certmonger(1)               General Commands Manual              certmonger(1)


NAME

       getcert


SYNOPSIS

       getcert request [options]


DESCRIPTION

       Tells certmonger to use an existing key pair (or to generate one if one
       is not already found in the specified location), to generate a  signing
       request using the key pair, and to submit that request to a CA for
       signing.


KEY AND CERTIFICATE STORAGE OPTIONS

       -d DIR Use  an NSS database in the specified directory for storing this
              certificate and key.

       -n NAME
              Use the key with this nickname to generate the signing  request.
              If  no  such key is found, generate one.  Give the enrolled cer‐
              tificate this nickname, too.  Only valid with -d.

       -t TOKEN
              If the NSS database has more than one token available,  use  the
              token  with  this name for storing and accessing the certificate
              and key.  This argument only rarely needs to be specified.  Only
              valid with -d.

       -f FILE
              Store  the  issued certificate in this file.  For safety's sake,
              do not use the same file specified with the -k option.

       -k FILE
              Use the key stored in this file to generate the signing request.
              If no such file is found, generate a new key pair and  store  it
              in the file.  Only valid with -f.


KEY ENCRYPTION OPTIONS

       -p FILE
              Encrypt private key files or databases using the PIN  stored  in
              the named file as the passphrase.

       -P PIN Encrypt  private  key files or databases using the specified PIN
              as the passphrase.  Because command-line  arguments  to  running
              processes  are trivially discoverable, use of this option is not
              recommended except for testing.


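       A file-based PIN, as an added example (this is not code from the
       certmonger man page or project): how to create the file named by -p so
       that the PIN is readable only by root and never appears in a process
       argument list, which is the exposure -P has.  The paths under
       /etc/pki/tls/ in the comments are assumed locations, and the PIN value
       and temporary file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of certmonger. Shows the file-based alternative to
# "-P PIN": the PIN is written to an owner-only file and handed to getcert
# with "-p FILE", so it never shows up in ps or /proc/<pid>/cmdline.
# /etc/pki/tls/private/httpd.pin below is an assumed example path.

# make_pin_file FILE PIN
# Create FILE containing PIN, readable and writable only by its owner. The
# restrictive umask applies at creation, so the file is never world-readable
# even for an instant; the chmod covers a pre-existing file.
make_pin_file() {
    pin_path=$1
    pin_value=$2
    (
        umask 077
        printf '%s\n' "$pin_value" > "$pin_path"
    ) || return 1
    chmod 600 "$pin_path"
}

# pin_file_mode FILE
# Print the symbolic permission string for FILE, e.g. -rw-------.
pin_file_mode() {
    ls -l "$1" | cut -c1-10
}

# pin_file_ok FILE
# Succeed only if FILE is a regular file with mode exactly 0600.
pin_file_ok() {
    [ -f "$1" ] && [ "$(pin_file_mode "$1")" = "-rw-------" ]
}

# Demonstration with a constructed PIN in a temporary file. In a real
# deployment the file would live somewhere like /etc/pki/tls/private/ and be
# owned by root, which is the user certmonger runs as.
demo_pin=$(mktemp)
make_pin_file "$demo_pin" 'example-pin-not-for-production'
if pin_file_ok "$demo_pin"; then
    echo "PIN file $demo_pin has mode 0600"
fi
rm -f "$demo_pin"

# Discouraged: the PIN is visible to every local user through ps or /proc.
#   getcert request -P 'secret' \
#       -f /etc/pki/tls/certs/httpd.crt -k /etc/pki/tls/private/httpd.key
# Preferred: only the path to the PIN file is on the command line.
#   getcert request -p /etc/pki/tls/private/httpd.pin \
#       -f /etc/pki/tls/certs/httpd.crt -k /etc/pki/tls/private/httpd.key
```

       The mode check is worth keeping as a deployment-time sanity test:
       certmonger reads the file as root, so nothing but root needs access
       to it.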
KEY GENERATION OPTIONS

       -g BITS
              In case a new key pair needs to be generated, this option speci‐
              fies  the  size  of  the  key.   If  not specified, a reasonable
              default (currently 2048 bits) will be used.


TRACKING OPTIONS

       -r     Attempt to obtain a new certificate from the CA when the expira‐
              tion date of a certificate nears.  This is the default setting.

       -R     Don't  attempt  to obtain a new certificate from the CA when the
              expiration date of a certificate nears.  If this option is spec‐
              ified, an expired certificate will simply stay expired.

       -I NAME
              Assign  the  specified nickname to this task.  If this option is
              not specified, a name will  be  assigned  automatically.   Valid
              nicknames   contain  only  characters  from  the  set  "[A-Z][a-
              z][0-9]_".


ENROLLMENT OPTIONS

       -c NAME
              Enroll with the specified CA rather  than  a  possible  default.
              The  name  of  the CA should correspond to one listed by getcert
              list-cas.


SIGNING REQUEST OPTIONS

       If none of -N, -U, -K, -E, and -D are specified,  a  default  group  of
       settings will be used to request an SSL server certificate for the cur‐
       rent host, with the host Kerberos service as an additional name.


       -N NAME
              Set the subject name to include in  the  signing  request.   The
              default  used  is CN=hostname, where hostname is the local host‐
              name.

       -U EKU Add an extensionRequest for the  specified  extendedKeyUsage  to
              the  signing request.  The EKU value is expected to be an object
              identifier (OID), but some specific names are  also  recognized.
              These are some names and their associated OID values:

              id-kp-serverAuth 1.3.6.1.5.5.7.3.1

              id-kp-clientAuth 1.3.6.1.5.5.7.3.2

              id-kp-codeSigning 1.3.6.1.5.5.7.3.3

              id-kp-emailProtection 1.3.6.1.5.5.7.3.4

              id-kp-timeStamping 1.3.6.1.5.5.7.3.8

              id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9

              id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4

              id-pkinit-KPKdc 1.3.6.1.5.2.3.5

              id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2

       -K NAME
              Add an extensionRequest for a subjectAltName, with the specified
              Kerberos principal name as its value, to the signing request.

       -E EMAIL
              Add an extensionRequest for a subjectAltName, with the specified
              email address as its value, to the signing request.

       -D DNSNAME
              Add an extensionRequest for a subjectAltName, with the specified
              DNS name as its value, to the signing request.


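       An added example, not code from the certmonger man page or project: a
       request that spells out the subject, DNS names and EKU rather than
       relying on the defaults, together with a shell check that the
       certificate written to the -f file really carries the names and key
       usage that were asked for.  Because getcert needs a running certmonger
       daemon and a reachable CA, the script inspects a constructed
       self-signed stand-in generated with openssl in place of the issued
       certificate; the hostnames, file paths, Kerberos principal and the
       tracking nickname www_tls are assumptions.  The check functions work on
       any PEM certificate, so they can be pointed at the real -f file after
       enrollment.

```shell
#!/bin/sh
# Added example; not part of certmonger. Verifies that a certificate carries
# the DNS subjectAltNames and extendedKeyUsage requested with -D and -U.
# Requires the openssl command-line tool.
#
# The request this accompanies (assumed paths and names). Note that -f and -k
# name different files, and the -I nickname uses only [A-Za-z0-9_]:
#
#   getcert request -f /etc/pki/tls/certs/www.crt \
#       -k /etc/pki/tls/private/www.key \
#       -N 'CN=www.example.com' -D www.example.com -D example.com \
#       -U id-kp-serverAuth -K HTTP/www.example.com@EXAMPLE.COM -I www_tls

# cert_dns_sans CERT
# Print each DNS name from the certificate's subjectAltName, one per line.
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^ *//' | sed -n 's/^DNS://p'
}

# cert_ekus CERT
# Print each extendedKeyUsage purpose, as openssl names it, one per line.
cert_ekus() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Extended Key Usage/{n;p;}' |
        tr ',' '\n' | sed 's/^ *//'
}

# cert_has_dns_san CERT NAME
# Exact match: example.com does not satisfy a check for www.example.com.
cert_has_dns_san() {
    cert_dns_sans "$1" | grep -qxF "$2"
}

# cert_has_eku CERT PURPOSE   e.g. "TLS Web Server Authentication"
cert_has_eku() {
    cert_ekus "$1" | grep -qxF "$2"
}

# gen_standin_cert DIR HOST
# Constructed stand-in for the certificate certmonger would write to the -f
# file: self-signed, CN=HOST, DNS SANs for HOST and example.com, and the
# serverAuth EKU. For this demonstration only; not an enrolled certificate.
gen_standin_cert() {
    cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
subjectAltName = DNS:$2, DNS:example.com
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/standin.key" -out "$1/standin.crt" 2>/dev/null
}

# Demonstration against the stand-in. After a real enrollment, run the same
# checks against the file given to -f.
work=$(mktemp -d)
gen_standin_cert "$work" www.example.com
for name in www.example.com example.com; do
    if cert_has_dns_san "$work/standin.crt" "$name"; then
        echo "SAN present: $name"
    else
        echo "SAN missing: $name"
    fi
done
if cert_has_eku "$work/standin.crt" 'TLS Web Server Authentication'; then
    echo "EKU present: serverAuth"
fi
rm -rf "$work"
```

       A CA is free to drop or rewrite requested extensions, so checking the
       issued certificate rather than the request is what tells you whether
       the -D and -U values survived signing.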
OTHER OPTIONS

       -v     Be verbose about errors.  Normally,  the  details  of  an  error
              received  from  the  daemon will be suppressed if the client can
              make a diagnostic suggestion.


BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/


SEE ALSO

       certmonger(8)  getcert(1)  getcert-list(1) getcert-list-cas(1)
       getcert-resubmit(1) getcert-start-tracking(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8) certmonger-ipa-submit(8)


certmonger Manual               3 November 2009                  certmonger(1)