#166 SCEP with Digicert's Managed PKI Service
Closed: worksforme by buserror. Opened by buserror.

Hello,

I have been trying to get Certmonger to work with Digicert's Managed PKI service but have been unsuccessful.

When running /usr/sbin/certmonger -S -p /run/certmonger.pid -d 3 -n in the foreground, I see the following error:

"No RA certificate (-r) given, and no default known.
Usage: scep-submit [-cCgpnv?] [-u|--url=URL] [-i|--ca-identifier=IDENTIFIER]
        [-c|--retrieve-ca-capabilities] [-C|--retrieve-ca-certificates]
        [-g|--get-initial-cert] [-p|--pki-message] [-r|--racert=FILENAME]
        [-R|--cacert=FILENAME] [-I|--other-certs=FILENAME] [-n|--non-renewal]
        [-v|--verbose] [-?|--help] [--usage] [options] [pkiMessage file]
"

I believe the underlying reason for this is that the SCEP endpoint for this service only returns a single certificate when scep-submit -C is called. This certificate has the title "Symantec Managed PKI Online Test Drive Root", which makes me think it is a CA certificate.

Digicert provide their own "demo" SCEP client (based on JSCEP), which I have managed to use to enrol and download a certificate. Interestingly, this client does not require you to provide an RA certificate.

Is it possible to configure certmonger/scep-submit to work in this situation?

Installed version of certmonger is 0.79.9 and I'm running on Ubuntu 20.04.


Further testing has shown that creating the SCEP CA with both -R and -I arguments both pointing to a file containing the cert provided by scep-submit -C resolves this problem. E.g.

scep-submit -C > digicert_CA.pem
getcert add-scep-ca -v -c digicert_mpki -u <SCEP_endpoint_URL>  -R ${PWD}/digicert_CA.pem -I ${PWD}/digicert_CA.pem
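The workaround above trusts whatever scep-submit -C returned and registers it as both the RA certificate (-R) and the CA certificate (-I). The script below is an added example, not code from this issue or from the certmonger project: it wraps the same two commands but first checks that exactly one certificate came back and that its SHA-256 fingerprint matches a value obtained from the PKI operator out of band, so a substituted certificate is not silently pinned. It assumes scep-submit, getcert and openssl are on PATH; the URL, fingerprint and output file name passed to register_scep_ca are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the certmonger issue or project). Wraps the
# reporter's workaround so the certificate fetched with scep-submit -C is
# checked before it is registered as both the RA (-R) and CA (-I) file.
# Assumptions: scep-submit, getcert and openssl are on PATH; the expected
# SHA-256 fingerprint comes from the PKI operator out of band.

# Count PEM certificate blocks in a file. The endpoint described in the
# issue is expected to return exactly one.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed only when the file holds exactly one certificate.
check_single_cert() {
    [ "$(count_certs "$1")" -eq 1 ]
}

# Normalise a human-supplied fingerprint (colons, upper case) to plain
# lowercase hex so it can be compared byte for byte.
normalise_fp() {
    printf '%s' "$1" | sed -e 's/://g' | tr 'A-F' 'a-f'
}

# Print the SHA-256 fingerprint of the first certificate in a PEM file in
# the same normalised form.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' | normalise_fp "$(cat)"
}

# Fetch the CA certificate, verify it, then register the SCEP CA exactly as
# in the workaround: the same file for -R and -I.
#   $1 SCEP endpoint URL   $2 expected SHA-256 fingerprint
#   $3 CA nickname         $4 output file (relative or absolute path)
register_scep_ca() {
    url="$1"; expected_fp="$2"; nickname="$3"; out="${4:-digicert_CA.pem}"

    scep-submit -u "$url" -C > "$out" || return 1

    check_single_cert "$out" || {
        echo "expected one certificate in $out, got $(count_certs "$out")" >&2
        return 1
    }

    actual="$(cert_fingerprint "$out")"
    [ "$actual" = "$(normalise_fp "$expected_fp")" ] || {
        echo "fingerprint mismatch for $out: $actual" >&2
        return 1
    }

    # getcert wants an absolute path, as in the reporter's ${PWD}/... usage.
    abs="$(cd "$(dirname "$out")" && pwd)/$(basename "$out")"
    getcert add-scep-ca -v -c "$nickname" -u "$url" -R "$abs" -I "$abs"
}

# Usage (all values are placeholders):
#   register_scep_ca 'https://scep.example/placeholder' 'AB:CD:...' digicert_mpki
```

Only count_certs, check_single_cert and normalise_fp run offline; register_scep_ca needs the real endpoint. If the fingerprint check fails, nothing is registered, which is the behaviour you want when deciding whether to pin a certificate that the server itself handed you.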

Metadata Update from @buserror:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)
