Sophie

certmonger-0.59-1.fc16.i686.rpm

The CA submission internal API uses child processes to do the heavy
lifting.  Self-signing is handled internally, but interaction with
most CAs is done through external helpers.

An external CA helper has a few jobs:
* Invoked with either "SUBMIT" or "POLL" as the value of the
  $CERTMONGER_OPERATION environment variable, with command-line arguments as
  specified in certmonger's configuration.  Some of the data from the request
  is also provided in the environment.
  * $CERTMONGER_REQ_SUBJECT   -> requested subject name
  * $CERTMONGER_REQ_EMAIL     -> email address subjectAltName values
  * $CERTMONGER_REQ_HOSTNAME  -> DNS name subjectAltName values
  * $CERTMONGER_REQ_PRINCIPAL -> Kerberos principal name subjectAltName values
  * $CERTMONGER_CA_PROFILE    -> requested enrollment profile/template/certtype
  * $CERTMONGER_CERTIFICATE   -> previously-issued certificate, if there is one
* If in "submit" mode, $CERTMONGER_CSR has as its value a PEM-formatted CSR.
  * Submit request to CA.
    * Issued          -> output PEM-formatted cert on stdout, exit with status 0.
    * Wait a bit      -> output CA cookie value on stdout, exit with status 1.
    * Rejected        -> output error message on stdout, exit with status 2.
    * Connect error   -> output error message on stdout, exit with status 3.
    * Underconfigured -> output error message on stdout, exit with status 4.
    * Wait a bit more -> output recommended delay (seconds) and CA cookie value
                         on stdout, separated by newline, and exit with status 5.
* If in "poll" mode, $CERTMONGER_COOKIE has as its value a CA cookie value
  in addition to the PEM-formatted CSR in $CERTMONGER_CSR.
  * Poll CA for result of previously-started enrollment operation.
    * Issued          -> output PEM-formatted cert on stdout, exit with status 0.
    * Wait some more  -> output CA cookie value on stdout, exit with status 1.
    * Rejected        -> output error message on stdout, exit with status 2.
    * Connect error   -> output error message on stdout, exit with status 3.
    * Underconfigured -> output error message on stdout, exit with status 4.
    * Wait some more  -> output recommended delay (seconds) and CA cookie value
                         on stdout, separated by newline, and exit with status 5.
* Other operations may be defined later.
  * Operation not supported by this helper -> exit with status 6.
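The following is an added example of a helper that implements the SUBMIT/POLL
contract above against a simulated CA; it is not certmonger's own
test-submit-helper. It assumes the CA URL arrives as the first command-line
argument, binds the CA cookie to the CSR so that a POLL carrying someone else's
cookie is rejected, and returns a constructed placeholder in place of a real
certificate.

```python
"""Constructed certmonger external CA helper following the SUBMIT/POLL protocol
against a simulated CA (not certmonger's own test-submit-helper)."""
import hashlib
import os
import sys

# Exit statuses defined by the protocol: 0..6 in the order listed above.
ISSUED, WAIT, REJECTED, CONNECT_ERROR, UNDERCONFIGURED, WAIT_DELAY, UNSUPPORTED = range(7)

PEM_CSR_HEADERS = ("-----BEGIN CERTIFICATE REQUEST-----",
                   "-----BEGIN NEW CERTIFICATE REQUEST-----")
# Constructed stand-in for what the simulated CA issues; not a real certificate.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"


def cookie_for(csr: str) -> str:
    """Derive the CA cookie from the CSR so a POLL can be checked against it."""
    return "req-" + hashlib.sha256(csr.encode()).hexdigest()[:16]


def handle(env: dict, argv: list) -> tuple:
    """Return (exit status, text for stdout) for one helper invocation."""
    if not argv:  # assumption: the CA URL comes from certmonger's configured arguments
        return UNDERCONFIGURED, "no CA URL given on the command line"
    op = env.get("CERTMONGER_OPERATION", "")
    if op not in ("SUBMIT", "POLL"):
        return UNSUPPORTED, "operation %r not supported by this helper" % op
    csr = env.get("CERTMONGER_CSR", "")
    if not csr.startswith(PEM_CSR_HEADERS):
        return REJECTED, "CERTMONGER_CSR does not contain a PEM-formatted CSR"
    if op == "SUBMIT":
        # The simulated CA queues every request: ask certmonger to poll in 30 seconds.
        return WAIT_DELAY, "30\n" + cookie_for(csr)
    # POLL: certmonger passes the CSR again, so the cookie can be verified against it.
    if env.get("CERTMONGER_COOKIE", "") != cookie_for(csr):
        return REJECTED, "cookie does not belong to this CSR"
    return ISSUED, FAKE_CERT


def main():
    status, out = handle(os.environ, sys.argv[1:])
    sys.stdout.write(out if out.endswith("\n") else out + "\n")
    sys.exit(status)


if __name__ == "__main__":
    main()
```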

For testing purposes, a helper can be added by creating a file in the CAs
directory (usually /var/lib/certmonger/cas) with these contents:
  id=Test
  ca_type=EXTERNAL
  ca_is_default=0
  ca_external_helper=/usr/libexec/certmonger/test-submit-helper

Passing the "-c Test" flag to the "getcert request" command will then use the
helper to attempt enrollment.

This mechanism, together with built-in defaults that produce the same result
when no file in the CAs directory defines a CA named "IPA", is how the daemon
knows about IPA.  The ipa-getcert client, meanwhile, simply assumes that
clients want to use the CA nicknamed "IPA".