++[\-X issuer] [csrfile]
+
+ .SH DESCRIPTION
+-\fIipa-submit\fR is the helper which \fIcertmonger\fR uses to make
+-requests to IPA-based CAs. It is not normally run interactively,
++\fIipa\-submit\fR is the helper which \fIcertmonger\fR uses to make
++requests to IPA\-based CAs. It is not normally run interactively,
+ but it can be for troubleshooting purposes. The signing request which is
+ to be submitted should either be in a file whose name is given as an argument,
+-or fed into \fIipa-submit\fR via stdin.
++or fed into \fIipa\-submit\fR via stdin.
+
+ \fBcertmonger\fR supports retrieving trusted certificates from IPA CAs. See
+-\fBgetcert-request\fR(1) and \fBgetcert-resubmit\fR(1) for information about
++\fBgetcert\-request\fR(1) and \fBgetcert\-resubmit\fR(1) for information about
+ specifying where those certificates should be stored on the local system.
+ Trusted certificates are retrieved from the \fBcaCertificate\fR attribute of
+ entries present at and below \fIcn=cacert,cn=ipa,cn=etc,\fR$BASE in the IPA
+@@ -24,27 +26,27 @@ LDAP server's directory tree, where $BASE defaults to the value of the
+
+ .SH OPTIONS
+ .TP
+-\fB\-P\fR csrPrincipal
++\fB\-P\fR \fIPRINCIPAL\fR, \fB\-\-principal\-of\-request\fR=\fIPRINCIPAL\fR
+ Identifies the principal name of the service for which the certificate is being
+ issued. This setting is required by IPA and must always be specified.
+ .TP
+-\fB\-X\fR issuer
++\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fB=\fINAME\fR
+ Requests that the certificate be processed by the specified certificate issuer.
+ By default, if this flag is not specified, and the \fBCERTMONGER_CA_ISSUER\fR
+ variable is set in the environment, then the value of the environment variable
+ will be used. This setting is optional, and if a server returns error 3005,
+ indicating that it does not understand multiple profiles, the request will be
+-re-submitted without specifying an issuer name.
++re\-submitted without specifying an issuer name.
+ .TP
+-\fB\-T\fR profile
++\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
+ Requests that the certificate be processed using the specified certificate profile.
+ By default, if this flag is not specified, and the \fBCERTMONGER_CA_PROFILE\fR
+ variable is set in the environment, then the value of the environment variable
+ will be used. This setting is optional, and if a server returns error 3005,
+ indicating that it does not understand multiple profiles, the request will be
+-re-submitted without specifying a profile.
++re\-submitted without specifying a profile.
+ .TP
+-\fB\-h\fR serverHost
++\fB\-h\fR \fIHOSTNAME\fR, \fB\-\-host\fR=\fIHOSTNAME\fR
+ Submit the request to the IPA server running on the named host. The default is
+ to read the location of the host from \fB/etc/ipa/default.conf\fR.
+ If no server is configured, or the configured server cannot be reached, the
+@@ -53,7 +55,7 @@ domain. If servers are found, they will be searched for entries pointing to
+ IPA masters running the "CA" service, and the client will attempt to contact
+ each of those in turn.
+ .TP
+-\fB\-H\fR serverURL
++\fB\-H\fR \fIURL\fR, \fB\-\-xmlrpc\-url\fR=\fIURL\fR
+ Submit the request to the IPA server at the specified location. The default is
+ to read the location of the host from \fB/etc/ipa/default.conf\fR.
+ If no server is configured, or the configured server cannot be reached, the
+@@ -62,49 +64,64 @@ domain. If servers are found, they will be searched for entries pointing to
+ IPA masters running the "CA" service, and the client will attempt to contact
+ each of those in turn.
+ .TP
+-\fB\-c\fR cafile
++\fB\-L\fR \fIURL\fR, \fB\-\-ldap\-url\fR=\fIURL\fR
++Provide the IPA LDAP service location rather than using DNS discovery.
++The default is to read the location of the host from
++\fB/etc/ipa/default.conf\fR and use DNS discovery to find the set of
++_ldap._tcp.DOMAIN values and pick one for use.
++.TP
++\fB\-d\fR \fIDOMAIN\fR, \fB\-\-domain\fR=\fIDOMAIN\fR
++Use this domain when doing DNS discovery to locate LDAP servers for the IPA
++installation. The default is to read the location of the host from
++\fB/etc/ipa/default.conf\fR.
++.TP
++\fB\-b\fR \fIBASEDN\fR, \fB\-\-basedn\fR=\fIBASEDN\fR
++Use this basedn to search for an IPA installation in LDAP. The default is to
++read the location of the host from \fB/etc/ipa/default.conf\fR.
++.TP
++\fB\-c\fR \fIFILE\fR, \fB\-\-cafile\fR=\fIFILE\fR
+ The server's certificate was issued by the CA whose certificate is in the named
+ file. The default value is \fI/etc/ipa/ca.crt\fR.
+ .TP
+-\fB\-C\fR capath
++\fB\-C\fR \fIPATH\fR, \fB\-\-capath\fR=\fIDIR\fR
+ Trust the server if its certificate was issued by a CA whose certificate is in
+ a file in the named directory. There is no default for this option, and it
+ is not expected to be necessary.
+ .TP
+-\fB\-t\fR keytab
++\fB\-t\fR \fIKEYTAB\fR, \fB\-\-keytab\fR=\fIKEYTAB\fR
+ Authenticate to the IPA server using Kerberos with credentials derived from
+ keys stored in the named keytab. The default value can vary, but it is usually
+ \fI/etc/krb5.keytab\fR.
+-This option conflicts with the \fB-K\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR
++This option conflicts with the \fB\-K\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR
+ options.
+ .TP
+-\fB\-k\fR authPrincipal
++\fB\-k\fR \fIPRINCIPAL\fR, \fB\-\-submitter\-principal\fR=\fIPRINCIPAL\fR
+ Authenticate to the IPA server using Kerberos with credentials derived from
+ keys stored in the named keytab for this principal name. The default value is
+ the \fBhost\fR service for the local host in the local realm.
+-This option conflicts with the \fB-K\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR
++This option conflicts with the \fB\-K\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR
+ options.
+ .TP
+-\fB\-K\fR
++\fB\-K\fR, \fB\-\-use\-ccache\-creds\fR
+ Authenticate to the IPA server using Kerberos with credentials derived from the
+ default credential cache rather than a keytab.
+-This option conflicts with the \fB-k\fR, \fB-u\fR, \fB-W\fR, and \fB-w\fR
++This option conflicts with the \fB\-k\fR, \fB\-u\fR, \fB\-W\fR, and \fB\-w\fR
+ options.
+ .TP
+-\fB\-u\fR uid
++\fB\-u\fR \fIUSERNAME\fR, \fB\-\-uid\fR=\fIUSERNAME\fR
+ Authenticate to the IPA server using a user name and password, using the
+ specified value as the user name.
+-This option conflicts with the \fB-k\fR, \fB-K\fR, and \fB-t\fR options.
++This option conflicts with the \fB\-k\fR, \fB\-K\fR, and \fB\-t\fR options.
+ .TP
+-\fB\-W\fR pwd
++\fB\-W\fR \fIPASSWORD\fR, \fB\-\-pwd\fR=\fIPASSWORD\fR
+ Authenticate to the IPA server using a user name and password, using the
+ specified value as the password.
+-This option conflicts with the \fB-k\fR, \fB-K\fR, \fB-t\fR, and \fB-w\fR options.
++This option conflicts with the \fB\-k\fR, \fB\-K\fR, \fB\-t\fR, and \fB\-w\fR options.
+ .TP
+-\fB\-w\fR pwdfile
++\fB\-w\fR \fIFILE\fR, \fB\-\-pwdfile\fR=\fIFILE\fR
+ Authenticate to the IPA server using a user name and password, reading the
+ password from the specified file.
+-This option conflicts with the \fB-k\fR, \fB-K\fR, \fB-t\fR, and \fB-W\fR options.
++This option conflicts with the \fB\-k\fR, \fB\-K\fR, \fB\-t\fR, and \fB\-W\fR options.
+
+ .SH EXIT STATUS
+ .TP
+@@ -131,7 +148,7 @@ pair.
+ .TP
+ .I /etc/ipa/default.conf
+ is the IPA client configuration file. This file is consulted to determine
+-the URL for the IPA server's XML-RPC interface.
++the URL for the IPA server's XML\-RPC interface.
+
+ .SH BUGS
+ Please file tickets for any that you find at https://fedorahosted.org/certmonger/
+@@ -139,23 +156,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
+ .SH SEE ALSO
+ \fBcertmonger\fR(8)
+ \fBgetcert\fR(1)
+-\fBgetcert-add-ca\fR(1)
+-\fBgetcert-add-scep-ca\fR(1)
+-\fBgetcert-list-cas\fR(1)
+-\fBgetcert-list\fR(1)
+-\fBgetcert-modify-ca\fR(1)
+-\fBgetcert-refresh-ca\fR(1)
+-\fBgetcert-refresh\fR(1)
+-\fBgetcert-rekey\fR(1)
+-\fBgetcert-remove-ca\fR(1)
+-\fBgetcert-request\fR(1)
+-\fBgetcert-resubmit\fR(1)
+-\fBgetcert-start-tracking\fR(1)
+-\fBgetcert-status\fR(1)
+-\fBgetcert-stop-tracking\fR(1)
+-\fBcertmonger-certmaster-submit\fR(8)
+-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
+-\fBcertmonger-dogtag-submit\fR(8)
+-\fBcertmonger-local-submit\fR(8)
+-\fBcertmonger-scep-submit\fR(8)
++\fBgetcert\-add\-ca\fR(1)
++\fBgetcert\-add\-scep\-ca\fR(1)
++\fBgetcert\-list\-cas\fR(1)
++\fBgetcert\-list\fR(1)
++\fBgetcert\-modify\-ca\fR(1)
++\fBgetcert\-refresh\-ca\fR(1)
++\fBgetcert\-refresh\fR(1)
++\fBgetcert\-rekey\fR(1)
++\fBgetcert\-remove\-ca\fR(1)
++\fBgetcert\-request\fR(1)
++\fBgetcert\-resubmit\fR(1)
++\fBgetcert\-start\-tracking\fR(1)
++\fBgetcert\-status\fR(1)
++\fBgetcert\-stop\-tracking\fR(1)
++\fBcertmonger\-certmaster\-submit\fR(8)
++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
++\fBcertmonger\-dogtag\-submit\fR(8)
++\fBcertmonger\-local\-submit\fR(8)
++\fBcertmonger\-scep\-submit\fR(8)
+ \fBcertmonger_selinux\fR(8)
+diff --git a/src/certmonger-local-submit.8.in b/src/certmonger-local-submit.8.in
+index 59ed245..b68ffc3 100644
+--- a/src/certmonger-local-submit.8.in
++++ b/src/certmonger-local-submit.8.in
+@@ -1,35 +1,35 @@
+-.TH certmonger 8 "7 June 2014" "certmonger Manual"
++.TH CERTMONGER 8 "June 7, 2014" "certmonger Manual"
+
+ .SH NAME
+-local-submit
++local\-submit
+
+ .SH SYNOPSIS
+-local-submit [-d state-directory] [-v] [csrfile]
++local\-submit [\-d state\-directory] [\-v] [csrfile]
+
+ .SH DESCRIPTION +-\fIlocal-submit\fR is the helper which \fIcertmonger\fR uses to implement ++\fIlocal\-submit\fR is the helper which \fIcertmonger\fR uses to implement + its local signer. It is not normally run interactively, but it can be for + troubleshooting purposes. The signing request which is to be submitted + should either be in a file whose name is given as an argument, or fed into +-\fIlocal-submit\fR via stdin. ++\fIlocal\-submit\fR via stdin. + +-The local signer is currently hard-coded to generate and use a +-@CM_DEFAULT_PUBKEY_SIZE@-bit RSA key and a name and initial serial number based ++The local signer is currently hard\-coded to generate and use a ++@CM_DEFAULT_PUBKEY_SIZE@\-bit RSA key and a name and initial serial number based + on a UUID, replacing that key and certificate at roughly the midpoint of their + useful lifetime. + +-\fBcertmonger\fR supports retrieving the list of current and previously-used +-local CA certificates. See \fBgetcert-request\fR(1) and +-\fBgetcert-resubmit\fR(1) for information about specifying where those ++\fBcertmonger\fR supports retrieving the list of current and previously\-used ++local CA certificates. See \fBgetcert\-request\fR(1) and ++\fBgetcert\-resubmit\fR(1) for information about specifying where those + certificates should be stored. + + .SH OPTIONS + .TP +-\fB\-d\fR state-directory ++\fB\-d\fR \fIDIR\fR, \fB\-\-ca\-data\-directory\fR=\fIDIR\fR + Identifies the directory which contains the local signer's private key, + certificates, and other data used by the local signer. + .TP +-\fB\-v\fR ++\fB\-v\fR, \fB\-\-verbose\fR + Increases the verbosity of the tool's diagnostic logging. + + .SH EXIT STATUS +@@ -47,7 +47,7 @@ if critical configuration information is missing. An error message may be print + .TP + .I creds + is currently a PKCS#12 bundle containing the local signer's current signing key +-and current and previously-used signer certificates. 
It should not be modified ++and current and previously\-used signer certificates. It should not be modified + except by the local signer. A new key is currently generated when ever a new + signer certificate is needed. + .TP +@@ -61,22 +61,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger + .SH SEE ALSO + \fBcertmonger\fR(8) + \fBgetcert\fR(1) +-\fBgetcert-add-ca\fR(1) +-\fBgetcert-add-scep-ca\fR(1) +-\fBgetcert-list-cas\fR(1) +-\fBgetcert-list\fR(1) +-\fBgetcert-modify-ca\fR(1) +-\fBgetcert-refresh-ca\fR(1) +-\fBgetcert-refresh\fR(1) +-\fBgetcert-rekey\fR(1) +-\fBgetcert-remove-ca\fR(1) +-\fBgetcert-resubmit\fR(1) +-\fBgetcert-start-tracking\fR(1) +-\fBgetcert-status\fR(1) +-\fBgetcert-stop-tracking\fR(1) +-\fBcertmonger-certmaster-submit\fR(8) +-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) +-\fBcertmonger-dogtag-submit\fR(8) +-\fBcertmonger-ipa-submit\fR(8) +-\fBcertmonger-scep-submit\fR(8) ++\fBgetcert\-add\-ca\fR(1) ++\fBgetcert\-add\-scep\-ca\fR(1) ++\fBgetcert\-list\-cas\fR(1) ++\fBgetcert\-list\fR(1) ++\fBgetcert\-modify\-ca\fR(1) ++\fBgetcert\-refresh\-ca\fR(1) ++\fBgetcert\-refresh\fR(1) ++\fBgetcert\-rekey\fR(1) ++\fBgetcert\-remove\-ca\fR(1) ++\fBgetcert\-resubmit\fR(1) ++\fBgetcert\-start\-tracking\fR(1) ++\fBgetcert\-status\fR(1) ++\fBgetcert\-stop\-tracking\fR(1) ++\fBcertmonger\-certmaster\-submit\fR(8) ++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) ++\fBcertmonger\-dogtag\-submit\fR(8) ++\fBcertmonger\-ipa\-submit\fR(8) ++\fBcertmonger\-scep\-submit\fR(8) + \fBcertmonger_selinux\fR(8) +diff --git a/src/certmonger-scep-submit.8.in b/src/certmonger-scep-submit.8.in +index 42ffcd6..5b8b917 100644 +--- a/src/certmonger-scep-submit.8.in ++++ b/src/certmonger-scep-submit.8.in +@@ -1,98 +1,98 @@ +-.TH certmonger 8 "20 June 2015" "certmonger Manual" ++.TH CERTMONGER 8 "June 20, 2015" "certmonger Manual" + + .SH NAME +-scep-submit ++scep\-submit + + .SH SYNOPSIS +-scep-submit -u SERVER-URL +-[-r 
ra-cert-file] +-[-R ca-cert-file] +-[-I other-certs-file] +-[-N ca-cert-file] +-[-i ca-identifier] +-[-v] +-[-n] +-[-c|-C|-g|-p] +-[pkimessage-filename] ++scep\-submit \-u SERVER\-URL ++[\-r ra\-cert\-file] ++[\-R ca\-cert\-file] ++[\-I other\-certs\-file] ++[\-N ca\-cert\-file] ++[\-i ca\-identifier] ++[\-v] ++[\-n] ++[\-c|\-C|\-g|\-p] ++[pkimessage\-filename] + + .SH DESCRIPTION +-\fIscep-submit\fR is the helper which \fIcertmonger\fR can use to ++\fIscep\-submit\fR is the helper which \fIcertmonger\fR can use to + transmit certificate enrollment and renewal requests to servers using + SCEP. It is not normally run interactively, but it can be for + troubleshooting purposes. + +-The request which is to be submitted should be a PEM-encoded SCEP ++The request which is to be submitted should be a PEM\-encoded SCEP + pkiMessage either in a file whose name is given as an argument, or fed +-into \fIscep-submit\fR via stdin. ++into \fIscep\-submit\fR via stdin. + + .SH MODES + .TP +-\fB\-c\fR ++\fB\-c\fR, \fR\-\-retrieve\-ca\-capabilities\fR + \fIscep-submit\fR will issue a \fIGetCACaps\fR request to the server and + print the results. + .TP +-\fB\-C\fR +-\fIscep-submit\fR will issue \fIGetCACert\fR and \fIGetCAChain\fR +-requests to the server, parse the responses, and then print, in order, ++\fB\-C\fR, \fR\-\-retrieve\-ca\-certificates\fR ++\fIscep-submit\fR will issue a \fIGetCACert\fR ++request to the server, parse the response, and then print, in order, + the RA certificate, the CA certificate, and any additional certificates. + .TP +-\fB\-p\fR +-\fIscep-submit\fR will issue a \fIPKIOperation\fR request to the server +-using the passed-in message as the message content. It will parse the ++\fB\-p\fR, \fB\-\-pki\-message\fR ++\fIscep\-submit\fR will issue a \fIPKIOperation\fR request to the server ++using the passed\-in message as the message content. 
It will parse the + server's response, verify the signature, and if the response includes an + issued certificate, it will output the \fIpkcsPKIEnvelope\fR in PEM + format. If the response indicates an error, it will print the error. + .TP +-\fB\-g\fR +-\fIscep-submit\fR will issue a \fIPKIOperation\fR request to the server +-using the passed-in message as the message content. It will parse the ++\fB\-g\fR, \fB\-\-get\-initial\-cert\fR ++\fIscep\-submit\fR will issue a \fIPKIOperation\fR request to the server ++using the passed\-in message as the message content. It will parse the + server's response, verify the signature, and if the response includes an + issued certificate, it will output the \fIpkcsPKIEnvelope\fR in PEM + format. If the response indicates an error, it will print the error. + .SH OPTIONS + .TP +-\fB\-u\fR SERVER-URL ++\fB\-u\fR \fIURL\fR, \fB\-\-url\fR=\fIURL\fR + The location of the SCEP interface provided by the CA. This is +-typically \fIhttp://\fBSERVER\fP/cgi-bin/PKICLIENT.EXE\fR or ++typically \fIhttp://\fBSERVER\fP/cgi\-bin/PKICLIENT.EXE\fR or + \fIhttp://\fBSERVER\fP/certsrv/mscep/mscep.dll\fR. This option is + always required. + .TP +-\fB\-R\fR CA-certificate-file ++\fB\-R\fR \fIFILE\fR, \fB\-\-cacert\fR=\fIFILE\fR + The location of the CA certificate which was used to issue the SCEP web + server's certificate in PEM form. If the URL specified with the +-\fB-u\fR option is an \fIhttps\fR URL, then this option is required. ++\fB\-u\fR option is an \fIhttps\fR URL, then this option is required. + .TP +-\fB\-N\fR ca-certificate-file +-The location of a PEM-formatted copy of the SCEP server's CA certificate. ++\fB\-N\fR \fIFILE\fR, \fB\-\-signingca\fR=\fIFILE\fR ++The location of a PEM\-formatted copy of the SCEP server's CA certificate. + A discovered value is normally supplied by the certmonger daemon, but one can + be specified for troubleshooting purposes. 
+ .TP +-\fB\-r\fR RA-certificate-file ++\fB\-r\fR \fIFILE\fR, \fB\-\-racert\fR=\fIFILE\fR + The location of the SCEP server's RA certificate, which is expected to + be used for signing responses sent by the SCEP server back to the +-client. This option is required when either the \fB-g\fR flag or the +-\fB-p\fR flag is specified. ++client. This option is required when either the \fB\-g\fR flag or the ++\fB\-p\fR flag is specified. + .TP +-\fB\-I\fR other-certificates-file +-The location of a file containing other PEM-formatted certificates which ++\fB\-I\fR \fIFILE\fR, \fB\-\-other\-certs\fR=\fIFILE\fR ++The location of a file containing other PEM\-formatted certificates which + may be needed in order to properly verify signed responses sent by the + SCEP server back to the client. This option may be necessary when +-either the \fB-g\fR flag or the \fB-p\fR flag is specified. ++either the \fB\-g\fR flag or the \fB\-p\fR flag is specified. + .TP +-\fB\-i\fR ca-identifier +-When called with the \fB-c\fR or \fB-C\fR flag, this option can be used to ++\fB\-i\fR \fINAME\fR, \fB\-\-ca\-identifier\fR=\fINAME\fR ++When called with the \fB\-c\fR or \fB\-C\fR flag, this option can be used to + specify the CA identifier which is passed to the server as part of the client's + request. The default is "0". + .TP +-\fB\-n\fR +-The SCEP Renewal feature allows a client with a previously-issued certificate ++\fB\-n\fR, \fB\-\-non\-renewal\fR ++The SCEP Renewal feature allows a client with a previously\-issued certificate + to use that certificate and the associated private key to request a new + certificate for a different key pair, and can be used to support + \fIcertmonger\fR's rekeying feature if the SCEP server advertises support for +-it. This option forces the \fIscep-submit\fR helper to prefer to issue ++it. This option forces the \fIscep\-submit\fR helper to prefer to issue + requests which do not make use of this feature. 
+ .TP +-\fB-v\fR ++\fB-v\fR, \fB\-\-verbose\fR + Increases the logging level. Use twice for more logging. This option + is mainly useful for troubleshooting. + +@@ -100,7 +100,7 @@ is mainly useful for troubleshooting. + .TP + 0 + if the certificate was issued. The pkcsPKIEnvelope will be printed in +-PEM-encoded form. ++PEM\-encoded form. + .TP + 1 + if the CA is still thinking. A cookie (state) value will be printed. +@@ -131,22 +131,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger + .SH SEE ALSO + \fBcertmonger\fR(8) + \fBgetcert\fR(1) +-\fBgetcert-add-ca\fR(1) +-\fBgetcert-add-scep-ca\fR(1) +-\fBgetcert-list-cas\fR(1) +-\fBgetcert-list\fR(1) +-\fBgetcert-modify-ca\fR(1) +-\fBgetcert-refresh-ca\fR(1) +-\fBgetcert-refresh\fR(1) +-\fBgetcert-rekey\fR(1) +-\fBgetcert-remove-ca\fR(1) +-\fBgetcert-resubmit\fR(1) +-\fBgetcert-start-tracking\fR(1) +-\fBgetcert-status\fR(1) +-\fBgetcert-stop-tracking\fR(1) +-\fBcertmonger-certmaster-submit\fR(8) +-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) +-\fBcertmonger-dogtag-submit\fR(8) +-\fBcertmonger-ipa-submit\fR(8) +-\fBcertmonger-local-submit\fR(8) ++\fBgetcert\-add\-ca\fR(1) ++\fBgetcert\-add\-scep\-ca\fR(1) ++\fBgetcert\-list\-cas\fR(1) ++\fBgetcert\-list\fR(1) ++\fBgetcert\-modify\-ca\fR(1) ++\fBgetcert\-refresh\-ca\fR(1) ++\fBgetcert\-refresh\fR(1) ++\fBgetcert\-rekey\fR(1) ++\fBgetcert\-remove\-ca\fR(1) ++\fBgetcert\-resubmit\fR(1) ++\fBgetcert\-start\-tracking\fR(1) ++\fBgetcert\-status\fR(1) ++\fBgetcert\-stop\-tracking\fR(1) ++\fBcertmonger\-certmaster\-submit\fR(8) ++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) ++\fBcertmonger\-dogtag\-submit\fR(8) ++\fBcertmonger\-ipa\-submit\fR(8) ++\fBcertmonger\-local\-submit\fR(8) + \fBcertmonger_selinux\fR(8) +diff --git a/src/certmonger.8.in b/src/certmonger.8.in +index 8c00d5a..a726e3b 100644 +--- a/src/certmonger.8.in ++++ b/src/certmonger.8.in +@@ -1,14 +1,14 @@ +-.TH certmonger 8 "14 June 2015" "certmonger Manual" ++.TH 
CERTMONGER 8 "June 14, 2015" "certmonger Manual" + + .SH NAME + certmonger + + .SH SYNOPSIS +-certmonger [-s|-S] [-L|-l] [-P SOCKET] [-b TIMEOUT|-B] [-n|-f] [-d LEVEL] [-p FILE] [-F] [-c cmd] [-v] ++certmonger [\-s|\-S] [\-L|\-l] [\-P PATH] [\-b TIMEOUT|\-B] [\-n|\-f] [\-d LEVEL] [\-p FILE] [\-F] [\-c command] [\-v] + + .SH DESCRIPTION + The \fIcertmonger\fR daemon monitors certificates for impending +-expiration, and can optionally refresh soon-to-be-expired certificates ++expiration, and can optionally refresh soon\-to\-be\-expired certificates + with the help of a CA. If told to, it can drive the entire enrollment + process from key generation through enrollment and refresh. + +@@ -17,58 +17,58 @@ service, with which client tools such as \fBgetcert\fR(1) interact. + + .SH OPTIONS + .TP +--s ++\fB\-s\fR, \fB\-\-session\fR + Listen on the session bus rather than the system bus. + .TP +--S ++\fB\-S\fR, \fB\-\-system\fR + Listen on the system bus rather than the session bus. This is the default. + .TP +--l ++\fB\-l\fR, \fB\-\-listening\-socket\fR + Also listen on a private socket for connections from clients running under the + same UID. + .TP +--L ++\fB\-L\fR, \fB\-\-only\-listening\-socket\fR + Listen only on a private socket for connections from clients running under the + same UID, and skip connecting to a bus. + .TP +--P ++\fB\-P\fR \fIPATH\fR, \fB\-\-listening\-socket\-path\fR=\fIPATH\fR + Specify a location for the private listening socket. If the location beings + with a '/' character, it will be prefixed with 'unix:path=', otherwise it will + be prefixed with 'unix:'. If this option is not specified, the listening + socket, if one is created, will be placed in the abstract namespace. 
+ .TP +--b TIMEOUT +-Behave as a bus-activated service: if there are no certificates to be monitored ++\fB\-b \fITIMEOUT\fR, \fR\-\-bus\-activation\-timeout\fB=\fITIMEOUT\fR ++Behave as a bus\-activated service: if there are no certificates to be monitored + or obtained, and no requests are received within TIMEOUT seconds, exit. Not +-compatible with the -c option. ++compatible with the \-c option. + .TP +--B +-Don't behave as a bus-activated service. This is the default. ++\fB\-B\fR, \fB\-\-no\-bus\-activation\-timeout\fR ++Don't behave as a bus\-activated service. This is the default. + .TP +--n ++\fB\-n\fR, \fB\-\-nofork\fR + Don't fork, and log messages to stderr rather than syslog. + .TP +--f ++\fB\-f\fR, \fB\-\-fork\fR + Do fork, and log messages to syslog rather than stderr. This is the default. + .TP +--d LEVEL +-Set debugging level. Higher values produce more debugging output. Implies -n. ++\fB\-d\fR \fILEVEL\fR, \fB\-\-debug\-level\fR=\fILEVEL\fR ++Set debugging level. Higher values produce more debugging output. Implies \-n. + .TP +--p FILE ++\fB\-p\fR \fIFILE\fR, \fBpidfile\fR=\fIFILE\fR + Store the daemon's process ID in the named file. + .TP +--F ++\fB\-F\fR, \fB\-\-fips\fR + Force NSS to be initialized in FIPS mode. The default behavior is to heed + the setting stored in \fI/proc/sys/crypto/fips_enabled\fR. + .TP +--c cmd ++\fB\-c\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR + After the service has initialized, run the specified command, then shut down +-the service after the command exits. If the -l or -L option was also ++the service after the command exits. If the \-l or \-L option was also + specified, the command will be run with the \fI@CERTMONGER_PVT_ADDRESS_ENV@\fR + environment variable set to the listening socket's location. Not compatible +-with the -b option. ++with the \-b option. + .TP +--v ++\fB\-v\fR, \fB\-\-version\fR + Print version information and exit. 
+ + .SH FILES +@@ -89,24 +89,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger + + .SH SEE ALSO + \fBgetcert\fR(1) +-\fBgetcert-add-ca\fR(1) +-\fBgetcert-add-scep-ca\fR(1) +-\fBgetcert-list-cas\fR(1) +-\fBgetcert-list\fR(1) +-\fBgetcert-modify-ca\fR(1) +-\fBgetcert-refresh-ca\fR(1) +-\fBgetcert-refresh\fR(1) +-\fBgetcert-rekey\fR(1) +-\fBgetcert-remove-ca\fR(1) +-\fBgetcert-request\fR(1) +-\fBgetcert-resubmit\fR(1) +-\fBgetcert-start-tracking\fR(1) +-\fBgetcert-status\fR(1) +-\fBgetcert-stop-tracking\fR(1) +-\fBcertmonger-certmaster-submit\fR(8) +-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) +-\fBcertmonger-dogtag-submit\fR(8) +-\fBcertmonger-ipa-submit\fR(8) +-\fBcertmonger-local-submit\fR(8) +-\fBcertmonger-scep-submit\fR(8) ++\fBgetcert\-add\-ca\fR(1) ++\fBgetcert\-add\-scep\-ca\fR(1) ++\fBgetcert\-list\-cas\fR(1) ++\fBgetcert\-list\fR(1) ++\fBgetcert\-modify\-ca\fR(1) ++\fBgetcert\-refresh\-ca\fR(1) ++\fBgetcert\-refresh\fR(1) ++\fBgetcert\-rekey\fR(1) ++\fBgetcert\-remove\-ca\fR(1) ++\fBgetcert\-request\fR(1) ++\fBgetcert\-resubmit\fR(1) ++\fBgetcert\-start\-tracking\fR(1) ++\fBgetcert\-status\fR(1) ++\fBgetcert\-stop\-tracking\fR(1) ++\fBcertmonger\-certmaster\-submit\fR(8) ++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) ++\fBcertmonger\-dogtag\-submit\fR(8) ++\fBcertmonger\-ipa\-submit\fR(8) ++\fBcertmonger\-local\-submit\fR(8) ++\fBcertmonger\-scep\-submit\fR(8) + \fBcertmonger_selinux\fR(8) +diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in +index 241f48b..80de748 100644 +--- a/src/certmonger.conf.5.in ++++ b/src/certmonger.conf.5.in +@@ -1,18 +1,18 @@ +-.TH certmonger.conf 5 "12 May 2015" "certmonger Manual" ++.TH CERTMONGER 5 "May 12, 2015" "certmonger Manual" + + .SH NAME +-certmonger.conf - configuration file for certmonger ++certmonger.conf \- configuration file for certmonger + + .SH DESCRIPTION + The \fIcertmonger.conf\fR file contains default settings used by certmonger. 
+-Its format is more or less that of a typical INI-style file. The only sections ++Its format is more or less that of a typical INI\-style file. The only sections + currently of note are named \fIdefaults\fR and \fIselfsign\fR. + + .SH DEFAULTS + Within the \fIdefaults\fR section, these variables and values are recognized: + + .IP notify_ttls +-This is the list of times, given in seconds, before a certificate's not-after ++This is the list of times, given in seconds, before a certificate's not\-after + validity date + (often referred to as its expiration time) when \fIcertmonger\fR should warn + that the certificate will soon no longer be valid. +@@ -20,7 +20,7 @@ If this value is not specified, \fIcertmonger\fR will attempt to use the value + of the \fIttls\fR setting. The default list of values is "@CM_DEFAULT_TTL_LIST@". + + .IP enroll_ttls +-This is the list of times, given in seconds, before a certificate's not-after ++This is the list of times, given in seconds, before a certificate's not\-after + validity date + (often referred to as its expiration time) when \fIcertmonger\fR should attempt + to automatically renew the certificate, if it is configured to do so. +@@ -43,7 +43,7 @@ an email address, or it can be a command to run. The default value is + + .IP key_type + This is the type of key pair which will be generated, used in certificate +-signing requests, and used when self-signing certificates. ++signing requests, and used when self\-signing certificates. + @NO_MAN_DSA@\fIRSA\fR is supported. + @MAN_DSA@\fIRSA\fR and \fIDSA\fR are supported. + @MAN_EC@\fIEC\fR (also known as \fIECDSA\fR) is also supported. +@@ -58,7 +58,7 @@ software. + + .IP digest + This is the digest algorithm which will be used when signing certificate +-signing requests and self-signed certificates. Recognized values include ++signing requests and self\-signed certificates. Recognized values include + \fIsha1\fP, \fIsha256\fP, \fIsha384\fP, and \fIsha512\fP. 
The default is + \fIsha256\fP. It is not recommended that this value be changed except in cases + where the default is incompatible with other software. +@@ -95,14 +95,14 @@ There is effectively no default for this setting. + Within the \fIselfsign\fR section, these variables and values are recognized: + + .IP validity_period +-This is the validity period given to self-signed certificates. ++This is the validity period given to self\-signed certificates. + The value is specified as a combination of years (y), months (M), weeks (w), + days (d), hours (h), minutes (m), and/or seconds (s). If no unit of time is + specified, seconds are assumed. + The default value is \fI@CM_DEFAULT_CERT_LIFETIME@\fR. + + .IP populate_unique_id +-This controls whether or not self-signed certificates will have their ++This controls whether or not self\-signed certificates will have their + subjectUniqueID and issuerUniqueID fields populated. While RFC5280 prohibits + their use, they may be needed and/or used by older applications. The default + value is \fI@CM_DEFAULT_POPULATE_UNIQUE_ID@\fR. +@@ -111,7 +111,7 @@ value is \fI@CM_DEFAULT_POPULATE_UNIQUE_ID@\fR. + Within the \fIlocal\fR section, these variables and values are recognized: + + .IP validity_period +-This is the validity period given to the locally-signed CA's certificate when it ++This is the validity period given to the locally\-signed CA's certificate when it + is generated. + The value is specified as a combination of years (y), months (M), weeks (w), + days (d), hours (h), minutes (m), and/or seconds (s). 
If no unit of time is +diff --git a/src/getcert-add-ca.1.in b/src/getcert-add-ca.1.in +index 31b3b93..54f55f5 100644 +--- a/src/getcert-add-ca.1.in ++++ b/src/getcert-add-ca.1.in +@@ -1,10 +1,10 @@ +-.TH certmonger 1 "24 February 2015" "certmonger Manual" ++.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual" + + .SH NAME + getcert + + .SH SYNOPSIS +-getcert add-ca [options] ++getcert add\-ca [options] + + .SH DESCRIPTION + Adds a CA configuration to \fIcertmonger\fR, which can subsequently be +@@ -12,17 +12,17 @@ used to enroll certificates. + + .SH OPTIONS + .TP +-\fB\-c\fR NAME ++\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR + The nickname to give to this CA configuration. This same value can later be + passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and +-\fIstart-tracking\fR commands using the \fB-c\fR flag. ++\fIstart\-tracking\fR commands using the \fB\-c\fR flag. + .TP +-\fB\-e\fR COMMAND ++\fB\-e\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR + The helper command to run for communicating with the CA. The helper will be + used to pass signing requests to the CA, relay the CA's responses back to the + \fIcertmonger\fR service, and to read information about the CA. + .TP +-\fB\-v\fR ++\fB\-v\fR, \fB\-\-verbose\fR + Be verbose about errors. Normally, the details of an error received from + the daemon will be suppressed if the client can make a diagnostic suggestion. 
+ +@@ -32,22 +32,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger + .SH SEE ALSO + \fBcertmonger\fR(8) + \fBgetcert\fR(1) +-\fBgetcert-add-scep-ca\fR(1) +-\fBgetcert-list-cas\fR(1) +-\fBgetcert-list\fR(1) +-\fBgetcert-modify-ca\fR(1) +-\fBgetcert-refresh-ca\fR(1) +-\fBgetcert-refresh\fR(1) +-\fBgetcert-rekey\fR(1) +-\fBgetcert-remove-ca\fR(1) +-\fBgetcert-request\fR(1) +-\fBgetcert-resubmit\fR(1) +-\fBgetcert-status\fR(1) +-\fBgetcert-stop-tracking\fR(1) +-\fBcertmonger-certmaster-submit\fR(8) +-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) +-\fBcertmonger-dogtag-submit\fR(8) +-\fBcertmonger-ipa-submit\fR(8) +-\fBcertmonger-local-submit\fR(8) +-\fBcertmonger-scep-submit\fR(8) ++\fBgetcert\-add\-scep\-ca\fR(1) ++\fBgetcert\-list\-cas\fR(1) ++\fBgetcert\-list\fR(1) ++\fBgetcert\-modify\-ca\fR(1) ++\fBgetcert\-refresh\-ca\fR(1) ++\fBgetcert\-refresh\fR(1) ++\fBgetcert\-rekey\fR(1) ++\fBgetcert\-remove\-ca\fR(1) ++\fBgetcert\-request\fR(1) ++\fBgetcert\-resubmit\fR(1) ++\fBgetcert\-status\fR(1) ++\fBgetcert\-stop\-tracking\fR(1) ++\fBcertmonger\-certmaster\-submit\fR(8) ++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) ++\fBcertmonger\-dogtag\-submit\fR(8) ++\fBcertmonger\-ipa\-submit\fR(8) ++\fBcertmonger\-local\-submit\fR(8) ++\fBcertmonger\-scep\-submit\fR(8) + \fBcertmonger_selinux\fR(8) +diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in +index bf07306..c2751ed 100644 +--- a/src/getcert-add-scep-ca.1.in ++++ b/src/getcert-add-scep-ca.1.in +@@ -1,64 +1,64 @@ +-.TH certmonger 1 "24 February 2015" "certmonger Manual" ++.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual" + + .SH NAME + getcert + + .SH SYNOPSIS +-getcert add-scep-ca [options] ++getcert add\-scep\-ca [options] + + .SH DESCRIPTION + Adds a CA configuration to \fIcertmonger\fR, which can subsequently be used to +-enroll certificates. The configuration will use the bundled \fIscep-submit\fR +-helper. 
The \fIadd-scep-ca\fR command is more or less a wrapper for the +-\fIadd-ca\fR command. ++enroll certificates. The configuration will use the bundled \fIscep\-submit\fR ++helper. The \fIadd\-scep\-ca\fR command is more or less a wrapper for the ++\fIadd\-ca\fR command. + + .SH OPTIONS + .TP +-\fB\-c\fR NAME ++\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR + The nickname to give to this CA configuration. This same value can later be + passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and +-\fIstart-tracking\fR commands using the \fB-c\fR flag. ++\fIstart\-tracking\fR commands using the \fB\-c\fR flag. + .TP +-\fB\-u\fR URL ++\fB\-u\fR \fIURL\fR, \fB\-\-url\fR=\fIURL\fR + The location of the SCEP server's enrollment interface. This option must be + specified. + .TP +-\fB\-R\fR ca-certificate-file +-The location of a PEM-formatted copy of the CA's certificate used to verify ++\fB\-R\fR \fIFILE\fR, \fB\-\-ca\-cacert\fR=\fIFILE\fR ++The location of a PEM\-formatted copy of the CA's certificate used to verify + the TLS connection the SCEP server. + + This option must be specified if the URL is an \fIhttps\fR location. + .TP +-\fB\-N\fR ca-certificate-file +-The location of a PEM-formatted copy of the SCEP server's CA certificate. ++\fB\-N\fR \fIFILE\fR, \fB\-\-signingca\fR=\fIFILE\fR ++The location of a PEM\-formatted copy of the SCEP server's CA certificate. + A discovered value is normally supplied by the certmonger daemon, but one can + be specified for troubleshooting purposes. + .TP +-\fB\-r\fR ra-certificate-file +-The location of a PEM-formatted copy of the SCEP server's RA's certificate. ++\fB\-r\fR \fIFILE\fR, \fB\-\-ra\-cert\fR=\fIFILE\fR ++The location of a PEM\-formatted copy of the SCEP server's RA's certificate. + A discovered value is normally supplied by the certmonger daemon, but one can + be specified for troubleshooting purposes. 
+ .TP +-\fB\-I\fR other-certificates-file +-The location of a file containing other PEM-formatted certificates which may be ++\fB\-I\fR \fIFILE\fR, \fB\-\-other\-certs\fR=\fIFILE\fR ++The location of a file containing other PEM\-formatted certificates which may be + needed in order to properly verify signed responses sent by the SCEP server + back to the client. A discovered set is normally supplied by the certmonger + daemon, but can be specified for troubleshooting purposes. + .TP +-\fB\-i\fR identifier ++\fB\-i\fR \fIID\fR, \fB\-\-id\fR=\fIID\fR + A CA identifier value which will passed to the server when the +-\fIscep-submit\fR helper is used to retrieve copies of the server's ++\fIscep\-submit\fR helper is used to retrieve copies of the server's + certificates. + .TP +-\fB\-n\fR +-The SCEP Renewal feature allows a client with a previously-issued certificate ++\fB\-n\fR, \fB\-\-non\-renewal\fR ++The SCEP Renewal feature allows a client with a previously\-issued certificate + to use that certificate and the associated private key to request a new + certificate for a different key pair, and can be used to support + \fIcertmonger\fR's rekeying feature if the SCEP server advertises support for +-it. This option forces the \fIscep-submit\fR helper to issue requests without ++it. This option forces the \fIscep\-submit\fR helper to issue requests without + making use of this feature. + .TP +-\fB\-v\fR ++\fB\-v\fR, \fB\-\-verbose\fR + Be verbose about errors. Normally, the details of an error received from + the daemon will be suppressed if the client can make a diagnostic suggestion. 
+ +@@ -68,22 +68,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger + .SH SEE ALSO + \fBcertmonger\fR(8) + \fBgetcert\fR(1) +-\fBgetcert-add-ca\fR(1) +-\fBgetcert-list-cas\fR(1) +-\fBgetcert-list\fR(1) +-\fBgetcert-modify-ca\fR(1) +-\fBgetcert-refresh-ca\fR(1) +-\fBgetcert-refresh\fR(1) +-\fBgetcert-rekey\fR(1) +-\fBgetcert-remove-ca\fR(1) +-\fBgetcert-request\fR(1) +-\fBgetcert-resubmit\fR(1) +-\fBgetcert-status\fR(1) +-\fBgetcert-stop-tracking\fR(1) +-\fBcertmonger-certmaster-submit\fR(8) +-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) +-\fBcertmonger-dogtag-submit\fR(8) +-\fBcertmonger-ipa-submit\fR(8) +-\fBcertmonger-local-submit\fR(8) +-\fBcertmonger-scep-submit\fR(8) ++\fBgetcert\-add\-ca\fR(1) ++\fBgetcert\-list\-cas\fR(1) ++\fBgetcert\-list\fR(1) ++\fBgetcert\-modify\-ca\fR(1) ++\fBgetcert\-refresh\-ca\fR(1) ++\fBgetcert\-refresh\fR(1) ++\fBgetcert\-rekey\fR(1) ++\fBgetcert\-remove\-ca\fR(1) ++\fBgetcert\-request\fR(1) ++\fBgetcert\-resubmit\fR(1) ++\fBgetcert\-status\fR(1) ++\fBgetcert\-stop\-tracking\fR(1) ++\fBcertmonger\-certmaster\-submit\fR(8) ++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) ++\fBcertmonger\-dogtag\-submit\fR(8) ++\fBcertmonger\-ipa\-submit\fR(8) ++\fBcertmonger\-local\-submit\fR(8) ++\fBcertmonger\-scep\-submit\fR(8) + \fBcertmonger_selinux\fR(8) +diff --git a/src/getcert-list-cas.1.in b/src/getcert-list-cas.1.in +index 7f250e5..ff4e14f 100644 +--- a/src/getcert-list-cas.1.in ++++ b/src/getcert-list-cas.1.in +@@ -1,17 +1,17 @@ +-.TH certmonger 1 "3 November 2009" "certmonger Manual" ++.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual" + + .SH NAME + getcert + + .SH SYNOPSIS +-getcert list-cas [options] ++getcert list\-cas [options] + + .SH DESCRIPTION + Queries \fIcertmonger\fR for a list of known CAs. + + .SH OPTIONS + .TP +-\fB\-c\fR NAME ++\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR + List only information about the CA which has the specified nickname. 
+ 
+ .SH BUGS
+@@ -20,23 +20,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
+ .SH SEE ALSO
+ \fBcertmonger\fR(8)
+ \fBgetcert\fR(1)
+-\fBgetcert-add-ca\fR(1)
+-\fBgetcert-add-scep-ca\fR(1)
+-\fBgetcert-list\fR(1)
+-\fBgetcert-modify-ca\fR(1)
+-\fBgetcert-refresh-ca\fR(1)
+-\fBgetcert-refresh\fR(1)
+-\fBgetcert-rekey\fR(1)
+-\fBgetcert-remove-ca\fR(1)
+-\fBgetcert-request\fR(1)
+-\fBgetcert-resubmit\fR(1)
+-\fBgetcert-start-tracking\fR(1)
+-\fBgetcert-status\fR(1)
+-\fBgetcert-stop-tracking\fR(1)
+-\fBcertmonger-certmaster-submit\fR(8)
+-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
+-\fBcertmonger-dogtag-submit\fR(8)
+-\fBcertmonger-ipa-submit\fR(8)
+-\fBcertmonger-local-submit\fR(8)
+-\fBcertmonger-scep-submit\fR(8)
++\fBgetcert\-add\-ca\fR(1)
++\fBgetcert\-add\-scep\-ca\fR(1)
++\fBgetcert\-list\fR(1)
++\fBgetcert\-modify\-ca\fR(1)
++\fBgetcert\-refresh\-ca\fR(1)
++\fBgetcert\-refresh\fR(1)
++\fBgetcert\-rekey\fR(1)
++\fBgetcert\-remove\-ca\fR(1)
++\fBgetcert\-request\fR(1)
++\fBgetcert\-resubmit\fR(1)
++\fBgetcert\-start\-tracking\fR(1)
++\fBgetcert\-status\fR(1)
++\fBgetcert\-stop\-tracking\fR(1)
++\fBcertmonger\-certmaster\-submit\fR(8)
++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
++\fBcertmonger\-dogtag\-submit\fR(8)
++\fBcertmonger\-ipa\-submit\fR(8)
++\fBcertmonger\-local\-submit\fR(8)
++\fBcertmonger\-scep\-submit\fR(8)
+ \fBcertmonger_selinux\fR(8)
+diff --git a/src/getcert-list.1.in b/src/getcert-list.1.in
+index eded28a..9bf4826 100644
+--- a/src/getcert-list.1.in
++++ b/src/getcert-list.1.in
+@@ -1,4 +1,4 @@
+-.TH certmonger 1 "28 June 2016" "certmonger Manual"
++.TH CERTMONGER 1 "June 28, 2016" "certmonger Manual"
+ 
+ .SH NAME
+ getcert
+@@ -12,35 +12,35 @@ monitoring or attempting to obtain.
+ 
+ .SH ENROLLMENT OPTIONS
+ .TP
+-\fB\-c\fR NAME
++\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
+ List only entries which use the specified CA. The name of the CA should
+-correspond to one listed by \fIgetcert list-cas\fR.
++correspond to one listed by \fIgetcert list\-cas\fR.
+ 
+ .SH LISTING OPTIONS
+ .TP
+-\fB\-r\fR
++\fB\-r\fR, \fB\-\-requests\-only\fR
+ List only entries which are either currently being enrolled or refreshed.
+ .TP
+-\fB\-t\fR
++\fB\-t\fR, \fB\-\-tracking\-only\fR
+ List only entries which are not currently being enrolled or refreshed.
+ .TP
+-\fB\-u\fR|\fB--utc\fR
++\fB\-u\fR, \fB\-\-utc\fR
+ Display timestamps in UTC instead of local time.
+ 
+ .TP
+-\fB\-d\fR DIR
++\fB\-d\fR \fBDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
+ List only entries which use an NSS database in the specified directory
+ for storing the certificate.
+ .TP
+-\fB\-n\fR NAME
++\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
+ List only tracking requests which use an NSS database and the specified
+ nickname for storing the certificate.
+ .TP
+-\fB\-f\fR FILE
++\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
+ List only tracking requests which specify that the certificate should be
+ stored in the specified file.
+ .TP
+-\fB\-i\fR NAME
++\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
+ List only tracking requests which use this request nickname.
+ 
+ .SH STATES
+@@ -53,11 +53,11 @@ The service is currently generating a new key pair.
+ .TP
+ NEED_KEY_GEN_PERMS
+ The service encountered a filesystem permission error while attempting
+-to save the newly-generated key pair.
++to save the newly\-generated key pair.
+ .TP
+ NEED_KEY_GEN_PIN
+ The service is missing the PIN which is required to access an NSS
+-database in order to save the newly-generated key pair, or it has an
++database in order to save the newly\-generated key pair, or it has an
+ incorrect PIN for a database.
+ .TP
+ NEED_KEY_GEN_TOKEN
+@@ -75,7 +75,7 @@ The service is currently reading information about the key pair.
+ .TP
+ NEED_KEYINFO_READ_PIN
+ The service is missing the PIN which is required to access an NSS
+-database in order to read information about the newly-generated key pair, or
++database in order to read information about the newly\-generated key pair, or
+ it has an incorrect PIN for a database, or has an incorrect password for
+ accessing a key stored in encrypted PEM format.
+ .TP
+@@ -161,8 +161,8 @@ The CA approved the signing request, and the service is about to save the
+ issued certificate to the location where it has been told to save it.
+ .TP
+ PRE_SAVE_CERT
+-The service is running a configured pre-saving command before saving the
+-newly-issued certificate to the location where it has been told to save
++The service is running a configured pre\-saving command before saving the
++newly\-issued certificate to the location where it has been told to save
+ it.
+ .TP
+ START_SAVING_CERT
+@@ -175,16 +175,16 @@ where it has been told to save it.
+ .TP
+ NEED_CERTSAVE_PERMS
+ The service encountered a filesystem permission error while attempting
+-to save the newly-issued certificate to the location where it has been
++to save the newly\-issued certificate to the location where it has been
+ told to save it.
+ .TP
+ NEED_CERTSAVE_TOKEN
+-The service is unable to find the token in which the newly-issued
++The service is unable to find the token in which the newly\-issued
+ certificate is to be stored.
+ .TP
+ NEED_CERTSAVE_PIN
+ The service is missing the PIN which is required to access an NSS
+-database in order to save the newly-issued certificate to the location
++database in order to save the newly\-issued certificate to the location
+ where it has been told to save it.
+ .TP
+ NEED_TO_SAVE_CA_CERTS
+@@ -231,22 +231,22 @@ issuer's certificate to the locations where it has been told to save
+ them.
+ .TP
+ POST_SAVED_CERT
+-The service is running a configured post-saving command after saving the
+-newly-issued certificate to the location where it has been told to save
++The service is running a configured post\-saving command after saving the
++newly\-issued certificate to the location where it has been told to save
+ them.
+ .TP
+ MONITORING
+ The service is monitoring the certificate and waiting for its
+-not-valid-after date to approach. This is expected to be the status
++not\-valid\-after date to approach. This is expected to be the status
+ most often seen.
+ .TP
+ NEED_TO_NOTIFY_VALIDITY
+ The service is about to notify the system administrator that the
+-certificate's not-valid-after date is approaching.
++certificate's not\-valid\-after date is approaching.
+ .TP
+ NOTIFYING_VALIDITY
+ The service is notifying the system administrator that the certificate's
+-not-valid-after date is approaching.
++not\-valid\-after date is approaching.
+ .TP
+ NEED_TO_NOTIFY_REJECTION
+ The service is about to notify the system administrator that the
+@@ -350,23 +350,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
+ .SH SEE ALSO
+ \fBcertmonger\fR(8)
+ \fBgetcert\fR(1)
+-\fBgetcert-add-ca\fR(1)
+-\fBgetcert-add-scep-ca\fR(1)
+-\fBgetcert-list-cas\fR(1)
+-\fBgetcert-modify-ca\fR(1)
+-\fBgetcert-refresh-ca\fR(1)
+-\fBgetcert-refresh\fR(1)
+-\fBgetcert-rekey\fR(1)
+-\fBgetcert-remove-ca\fR(1)
+-\fBgetcert-request\fR(1)
+-\fBgetcert-resubmit\fR(1)
+-\fBgetcert-start-tracking\fR(1)
+-\fBgetcert-status\fR(1)
+-\fBgetcert-stop-tracking\fR(1)
+-\fBcertmonger-certmaster-submit\fR(8)
+-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
+-\fBcertmonger-dogtag-submit\fR(8)
+-\fBcertmonger-ipa-submit\fR(8)
+-\fBcertmonger-local-submit\fR(8)
+-\fBcertmonger-scep-submit\fR(8)
++\fBgetcert\-add\-ca\fR(1)
++\fBgetcert\-add\-scep\-ca\fR(1)
++\fBgetcert\-list\-cas\fR(1)
++\fBgetcert\-modify\-ca\fR(1)
++\fBgetcert\-refresh\-ca\fR(1)
++\fBgetcert\-refresh\fR(1)
++\fBgetcert\-rekey\fR(1)
++\fBgetcert\-remove\-ca\fR(1)
++\fBgetcert\-request\fR(1)
++\fBgetcert\-resubmit\fR(1)
++\fBgetcert\-start\-tracking\fR(1)
++\fBgetcert\-status\fR(1)
++\fBgetcert\-stop\-tracking\fR(1)
++\fBcertmonger\-certmaster\-submit\fR(8)
++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
++\fBcertmonger\-dogtag\-submit\fR(8)
++\fBcertmonger\-ipa\-submit\fR(8)
++\fBcertmonger\-local\-submit\fR(8)
++\fBcertmonger\-scep\-submit\fR(8)
+ \fBcertmonger_selinux\fR(8)
+diff --git a/src/getcert-modify-ca.1.in b/src/getcert-modify-ca.1.in
+index 36677c5..90bc621 100644
+--- a/src/getcert-modify-ca.1.in
++++ b/src/getcert-modify-ca.1.in
+@@ -1,23 +1,23 @@
+-.TH certmonger 1 "24 February 2015" "certmonger Manual"
++.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"
+ 
+ .SH NAME
+ getcert
+ 
+ .SH SYNOPSIS
+-getcert modify-ca [options]
++getcert modify\-ca [options]
+ 
+ .SH DESCRIPTION
+ Modifies the helper command in a \fIcertmonger\fR CA configuration.
+ 
+ .SH OPTIONS
+ .TP
+-\fB\-c\fR NAME
++\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
+ The nickname of the CA configuration to modify.
+ .TP
+-\fB\-e\fR COMMAND
++\fB\-e\fR \fICOMMAND\fR, \fB\-\-command\fR=\fICOMMAND\fR
+ The new helper command to run for communicating with the CA.
+ .TP
+-\fB\-v\fR
++\fB\-v\fR, \fB\-\-verbose\fR
+ Be verbose about errors. Normally, the details of an error received from
+ the daemon will be suppressed if the client can make a diagnostic suggestion.
+ 
+@@ -27,22 +27,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
+ .SH SEE ALSO
+ \fBcertmonger\fR(8)
+ \fBgetcert\fR(1)
+-\fBgetcert-add-ca\fR(1)
+-\fBgetcert-add-scep-ca\fR(1)
+-\fBgetcert-list-cas\fR(1)
+-\fBgetcert-list\fR(1)
+-\fBgetcert-refresh-ca\fR(1)
+-\fBgetcert-refresh\fR(1)
+-\fBgetcert-rekey\fR(1)
+-\fBgetcert-remove-ca\fR(1)
+-\fBgetcert-request\fR(1)
+-\fBgetcert-resubmit\fR(1)
+-\fBgetcert-status\fR(1)
+-\fBgetcert-stop-tracking\fR(1)
+-\fBcertmonger-certmaster-submit\fR(8)
+-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
+-\fBcertmonger-dogtag-submit\fR(8)
+-\fBcertmonger-ipa-submit\fR(8)
+-\fBcertmonger-local-submit\fR(8)
+-\fBcertmonger-scep-submit\fR(8)
++\fBgetcert\-add\-ca\fR(1)
++\fBgetcert\-add\-scep\-ca\fR(1)
++\fBgetcert\-list\-cas\fR(1)
++\fBgetcert\-list\fR(1)
++\fBgetcert\-refresh\-ca\fR(1)
++\fBgetcert\-refresh\fR(1)
++\fBgetcert\-rekey\fR(1)
++\fBgetcert\-remove\-ca\fR(1)
++\fBgetcert\-request\fR(1)
++\fBgetcert\-resubmit\fR(1)
++\fBgetcert\-status\fR(1)
++\fBgetcert\-stop\-tracking\fR(1)
++\fBcertmonger\-certmaster\-submit\fR(8)
++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
++\fBcertmonger\-dogtag\-submit\fR(8)
++\fBcertmonger\-ipa\-submit\fR(8)
++\fBcertmonger\-local\-submit\fR(8)
++\fBcertmonger\-scep\-submit\fR(8)
+ \fBcertmonger_selinux\fR(8)
+diff --git a/src/getcert-refresh-ca.1.in b/src/getcert-refresh-ca.1.in
+index 2662adc..86318e7 100644
+--- a/src/getcert-refresh-ca.1.in
++++ b/src/getcert-refresh-ca.1.in
+@@ -1,21 +1,21 @@
+-.TH certmonger 1 "29 May 2014" "certmonger Manual"
++.TH CERTMONGER 1 "May 29, 2014" "certmonger Manual"
+ 
+ .SH NAME
+ getcert
+ 
+ .SH SYNOPSIS
+-getcert refresh-ca [options]
++getcert refresh\-ca [options]
+ 
+ .SH DESCRIPTION
+ Forces \fIcertmonger\fR to refresh information specific to a CA, such as
+-locally-stored copies of its certificates.
++locally\-stored copies of its certificates.
+ 
+ .SH OPTIONS
+ .TP
+-\fB\-c\fR NAME
++\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
+ Refresh information about the CA which has the specified nickname.
+ .TP
+-\fB\-a\fR
++\fB\-a\fR, \fB\-\-all\fR
+ Refresh information about all known CAs.
+ 
+ .SH BUGS
+@@ -24,24 +24,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
+ .SH SEE ALSO
+ \fBcertmonger\fR(8)
+ \fBgetcert\fR(1)
+-\fBgetcert-add-ca\fR(1)
+-\fBgetcert-add-scep-ca\fR(1)
+-\fBgetcert-list-cas\fR(1)
+-\fBgetcert-list\fR(1)
+-\fBgetcert-modify-ca\fR(1)
+-\fBgetcert-refresh-ca\fR(1)
+-\fBgetcert-refresh\fR(1)
+-\fBgetcert-rekey\fR(1)
+-\fBgetcert-remove-ca\fR(1)
+-\fBgetcert-request\fR(1)
+-\fBgetcert-resubmit\fR(1)
+-\fBgetcert-start-tracking\fR(1)
+-\fBgetcert-status\fR(1)
+-\fBgetcert-stop-tracking\fR(1)
+-\fBcertmonger-certmaster-submit\fR(8)
+-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
+-\fBcertmonger-dogtag-submit\fR(8)
+-\fBcertmonger-ipa-submit\fR(8)
+-\fBcertmonger-local-submit\fR(8)
+-\fBcertmonger-scep-submit\fR(8)
++\fBgetcert\-add\-ca\fR(1)
++\fBgetcert\-add\-scep\-ca\fR(1)
++\fBgetcert\-list\-cas\fR(1)
++\fBgetcert\-list\fR(1)
++\fBgetcert\-modify\-ca\fR(1)
++\fBgetcert\-refresh\-ca\fR(1)
++\fBgetcert\-refresh\fR(1)
++\fBgetcert\-rekey\fR(1)
++\fBgetcert\-remove\-ca\fR(1)
++\fBgetcert\-request\fR(1)
++\fBgetcert\-resubmit\fR(1)
++\fBgetcert\-start\-tracking\fR(1)
++\fBgetcert\-status\fR(1)
++\fBgetcert\-stop\-tracking\fR(1)
++\fBcertmonger\-certmaster\-submit\fR(8)
++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
++\fBcertmonger\-dogtag\-submit\fR(8)
++\fBcertmonger\-ipa\-submit\fR(8)
++\fBcertmonger\-local\-submit\fR(8)
++\fBcertmonger\-scep\-submit\fR(8)
+ \fBcertmonger_selinux\fR(8)
+diff --git a/src/getcert-refresh.1.in b/src/getcert-refresh.1.in
+index 660c2ec..79028c1 100644
+--- a/src/getcert-refresh.1.in
++++ b/src/getcert-refresh.1.in
+@@ -1,4 +1,4 @@
+-.TH certmonger 1 "21 July 2014" "certmonger Manual"
++.TH CERTMONGER 1 "July 24, 2014" "certmonger Manual"
+ 
+ .SH NAME
+ getcert
+@@ -13,7 +13,7 @@ waiting for the CA.
+ 
+ .SH SPECIFYING REQUESTS BY NICKNAME
+ .TP
+-\fB\-i\fR NAME
++\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
+ Check on the status of the signing request which has this nickname.
+ If this option is not specified, and a tracking entry which matches the
+ certificate storage options which are specified already exists, that entry
+@@ -23,24 +23,24 @@ with the \fB\-f\fR option.
+ 
+ .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION
+ .TP
+-\fB\-d\fR DIR
++\fB\-d\fR \rIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
+ The certificate is in the NSS database in the specified directory.
+ .TP
+-\fB\-n\fR NAME
++\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
+ The certificate in the NSS database named with \fB\-d\fR has the specified
+ nickname. Only valid with \fB\-d\fR.
+ .TP
+-\fB\-t\fR TOKEN
++\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
+ If the NSS database has more than one token available, the certificate
+ is stored in this token. This argument only rarely needs to be specified.
+ Only valid with \fB\-d\fR.
+ .TP
+-\fB\-f\fR FILE
++\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
+ The certificate is stored in the named file.
+ 
+ .SH OPTIONS
+ .TP
+-\fB\-a\fR
++\fB\-a\fR, \fB\-\-all\fR
+ Refresh information about all requests for which the service will need to
+ attempt to contact the CA again.
+ 
+@@ -50,23 +50,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
+ .SH SEE ALSO
+ \fBcertmonger\fR(8)
+ \fBgetcert\fR(1)
+-\fBgetcert-add-ca\fR(1)
+-\fBgetcert-add-scep-ca\fR(1)
+-\fBgetcert-list-cas\fR(1)
+-\fBgetcert-list\fR(1)
+-\fBgetcert-modify-ca\fR(1)
+-\fBgetcert-refresh-ca\fR(1)
+-\fBgetcert-rekey\fR(1)
+-\fBgetcert-remove-ca\fR(1)
+-\fBgetcert-request\fR(1)
+-\fBgetcert-resubmit\fR(1)
+-\fBgetcert-start-tracking\fR(1)
+-\fBgetcert-status\fR(1)
+-\fBgetcert-stop-tracking\fR(1)
+-\fBcertmonger-certmaster-submit\fR(8)
+-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
+-\fBcertmonger-dogtag-submit\fR(8)
+-\fBcertmonger-ipa-submit\fR(8)
+-\fBcertmonger-local-submit\fR(8)
+-\fBcertmonger-scep-submit\fR(8)
++\fBgetcert\-add\-ca\fR(1)
++\fBgetcert\-add\-scep\-ca\fR(1)
++\fBgetcert\-list\-cas\fR(1)
++\fBgetcert\-list\fR(1)
++\fBgetcert\-modify\-ca\fR(1)
++\fBgetcert\-refresh\-ca\fR(1)
++\fBgetcert\-rekey\fR(1)
++\fBgetcert\-remove\-ca\fR(1)
++\fBgetcert\-request\fR(1)
++\fBgetcert\-resubmit\fR(1)
++\fBgetcert\-start\-tracking\fR(1)
++\fBgetcert\-status\fR(1)
++\fBgetcert\-stop\-tracking\fR(1)
++\fBcertmonger\-certmaster\-submit\fR(8)
++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
++\fBcertmonger\-dogtag\-submit\fR(8)
++\fBcertmonger\-ipa\-submit\fR(8)
++\fBcertmonger\-local\-submit\fR(8)
++\fBcertmonger\-scep\-submit\fR(8)
+ \fBcertmonger_selinux\fR(8)
+diff --git a/src/getcert-rekey.1.in b/src/getcert-rekey.1.in
+index 39ba761..fd848e7 100644
+--- a/src/getcert-rekey.1.in
++++ b/src/getcert-rekey.1.in
+@@ -1,4 +1,4 @@
+-.TH certmonger 1 "31 July 2015" "certmonger Manual"
++.TH CERTMONGER 1 "July 31, 2015" "certmonger Manual"
+ 
+ .SH NAME
+ getcert
+@@ -13,7 +13,7 @@ order to replace both a certificate and its private key.
+ 
+ .SH SPECIFYING REQUESTS BY NICKNAME
+ .TP
+-\fB\-i\fR NAME
++\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
+ The new key pair will be generated and the new certificate will be obtained for
+ the tracking request which has this nickname. If this option is not specified,
+ and a tracking entry which matches the key and certificate storage options
+@@ -23,62 +23,61 @@ of the \fB\-d\fR and \fB\-n\fR options, or with the \fB\-f\fR option.
+ 
+ .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION
+ .TP
+-\fB\-d\fR DIR
++\fB\-d\fR \fIDIR\fR, \fB\-\-dbdir\fR=\fIDIR\fR
+ The certificate is in the NSS database in the specified directory.
+ .TP
+-\fB\-n\fR NAME
++\fB\-n\fR \fINAME\fR, \fB\-\-nickname\fR=\fINAME\fR
+ The certificate in the NSS database named with \fB\-d\fR has the specified
+ nickname. Only valid with \fB\-d\fR.
+ .TP
+-\fB\-t\fR TOKEN
++\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
+ If the NSS database has more than one token available, the certificate
+ is stored in this token. This argument only rarely needs to be specified.
+ Only valid with \fB\-d\fR.
+ .TP
+-\fB\-f\fR FILE
++\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
+ The certificate is stored in the named file.
+ 
+ .SH KEY GENERATION OPTIONS
+ .TP
+-\fB\-G\fR TYPE
++\fB\-G\fR \fITYPE\fR, \fB\-\-key\-type\fR=\fITYPE\fR
+ In case a new key pair needs to be generated, this option specifies the
+ type of the keys to be generated. If not specified, the current key type
+ will be used.
+ .TP
+-\fB\-g\fR BITS
++\fB\-g\fR \fIBITS\fR, \fB\-\-key\-size\fR=\fIBITS\fR
+ This option specifies the size of the new key to be generated. If not
+ specified, a key of the same size as the existing key will be generated.
+ 
+-\fB\-c\fR NAME
+ .SH ENROLLMENT OPTIONS
+ .TP
+-\fB\-c\fR NAME
++\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
+ Submit the new signing request to the specified CA rather than the one which
+ was previously associated with this certificate. The name of
+-the CA should correspond to one listed by \fIgetcert list-cas\fR.
++the CA should correspond to one listed by \fIgetcert list\-cas\fR.
+ .TP
+-\fB\-T\fR NAME
++\fB\-T\fR \fINAME, \fB\-\-profile\fR=\fINAME\fR
+ Request a certificate using the named profile, template, or certtype,
+ from the specified CA.
+ .TP
+-\fB\-\-ms-template-spec\fR SPEC
++\fB\-\-ms\-template\-spec\fR \fISPEC\fR
+ Include a V2 Certificate Template extension in the signing request.
+ This datum includes an Object Identifier, a major version number
+ (positive integer) and an optional minor version number. The format
+ is: \fB:[:]\fR.
+ .TP
+-\fB\-X\fR NAME
++\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR
+ Request a certificate using the named issuer from the specified CA.
+ .TP
+-\fB\-I\fR NAME
++\fB\-I\fR \fINAME\fR, \fB\-\-new\-id\fR=\fINAME\fR
+ Assign the specified nickname to this task, replacing the previous nickname.
+ 
+ .SH SIGNING REQUEST OPTIONS
+ .TP
+-\fB\-N\fR NAME
++\fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR
+ Change the subject name to include in the signing request.
+ .TP
+-\fB\-u\fR keyUsage
++\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR
+ Add an extensionRequest for the specified keyUsage to the
+ signing request. The keyUsage value is expected to be one of these names:
+ 
+@@ -100,62 +99,74 @@ encipherOnly
+ 
+ decipherOnly
+ .TP
+-\fB\-U\fR EKU
++\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR
+ Change the extendedKeyUsage value specified in an extendedKeyUsage
+ extension part of the extensionRequest attribute in the signing
+ request. The EKU value is expected to be an object identifier (OID).
+ .TP
+-\fB\-K\fR NAME
++\fB\-K\fR \fINAME\fB, \fB\-\-ca\fR=\fINAME\fR
+ Change the Kerberos principal name specified as part of a subjectAltName
+ extension part of the extensionRequest attribute in the signing request.
+ .TP
+-\fB\-E\fR EMAIL
++\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR
+ Change the email address specified as part of a subjectAltName
+ extension part of the extensionRequest attribute in the signing request.
+ .TP
+-\fB\-D\fR DNSNAME
++\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR
+ Change the DNS name specified as part of a subjectAltName extension part of the
+ extensionRequest attribute in the signing request.
+ .TP
+-\fB\-A\fR ADDRESS
++\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR
+ Change the IP address specified as part of a subjectAltName extension part of
+ the extensionRequest attribute in the signing request.
+ .TP
+-\fB\-l\fR FILE
++\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fINAME\fR
+ Add an optional ChallengePassword value, read from the file, to the signing
+ request. A ChallengePassword is often required when the CA is accessed using
+ SCEP.
+ .TP
+-\fB\-L\fR PIN
++\fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR
+ Add the argument value to the signing request as a ChallengePassword attribute.
+ A ChallengePassword is often required when the CA is accessed using SCEP.
+ 
+ .SH OTHER OPTIONS
+ .TP
+-\fB\-B\fR COMMAND
++\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR
+ When ever the certificate or the CA's certificates are saved to the
+ specified locations, run the specified command as the client user before
+ saving the certificates.
+ .TP
+-\fB\-C\fR COMMAND
++\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR
+ When ever the certificate or the CA's certificates are saved to the
+ specified locations, run the specified command as the client user after
+ saving the certificates.
+ .TP
+-\fB\-a\fR DIR
++\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR
+ When ever the certificate is saved to the specified location, if root
+ certificates for the CA are available, save them to the specified NSS database.
+ .TP
+-\fB\-F\fR FILE
++\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR
+ When ever the certificate is saved to the specified location, if root
+ certificates for the CA are available, and when the local copies of the
+ CA's root certificates are updated, save them to the specified file.
+ .TP
+-\fB\-w\fR
++\fB\-\-for\-ca\fR
++Request a CA certificate.
++.TP
++\fB\-\-not\-for\-ca\fR
++Request a non\-CA certificate (the default).
++.TP
++\fB\-\-ca\-path\-length\fR=\fILENGTH\fR
++Path length for CA certificate. Only valid with \-\-for\-ca.
++.TP
++\fB\-w\fR, \fB\-\-wait\fR
+ Wait for the new certificate to be issued and saved, or for the attempt to obtain
+ one using the new key to fail.
+ .TP
+-\fB\-v\fR
++\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR
++Maximum time to wait for the certificate to be issued.
++.TP
++\fB\-v\fR \fB\-\-verbose\fR
+ Be verbose about errors. Normally, the details of an error received from
+ the daemon will be suppressed if the client can make a diagnostic suggestion.
+ 
+@@ -165,22 +176,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
+ .SH SEE ALSO
+ \fBcertmonger\fR(8)
+ \fBgetcert\fR(1)
+-\fBgetcert-add-ca\fR(1)
+-\fBgetcert-add-scep-ca\fR(1)
+-\fBgetcert-list-cas\fR(1)
+-\fBgetcert-list\fR(1)
+-\fBgetcert-modify-ca\fR(1)
+-\fBgetcert-refresh-ca\fR(1)
+-\fBgetcert-refresh\fR(1)
+-\fBgetcert-remove-ca\fR(1)
+-\fBgetcert-request\fR(1)
+-\fBgetcert-start-tracking\fR(1)
+-\fBgetcert-status\fR(1)
+-\fBgetcert-stop-tracking\fR(1)
+-\fBcertmonger-certmaster-submit\fR(8)
+-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
+-\fBcertmonger-dogtag-submit\fR(8)
+-\fBcertmonger-ipa-submit\fR(8)
+-\fBcertmonger-local-submit\fR(8)
+-\fBcertmonger-scep-submit\fR(8)
++\fBgetcert\-add\-ca\fR(1)
++\fBgetcert\-add\-scep\-ca\fR(1)
++\fBgetcert\-list\-cas\fR(1)
++\fBgetcert\-list\fR(1)
++\fBgetcert\-modify\-ca\fR(1)
++\fBgetcert\-refresh\-ca\fR(1)
++\fBgetcert\-refresh\fR(1)
++\fBgetcert\-remove\-ca\fR(1)
++\fBgetcert\-request\fR(1)
++\fBgetcert\-start\-tracking\fR(1)
++\fBgetcert\-status\fR(1)
++\fBgetcert\-stop\-tracking\fR(1)
++\fBcertmonger\-certmaster\-submit\fR(8)
++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
++\fBcertmonger\-dogtag\-submit\fR(8)
++\fBcertmonger\-ipa\-submit\fR(8)
++\fBcertmonger\-local\-submit\fR(8)
++\fBcertmonger\-scep\-submit\fR(8)
+ \fBcertmonger_selinux\fR(8)
+diff --git a/src/getcert-remove-ca.1.in b/src/getcert-remove-ca.1.in
+index 4b29db7..1839f84 100644
+--- a/src/getcert-remove-ca.1.in
++++ b/src/getcert-remove-ca.1.in
+@@ -1,10 +1,10 @@
+-.TH certmonger 1 "24 February 2015" "certmonger Manual"
++.TH CERTMONGER 1 "February 24, 2015" "certmonger Manual"
+ 
+ .SH NAME
+ getcert
+ 
+ .SH SYNOPSIS
+-getcert remove-ca [options]
++getcert remove\-ca [options]
+ 
+ .SH DESCRIPTION
+ Remove a CA configuration from \fIcertmonger\fR. Enrollment requests which
+@@ -12,10 +12,10 @@ reference the CA will behave as though they have no assigned CA.
+ 
+ .SH OPTIONS
+ .TP
+-\fB\-c\fR NAME
++\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
+ The nickname of the CA configuration to remove.
+ .TP
+-\fB\-v\fR
++\fB\-v\fR, \fB\-\-verbose\fR
+ Be verbose about errors. Normally, the details of an error received from
+ the daemon will be suppressed if the client can make a diagnostic suggestion.
+ 
+@@ -25,22 +25,22 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
+ .SH SEE ALSO
+ \fBcertmonger\fR(8)
+ \fBgetcert\fR(1)
+-\fBgetcert-add-ca\fR(1)
+-\fBgetcert-add-scep-ca\fR(1)
+-\fBgetcert-list-cas\fR(1)
+-\fBgetcert-list\fR(1)
+-\fBgetcert-modify-ca\fR(1)
+-\fBgetcert-refresh-ca\fR(1)
+-\fBgetcert-refresh\fR(1)
+-\fBgetcert-rekey\fR(1)
+-\fBgetcert-request\fR(1)
+-\fBgetcert-resubmit\fR(1)
+-\fBgetcert-status\fR(1)
+-\fBgetcert-stop-tracking\fR(1)
+-\fBcertmonger-certmaster-submit\fR(8)
+-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
+-\fBcertmonger-dogtag-submit\fR(8)
+-\fBcertmonger-ipa-submit\fR(8)
+-\fBcertmonger-local-submit\fR(8)
+-\fBcertmonger-scep-submit\fR(8)
++\fBgetcert\-add\-ca\fR(1)
++\fBgetcert\-add\-scep\-ca\fR(1)
++\fBgetcert\-list\-cas\fR(1)
++\fBgetcert\-list\fR(1)
++\fBgetcert\-modify\-ca\fR(1)
++\fBgetcert\-refresh\-ca\fR(1)
++\fBgetcert\-refresh\fR(1)
++\fBgetcert\-rekey\fR(1)
++\fBgetcert\-request\fR(1)
++\fBgetcert\-resubmit\fR(1)
++\fBgetcert\-status\fR(1)
++\fBgetcert\-stop\-tracking\fR(1)
++\fBcertmonger\-certmaster\-submit\fR(8)
++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
++\fBcertmonger\-dogtag\-submit\fR(8)
++\fBcertmonger\-ipa\-submit\fR(8)
++\fBcertmonger\-local\-submit\fR(8)
++\fBcertmonger\-scep\-submit\fR(8)
+ \fBcertmonger_selinux\fR(8)
+diff --git a/src/getcert-request.1.in b/src/getcert-request.1.in
+index ba43016..89bc080 100644
+--- a/src/getcert-request.1.in
++++ b/src/getcert-request.1.in
+@@ -1,4 +1,4 @@
+-.TH certmonger 1 "9 February 2015" "certmonger Manual"
++.TH CERTMONGER 1 "February 9, 2015" "certmonger Manual"
+ 
+ .SH NAME
+ getcert
+@@ -14,87 +14,87 @@ CA.
+ 
+ .SH KEY AND CERTIFICATE STORAGE OPTIONS
+ .TP
+-\fB\-d\fR DIR
++\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
+ Use an NSS database in the specified directory for storing this
+ certificate and key.
+ .TP
+-\fB\-n\fR NAME
++\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
+ Use the key with this nickname to generate the signing request. If no
+ such key is found, generate one. Give the enrolled certificate this
+ nickname, too.
+ Only valid with \fB\-d\fR.
+ .TP
+-\fB\-t\fR TOKEN
++\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
+ If the NSS database has more than one token available, use the token
+ with this name for storing and accessing the certificate and key. This
+ argument only rarely needs to be specified.
+ Only valid with \fB\-d\fR.
+ .TP
+-\fB\-f\fR FILE
++\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
+ Store the issued certificate in this file. For safety's sake, do not
+ use the same file specified with the \fB\-k\fR option.
+ .TP
+-\fB\-k\fR FILE
++\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR
+ Use the key stored in this file to generate the signing request. If no
+ such file is found, generate a new key pair and store them in the file.
+ Only valid with \fB\-f\fR.
+ 
+ .SH KEY ENCRYPTION OPTIONS
+ .TP
+-\fB\-p\fR FILE
++\fB\-p\fR \fIFILE\fR, \fB\-\-pinfile\fR=\fIFILE\fR
+ Encrypt private key files or databases using the PIN stored in the named
+ file as the passphrase.
+ .TP
+-\fB\-P\fR PIN
++\fB\-P\fR \fIPIN\fR, \fB\-\-pin\fR=\fIPIN\fR
+ Encrypt private key files or databases using the specified PIN as the
+-passphrase. Because command-line arguments to running processes are
++passphrase. Because command\-line arguments to running processes are
+ trivially discoverable, use of this option is not recommended except
+ for testing.
+ 
+ .SH KEY GENERATION OPTIONS
+ .TP
+-\fB\-G\fR TYPE
++\fB\-G\fR \fITYPE\fR, \fB\-\-key\-type\fR=\fITYPE\fR
+ In case a new key pair needs to be generated, this option specifies the
+ type of the keys to be generated. If not specified, a reasonable default
+ (currently \fIRSA\fR) will be used.
+ .TP
+-\fB\-g\fR BITS
++\fB\-g\fR \fIBITS\fR, \fB\-\-key\-size\fR=\fIBITS\fR
+ In case a new key pair needs to be generated, this option specifies the
+ size of the key. If not specified, a reasonable default (currently
+ @CM_DEFAULT_PUBKEY_SIZE@ bits) will be used.
+ 
+ .SH TRACKING OPTIONS
+ .TP
+-\fB\-r\fR
++\fB\-r\fR, \fB\-\-renew\fR
+ Attempt to obtain a new certificate from the CA when the expiration date of a
+ certificate nears. This is the default setting.
+ .TP
+-\fB\-R\fR
++\fB\-R\fR, \fB\-\-no\-renew\fR
+ Don't attempt to obtain a new certificate from the CA when the expiration date
+ of a certificate nears. If this option is specified, an expired certificate
+ will simply stay expired.
+ .TP
+-\fB\-I\fR NAME
++\fB\-I\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
+ Assign the specified nickname to this task. If this option is not specified,
+ a name will be assigned automatically.
+ 
+ .SH ENROLLMENT OPTIONS
+ .TP
+-\fB\-c\fR NAME
++\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
+ Enroll with the specified CA rather than a possible default. The name of
+-the CA should correspond to one listed by \fIgetcert list-cas\fR.
++the CA should correspond to one listed by \fIgetcert list\-cas\fR.
+ .TP
+-\fB\-T\fR NAME
++\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
+ Request a certificate using the named profile, template, or certtype,
+ from the specified CA.
+ .TP
+-\fB\-\-ms-template-spec\fR SPEC
++\fB\-\-ms\-template\-spec\fR \fISPEC\fR
+ Include a V2 Certificate Template extension in the signing request.
+ This datum includes an Object Identifier, a major version number
+ (positive integer) and an optional minor version number. The format
+ is: \fB:[:]\fR.
+ .TP
+-\fB\-X\fR NAME
++\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR
+ Request a certificate using the named issuer from the specified CA.
+ 
+ .SH SIGNING REQUEST OPTIONS
+@@ -108,11 +108,11 @@ The options \fB\-K\fR, \fB\-E\fR, \fB\-D\fR and \fB\-A\fR may be provided
+ multiple times to set multiple subjectAltName of the same type.
+ 
+ .TP
+-\fB\-N\fR NAME
++\fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR
+ Set the subject name to include in the signing request. The default
+ used is CN=\fIhostname\fR, where \fIhostname\fR is the local hostname.
+ .TP
+-\fB\-u\fR keyUsage
++\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR
+ Add an extensionRequest for the specified keyUsage to the
+ signing request. The keyUsage value is expected to be one of these names:
+ 
+@@ -134,84 +134,113 @@ encipherOnly
+ 
+ decipherOnly
+ .TP
+-\fB\-U\fR EKU
++\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR
+ Add an extensionRequest for the specified extendedKeyUsage to the
+ signing request. The EKU value is expected to be an object identifier
+ (OID), but some specific names are also recognized. These are some
+ names and their associated OID values:
+ 
+-id-kp-serverAuth 1.3.6.1.5.5.7.3.1
++id\-kp\-serverAuth 1.3.6.1.5.5.7.3.1
+ 
+-id-kp-clientAuth 1.3.6.1.5.5.7.3.2
++id\-kp\-clientAuth 1.3.6.1.5.5.7.3.2
+ 
+-id-kp-codeSigning 1.3.6.1.5.5.7.3.3
++id\-kp\-codeSigning 1.3.6.1.5.5.7.3.3
+ 
+-id-kp-emailProtection 1.3.6.1.5.5.7.3.4
++id\-kp\-emailProtection 1.3.6.1.5.5.7.3.4
+ 
+-id-kp-timeStamping 1.3.6.1.5.5.7.3.8
++id\-kp\-timeStamping 1.3.6.1.5.5.7.3.8
+ 
+-id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9
++id\-kp\-OCSPSigning 1.3.6.1.5.5.7.3.9
+ 
+-id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4
++id\-pkinit\-KPClientAuth 1.3.6.1.5.2.3.4
+ 
+-id-pkinit-KPKdc 1.3.6.1.5.2.3.5
++id\-pkinit\-KPKdc 1.3.6.1.5.2.3.5
+ 
+-id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2
++id\-ms\-kp\-sc\-logon 1.3.6.1.4.1.311.20.2.2
+ .TP
+-\fB\-K\fR NAME
++\fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR
+ Add an extensionRequest for a subjectAltName, with the specified Kerberos
+ principal name as its value, to the signing request.
+ .TP
+-\fB\-E\fR EMAIL
++\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR
+ Add an extensionRequest for a subjectAltName, with the specified email
+ address as its value, to the signing request.
+ .TP
+-\fB\-D\fR DNSNAME
++\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR
+ Add an extensionRequest for a subjectAltName, with the specified DNS name
+ as its value, to the signing request.
+ .TP
+-\fB\-A\fR ADDRESS
++\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR
+ Add an extensionRequest for a subjectAltName, with the specified IP address
+ as its value, to the signing request.
+ .TP
+-\fB\-l\fR FILE
++\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR
+ Add an optional ChallengePassword value, read from the file, to the signing
+ request. A ChallengePassword is often required when the CA is accessed using
+ SCEP.
+ .TP
+-\fB\-L\fR PIN
++\fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR
+ Add the argument value to the signing request as a ChallengePassword attribute.
+ A ChallengePassword is often required when the CA is accessed using SCEP.
+ 
+ .SH OTHER OPTIONS
+ .TP
+-\fB\-B\fR COMMAND
++\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR
+ When ever the certificate or the CA's certificates are saved to the
+ specified locations, run the specified command as the client user before
+ saving the certificates.
+ .TP
+-\fB\-C\fR COMMAND
++\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR
+ When ever the certificate or the CA's certificates are saved to the
+ specified locations, run the specified command as the client user after
+ saving the certificates.
+ .TP
+-\fB\-a\fR DIR
++\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR
+ When ever the certificate is saved to the specified location, if root
+ certificates for the CA are available, save them to the specified NSS database.
+ .TP
+-\fB\-F\fR FILE
++\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR
+ When ever the certificate is saved to the specified location, if root
+ certificates for the CA are available, and when the local copies of the
+ CA's root certificates are updated, save them to the specified file.
+ .TP
+-\fB\-w\fR
++\fB\-\-for\-ca\fR
++Request a CA certificate.
++.TP
++\fB\-\-not\-for\-ca\fR
++Request a non\-CA certificate (the default).
++.TP
++\fB\-\-ca\-path\-length\fR=\fILENGTH\fR
++Path length for CA certificate. Only valid with \-\-for\-ca.
++.TP
++\fB\-w\fR, \fB\-\-wait\fR
+ Wait for the certificate to be issued and saved, or for the attempt to obtain
+ one to fail.
+ .TP
+-\fB\-v\fR
++\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR
++Maximum time to wait for the certificate to be issued.
++.TP
++\fB\-v\fR, \fB\-\-verbose\fR
+ Be verbose about errors. Normally, the details of an error received from
+ the daemon will be suppressed if the client can make a diagnostic suggestion.
+-
++\fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR
++After generation set the owner on the private key file or database to OWNER.
++.TP
++\fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR
++After generation set the file permissions on the private key file or database to MODE.
++.TP
++\fB\-O\fR \fIOWNER\fR, \fR\-\-cert\-owner\fR=\fIOWNER\fR
++After generation set the owner on the certificate file or database to OWNER.
++.TP
++\fB\-M\fR \fIMODE\fR, \fR\-\-cert\-perms\fR=\fIMODE\fR
++After generation set the file permissions on the certificate file or database to MODE.
++.SH BUS OPTIONS
++\fB\-s\fR, \fB\-\-session\fR
++Connect to certmonger on the session bus rather than the system bus.
++.TP
++\fB\-S\fR, \fB\-\-system\fR
++Connect to certmonger on the system bus rather than the session bus. This
++is the default.
+ .SH NOTES
+ Locations specified for key and certificate storage need to be
+ accessible to the \fIcertmonger\fR daemon process. When run as a system
+@@ -219,7 +248,7 @@ daemon on a system which uses a mandatory access control mechanism such
+ as SELinux, the system policy must ensure that the daemon is allowed to
+ access the locations where certificates and keys that it will manage
+ will be stored (these locations are typically labeled as \fIcert_t\fR or
+-an equivalent). More SELinux-specific information can be found in the
++an equivalent). More SELinux\-specific information can be found in the
+ \fIselinux.txt\fR documentation file for this package.
+ 
+ .SH BUGS
+@@ -228,23 +257,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger
+ .SH SEE ALSO
+ \fBcertmonger\fR(8)
+ \fBgetcert\fR(1)
+-\fBgetcert-add-ca\fR(1)
+-\fBgetcert-add-scep-ca\fR(1)
+-\fBgetcert-list-cas\fR(1)
+-\fBgetcert-list\fR(1)
+-\fBgetcert-modify-ca\fR(1)
+-\fBgetcert-refresh-ca\fR(1)
+-\fBgetcert-refresh\fR(1)
+-\fBgetcert-rekey\fR(1)
+-\fBgetcert-remove-ca\fR(1)
+-\fBgetcert-resubmit\fR(1)
+-\fBgetcert-start-tracking\fR(1)
+-\fBgetcert-status\fR(1)
+-\fBgetcert-stop-tracking\fR(1)
+-\fBcertmonger-certmaster-submit\fR(8)
+-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8)
+-\fBcertmonger-dogtag-submit\fR(8)
+-\fBcertmonger-ipa-submit\fR(8)
+-\fBcertmonger-local-submit\fR(8)
+-\fBcertmonger-scep-submit\fR(8)
++\fBgetcert\-add\-ca\fR(1)
++\fBgetcert\-add\-scep\-ca\fR(1)
++\fBgetcert\-list\-cas\fR(1)
++\fBgetcert\-list\fR(1)
++\fBgetcert\-modify\-ca\fR(1)
++\fBgetcert\-refresh\-ca\fR(1)
++\fBgetcert\-refresh\fR(1)
++\fBgetcert\-rekey\fR(1)
++\fBgetcert\-remove\-ca\fR(1)
++\fBgetcert\-resubmit\fR(1)
++\fBgetcert\-start\-tracking\fR(1)
++\fBgetcert\-status\fR(1)
++\fBgetcert\-stop\-tracking\fR(1)
++\fBcertmonger\-certmaster\-submit\fR(8)
++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8)
++\fBcertmonger\-dogtag\-submit\fR(8)
++\fBcertmonger\-ipa\-submit\fR(8)
++\fBcertmonger\-local\-submit\fR(8)
++\fBcertmonger\-scep\-submit\fR(8)
+ \fBcertmonger_selinux\fR(8)
+diff --git a/src/getcert-resubmit.1.in b/src/getcert-resubmit.1.in
+index f9e6bb1..aefea51 100644
+--- a/src/getcert-resubmit.1.in
++++ b/src/getcert-resubmit.1.in
+@@ -1,4 +1,4 @@
+-.TH certmonger 1 "9 February 2015" "certmonger Manual"
++.TH CERTMONGER 1 "February 9, 2015" "certmonger Manual"
+ 
+ .SH NAME
+ getcert
+@@ -12,7 +12,7 @@ submit (or resubmit) the signing request to a CA for signing.
+ 
+ .SH SPECIFYING REQUESTS BY NICKNAME
+ .TP
+-\fB\-i\fR NAME
++\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR
+ Resubmit a signing request for the tracking request which has this nickname.
+ If this option is not specified, and a tracking entry which matches the key
+ and certificate storage options which are specified already exists, that entry
+@@ -22,50 +22,50 @@ with the \fB\-f\fR option.
+ 
+ .SH SPECIFYING REQUESTS BY CERTIFICATE LOCATION
+ .TP
+-\fB\-d\fR DIR
++\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR
+ The certificate is in the NSS database in the specified directory.
+ .TP
+-\fB\-n\fR NAME
++\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR
+ The certificate in the NSS database named with \fB\-d\fR has the specified
+ nickname. Only valid with \fB\-d\fR.
+ .TP
+-\fB\-t\fR TOKEN
++\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR
+ If the NSS database has more than one token available, the certificate
+ is stored in this token. This argument only rarely needs to be specified.
+ Only valid with \fB\-d\fR.
+ .TP
+-\fB\-f\fR FILE
++\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR
+ The certificate is stored in the named file.
+ 
+ .SH ENROLLMENT OPTIONS
+ .TP
+-\fB\-c\fR NAME
++\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
+ Submit the new signing request to the specified CA rather than the one which
+ was previously associated with this certificate. The name of
+-the CA should correspond to one listed by \fIgetcert list-cas\fR.
++the CA should correspond to one listed by \fIgetcert list\-cas\fR.
+ .TP
+-\fB\-T\fR NAME
++\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR
+ Request a certificate using the named profile, template, or certtype,
+ from the specified CA.
+ .TP
+-\fB\-\-ms-template-spec\fR SPEC
++\fB\-\-ms\-template\-spec\fR \fISPEC\fR
+ Include a V2 Certificate Template extension in the signing request.
+ This datum includes an Object Identifier, a major version number
+ (positive integer) and an optional minor version number. 
The format + is: \fB:[:]\fR. + .TP +-\fB\-X\fR NAME ++\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR + Request a certificate using the named issuer from the specified CA. + .TP +-\fB\-I\fR NAME ++\fB\-I\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR + Assign the specified nickname to this task, replacing the previous nickname. + + .SH SIGNING REQUEST OPTIONS + .TP +-\fB\-N\fR NAME ++\fB\-N\fR \fINAME\fR, \fB\-\-subject\-name\fR=\fINAME\fR + Change the subject name to include in the signing request. + .TP +-\fB\-u\fR keyUsage ++\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR + Add an extensionRequest for the specified keyUsage to the + signing request. The keyUsage value is expected to be one of these names: + +@@ -87,64 +87,84 @@ encipherOnly + + decipherOnly + .TP +-\fB\-U\fR EKU +++\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR + Change the extendedKeyUsage value specified in an extendedKeyUsage + extension part of the extensionRequest attribute in the signing + request. The EKU value is expected to be an object identifier (OID). + .TP +-\fB\-K\fR NAME ++\fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR + Change the Kerberos principal name specified as part of a subjectAltName + extension part of the extensionRequest attribute in the signing request. + .TP +-\fB\-E\fR EMAIL ++\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR + Change the email address specified as part of a subjectAltName + extension part of the extensionRequest attribute in the signing request. + .TP +-\fB\-D\fR DNSNAME ++\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR + Change the DNS name specified as part of a subjectAltName extension part of the + extensionRequest attribute in the signing request. + .TP +-\fB\-A\fR ADDRESS ++\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR + Change the IP address specified as part of a subjectAltName extension part of + the extensionRequest attribute in the signing request. 
+ .TP +-\fB\-l\fR FILE ++\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR + Add an optional ChallengePassword value, read from the file, to the signing + request. A ChallengePassword is often required when the CA is accessed using + SCEP. + .TP +-\fB\-L\fR PIN ++\fB\-L\fR \fIPIN\fR, \fB\-\-challenge\-password\fR=\fIPIN\fR + Add the argument value to the signing request as a ChallengePassword attribute. + A ChallengePassword is often required when the CA is accessed using SCEP. + + .SH OTHER OPTIONS + .TP +-\fB\-B\fR COMMAND ++\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR + When ever the certificate or the CA's certificates are saved to the + specified locations, run the specified command as the client user before + saving the certificates. + .TP +-\fB\-C\fR COMMAND ++\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR + When ever the certificate or the CA's certificates are saved to the + specified locations, run the specified command as the client user after + saving the certificates. + .TP +-\fB\-a\fR DIR ++\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR + When ever the certificate is saved to the specified location, if root + certificates for the CA are available, save them to the specified NSS database. + .TP +-\fB\-F\fR FILE ++\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR + When ever the certificate is saved to the specified location, if root + certificates for the CA are available, and when the local copies of the + CA's root certificates are updated, save them to the specified file. + .TP +-\fB\-w\fR ++\fB\-\-for\-ca\fR ++Request a CA certificate. ++.TP ++\fB\-\-not\-for\-ca\fR ++Request a non\-CA certificate (the default). ++.TP ++\fB\-\-ca\-path\-length\fR=\fILENGTH\fR ++Path length for CA certificate. Only valid with \-\-for\-ca. ++.TP ++\fB\-w\fR, \fB\-\-wait\fR + Wait for the certificate to be reissued and saved, or for the attempt to obtain + one to fail. 
+ .TP +-\fB\-v\fR ++\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR ++Maximum time to wait for the certificate to be issued. ++.TP ++\fB\-v\fR, \fB\-\-verbose\fR + Be verbose about errors. Normally, the details of an error received from + the daemon will be suppressed if the client can make a diagnostic suggestion. ++\fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR ++After generation set the owner on the private key file or database to OWNER. ++\fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR ++After generation set the file permissions on the private key file or database to MODE. ++\fB\-O\fR \fIOWNER\fR, \fB\-\-cert\-owner\fR=\fIOWNER\fR ++After generation set the owner on the certificate file or database to OWNER. ++\fB\-M\fR \fIMODE\fR, \fB\-\-cert\-perms\fR=\fIMODE\fR ++After generation set the file permissions on the certificate file or database to MODE. + + .SH BUGS + Please file tickets for any that you find at https://fedorahosted.org/certmonger/ +@@ -152,23 +172,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger + .SH SEE ALSO + \fBcertmonger\fR(8) + \fBgetcert\fR(1) +-\fBgetcert-add-ca\fR(1) +-\fBgetcert-add-scep-ca\fR(1) +-\fBgetcert-list-cas\fR(1) +-\fBgetcert-list\fR(1) +-\fBgetcert-modify-ca\fR(1) +-\fBgetcert-refresh-ca\fR(1) +-\fBgetcert-refresh\fR(1) +-\fBgetcert-rekey\fR(1) +-\fBgetcert-remove-ca\fR(1) +-\fBgetcert-request\fR(1) +-\fBgetcert-start-tracking\fR(1) +-\fBgetcert-status\fR(1) +-\fBgetcert-stop-tracking\fR(1) +-\fBcertmonger-certmaster-submit\fR(8) +-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) +-\fBcertmonger-dogtag-submit\fR(8) +-\fBcertmonger-ipa-submit\fR(8) +-\fBcertmonger-local-submit\fR(8) +-\fBcertmonger-scep-submit\fR(8) ++\fBgetcert\-add\-ca\fR(1) ++\fBgetcert\-add\-scep\-ca\fR(1) ++\fBgetcert\-list\-cas\fR(1) ++\fBgetcert\-list\fR(1) ++\fBgetcert\-modify\-ca\fR(1) ++\fBgetcert\-refresh\-ca\fR(1) ++\fBgetcert\-refresh\fR(1) ++\fBgetcert\-rekey\fR(1) ++\fBgetcert\-remove\-ca\fR(1) 
++\fBgetcert\-request\fR(1) ++\fBgetcert\-start\-tracking\fR(1) ++\fBgetcert\-status\fR(1) ++\fBgetcert\-stop\-tracking\fR(1) ++\fBcertmonger\-certmaster\-submit\fR(8) ++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) ++\fBcertmonger\-dogtag\-submit\fR(8) ++\fBcertmonger\-ipa\-submit\fR(8) ++\fBcertmonger\-local\-submit\fR(8) ++\fBcertmonger\-scep\-submit\fR(8) + \fBcertmonger_selinux\fR(8) +diff --git a/src/getcert-start-tracking.1.in b/src/getcert-start-tracking.1.in +index f60e4a7..fff16f5 100644 +--- a/src/getcert-start-tracking.1.in ++++ b/src/getcert-start-tracking.1.in +@@ -1,13 +1,13 @@ +-.TH certmonger 1 "9 February 2015" "certmonger Manual" ++.TH CERTMONGER 1 "February 9, 2015" "certmonger Manual" + + .SH NAME + getcert + + .SH SYNOPSIS +-getcert start-tracking [options] ++getcert start\-tracking [options] + + .SH DESCRIPTION +-Tells \fIcertmonger\fR to monitor an already-issued certificate. ++Tells \fIcertmonger\fR to monitor an already\-issued certificate. + Optionally, when the certificate nears expiration, use an existing key + pair (or to generate one if one is not already found in the specified + location), to generate a signing request using the key pair and to +@@ -15,7 +15,7 @@ submit them for signing to a CA. + + .SH SPECIFYING EXISTING REQUESTS + .TP +-\fB\-i\fR NAME ++\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR + Modify the request which has this nickname. If this option is not specified, + and a tracking entry which matches the key and certificate storage options + which are specified already exists, that entry will be modified. Otherwise, a +@@ -23,27 +23,27 @@ new tracking entry will be added. + + .SH KEY AND CERTIFICATE STORAGE OPTIONS + .TP +-\fB\-d\fR DIR ++\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR + Use an NSS database in the specified directory for reading this + certificate and, if possible, the corresponding key. 
+ .TP +-\fB\-n\fR NAME ++\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR + Use the certificate with this nickname, and if a private key with the + same nickname or which corresponds to the certificate is available, to + use it, too. + Only valid with \fB\-d\fR. + .TP +-\fB\-t\fR TOKEN ++\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR + If the NSS database has more than one token available, use the token + with this name for accessing the certificate and key. This argument + only rarely needs to be specified. + Only valid with \fB\-d\fR. + .TP +-\fB\-f\fR FILE ++\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR + Read the certificate from this file. For safety's sake, do not use the + same file specified with the \fB\-k\fR option. + .TP +-\fB\-k\fR FILE ++\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR + Use the key stored in this file to generate a signing request for + refreshing the certificate. If no such file is found when needed, + generate a new key pair and store them in the file. +@@ -51,58 +51,58 @@ Only valid with \fB\-f\fR. + + .SH KEY ENCRYPTION OPTIONS + .TP +-\fB\-p\fR FILE ++\fB\-p\fR \fIFILE\fR, \fB\-\-pinfile\fR=\fIFILE\fR + The private key files or databases are encrypted using the PIN stored in the + named file as the passphrase. + .TP +-\fB\-P\fR PIN ++\fB\-P\fR \fIPIN\fR, \fB\-\-pin\fR=\fIPIN\fR + The private key files or databases are encrypted using the specified PIN as the +-passphrase. Because command-line arguments to running processes are trivially ++passphrase. Because command\-line arguments to running processes are trivially + discoverable, use of this option is not recommended except for testing. + + .SH TRACKING OPTIONS + .TP +-\fB\-I\fR NAME ++\fB\-I\fR \fINAME\fR, \fB\-\-new\-id\fR=\fINAME\fR + Assign the specified nickname to this task. If this option is not specified, + a name will be assigned automatically. 
+ .TP +-\fB\-r\fR ++\fB\-r\fR, \fB\-\-renew\fR + Attempt to obtain a new certificate from the CA when the expiration date of a + certificate nears. This is the default setting. + .TP +-\fB\-R\fR ++\fB\-R\fR, \fB\-\-no\-renew\fR + Don't attempt to obtain a new certificate from the CA when the expiration date + of a certificate nears. If this option is specified, an expired certificate + will simply stay expired. + + .SH ENROLLMENT OPTIONS + .TP +-\fB\-c\fR NAME ++\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR + Enroll with the specified CA rather than a possible default. The name of +-the CA should correspond to one listed by \fIgetcert list-cas\fR. Only ++the CA should correspond to one listed by \fIgetcert list\-cas\fR. Only + useful in combination with \fB\-r\fR. + .TP +-\fB\-T\fR NAME ++\fB\-T\fR \fINAME\fR, \fB\-\-profile\fR=\fINAME\fR + Request a certificate using the named profile, template, or certtype, + from the specified CA. + .TP +-\fB\-\-ms-template-spec\fR SPEC ++\fB\-\-ms\-template\-spec\fR \fISPEC\fR + Include a V2 Certificate Template extension in the signing request. + This datum includes an Object Identifier, a major version number + (positive integer) and an optional minor version number. The format + is: \fB:[:]\fR. + .TP +-\fB\-X\fR NAME ++\fB\-X\fR \fINAME\fR, \fB\-\-issuer\fR=\fINAME\fR + Request a certificate using the named issuer from the specified CA. + + .SH SIGNING REQUEST OPTIONS + If and when \fIcertmonger\fR attempts to obtain a new certificate to replace + the one being monitored, the values to be added to the signing request will be + taken from the current certificate, unless preferred values are set using one +-or more of \fB-u\R, \fB\-U\fR, \fB\-K\fR, \fB\-E\fR, and \fB\-D\fR. ++or more of \fB\-u\R, \fB\-U\fR, \fB\-K\fR, \fB\-E\fR, and \fB\-D\fR. + + .TP +-\fB\-u\fR keyUsage ++\fB\-u\fR \fIkeyUsage\fR, \fB\-\-key\-usage\fR=\fIkeyUsage\fR + Add an extensionRequest for the specified keyUsage to the + signing request. 
The keyUsage value is expected to be one of these names: + +@@ -124,64 +124,86 @@ encipherOnly + + decipherOnly + .TP +-\fB\-U\fR EKU ++\fB\-U\fR \fIEKU\fR, \fB\-\-extended\-key\-usage\fR=\fIEKU\fR + Add an extensionRequest for the specified extendedKeyUsage to the + signing request. The EKU value is expected to be an object identifier + (OID). + .TP +-\fB\-K\fR NAME ++\fB\-K\fR \fINAME\fR, \fB\-\-principal\fR=\fINAME\fR + Add an extensionRequest for a subjectAltName, with the specified Kerberos + principal name as its value, to the signing request. + .TP +-\fB\-E\fR EMAIL ++\fB\-E\fR \fIEMAIL\fR, \fB\-\-email\fR=\fIEMAIL\fR + Add an extensionRequest for a subjectAltName, with the specified email + address as its value, to the signing request. + .TP +-\fB\-D\fR DNSNAME ++\fB\-D\fR \fIDNSNAME\fR, \fB\-\-dns\fR=\fIDNSNAME\fR + Add an extensionRequest for a subjectAltName, with the specified DNS name + as its value, to the signing request. +-\fB\-A\fR ADDRESS ++\fB\-A\fR \fIADDRESS\fR, \fB\-\-ip\-address\fR=\fIADDRESS\fR + Add an extensionRequest for a subjectAltName, with the specified IP address + as its value, to the signing request. + .TP +-\fB\-l\fR FILE ++\fB\-l\fR \fIFILE\fR, \fB\-\-challenge\-password\-file\fR=\fIFILE\fR + Add an optional ChallengePassword value, read from the file, to the signing + request. A ChallengePassword is often required when the CA is accessed using + SCEP. + .TP +-\fB\-L\fR PIN ++\fB\-L\fR \fIPASSWORD\fR, \fB\-\-challenge\-password\fR=\fIPASSWORD\fR + Add the argument value to the signing request as a ChallengePassword attribute. + A ChallengePassword is often required when the CA is accessed using SCEP. + + .SH OTHER OPTIONS + .TP +-\fB\-B\fR COMMAND ++\fB\-B\fR \fICOMMAND\fR, \fB\-\-before\-command\fR=\fICOMMAND\fR + When ever the certificate or the CA's certificates are saved to the + specified locations, run the specified command as the client user before + saving the certificates. 
+ .TP +-\fB\-C\fR COMMAND ++\fB\-C\fR \fICOMMAND\fR, \fB\-\-after\-command\fR=\fICOMMAND\fR + When ever the certificate or the CA's certificates are saved to the + specified locations, run the specified command as the client user after + saving the certificates. + .TP +-\fB\-a\fR DIR ++\fB\-a\fR \fIDIR\fR, \fB\-\-ca\-dbdir\fR=\fIDIR\fR + When ever the certificate is saved to the specified location, if root + certificates for the CA are available, save them to the specified NSS database. + .TP +-\fB\-F\fR FILE ++\fB\-F\fR \fIFILE\fR, \fB\-\-ca\-file\fR=\fIFILE\fR + When ever the certificate is saved to the specified location, if root + certificates for the CA are available, and when the local copies of the + CA's root certificates are updated, save them to the specified file. + .TP +-\fB\-w\fR ++\fB\-w\fR, \fB\-\-wait\fR + Wait for the certificate to become valid or to be reissued and saved, or for + the attempt to obtain a new one to fail. + .TP +-\fB\-v\fR ++\fB\-\-wait\-timeout\fR=\fITIMEOUT\fR ++Maximum time to wait for the certificate to be issued. ++.TP ++\fB\-v\fR, \fB\-\-verbose\fR + Be verbose about errors. Normally, the details of an error received from + the daemon will be suppressed if the client can make a diagnostic suggestion. +- ++.TP ++\fB\-o\fR \fIOWNER\fR, \fB\-\-key\-owner\fR=\fIOWNER\fR ++After generation set the owner on the private key file or database to OWNER. ++.TP ++\fB\-m\fR \fIMODE\fR, \fB\-\-key\-perms\fR=\fIMODE\fR ++After generation set the file permissions on the private key file or database to MODE. ++.TP ++\fB\-O\fR \fIOWNER\fR, \fR\-\-cert\-owner\fR=\fIOWNER\fR ++After generation set the owner on the certificate file or database to OWNER. ++.TP ++\fB\-M\fR \fIMODE\fR, \fR\-\-cert\-perms\fR=\fIMODE\fR ++After generation set the file permissions on the certificate file or database to MODE. ++.SH BUS OPTIONS ++.TP ++\fB\-s\fR, \fB\-\-session\fR ++Connect to certmonger on the session bus rather than the system bus. 
++.TP ++\fB\-S\fR, \fB\-\-system\fR ++Connect to certmonger on the system bus rather than the session bus. This ++is the default. + .SH NOTES + Locations specified for key and certificate storage need to be + accessible to the \fIcertmonger\fR daemon process. When run as a system +@@ -189,7 +211,7 @@ daemon on a system which uses a mandatory access control mechanism such + as SELinux, the system policy must ensure that the daemon is allowed to + access the locations where certificates and keys that it will manage + will be stored (these locations are typically labeled as \fIcert_t\fR or +-an equivalent). More SELinux-specific information can be found in the ++an equivalent). More SELinux\-specific information can be found in the + \fIselinux.txt\fR documentation file for this package. + + .SH BUGS +@@ -198,23 +220,23 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger + .SH SEE ALSO + \fBcertmonger\fR(8) + \fBgetcert\fR(1) +-\fBgetcert-add-ca\fR(1) +-\fBgetcert-add-scep-ca\fR(1) +-\fBgetcert-list-cas\fR(1) +-\fBgetcert-list\fR(1) +-\fBgetcert-modify-ca\fR(1) +-\fBgetcert-refresh-ca\fR(1) +-\fBgetcert-refresh\fR(1) +-\fBgetcert-rekey\fR(1) +-\fBgetcert-remove-ca\fR(1) +-\fBgetcert-request\fR(1) +-\fBgetcert-resubmit\fR(1) +-\fBgetcert-status\fR(1) +-\fBgetcert-stop-tracking\fR(1) +-\fBcertmonger-certmaster-submit\fR(8) +-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) +-\fBcertmonger-dogtag-submit\fR(8) +-\fBcertmonger-ipa-submit\fR(8) +-\fBcertmonger-local-submit\fR(8) +-\fBcertmonger-scep-submit\fR(8) ++\fBgetcert\-add\-ca\fR(1) ++\fBgetcert\-add\-scep\-ca\fR(1) ++\fBgetcert\-list\-cas\fR(1) ++\fBgetcert\-list\fR(1) ++\fBgetcert\-modify\-ca\fR(1) ++\fBgetcert\-refresh\-ca\fR(1) ++\fBgetcert\-refresh\fR(1) ++\fBgetcert\-rekey\fR(1) ++\fBgetcert\-remove\-ca\fR(1) ++\fBgetcert\-request\fR(1) ++\fBgetcert\-resubmit\fR(1) ++\fBgetcert\-status\fR(1) ++\fBgetcert\-stop\-tracking\fR(1) ++\fBcertmonger\-certmaster\-submit\fR(8) 
++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) ++\fBcertmonger\-dogtag\-submit\fR(8) ++\fBcertmonger\-ipa\-submit\fR(8) ++\fBcertmonger\-local\-submit\fR(8) ++\fBcertmonger\-scep\-submit\fR(8) + \fBcertmonger_selinux\fR(8) +diff --git a/src/getcert-status.1.in b/src/getcert-status.1.in +index 071d393..da2fbc6 100644 +--- a/src/getcert-status.1.in ++++ b/src/getcert-status.1.in +@@ -1,4 +1,4 @@ +-.TH certmonger 1 "13 June 2014" "certmonger Manual" ++.TH CERTMONGER 1 "June 13, 2014" "certmonger Manual" + + .SH NAME + getcert +@@ -12,18 +12,18 @@ request and sets an exit status to reflect that status. + + .SH SELECTION OPTIONS + .TP +-\fB\-d\fR DIR ++\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR + Check that status of a certificate in the named NSS database. Must be +-specified with the \fB-n\fR option. ++specified with the \fB\-n\fR option. + .TP +-\fB\-n\fR NAME ++\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR + Check that status of a certificate in with the specified nickname. Must be +-specified with the \fB-d\fR option. ++specified with the \fB\-d\fR option. + .TP +-\fB\-f\fR FILE ++\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR + Check that status of a certificate stored in the specified PEM file. + .TP +-\fB\-i\fR NAME ++\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR + Check that status of a certificate with the specified request nickname. 
+ + .SH EXIT STATUS +@@ -53,24 +53,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger + .SH SEE ALSO + \fBcertmonger\fR(8) + \fBgetcert\fR(1) +-\fBgetcert-add-ca\fR(1) +-\fBgetcert-add-scep-ca\fR(1) +-\fBgetcert-list-cas\fR(1) +-\fBgetcert-list\fR(1) +-\fBgetcert-modify-ca\fR(1) +-\fBgetcert-refresh-ca\fR(1) +-\fBgetcert-refresh\fR(1) +-\fBgetcert-rekey\fR(1) +-\fBgetcert-remove-ca\fR(1) +-\fBgetcert-request\fR(1) +-\fBgetcert-resubmit\fR(1) +-\fBgetcert-start-tracking\fR(1) +-\fBgetcert-status\fR(1) +-\fBgetcert-stop-tracking\fR(1) +-\fBcertmonger-certmaster-submit\fR(8) +-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) +-\fBcertmonger-dogtag-submit\fR(8) +-\fBcertmonger-ipa-submit\fR(8) +-\fBcertmonger-local-submit\fR(8) +-\fBcertmonger-scep-submit\fR(8) ++\fBgetcert\-add\-ca\fR(1) ++\fBgetcert\-add\-scep\-ca\fR(1) ++\fBgetcert\-list\-cas\fR(1) ++\fBgetcert\-list\fR(1) ++\fBgetcert\-modify\-ca\fR(1) ++\fBgetcert\-refresh\-ca\fR(1) ++\fBgetcert\-refresh\fR(1) ++\fBgetcert\-rekey\fR(1) ++\fBgetcert\-remove\-ca\fR(1) ++\fBgetcert\-request\fR(1) ++\fBgetcert\-resubmit\fR(1) ++\fBgetcert\-start\-tracking\fR(1) ++\fBgetcert\-status\fR(1) ++\fBgetcert\-stop\-tracking\fR(1) ++\fBcertmonger\-certmaster\-submit\fR(8) ++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) ++\fBcertmonger\-dogtag\-submit\fR(8) ++\fBcertmonger\-ipa\-submit\fR(8) ++\fBcertmonger\-local\-submit\fR(8) ++\fBcertmonger\-scep\-submit\fR(8) + \fBcertmonger_selinux\fR(8) +diff --git a/src/getcert-stop-tracking.1.in b/src/getcert-stop-tracking.1.in +index a8657f3..96345d1 100644 +--- a/src/getcert-stop-tracking.1.in ++++ b/src/getcert-stop-tracking.1.in +@@ -1,10 +1,10 @@ +-.TH certmonger 1 "3 November 2009" "certmonger Manual" ++.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual" + + .SH NAME + getcert + + .SH SYNOPSIS +-getcert stop-tracking [options] ++getcert stop\-tracking [options] + + .SH DESCRIPTION + Tells \fIcertmonger\fR to stop monitoring or 
attempting to obtain or +@@ -12,7 +12,7 @@ refresh a certificate. + + .SH TRACKING OPTIONS + .TP +-\fB\-i\fR NAME ++\fB\-i\fR \fINAME\fR, \fB\-\-id\fR=\fINAME\fR + The certificate was tracked using the request with the specified nickname. + If this option is not specified, some combination of \fB\-d\fR and + \fB\-n\fR or \fB\-f\fR can be used to specify which certificate should +@@ -20,55 +20,62 @@ henceforth be forgotten. + + .SH KEY AND CERTIFICATE STORAGE OPTIONS + .TP +-\fB\-d\fR DIR ++\fB\-d\fR \fIDIR\fR, \fR\-\-dbdir\fR=\fIDIR\fR + The certificate is the one stored in the specified NSS database. + .TP +-\fB\-n\fR NAME ++\fB\-n\fR \fINAME\fR, \fR\-\-nickname\fR=\fINAME\fR + The certificate is the one which has this nickname. Only valid with + \fB\-d\fR. + .TP +-\fB\-t\fR TOKEN ++\fB\-t\fR \fITOKEN\fR, \fB\-\-token\fR=\fITOKEN\fR + If the NSS database has more than one token available, the certificate + is stored in this token. This argument only rarely needs to be + specified. + Only valid with \fB\-d\fR. + .TP +-\fB\-f\fR FILE ++\fB\-f\fR \fIFILE\fR, \fB\-\-certfile\fR=\fIFILE\fR + The certificate is or was to be stored in this file. + .TP +-\fB\-k\fR FILE ++\fB\-k\fR \fIFILE\fR, \fB\-\-keyfile\fR=\fIFILE\fR + The private key is or was to be stored in this file. + Only valid with \fB\-f\fR. + + .SH OTHER OPTIONS + .TP +-\fB\-v\fR ++\fB\-v\fR, \fB\-\-verbose\fR + Be verbose about errors. Normally, the details of an error received from + the daemon will be suppressed if the client can make a diagnostic suggestion. +- ++.SH BUS OPTIONS ++.TP ++\fB\-s\fR, \fB\-\-session\fR ++Connect to certmonger on the session bus rather than the system bus. ++.TP ++\fB\-S\fR, \fB\-\-system\fR ++Connect to certmonger on the system bus rather than the session bus. This ++is the default. 
+ .SH BUGS + Please file tickets for any that you find at https://fedorahosted.org/certmonger/ + + .SH SEE ALSO + \fBcertmonger\fR(8) + \fBgetcert\fR(1) +-\fBgetcert-add-ca\fR(1) +-\fBgetcert-add-scep-ca\fR(1) +-\fBgetcert-list-cas\fR(1) +-\fBgetcert-list\fR(1) +-\fBgetcert-modify-ca\fR(1) +-\fBgetcert-refresh-ca\fR(1) +-\fBgetcert-refresh\fR(1) +-\fBgetcert-rekey\fR(1) +-\fBgetcert-remove-ca\fR(1) +-\fBgetcert-request\fR(1) +-\fBgetcert-resubmit\fR(1) +-\fBgetcert-start-tracking\fR(1) +-\fBgetcert-status\fR(1) +-\fBcertmonger-certmaster-submit\fR(8) +-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) +-\fBcertmonger-dogtag-submit\fR(8) +-\fBcertmonger-ipa-submit\fR(8) +-\fBcertmonger-local-submit\fR(8) +-\fBcertmonger-scep-submit\fR(8) ++\fBgetcert\-add\-ca\fR(1) ++\fBgetcert\-add\-scep\-ca\fR(1) ++\fBgetcert\-list\-cas\fR(1) ++\fBgetcert\-list\fR(1) ++\fBgetcert\-modify\-ca\fR(1) ++\fBgetcert\-refresh\-ca\fR(1) ++\fBgetcert\-refresh\fR(1) ++\fBgetcert\-rekey\fR(1) ++\fBgetcert\-remove\-ca\fR(1) ++\fBgetcert\-request\fR(1) ++\fBgetcert\-resubmit\fR(1) ++\fBgetcert\-start\-tracking\fR(1) ++\fBgetcert\-status\fR(1) ++\fBcertmonger\-certmaster\-submit\fR(8) ++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) ++\fBcertmonger\-dogtag\-submit\fR(8) ++\fBcertmonger\-ipa\-submit\fR(8) ++\fBcertmonger\-local\-submit\fR(8) ++\fBcertmonger\-scep\-submit\fR(8) + \fBcertmonger_selinux\fR(8) +diff --git a/src/getcert.1.in b/src/getcert.1.in +index 7380f49..8669c76 100644 +--- a/src/getcert.1.in ++++ b/src/getcert.1.in +@@ -1,4 +1,4 @@ +-.TH certmonger 1 "3 November 2009" "certmonger Manual" ++.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual" + + .SH NAME + getcert +@@ -6,12 +6,12 @@ getcert + .SH SYNOPSIS + getcert request [options] + getcert resubmit [options] +- getcert start-tracking [options] ++ getcert start\-tracking [options] + getcert status [options] +- getcert stop-tracking [options] ++ getcert stop\-tracking [options] + getcert list [options] +- getcert 
list-cas [options] +- getcert refresh-cas [options] ++ getcert list\-cas [options] ++ getcert refresh\-cas [options] + + .SH DESCRIPTION + The \fIgetcert\fR tool issues requests to a @CM_DBUS_NAME@ service on +@@ -22,7 +22,7 @@ expiration, and optionally to refresh it when expiration nears, it can + list the set of certificates that the service is already monitoring, or + it can list the set of CAs that the service is capable of using. + +-If no command is given as the first command-line argument, \fIgetcert\fR ++If no command is given as the first command\-line argument, \fIgetcert\fR + will print short usage information for each of its functions. + + If \fIgetcert\fR is invoked by a user with UID 0, and there is no system bus +@@ -32,7 +32,7 @@ available, \fIgetcert\fR will attempt to launch a temporary copy of the + .SH COMMON ARGUMENTS + If \fI@CERTMONGER_PVT_ADDRESS_ENV@\fR is set in the environment, \fIgetcert\fR + contacts the service directly at the specified location. +-All commands can take either the \fB-s\fR or \fB-S\fR arguments, which instruct ++All commands can take either the \fB\-s\fR or \fB\-S\fR arguments, which instruct + \fIgetcert\fR to contact the @CM_DBUS_NAME@ service on the session or system + bus, if no value is set. By default, \fIgetcert\fR consults the @CM_DBUS_NAME@ + service attached to the system bus. 
+@@ -42,24 +42,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger + + .SH SEE ALSO + \fBcertmonger\fR(8) +-\fBgetcert-add-ca\fR(1) +-\fBgetcert-add-scep-ca\fR(1) +-\fBgetcert-list-cas\fR(1) +-\fBgetcert-list\fR(1) +-\fBgetcert-modify-ca\fR(1) +-\fBgetcert-refresh-ca\fR(1) +-\fBgetcert-refresh\fR(1) +-\fBgetcert-rekey\fR(1) +-\fBgetcert-remove-ca\fR(1) +-\fBgetcert-request\fR(1) +-\fBgetcert-resubmit\fR(1) +-\fBgetcert-start-tracking\fR(1) +-\fBgetcert-status\fR(1) +-\fBgetcert-stop-tracking\fR(1) +-\fBcertmonger-certmaster-submit\fR(8) +-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) +-\fBcertmonger-dogtag-submit\fR(8) +-\fBcertmonger-ipa-submit\fR(8) +-\fBcertmonger-local-submit\fR(8) +-\fBcertmonger-scep-submit\fR(8) ++\fBgetcert\-add\-ca\fR(1) ++\fBgetcert\-add\-scep\-ca\fR(1) ++\fBgetcert\-list\-cas\fR(1) ++\fBgetcert\-list\fR(1) ++\fBgetcert\-modify\-ca\fR(1) ++\fBgetcert\-refresh\-ca\fR(1) ++\fBgetcert\-refresh\fR(1) ++\fBgetcert\-rekey\fR(1) ++\fBgetcert\-remove\-ca\fR(1) ++\fBgetcert\-request\fR(1) ++\fBgetcert\-resubmit\fR(1) ++\fBgetcert\-start\-tracking\fR(1) ++\fBgetcert\-status\fR(1) ++\fBgetcert\-stop\-tracking\fR(1) ++\fBcertmonger\-certmaster\-submit\fR(8) ++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) ++\fBcertmonger\-dogtag\-submit\fR(8) ++\fBcertmonger\-ipa\-submit\fR(8) ++\fBcertmonger\-local\-submit\fR(8) ++\fBcertmonger\-scep\-submit\fR(8) + \fBcertmonger_selinux\fR(8) +diff --git a/src/ipa-getcert.1.in b/src/ipa-getcert.1.in +index a1d36d5..f1b3682 100644 +--- a/src/ipa-getcert.1.in ++++ b/src/ipa-getcert.1.in +@@ -1,20 +1,20 @@ +-.TH certmonger 1 "3 November 2009" "certmonger Manual" ++.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual" + + .SH NAME +-ipa-getcert ++ipa\-getcert + + .SH SYNOPSIS +- ipa-getcert request [options] +- ipa-getcert resubmit [options] +- ipa-getcert start-tracking [options] +- ipa-getcert status [options] +- ipa-getcert stop-tracking [options] +- ipa-getcert list 
[options] +- ipa-getcert list-cas [options] +- ipa-getcert refresh-cas [options] ++ ipa\-getcert request [options] ++ ipa\-getcert resubmit [options] ++ ipa\-getcert start\-tracking [options] ++ ipa\-getcert status [options] ++ ipa\-getcert stop\-tracking [options] ++ ipa\-getcert list [options] ++ ipa\-getcert list\-cas [options] ++ ipa\-getcert refresh\-cas [options] + + .SH DESCRIPTION +-The \fIipa-getcert\fR tool issues requests to a @CM_DBUS_NAME@ ++The \fIipa\-getcert\fR tool issues requests to a @CM_DBUS_NAME@ + service on behalf of the invoking user. It can ask the service to begin + enrollment, optionally generating a key pair to use, it can ask the + service to begin monitoring a certificate in a specified location for +@@ -22,17 +22,17 @@ expiration, and optionally to refresh it when expiration nears, it can + list the set of certificates that the service is already monitoring, or + it can list the set of CAs that the service is capable of using. + +-If no command is given as the first command-line argument, +-\fIipa-getcert\fR will print short usage information for each of ++If no command is given as the first command\-line argument, ++\fIipa\-getcert\fR will print short usage information for each of + its functions. + +-The \fIipa-getcert\fR tool behaves identically to the generic +-\fIgetcert\fR tool when it is used with the \fB-c ++The \fIipa\-getcert\fR tool behaves identically to the generic ++\fIgetcert\fR tool when it is used with the \fB\-c + \fI@CM_IPA_CA_NAME@\fR option. + + \fBcertmonger\fR supports retrieving trusted certificates from IPA CAs. See +-\fBgetcert-request\fR(1) and \fBgetcert-resubmit\fR(1) for information about +-using the \fB-F\fR and \fB-a\fR options to specify where those certificates ++\fBgetcert\-request\fR(1) and \fBgetcert\-resubmit\fR(1) for information about ++using the \fB\-F\fR and \fB\-a\fR options to specify where those certificates + should be stored. 
+ + .SH BUGS +@@ -41,24 +41,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger + .SH SEE ALSO + \fBcertmonger\fR(8) + \fBgetcert\fR(1) +-\fBgetcert-add-ca\fR(1) +-\fBgetcert-add-scep-ca\fR(1) +-\fBgetcert-list-cas\fR(1) +-\fBgetcert-list\fR(1) +-\fBgetcert-modify-ca\fR(1) +-\fBgetcert-refresh-ca\fR(1) +-\fBgetcert-refresh\fR(1) +-\fBgetcert-rekey\fR(1) +-\fBgetcert-remove-ca\fR(1) +-\fBgetcert-request\fR(1) +-\fBgetcert-resubmit\fR(1) +-\fBgetcert-start-tracking\fR(1) +-\fBgetcert-status\fR(1) +-\fBgetcert-stop-tracking\fR(1) +-\fBcertmonger-certmaster-submit\fR(8) +-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) +-\fBcertmonger-dogtag-submit\fR(8) +-\fBcertmonger-ipa-submit\fR(8) +-\fBcertmonger-local-submit\fR(8) +-\fBcertmonger-scep-submit\fR(8) ++\fBgetcert\-add\-ca\fR(1) ++\fBgetcert\-add\-scep\-ca\fR(1) ++\fBgetcert\-list\-cas\fR(1) ++\fBgetcert\-list\fR(1) ++\fBgetcert\-modify\-ca\fR(1) ++\fBgetcert\-refresh\-ca\fR(1) ++\fBgetcert\-refresh\fR(1) ++\fBgetcert\-rekey\fR(1) ++\fBgetcert\-remove\-ca\fR(1) ++\fBgetcert\-request\fR(1) ++\fBgetcert\-resubmit\fR(1) ++\fBgetcert\-start\-tracking\fR(1) ++\fBgetcert\-status\fR(1) ++\fBgetcert\-stop\-tracking\fR(1) ++\fBcertmonger\-certmaster\-submit\fR(8) ++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) ++\fBcertmonger\-dogtag\-submit\fR(8) ++\fBcertmonger\-ipa\-submit\fR(8) ++\fBcertmonger\-local\-submit\fR(8) ++\fBcertmonger\-scep\-submit\fR(8) + \fBcertmonger_selinux\fR(8) +diff --git a/src/local-getcert.1.in b/src/local-getcert.1.in +index 526e31f..48a265b 100644 +--- a/src/local-getcert.1.in ++++ b/src/local-getcert.1.in +@@ -1,20 +1,20 @@ +-.TH certmonger 1 "7 June 2014" "certmonger Manual" ++.TH CERTMONGER 1 "June 7, 2014" "certmonger Manual" + + .SH NAME +-local-getcert ++local\-getcert + + .SH SYNOPSIS +- local-getcert request [options] +- local-getcert resubmit [options] +- local-getcert start-tracking [options] +- local-getcert status [options] +- local-getcert 
stop-tracking [options] +- local-getcert list [options] +- local-getcert list-cas [options] +- local-getcert refresh-cas [options] ++ local\-getcert request [options] ++ local\-getcert resubmit [options] ++ local\-getcert start\-tracking [options] ++ local\-getcert status [options] ++ local\-getcert stop\-tracking [options] ++ local\-getcert list [options] ++ local\-getcert list\-cas [options] ++ local\-getcert refresh\-cas [options] + + .SH DESCRIPTION +-The \fIlocal-getcert\fR tool issues requests to a @CM_DBUS_NAME@ ++The \fIlocal\-getcert\fR tool issues requests to a @CM_DBUS_NAME@ + service on behalf of the invoking user. It can ask the service to begin + enrollment, optionally generating a key pair to use, it can ask the + service to begin monitoring a certificate in a specified location for +@@ -22,17 +22,17 @@ expiration, and optionally to refresh it when expiration nears, it can + list the set of certificates that the service is already monitoring, or + it can list the set of CAs that the service is capable of using. + +-If no command is given as the first command-line argument, +-\fIlocal-getcert\fR will print short usage information for each of ++If no command is given as the first command\-line argument, ++\fIlocal\-getcert\fR will print short usage information for each of + its functions. + +-The \fIlocal-getcert\fR tool behaves identically to the generic +-\fIgetcert\fR tool when it is used with the \fB-c ++The \fIlocal\-getcert\fR tool behaves identically to the generic ++\fIgetcert\fR tool when it is used with the \fB\-c + \fIlocal\fR option. + +-\fBcertmonger\fR supports retrieving the list of current and previously-used +-local CA certificates. See \fBgetcert-request\fR(1) and +-\fBgetcert-resubmit\fR(1) for information about using the \fB-F\fR and \fB-a\fR ++\fBcertmonger\fR supports retrieving the list of current and previously\-used ++local CA certificates. 
See \fBgetcert\-request\fR(1) and ++\fBgetcert\-resubmit\fR(1) for information about using the \fB\-F\fR and \fB\-a\fR + options to specify where those certificates should be stored. + + .SH BUGS +@@ -41,24 +41,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger + .SH SEE ALSO + \fBcertmonger\fR(8) + \fBgetcert\fR(1) +-\fBgetcert-add-ca\fR(1) +-\fBgetcert-add-scep-ca\fR(1) +-\fBgetcert-list-cas\fR(1) +-\fBgetcert-list\fR(1) +-\fBgetcert-modify-ca\fR(1) +-\fBgetcert-refresh-ca\fR(1) +-\fBgetcert-refresh\fR(1) +-\fBgetcert-rekey\fR(1) +-\fBgetcert-remove-ca\fR(1) +-\fBgetcert-request\fR(1) +-\fBgetcert-resubmit\fR(1) +-\fBgetcert-start-tracking\fR(1) +-\fBgetcert-status\fR(1) +-\fBgetcert-stop-tracking\fR(1) +-\fBcertmonger-certmaster-submit\fR(8) +-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) +-\fBcertmonger-dogtag-submit\fR(8) +-\fBcertmonger-ipa-submit\fR(8) +-\fBcertmonger-local-submit\fR(8) +-\fBcertmonger-scep-submit\fR(8) ++\fBgetcert\-add\-ca\fR(1) ++\fBgetcert\-add\-scep\-ca\fR(1) ++\fBgetcert\-list\-cas\fR(1) ++\fBgetcert\-list\fR(1) ++\fBgetcert\-modify\-ca\fR(1) ++\fBgetcert\-refresh\-ca\fR(1) ++\fBgetcert\-refresh\fR(1) ++\fBgetcert\-rekey\fR(1) ++\fBgetcert\-remove\-ca\fR(1) ++\fBgetcert\-request\fR(1) ++\fBgetcert\-resubmit\fR(1) ++\fBgetcert\-start\-tracking\fR(1) ++\fBgetcert\-status\fR(1) ++\fBgetcert\-stop\-tracking\fR(1) ++\fBcertmonger\-certmaster\-submit\fR(8) ++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) ++\fBcertmonger\-dogtag\-submit\fR(8) ++\fBcertmonger\-ipa\-submit\fR(8) ++\fBcertmonger\-local\-submit\fR(8) ++\fBcertmonger\-scep\-submit\fR(8) + \fBcertmonger_selinux\fR(8) +diff --git a/src/selfsign-getcert.1.in b/src/selfsign-getcert.1.in +index 88389e8..d15c398 100644 +--- a/src/selfsign-getcert.1.in ++++ b/src/selfsign-getcert.1.in +@@ -1,20 +1,20 @@ +-.TH certmonger 1 "3 November 2009" "certmonger Manual" ++.TH CERTMONGER 1 "November 3, 2009" "certmonger Manual" + + .SH NAME 
+-selfsign-getcert ++selfsign\-getcert + + .SH SYNOPSIS +- selfsign-getcert request [options] +- selfsign-getcert resubmit [options] +- selfsign-getcert start-tracking [options] +- selfsign-getcert status [options] +- selfsign-getcert stop-tracking [options] +- selfsign-getcert list [options] +- selfsign-getcert list-cas [options] +- selfsign-getcert refresh-cas [options] ++ selfsign\-getcert request [options] ++ selfsign\-getcert resubmit [options] ++ selfsign\-getcert start\-tracking [options] ++ selfsign\-getcert status [options] ++ selfsign\-getcert stop\-tracking [options] ++ selfsign\-getcert list [options] ++ selfsign\-getcert list\-cas [options] ++ selfsign\-getcert refresh\-cas [options] + + .SH DESCRIPTION +-The \fIselfsign-getcert\fR tool issues requests to a @CM_DBUS_NAME@ ++The \fIselfsign\-getcert\fR tool issues requests to a @CM_DBUS_NAME@ + service on behalf of the invoking user. It can ask the service to begin + enrollment, optionally generating a key pair to use, it can ask the + service to begin monitoring a certificate in a specified location for +@@ -22,16 +22,16 @@ expiration, and optionally to refresh it when expiration nears, it can + list the set of certificates that the service is already monitoring, or + it can list the set of CAs that the service is capable of using. + +-If no command is given as the first command-line argument, +-\fIselfsign-getcert\fR will print short usage information for each of ++If no command is given as the first command\-line argument, ++\fIselfsign\-getcert\fR will print short usage information for each of + its functions. + +-The \fIselfsign-getcert\fR tool behaves identically to the generic +-\fIgetcert\fR tool when it is used with the \fB-c ++The \fIselfsign\-getcert\fR tool behaves identically to the generic ++\fIgetcert\fR tool when it is used with the \fB\-c + \fI@CM_SELF_SIGN_CA_NAME@\fR option. + +-\fBcertmonger\fR's self-signer doesn't use root certificates. 
While the +-\fB-F\fR and \fB-a\fR options will still be recognized, they will effectively ++\fBcertmonger\fR's self\-signer doesn't use root certificates. While the ++\fB\-F\fR and \fB\-a\fR options will still be recognized, they will effectively + be ignored. + + .SH BUGS +@@ -40,24 +40,24 @@ Please file tickets for any that you find at https://fedorahosted.org/certmonger + .SH SEE ALSO + \fBcertmonger\fR(8) + \fBgetcert\fR(1) +-\fBgetcert-add-ca\fR(1) +-\fBgetcert-add-scep-ca\fR(1) +-\fBgetcert-list-cas\fR(1) +-\fBgetcert-list\fR(1) +-\fBgetcert-modify-ca\fR(1) +-\fBgetcert-refresh-ca\fR(1) +-\fBgetcert-refresh\fR(1) +-\fBgetcert-rekey\fR(1) +-\fBgetcert-remove-ca\fR(1) +-\fBgetcert-request\fR(1) +-\fBgetcert-resubmit\fR(1) +-\fBgetcert-start-tracking\fR(1) +-\fBgetcert-status\fR(1) +-\fBgetcert-stop-tracking\fR(1) +-\fBcertmonger-certmaster-submit\fR(8) +-\fBcertmonger-dogtag-ipa-renew-agent-submit\fR(8) +-\fBcertmonger-dogtag-submit\fR(8) +-\fBcertmonger-ipa-submit\fR(8) +-\fBcertmonger-local-submit\fR(8) +-\fBcertmonger-scep-submit\fR(8) ++\fBgetcert\-add\-ca\fR(1) ++\fBgetcert\-add\-scep\-ca\fR(1) ++\fBgetcert\-list\-cas\fR(1) ++\fBgetcert\-list\fR(1) ++\fBgetcert\-modify\-ca\fR(1) ++\fBgetcert\-refresh\-ca\fR(1) ++\fBgetcert\-refresh\fR(1) ++\fBgetcert\-rekey\fR(1) ++\fBgetcert\-remove\-ca\fR(1) ++\fBgetcert\-request\fR(1) ++\fBgetcert\-resubmit\fR(1) ++\fBgetcert\-start\-tracking\fR(1) ++\fBgetcert\-status\fR(1) ++\fBgetcert\-stop\-tracking\fR(1) ++\fBcertmonger\-certmaster\-submit\fR(8) ++\fBcertmonger\-dogtag\-ipa\-renew\-agent\-submit\fR(8) ++\fBcertmonger\-dogtag\-submit\fR(8) ++\fBcertmonger\-ipa\-submit\fR(8) ++\fBcertmonger\-local\-submit\fR(8) ++\fBcertmonger\-scep\-submit\fR(8) + \fBcertmonger_selinux\fR(8) +-- +2.21.1 + diff --git a/SOURCES/0043-Add-long-options-to-command-line-help.patch b/SOURCES/0043-Add-long-options-to-command-line-help.patch new file mode 100644 index 0000000..6e52b5c --- /dev/null 
+++ b/SOURCES/0043-Add-long-options-to-command-line-help.patch 
@@ -0,0 +1,757 @@ +From f5b4420f01272f14416558286c66511b1e35816d Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 14 May 2020 14:37:31 -0400 +Subject: [PATCH 43/43] Add long options to command-line help + +The command-line help mostly consisted of only the short options. +Add the long-option and clean up some of the output. + +https://bugzilla.redhat.com/show_bug.cgi?id=1782838 +--- + src/getcert.c | 536 ++++++++++++++++++++++++++++++++------------------ + src/scep.c | 2 +- + 2 files changed, 345 insertions(+), 193 deletions(-) + +diff --git a/src/getcert.c b/src/getcert.c +index 5c8dc94..84e0bf3 100644 +--- a/src/getcert.c ++++ b/src/getcert.c +@@ -4864,50 +4864,90 @@ help(const char *twopartcmd, const char *category) + "\n", + N_("Required arguments:\n"), + N_("* If using an NSS database for storage:\n"), +- N_(" -d DIR NSS database for key and cert\n"), +- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"), +- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"), ++ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"), ++ N_(" -n NAME, --nickname NAME\n"), ++ N_(" nickname for NSS-based storage (only valid with -d)\n"), ++ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"), ++ N_(" (only valid with -d)\n"), + N_("* If using files for storage:\n"), +- N_(" -k FILE PEM file for private key\n"), +- N_(" -f FILE PEM file for certificate (only valid with -k)\n"), ++ N_(" -k FILE, --keyfile=FILE\n"), ++ N_(" PEM file for private key\n"), ++ N_(" -f FILE, --certfile=FILE\n"), ++ N_(" PEM file for certificate (only valid with -k)\n"), + N_("* If keys are to be encrypted:\n"), +- N_(" -p FILE file which holds the encryption PIN\n"), +- N_(" -P PIN PIN value\n"), ++ N_(" -p FILE, --pinfile=FILE\n"), ++ N_(" file which holds the encryption PIN\n"), ++ N_(" -P PIN, --pin=PIN PIN value\n"), + "\n", + N_("Optional arguments:\n"), + N_("* Certificate handling settings:\n"), +- N_(" -I NAME 
nickname to assign to the request\n"), +- N_(" -G TYPE type of key to be generated if one is not already in place\n"), +- N_(" -g SIZE size of key to be generated if one is not already in place\n"), +- N_(" -r attempt to renew the certificate when expiration nears (default)\n"), +- N_(" -R don't attempt to renew the certificate when expiration nears\n"), ++ N_(" -I NAME, --new-id=NAME\n"), ++ N_(" new nickname to give to tracking request\n"), ++ N_(" -G TYPE, --key-type=TYPE\n"), ++ N_(" type of key to be generated if one is not already\n"), ++ N_(" in place\n"), ++ N_(" -g BITS, --key-size=BITS\n"), ++ N_(" size of key to be generated if one is not already\n"), ++ N_(" in place\n"), ++ N_(" -r, --renew attempt to renew the certificate when\n"), ++ N_(" expiration nears (default)\n"), ++ N_(" -R, --no-renew don't attempt to renew the certificate when\n"), ++ N_(" expiration nears\n"), + #ifndef FORCE_CA +- N_(" -c CA use the specified CA rather than the default\n"), ++ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"), + #endif +- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" -T PROFILE, --profile=NAME\n"), ++ N_(" ask the CA to process the request using the\n"), ++ N_(" named profile or template\n"), + N_(" --ms-template-spec SPEC\n"), +- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), +- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), ++ N_(" include V2 template specifier in CSR\n"), ++ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), ++ N_(" -X ISSUER, --issuer=ISSUER\n"), ++ N_(" ask the CA to process the request using the\n"), ++ N_(" named issuer\n"), + N_("* Parameters for the signing request:\n"), +- N_(" -N NAME set requested subject name (default: CN=)\n"), +- N_(" -U EXTUSAGE set requested extended key usage OID\n"), +- N_(" -u KEYUSAGE set requested key usage value\n"), +- N_(" -K NAME set requested 
principal name\n"), +- N_(" -D DNSNAME set requested DNS name\n"), +- N_(" -E EMAIL set requested email address\n"), +- N_(" -A ADDRESS set requested IP address\n"), +- N_(" -l FILE file which holds an optional challenge password\n"), +- N_(" -L PASSWORD an optional challenge password value\n"), ++ N_(" -N NAME, --subject-name=NAME\n"), ++ N_(" set requested subject name (default: CN=)\n"), ++ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"), ++ N_(" override requested extended key usage OID\n"), ++ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"), ++ N_(" set requested key usage value\n"), ++ N_(" -K NAME, --principal=NAME\n"), ++ N_(" override requested principal name\n"), ++ N_(" -D DNSNAME, --dns=DNSNAME\n"), ++ N_(" override requested DNS name\n"), ++ N_(" -E EMAIL, --email=EMAIL\n"), ++ N_(" override requested email address\n"), ++ N_(" -A ADDRESS, --ip-address=ADDRESS\n"), ++ N_(" override requested IP address\n"), ++ N_(" -l FILE, --challenge-password-file=FILE\n"), ++ N_(" file which holds an optional challenge password\n"), ++ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"), ++ N_(" an optional challenge password value\n"), + N_("* Bus options:\n"), +- N_(" -S connect to the certmonger service on the system bus\n"), +- N_(" -s connect to the certmonger service on the session bus\n"), ++ N_(" -S, --system connect to the certmonger service on the system bus\n"), ++ N_(" -s, --session connect to the certmonger service on the session bus\n"), + N_("* Other options:\n"), +- N_(" -B command to run before saving the certificate\n"), +- N_(" -C command to run after saving the certificate\n"), +- N_(" -F file in which to store the CA's certificates\n"), +- N_(" -a NSS database in which to store the CA's certificates\n"), +- N_(" -w try to wait for the certificate to be issued\n"), +- N_(" -v report all details of errors\n"), ++ N_(" -B COMMAND, --before-command=COMMAND\n"), ++ N_(" command to run before saving the certificate\n"), ++ N_(" -C COMMAND, 
--after-command=COMMAND\n"), ++ N_(" command to run after saving the certificate\n"), ++ N_(" -F FILE, --ca-file=FILE\n"), ++ N_(" file in which to store the CA's certificates\n"), ++ N_(" -a DIR, --ca-dbdir=DIR\n"), ++ N_(" NSS database in which to store the CA's certificates\n"), ++ N_(" -w, --wait try to wait for the certificate to be issued\n"), ++ N_(" --wait-timeout TIMEOUT\n"), ++ N_(" Maximum time to wait for the certificateto be issued\n"), ++ N_(" -v, --verbose report all details of errors\n"), ++ N_(" -o OWNER, --key-owner=OWNER\n"), ++ N_(" owner information for private key\n"), ++ N_(" -m MODE, --key-perms=MODE\n"), ++ N_(" file permissions for private key\n"), ++ N_(" -O OWNER, --cert-owner=OWNER\n"), ++ N_(" owner information for certificate\n"), ++ N_(" -M MODE, --cert-perms=MODE\n"), ++ N_(" file permissions for certificate\n"), + NULL, + }; + const char *start_tracking_help[] = { +@@ -4915,49 +4955,84 @@ help(const char *twopartcmd, const char *category) + "\n", + N_("Required arguments:\n"), + N_("* If modifying an existing request:\n"), +- N_(" -i NAME nickname of an existing tracking request\n"), ++ N_(" -i NAME, --id=NAME nickname of an existing tracking request\n"), + N_("* If using an NSS database for storage:\n"), +- N_(" -d DIR NSS database for key and cert\n"), +- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"), +- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"), ++ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"), ++ N_(" -n NAME, --nickname NAME\n"), ++ N_(" nickname for NSS-based storage (only valid with -d)\n"), ++ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"), ++ N_(" (only valid with -d)\n"), + N_("* If using files for storage:\n"), +- N_(" -k FILE PEM file for private key\n"), +- N_(" -f FILE PEM file for certificate (only valid with -k)\n"), ++ N_(" -k FILE, --keyfile=FILE\n"), ++ N_(" PEM file for private key\n"), ++ N_(" -f FILE, 
--certfile=FILE\n"), ++ N_(" PEM file for certificate (only valid with -k)\n"), + N_("* If keys are encrypted:\n"), +- N_(" -p FILE file which holds the encryption PIN\n"), +- N_(" -P PIN PIN value\n"), ++ N_(" -p FILE, --pinfile=FILE\n"), ++ N_(" file which holds the encryption PIN\n"), ++ N_(" -P PIN, --pin=PIN PIN value\n"), + "\n", + N_("Optional arguments:\n"), + N_("* Certificate handling settings:\n"), +- N_(" -I NAME nickname to give to tracking request\n"), +- N_(" -r attempt to renew the certificate when expiration nears (default)\n"), +- N_(" -R don't attempt to renew the certificate when expiration nears\n"), ++ N_(" -I NAME, --new-id=NAME\n"), ++ N_(" nickname to give to tracking request\n"), ++ N_(" -r, --renew attempt to renew the certificate when\n"), ++ N_(" expiration nears (default)\n"), ++ N_(" -R, --no-renew don't attempt to renew the certificate when\n"), ++ N_(" expiration nears\n"), + #ifndef FORCE_CA +- N_(" -c CA use the specified CA rather than the default\n"), ++ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"), + #endif +- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" -T PROFILE, --profile=NAME\n"), ++ N_(" ask the CA to process the request using the\n"), ++ N_(" named profile or template\n"), + N_(" --ms-template-spec SPEC\n"), +- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), +- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), ++ N_(" include V2 template specifier in CSR\n"), ++ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), ++ N_(" -X ISSUER, --issuer=ISSUER\n"), ++ N_(" ask the CA to process the request using the\n"), ++ N_(" named issuer\n"), + N_("* Parameters for the signing request at renewal time:\n"), +- N_(" -U EXTUSAGE override requested extended key usage OID\n"), +- N_(" -u KEYUSAGE set requested key usage value\n"), +- N_(" -K NAME override requested principal name\n"), 
+- N_(" -D DNSNAME override requested DNS name\n"), +- N_(" -E EMAIL override requested email address\n"), +- N_(" -A ADDRESS override requested IP address\n"), +- N_(" -l FILE file which holds an optional challenge password\n"), +- N_(" -L PASSWORD an optional challenge password value\n"), ++ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"), ++ N_(" override requested extended key usage OID\n"), ++ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"), ++ N_(" set requested key usage value\n"), ++ N_(" -K NAME, --principal=NAME\n"), ++ N_(" override requested principal name\n"), ++ N_(" -D DNSNAME, --dns=DNSNAME\n"), ++ N_(" override requested DNS name\n"), ++ N_(" -E EMAIL, --email=EMAIL\n"), ++ N_(" override requested email address\n"), ++ N_(" -A ADDRESS, --ip-address=ADDRESS\n"), ++ N_(" override requested IP address\n"), ++ N_(" -l FILE, --challenge-password-file=FILE\n"), ++ N_(" file which holds an optional challenge password\n"), ++ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"), ++ N_(" an optional challenge password value\n"), + N_("* Bus options:\n"), +- N_(" -S connect to the certmonger service on the system bus\n"), +- N_(" -s connect to the certmonger service on the session bus\n"), ++ N_(" -S, --system connect to the certmonger service on the system bus\n"), ++ N_(" -s, --session connect to the certmonger service on the session bus\n"), + N_("* Other options:\n"), +- N_(" -B command to run before saving the certificate\n"), +- N_(" -C command to run after saving the certificate\n"), +- N_(" -F file in which to store the CA's certificates\n"), +- N_(" -a NSS database in which to store the CA's certificates\n"), +- N_(" -w try to wait for the certificate to be issued\n"), +- N_(" -v report all details of errors\n"), ++ N_(" -B COMMAND, --before-command=COMMAND\n"), ++ N_(" command to run before saving the certificate\n"), ++ N_(" -C COMMAND, --after-command=COMMAND\n"), ++ N_(" command to run after saving the certificate\n"), ++ N_(" -F FILE, 
--ca-file=FILE\n"), ++ N_(" file in which to store the CA's certificates\n"), ++ N_(" -a DIR, --ca-dbdir=DIR\n"), ++ N_(" NSS database in which to store the CA's certificates\n"), ++ N_(" -w, --wait try to wait for the certificate to be issued\n"), ++ N_(" --wait-timeout TIMEOUT\n"), ++ N_(" Maximum time to wait for the certificateto be issued\n"), ++ N_(" -v, --verbose report all details of errors\n"), ++ N_(" -o OWNER, --key-owner=OWNER\n"), ++ N_(" owner information for private key\n"), ++ N_(" -m MODE, --key-perms=MODE\n"), ++ N_(" file permissions for private key\n"), ++ N_(" -O OWNER, --cert-owner=OWNER\n"), ++ N_(" owner information for certificate\n"), ++ N_(" -M MODE, --cert-perms=MODE\n"), ++ N_(" file permissions for certificate\n"), + NULL, + }; + const char *stop_tracking_help[] = { +@@ -4965,21 +5040,24 @@ help(const char *twopartcmd, const char *category) + "\n", + N_("Required arguments:\n"), + N_("* By request identifier:\n"), +- N_(" -i NAME nickname for tracking request\n"), ++ N_(" -i NAME, --id=NAME nickname for tracking request\n"), + N_("* If using an NSS database for storage:\n"), +- N_(" -d DIR NSS database for key and cert\n"), +- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"), +- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"), ++ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"), ++ N_(" -n NAME, --nickname NAME\n"), ++ N_(" nickname for NSS-based storage (only valid with -d)\n"), + N_("* If using files for storage:\n"), +- N_(" -k FILE PEM file for private key\n"), +- N_(" -f FILE PEM file for certificate (only valid with -k)\n"), ++ N_(" -k FILE, --keyfile=FILE\n"), ++ N_(" PEM file for private key\n"), ++ N_(" -f FILE, --certfile=FILE\n"), ++ N_(" PEM file for certificate (only valid with -k)\n"), + "\n", + N_("Optional arguments:\n"), + N_("* Bus options:\n"), +- N_(" -S connect to the certmonger service on the system bus\n"), +- N_(" -s connect to the certmonger service 
on the session bus\n"), ++ N_(" -S, --system connect to the certmonger service on the system bus\n"), ++ N_(" -s, --session connect to the certmonger service on the session bus\n"), ++ "\n", + N_("* Other options:\n"), +- N_(" -v report all details of errors\n"), ++ N_(" -v, --verbose report all details of errors\n"), + NULL, + }; + const char *resubmit_help[] = { +@@ -4987,49 +5065,81 @@ help(const char *twopartcmd, const char *category) + "\n", + N_("Required arguments:\n"), + N_("* By request identifier:\n"), +- N_(" -i NAME nickname for tracking request\n"), ++ N_(" -i NAME, --id=NAME nickname for tracking request\n"), + N_("* If using an NSS database for storage:\n"), +- N_(" -d DIR NSS database for key and cert\n"), +- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"), +- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"), ++ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"), ++ N_(" -n NAME, --nickname NAME\n"), ++ N_(" nickname for NSS-based storage (only valid with -d)\n"), ++ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"), ++ N_(" (only valid with -d)\n"), + N_("* If using files for storage:\n"), + N_(" -f FILE PEM file for certificate\n"), + "\n", + N_("* If keys are encrypted:\n"), +- N_(" -p FILE file which holds the encryption PIN\n"), +- N_(" -P PIN PIN value\n"), ++ N_(" -p FILE, --pinfile=FILE\n"), ++ N_(" file which holds the encryption PIN\n"), ++ N_(" -P PIN, --pin=PIN PIN value\n"), + "\n", + N_("* New parameter values for the signing request:\n"), +- N_(" -N NAME set requested subject name (default: CN=)\n"), +- N_(" -U EXTUSAGE set requested extended key usage OID\n"), +- N_(" -u KEYUSAGE set requested key usage value\n"), +- N_(" -K NAME set requested principal name\n"), +- N_(" -D DNSNAME set requested DNS name\n"), +- N_(" -E EMAIL set requested email address\n"), +- N_(" -A ADDRESS set requested IP address\n"), +- N_(" -l FILE file which holds an optional 
challenge password\n"), +- N_(" -L PASSWORD an optional challenge password value\n"), ++ N_(" -N NAME, --subject-name=NAME\n"), ++ N_(" set requested subject name (default: CN=)\n"), ++ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"), ++ N_(" override requested extended key usage OID\n"), ++ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"), ++ N_(" set requested key usage value\n"), ++ N_(" -K NAME, --principal=NAME\n"), ++ N_(" override requested principal name\n"), ++ N_(" -D DNSNAME, --dns=DNSNAME\n"), ++ N_(" override requested DNS name\n"), ++ N_(" -E EMAIL, --email=EMAIL\n"), ++ N_(" override requested email address\n"), ++ N_(" -A ADDRESS, --ip-address=ADDRESS\n"), ++ N_(" override requested IP address\n"), ++ N_(" -l FILE, --challenge-password-file=FILE\n"), ++ N_(" file which holds an optional challenge password\n"), ++ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"), ++ N_(" an optional challenge password value\n"), + "\n", + N_("Optional arguments:\n"), + N_("* Certificate handling settings:\n"), +- N_(" -I NAME new nickname to give to tracking request\n"), ++ N_(" -I NAME, --new-id=NAME\n"), ++ N_(" nickname to give to tracking request\n"), + #ifndef FORCE_CA +- N_(" -c CA use the specified CA rather than the current one\n"), ++ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"), + #endif +- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"), ++ N_(" -T PROFILE, --profile=NAME\n"), ++ N_(" ask the CA to process the request using the\n"), ++ N_(" named profile or template\n"), + N_(" --ms-template-spec SPEC\n"), +- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), +- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"), ++ N_(" include V2 template specifier in CSR\n"), ++ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"), ++ N_(" -X ISSUER, --issuer=ISSUER\n"), ++ N_(" ask the CA to process the request using the\n"), ++ N_(" 
named issuer\n"), + N_("* Bus options:\n"), +- N_(" -S connect to the certmonger service on the system bus\n"), +- N_(" -s connect to the certmonger service on the session bus\n"), ++ N_(" -S, --system connect to the certmonger service on the system bus\n"), ++ N_(" -s, --session connect to the certmonger service on the session bus\n"), + N_("* Other options:\n"), +- N_(" -B command to run before saving the certificate\n"), +- N_(" -C command to run after saving the certificate\n"), +- N_(" -F file in which to store the CA's certificates\n"), +- N_(" -a NSS database in which to store the CA's certificates\n"), +- N_(" -w try to wait for the certificate to be issued\n"), +- N_(" -v report all details of errors\n"), ++ N_(" -B COMMAND, --before-command=COMMAND\n"), ++ N_(" command to run before saving the certificate\n"), ++ N_(" -C COMMAND, --after-command=COMMAND\n"), ++ N_(" command to run after saving the certificate\n"), ++ N_(" -F FILE, --ca-file=FILE\n"), ++ N_(" file in which to store the CA's certificates\n"), ++ N_(" -a DIR, --ca-dbdir=DIR\n"), ++ N_(" NSS database in which to store the CA's certificates\n"), ++ N_(" -w, --wait try to wait for the certificate to be issued\n"), ++ N_(" --wait-timeout TIMEOUT\n"), ++ N_(" Maximum time to wait for the certificateto be issued\n"), ++ N_(" -v, --verbose report all details of errors\n"), ++ N_(" -o OWNER, --key-owner=OWNER\n"), ++ N_(" owner information for private key\n"), ++ N_(" -m MODE, --key-perms=MODE\n"), ++ N_(" file permissions for private key\n"), ++ N_(" -O OWNER, --cert-owner=OWNER\n"), ++ N_(" owner information for certificate\n"), ++ N_(" -M MODE, --cert-perms=MODE\n"), ++ N_(" file permissions for certificate\n"), + NULL, + }; + const char *rekey_help[] = { +@@ -5037,51 +5147,80 @@ help(const char *twopartcmd, const char *category) + "\n", + N_("Required arguments:\n"), + N_("* By request identifier:\n"), +- N_(" -i NAME nickname for tracking request\n"), ++ N_(" -i NAME, --id=NAME nickname for 
tracking request\n"),
+ N_("* If using an NSS database for storage:\n"),
+- N_(" -d DIR NSS database for key and cert\n"),
+- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
+- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
++ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
++ N_(" -n NAME, --nickname NAME\n"),
++ N_(" nickname for NSS-based storage (only valid with -d)\n"),
++ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
++ N_(" (only valid with -d)\n"),
+ N_("* If using files for storage:\n"),
+- N_(" -f FILE PEM file for certificate\n"),
++ N_(" -f FILE, --certfile=FILE\n"),
++ N_(" PEM file for certificate\n"),
+ "\n",
+ N_("* If keys are encrypted:\n"),
+- N_(" -p FILE file which holds the encryption PIN\n"),
+- N_(" -P PIN PIN value\n"),
++ N_(" -p FILE, --pinfile=FILE\n"),
++ N_(" file which holds the encryption PIN\n"),
++ N_(" -P PIN, --pin=PIN PIN value\n"),
+ "\n",
+ N_("* New parameter values for the signing request:\n"),
+- N_(" -N NAME set requested subject name (default: CN=)\n"),
+- N_(" -U EXTUSAGE set requested extended key usage OID\n"),
+- N_(" -u KEYUSAGE set requested key usage value\n"),
+- N_(" -K NAME set requested principal name\n"),
+- N_(" -D DNSNAME set requested DNS name\n"),
+- N_(" -E EMAIL set requested email address\n"),
+- N_(" -A ADDRESS set requested IP address\n"),
+- N_(" -l FILE file which holds an optional challenge password\n"),
+- N_(" -L PASSWORD an optional challenge password value\n"),
++ N_(" -N NAME, --subject-name=NAME\n"),
++ N_(" set requested subject name (default: CN=)\n"),
++ N_(" -U EXTUSAGE, --extended-key-usage=EXTUSAGE\n"),
++ N_(" override requested extended key usage OID\n"),
++ N_(" -u KEYUSAGE, --key-usage=KEYUSAGE\n"),
++ N_(" set requested key usage value\n"),
++ N_(" -K NAME, --principal=NAME\n"),
++ N_(" override requested principal name\n"),
++ N_(" -D DNSNAME, --dns=DNSNAME\n"),
++ N_(" override requested DNS name\n"),
++ N_(" -E EMAIL, --email=EMAIL\n"),
++ N_(" override requested email address\n"),
++ N_(" -A ADDRESS, --ip-address=ADDRESS\n"),
++ N_(" override requested IP address\n"),
++ N_(" -l FILE, --challenge-password-file=FILE\n"),
++ N_(" file which holds an optional challenge password\n"),
++ N_(" -L PASSWORD, --challenge-password=PASSWORD\n"),
++ N_(" an optional challenge password value\n"),
+ "\n",
+ N_("Optional arguments:\n"),
+ N_("* Certificate handling settings:\n"),
+- N_(" -I NAME new nickname to give to tracking request\n"),
++ N_(" -I NAME, --new-id=NAME\n"),
++ N_(" new nickname to give to tracking request\n"),
+ #ifndef FORCE_CA
+- N_(" -c CA use the specified CA rather than the current one\n"),
++ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
+ #endif
+- N_(" -T PROFILE ask the CA to process the request using the named profile or template\n"),
++ N_(" -T PROFILE, --profile=NAME\n"),
++ N_(" ask the CA to process the request using the\n"),
++ N_(" named profile or template\n"),
+ N_(" --ms-template-spec SPEC\n"),
+- N_(" include V2 template specifier in CSR (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
+- N_(" -X ISSUER ask the CA to process the request using the named issuer\n"),
+- N_(" -G TYPE type of new key to be generated\n"),
+- N_(" -g SIZE size of new key to be generated\n"),
++ N_(" include V2 template specifier in CSR\n"),
++ N_(" (format: OID:MAJOR-VERSION[:MINOR-VERSION])\n"),
++ N_(" -X ISSUER, --issuer=ISSUER\n"),
++ N_(" ask the CA to process the request using the\n"),
++ N_(" named issuer\n"),
++ N_(" -G TYPE, --key-type=TYPE\n"),
++ N_(" type of key to be generated if one is not already\n"),
++ N_(" in place\n"),
++ N_(" -g BITS, --key-size=BITS\n"),
++ N_(" size of key to be generated if one is not already\n"),
++ N_(" in place\n"),
+ N_("* Bus options:\n"),
+- N_(" -S connect to the certmonger service on the system bus\n"),
+- N_(" -s connect to the certmonger service on the session bus\n"),
++ N_(" -S, --system connect to the certmonger service on the system bus\n"),
++ N_(" -s, --session connect to the certmonger service on the session bus\n"),
+ N_("* Other options:\n"),
+- N_(" -B command to run before saving the certificate\n"),
+- N_(" -C command to run after saving the certificate\n"),
+- N_(" -F file in which to store the CA's certificates\n"),
+- N_(" -a NSS database in which to store the CA's certificates\n"),
+- N_(" -w try to wait for the certificate to be issued\n"),
+- N_(" -v report all details of errors\n"),
++ N_(" -B COMMAND, --before-command=COMMAND\n"),
++ N_(" command to run before saving the certificate\n"),
++ N_(" -C COMMAND, --after-command=COMMAND\n"),
++ N_(" command to run after saving the certificate\n"),
++ N_(" -F FILE, --ca-file=FILE\n"),
++ N_(" file in which to store the CA's certificates\n"),
++ N_(" -a DIR, --ca-dbdir=DIR\n"),
++ N_(" NSS database in which to store the CA's certificates\n"),
++ N_(" -w, --wait try to wait for the certificate to be issued\n"),
++ N_(" --wait-timeout TIMEOUT\n"),
++ N_(" Maximum time to wait for the certificateto be issued\n"),
++ N_(" -v, --verbose report all details of errors\n"),
+ NULL,
+ };
+ const char *list_help[] = {
+@@ -5090,46 +5229,52 @@ help(const char *twopartcmd, const char *category)
+ N_("Optional arguments:\n"),
+ N_("* General options:\n"),
+ #ifndef FORCE_CA
+- N_(" -c CA list only requests and certs associated with this CA\n"),
++ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
+ #endif
+- N_(" -r list only information about outstanding requests\n"),
+- N_(" -t list only information about tracked certificates\n"),
+- N_(" -u display times in UTC instead of local time\n"),
++ N_(" -r, --requests-only list only information about outstanding requests\n"),
++ N_(" -t, --tracking-only list only information about tracked certificates\n"),
++ N_(" -u, --utc display times in UTC instead of local time\n"),
+ N_("* If selecting a specific request:\n"),
+- N_(" -i NAME nickname for tracking request\n"),
++ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
+ N_("* If using an NSS database for storage:\n"),
+- N_(" -d DIR only list requests and certs which use this NSS database\n"),
+- N_(" -n NAME only list requests and certs which use this nickname\n"),
++ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
++ N_(" -n NAME, --nickname NAME\n"),
++ N_(" nickname for NSS-based storage (only valid with -d)\n"),
+ N_("* If using files for storage:\n"),
+- N_(" -f FILE only list requests and certs stored in this PEM file\n"),
++ N_(" -f FILE, --certfile=FILE\n"),
++ N_(" only list requests and certs stored in this PEM file\n"),
+ N_("* Bus options:\n"),
+- N_(" -S connect to the certmonger service on the system bus\n"),
+- N_(" -s connect to the certmonger service on the session bus\n"),
++ N_(" -S, --system connect to the certmonger service on the system bus\n"),
++ N_(" -s, --session connect to the certmonger service on the session bus\n"),
+ N_("* Other options:\n"),
+- N_(" -v report all details of errors\n"),
++ N_(" -v, --verbose report all details of errors\n"),
+ NULL,
+ };
+ const char *refresh_help[] = {
+ N_("Usage: %s refresh [options]\n"),
+ "\n",
+ N_("* General options:\n"),
+- N_(" -a refresh information about all outstanding requests\n"),
++ N_(" -a, --all refresh information about all outstanding requests\n"),
+ "\n",
+ N_("Required arguments:\n"),
+ N_("* By request identifier:\n"),
+- N_(" -i NAME nickname for tracking request\n"),
++ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
+ N_("* If using an NSS database for storage:\n"),
+- N_(" -d DIR NSS database for key and cert\n"),
+- N_(" -n NAME nickname for NSS-based storage (only valid with -d)\n"),
+- N_(" -t NAME optional token name for NSS-based storage (only valid with -d)\n"),
++ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
++ N_(" -n NAME, --nickname NAME\n"),
++ N_(" nickname for NSS-based storage (only valid with -d)\n"),
++ N_(" -t NAME, --token=NAME optional token name for NSS-based storage\n"),
++ N_(" (only valid with -d)\n"),
+ N_("* If using files for storage:\n"),
+- N_(" -f FILE PEM file for certificate\n"),
++ N_(" -f FILE, --certfile=FILE\n"),
++ N_(" PEM file for certificate\n"),
+ "\n",
+ N_("Optional arguments:\n"),
+ N_("* Bus options:\n"),
+- N_(" -S connect to the certmonger service on the system bus\n"),
+- N_(" -s connect to the certmonger service on the session bus\n"),
+- N_(" -v report all details of errors\n"),
++ N_(" -S, --system connect to the certmonger service on the system bus\n"),
++ N_(" -s, --session connect to the certmonger service on the session bus\n"),
++ N_("* Other options:\n"),
++ N_(" -v, --verbose report all details of errors\n"),
+ NULL,
+ };
+ const char *status_help[] = {
+@@ -5137,17 +5282,19 @@ help(const char *twopartcmd, const char *category)
+ "\n",
+ N_("Optional arguments:\n"),
+ N_("* Selecting a specific request:\n"),
+- N_(" -i NAME nickname for tracking request\n"),
++ N_(" -i NAME, --id=NAME nickname for tracking request\n"),
+ N_("* When using an NSS database for storage:\n"),
+- N_(" -d DIR return status for the request in this NSS database\n"),
+- N_(" -n NAME return status for cert which uses this nickname\n"),
++ N_(" -d DIR, --dbdir=DIR NSS database for key and cert\n"),
++ N_(" -n NAME, --nickname NAME\n"),
++ N_(" nickname for NSS-based storage (only valid with -d)\n"),
+ N_("* When using files for storage:\n"),
+- N_(" -f FILE return status for cert stored in this PEM file\n"),
++ N_(" -f FILE, --certfile=FILE\n"),
++ N_(" return status for cert stored in this PEM file\n"),
+ N_("* Bus options:\n"),
+- N_(" -S connect to the certmonger service on the system bus\n"),
+- N_(" -s connect to the certmonger service on the session bus\n"),
++ N_(" -S, --system connect to the certmonger service on the system bus\n"),
++ N_(" -s, --session connect to the certmonger service on the 
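Review bot: The new `-c` line in list_help, `-c CA, --ca=NAME use the specified CA rather than the default`, replaces wording that described what -c does for `list` (restrict output to requests and certs associated with that CA) with the request-command meaning, so the help now describes the wrong behaviour; the same copied line appears in the list-cas, refresh-ca, add-ca, add-scep-ca, modify-ca and remove-ca hunks that follow, where -c names the CA to list, refresh, create, modify or remove (for remove-ca the dropped `nickname of CA configuration to remove` was the accurate text). Keep each command's original description after the new long-option column, e.g. `N_(" -c CA, --ca=NAME list only requests and certs associated with this CA\n"),`. The `-d` and `-n` lines in list_help and status_help lose their command-specific wording in the same way. The short and long forms also name the metavariable differently (`CA` versus `NAME`); one spelling would read more clearly.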
session bus\n"),
+ N_("* Other options:\n"),
+- N_(" -v report all details of errors\n"),
++ N_(" -v, --verbose report all details of errors\n"),
+ NULL,
+ };
+ const char *list_cas_help[] = {
+@@ -5156,13 +5303,13 @@ help(const char *twopartcmd, const char *category)
+ N_("Optional arguments:\n"),
+ #ifndef FORCE_CA
+ N_("* General options:\n"),
+- N_(" -c CA list only information about the CA with this name\n"),
++ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
+ #endif
+ N_("* Bus options:\n"),
+- N_(" -S connect to the certmonger service on the system bus\n"),
+- N_(" -s connect to the certmonger service on the session bus\n"),
++ N_(" -S, --system connect to the certmonger service on the system bus\n"),
++ N_(" -s, --session connect to the certmonger service on the session bus\n"),
+ N_("* Other options:\n"),
+- N_(" -v report all details of errors\n"),
++ N_(" -v, --verbose report all details of errors\n"),
+ NULL,
+ };
+ const char *refresh_ca_help[] = {
+@@ -5171,14 +5318,14 @@ help(const char *twopartcmd, const char *category)
+ N_("Optional arguments:\n"),
+ #ifndef FORCE_CA
+ N_("* General options:\n"),
+- N_(" -c CA refresh information about the CA with this name\n"),
+- N_(" -a refresh information about all known CAs\n"),
++ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
++ N_(" -a, --all refresh information about all known CAs\n"),
+ #endif
+ N_("* Bus options:\n"),
+- N_(" -S connect to the certmonger service on the system bus\n"),
+- N_(" -s connect to the certmonger service on the session bus\n"),
++ N_(" -S, --system connect to the certmonger service on the system bus\n"),
++ N_(" -s, --session connect to the certmonger service on the session bus\n"),
+ N_("* Other options:\n"),
+- N_(" -v report all details of errors\n"),
++ N_(" -v, --verbose report all details of errors\n"),
+ NULL,
+ };
+ #ifndef FORCE_CA
+@@ -5187,13 +5334,13 @@ help(const char *twopartcmd, const char *category)
+ "\n",
+ N_("Optional arguments:\n"),
+ N_("* General options:\n"),
+- N_(" -c CA nickname to give to the new CA configuration\n"),
+- N_(" -e CMD helper command to run to communicate with CA\n"),
++ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
++ N_(" -e CMD, --command CMD helper command to run to communicate with CA\n"),
+ N_("* Bus options:\n"),
+- N_(" -S connect to the certmonger service on the system bus\n"),
+- N_(" -s connect to the certmonger service on the session bus\n"),
++ N_(" -S, --system connect to the certmonger service on the system bus\n"),
++ N_(" -s, --session connect to the certmonger service on the session bus\n"),
+ N_("* Other options:\n"),
+- N_(" -v report all details of errors\n"),
++ N_(" -v, --verbose report all details of errors\n"),
+ NULL,
+ };
+ const char *add_scep_ca_help[] = {
+@@ -5201,18 +5348,23 @@ help(const char *twopartcmd, const char *category)
+ "\n",
+ N_("Optional arguments:\n"),
+ N_("* General options:\n"),
+- N_(" -c CA nickname to give to the new CA configuration\n"),
+- N_(" -u URL location of SCEP server\n"),
+- N_(" -i ID CA identifier\n"),
+- N_(" -R FILE file containing CA's certificate\n"),
+- N_(" -r FILE file containing RA's certificate\n"),
+- N_(" -I FILE file containing certificates in RA's certifying chain\n"),
+- N_(" -n prefer not to use the SCEP Renewal feature\n"),
++ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
++ N_(" -u URL, --URL URL location of SCEP server\n"),
++ N_(" -i ID, --id ID CA identifier\n"),
++ N_(" -R FILE, --cacert=FILE\n"),
++ N_(" file containing web server's certificate\n"),
++ N_(" -r FILE, --racert=FILE\n"),
++ N_(" file containing RA's certificate\n"),
++ N_(" -N FILE, --signingca=FILE\n"),
++ N_(" file containing CA's certificate\n"),
++ N_(" -I FILE, --other-certs=FILE\n"),
++ N_(" file containing certificates in RA's certifying chain\n"),
++ N_(" -n, --non-renewal prefer not to use the SCEP Renewal feature\n"),
+ N_("* Bus options:\n"),
+- N_(" -S connect to the certmonger service on the system bus\n"),
+- N_(" -s connect to the certmonger service on the session bus\n"),
++ N_(" -S, --system connect to the certmonger service on the system bus\n"),
++ N_(" -s, --session connect to the certmonger service on the session bus\n"),
+ N_("* Other options:\n"),
+- N_(" -v report all details of errors\n"),
++ N_(" -v, --verbose report all details of errors\n"),
+ NULL,
+ };
+ const char *modify_ca_help[] = {
+@@ -5220,13 +5372,13 @@ help(const char *twopartcmd, const char *category)
+ "\n",
+ N_("Optional arguments:\n"),
+ N_("* General options:\n"),
+- N_(" -c CA nickname of the CA configuration\n"),
+- N_(" -e CMD updated helper command to run to communicate with CA\n"),
++ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
++ N_(" -e CMD, --command CMD helper command to run to communicate with CA\n"),
+ N_("* Bus options:\n"),
+- N_(" -S connect to the certmonger service on the system bus\n"),
+- N_(" -s connect to the certmonger service on the session bus\n"),
++ N_(" -S, --system connect to the certmonger service on the system bus\n"),
++ N_(" -s, --session connect to the certmonger service on the session bus\n"),
+ N_("* Other options:\n"),
+- N_(" -v report all details of errors\n"),
++ N_(" -v, --verbose report all details of errors\n"),
+ NULL,
+ };
+ const char *remove_ca_help[] = {
+@@ -5234,12 +5386,12 @@ help(const char *twopartcmd, const char *category)
+ "\n",
+ N_("Optional arguments:\n"),
+ N_("* General options:\n"),
+- N_(" -c CA nickname of CA configuration to remove\n"),
++ N_(" -c CA, --ca=NAME use the specified CA rather than the default\n"),
+ N_("* Bus options:\n"),
+- N_(" -S connect to the certmonger service on the system bus\n"),
+- N_(" -s connect to the certmonger service on the session bus\n"),
++ N_(" -S, --system connect to the certmonger service on the system bus\n"),
++ N_(" -s, --session connect to the certmonger service on the session bus\n"),
+ N_("* Other options:\n"),
+- N_(" -v report all details of errors\n"),
++ N_(" -v, --verbose report all details of errors\n"),
+ NULL,
+ };
+ #endif
+diff --git a/src/scep.c b/src/scep.c
+index 4294cda..4dde1ce 100644
+--- a/src/scep.c
++++ b/src/scep.c
+@@ -230,7 +230,7 @@ main(int argc, const char **argv)
+ {"url", 'u', POPT_ARG_STRING, &url, 0, "service location", "URL"},
+ {"ca-identifier", 'i', POPT_ARG_STRING, &id, 0, "name to use when querying for capabilities", "IDENTIFIER"},
+ {"retrieve-ca-capabilities", 'c', POPT_ARG_NONE, NULL, 'c', "make a GetCACaps request", NULL},
+- {"retrieve-ca-certificates", 'C', POPT_ARG_NONE, NULL, 'C', "make GetCACert/GetCAChain requests", NULL},
++ {"retrieve-ca-certificates", 'C', POPT_ARG_NONE, NULL, 'C', "make GetCACert request", NULL},
+ {"get-initial-cert", 'g', POPT_ARG_NONE, NULL, 'g', "send a PKIOperation pkiMessage", NULL},
+ {"pki-message", 'p', POPT_ARG_NONE, NULL, 'p', "send a PKIOperation pkiMessage", NULL},
+ {"racert", 'r', POPT_ARG_STRING, NULL, 'r', "the RA certificate, used for encrypting requests", "FILENAME"},
+-- 
+2.21.1
+
diff --git a/SOURCES/0044-Link-certmonger-to-dbus-so-it-stops-and-restarts-wit.patch b/SOURCES/0044-Link-certmonger-to-dbus-so-it-stops-and-restarts-wit.patch
new file mode 100644
index 0000000..9f2b833
--- /dev/null
+++ b/SOURCES/0044-Link-certmonger-to-dbus-so-it-stops-and-restarts-wit.patch
@@ -0,0 +1,25 @@
+From 5e45029b429aa383db295facea18a6a72e1a2357 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Thu, 30 Jul 2020 10:41:00 -0400
+Subject: [PATCH] Link certmonger to dbus so it stops and restarts with it
+
+This will ensure that certmonger will run if dbus is restarted.
+---
+ systemd/certmonger.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/systemd/certmonger.service.in b/systemd/certmonger.service.in
+index 6381d845..9d942513 100644
+--- a/systemd/certmonger.service.in
++++ b/systemd/certmonger.service.in
+@@ -1,6 +1,7 @@
+ [Unit]
+ Description=Certificate monitoring and PKI enrollment
+ After=syslog.target network.target dbus.service
++PartOf=dbus.service
+
+ [Service]
+ Type=dbus
+-- 
+2.25.4
+
diff --git a/SOURCES/0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch b/SOURCES/0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch
new file mode 100644
index 0000000..6d2634c
--- /dev/null
+++ b/SOURCES/0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch
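Review bot: `PartOf=dbus.service` propagates only stop and restart actions from dbus.service to certmonger; it adds no start-side dependency, so the commit message's "will ensure that certmonger will run if dbus is restarted" holds for restarts that systemd itself performs on dbus.service, and the daemon's behaviour when the bus connection is lost without such a restart is, as far as this hunk shows, unchanged. The start side is already covered because `Type=dbus` implicitly orders the unit after dbus.socket and requires it. A comment in the unit would record the intent for the next maintainer, e.g. `# Stop and restart together with the system bus; Type=dbus already covers start-up ordering.` The spec changelog on this page says this replaces an earlier in-daemon fix for the same bug, so it is worth confirming the in-daemon handling of a lost bus connection was not relied on for anything else.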
@@ -0,0 +1,62 @@
+From b63be96fd30d0a9fb2538e41509e8813620d5107 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Fri, 22 May 2020 12:58:44 -0400
+Subject: [PATCH] Include &message=CA-IDENT with GetCACaps and GetCACert
+ requests
+
+The guttman spec is quite unclear on this and in the GetCACaps
+section doesn't mention &message at all. It only appears in the
+generic GET requests section 4.1
+
+The nourse spec is clearer and requires &message=CA-IDENT on
+GetCACaps requests.
+
+AD 2012 R2 servers also require message on GetCACert requests.
+
+This reverts much of 60a4db5796b0575ca2cc9f1af4ecb3fdc6359242
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1839181
+https://pagure.io/certmonger/issue/103
+---
+ src/scep.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/scep.c b/src/scep.c
+index 4dde1ce..11ebd6f 100644
+--- a/src/scep.c
++++ b/src/scep.c
+@@ -370,11 +370,11 @@ main(int argc, const char **argv)
+ break;
+ case op_get_ca_caps:
+ /* Only step: read capabilities for the daemon. */
+- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
++ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
+ break;
+ case op_get_ca_certs:
+ /* First step: get the root certificate. */
+- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT);
++ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CERT "&message=%s", id);
+ break;
+ case op_get_cert_initial:
+ if ((racert == NULL) || (strlen(racert) == 0)) {
+@@ -393,7 +393,7 @@ main(int argc, const char **argv)
+ goto done;
+ }
+ /* First step: read capabilities for our use. */
+- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
++ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
+ }
+ break;
+ case op_pkcsreq:
+@@ -413,7 +413,7 @@ main(int argc, const char **argv)
+ goto done;
+ }
+ /* First step: read capabilities for our use. */
+- params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS);
++ params = talloc_asprintf(ctx, "operation=" OP_GET_CA_CAPS "&message=%s", id);
+ }
+ break;
+ }
+-- 
+2.25.4
+
diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec
index f71691d..f233461 100644
--- a/SPECS/certmonger.spec
+++ b/SPECS/certmonger.spec
@@ -9,7 +9,7 @@ Name: certmonger Version: 0.79.7 -Release: 6%{?dist} +Release: 15%{?dist} Summary: Certificate status monitor and PKI enrollment client Group: System Environment/Daemons @@ -97,6 +97,19 @@ Patch29: 0029-Remove-NOMODDB-flag-flag-from-context-init-look-for-.patch Patch30: 0030-Update-tests-to-include-the-security-module-DB-in-ex.patch Patch31: 0031-Try-to-pull-the-entire-CA-chain-from-IPA.patch Patch32: 0032-Fix-use-after-free-issue.patch +Patch33: 0033-Improve-logging-in-SCEP-helper.patch +Patch34: 0034-Add-verbose-option-to-SCEP-CA-if-requested-in-add-sc.patch +Patch35: 0035-Cleanup-the-SCEP-helper-curl-and-talloc-contexts-whe.patch +Patch36: 0036-Re-order-the-way-the-SCEP-signing-and-CA-certs-are-c.patch +Patch37: 0037-Add-new-option-to-allow-overriding-the-detected-SCEP.patch +Patch38: 0038-Include-template-profile-issuer-and-MS-cert-template.patch +Patch39: 0039-Fix-broken-N-option-configuration.patch +Patch40: 0040-Address-an-include-issue-discovered-by-coverity.patch +Patch41: 0041-Ensure-that-files-read-in-have-a-trailing-new-line.patch +Patch42: 0042-Add-long-command-line-options-to-man-pages.patch +Patch43: 0043-Add-long-options-to-command-line-help.patch +Patch44: 0044-Link-certmonger-to-dbus-so-it-stops-and-restarts-wit.patch +Patch45: 0045-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch %description 
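Review bot: The added `"&message=%s", id` formats the CA identifier straight into the query string in all four hunks of this patch, and `id` is the optional `--ca-identifier` popt string (see the option table in the scep.c hunk of the previous patch); unless it is initialised elsewhere in main(), leaving the option off hands a NULL to `%s`, which is undefined behaviour for the underlying vsnprintf (glibc happens to emit `(null)`, so the request would carry `message=(null)`), and an identifier containing spaces, `&`, `=` or non-ASCII bytes is sent without percent-encoding. Before the `switch`, handle the missing case the way the neighbouring `goto done` paths do — either default it (`if (id == NULL) id = "";`) or reject it with `cm_log(0, "A CA identifier (-i) is required for this operation.\n"); goto done;` — and percent-encode `id` before building `params`; the 0035 patch title suggests the helper already holds a libcurl handle, so `curl_easy_escape` would fit. main() continues outside these hunks, so the initialisation of `id` may already be covered there.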
@@ -122,6 +135,19 @@ system enrolled with a certificate authority (CA) and keeping it enrolled. %patch30 -p1 %patch31 -p1 %patch32 -p1 +%patch33 -p1 +%patch34 -p1 +%patch35 -p1 +%patch36 -p1 +%patch37 -p1 +%patch38 -p1 +%patch39 -p1 +%patch40 -p1 +%patch41 -p1 +%patch42 -p1 +%patch43 -p1 +%patch44 -p1 +%patch45 -p1 %build autoreconf -i -f @@ -135,8 +161,8 @@ autoreconf -i -f %if %{tmpfiles} --enable-tmpfiles \ %endif - --with-homedir=/var/run/certmonger \ - --with-tmpdir=/var/run/certmonger --enable-pie --enable-now + --with-homedir=/run/certmonger \ + --with-tmpdir=/run/certmonger --enable-pie --enable-now # For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just # tell us about libxmlrpc_client, but we need more. Work around. make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc" @@ -145,7 +171,7 @@ make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc" rm -rf $RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/lib/certmonger/{cas,requests} -install -m755 -d $RPM_BUILD_ROOT/var/run/certmonger +install -m755 -d $RPM_BUILD_ROOT/run/certmonger %{find_lang} %{name} %check @@ -230,7 +256,7 @@ exit 0 %{_datadir}/dbus-1/services/* %dir %{_sysconfdir}/certmonger %config(noreplace) %{_sysconfdir}/certmonger/certmonger.conf -%dir /var/run/certmonger +%dir /run/certmonger %{_bindir}/* %{_sbindir}/certmonger %{_mandir}/man*/* 
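Review bot: `%dir /run/certmonger` in `%files` and `install -m755 -d $RPM_BUILD_ROOT/run/certmonger` package a directory on what is a tmpfs at runtime, so the directory installed by the RPM exists only until the next reboot and the daemon's `--with-homedir=/run/certmonger` and `--with-tmpdir=/run/certmonger` then depend entirely on the tmpfiles.d entry that `--enable-tmpfiles` installs. That switch is guarded by `%if %{tmpfiles}` in the -135,8 hunk, so if the condition can still be false on a targeted release, a build without it would have no mechanism recreating `/run/certmonger` after reboot; worth confirming the condition and that the tmpfiles entry's mode and owner match the `-m755` used here. A one-line spec comment next to the `%dir` entry saying that the tmpfiles.d configuration is authoritative for this path would save the next packager the same check.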
@@ -248,6 +274,41 @@ exit 0 %endif %changelog +* Thu Jul 30 2020 Rob Crittenden - 0.79.7-15 +- Replace the previous fix for dbus restarting with PartOf in the + certmonger systemd service file to link the two (#1687698) + +* Tue Jun 2 2020 Rob Crittenden - 0.79.7-14 +- Include &message=CA-IDENT with GetCACaps/GetCACert requests (#1843009) + +* Mon May 18 2020 Rob Crittenden - 0.79.7-13 +- Exit gracefully if dbus is restarted (#1687698) + +* Thu May 14 2020 Rob Crittenden - 0.79.7-12 +- Add long command-line options to man pages and help output (#1782838) + +* Mon May 4 2020 Rob Crittenden - 0.79.7-11 +- Fix test failure in 039-fromfile + +* Mon May 4 2020 Rob Crittenden - 0.79.7-10 +- Ensure that files read in have a trailing new-line (#1829490) + +* Thu Apr 30 2020 Rob Crittenden - 0.79.7-9 +- Call the secport equivalent of PR_ErrorToString +- Remove a couple of unused varaibles found by coverity + +* Mon Apr 13 2020 Rob Crittenden - 0.79.7-8 +- Move systemd tmpfiles from /var/run to /run (#1804928) +- Improve logging in the SCEP helper (#1807691) +- Fix sort order of certificates passed into PKCS7_verify (#1808052) +- Add -N option to SCEP helper to separate web server chain from + SCEP issuer chain (#1808613) +- Add template profile, MS v2 template and issuer to getcert list + output (#1734451) + +* Tue Dec 17 2019 Rob Crittenden - 0.79.7-7 +- Update gating requirements + * Mon Dec 16 2019 Rob Crittenden - 0.79.7-6 - Rebuild