certmonger(1)               General Commands Manual              certmonger(1)

NAME

       getcert

SYNOPSIS

       getcert rekey [options]

DESCRIPTION

       Tells certmonger to generate a new key pair, generate a signing request
       for the public key, and submit the signing request to a CA for signing,
       in order to replace both a certificate and its private key.

SPECIFYING REQUESTS BY NICKNAME

       -i NAME
              The new key pair will be generated and the new certificate will
              be obtained for the tracking request which has this nickname.
              If this option is not specified, and a tracking entry which
              matches the key and certificate storage options which are
              specified already exists, that entry will be used.  If not
              specified, the location of the certificate should be specified
              with either a combination of the -d and -n options, or with the
              -f option.

SPECIFYING REQUESTS BY CERTIFICATE LOCATION

       -d DIR The certificate is in the NSS database in the specified
              directory.

       -n NAME
              The certificate in the NSS database named with -d has the
              specified nickname.  Only valid with -d.

       -t TOKEN
              If the NSS database has more than one token available, the
              certificate is stored in this token.  This argument only rarely
              needs to be specified.  Only valid with -d.

       -f FILE
              The certificate is stored in the named file.

KEY GENERATION OPTIONS

       -G TYPE
              In case a new key pair needs to be generated, this option
              specifies the type of the keys to be generated.  If not
              specified, the current key type will be used.

       -g BITS
              This option specifies the size of the new key to be generated.
              If not specified, a key of the same size as the existing key
              will be generated.

ENROLLMENT OPTIONS

       -c NAME
              Submit the new signing request to the specified CA rather than
              the one which was previously associated with this certificate.
              The name of the CA should correspond to one listed by getcert
              list-cas.

       -T NAME
              Request a certificate using the named profile, template, or
              certtype, from the specified CA.

       --ms-template-spec SPEC
              Include a V2 Certificate Template extension in the signing
              request.  This datum includes an Object Identifier, a major
              version number (positive integer) and an optional minor version
              number.  The format is: <oid>:<majorVersion>[:<minorVersion>].

       -X NAME
              Request a certificate using the named issuer from the specified
              CA.

       -I NAME
              Assign the specified nickname to this task, replacing the
              previous nickname.

SIGNING REQUEST OPTIONS

       -N NAME
              Change the subject name to include in the signing request.

       -u keyUsage
              Add an extensionRequest for the specified keyUsage to the
              signing request.  The keyUsage value is expected to be one of
              these names:

              digitalSignature
              nonRepudiation
              keyEncipherment
              dataEncipherment
              keyAgreement
              keyCertSign
              cRLSign
              encipherOnly
              decipherOnly

       -U EKU Change the extendedKeyUsage value specified in an
              extendedKeyUsage extension part of the extensionRequest
              attribute in the signing request.  The EKU value is expected to
              be an object identifier (OID).

       -K NAME
              Change the Kerberos principal name specified as part of a
              subjectAltName extension part of the extensionRequest attribute
              in the signing request.

       -E EMAIL
              Change the email address specified as part of a subjectAltName
              extension part of the extensionRequest attribute in the signing
              request.

       -D DNSNAME
              Change the DNS name specified as part of a subjectAltName
              extension part of the extensionRequest attribute in the signing
              request.

       -A ADDRESS
              Change the IP address specified as part of a subjectAltName
              extension part of the extensionRequest attribute in the signing
              request.

       -l FILE
              Add an optional ChallengePassword value, read from the file, to
              the signing request.  A ChallengePassword is often required when
              the CA is accessed using SCEP.

       -L PIN Add the argument value to the signing request as a
              ChallengePassword attribute.  A ChallengePassword is often
              required when the CA is accessed using SCEP.

OTHER OPTIONS

       -B COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user before saving the certificates.

       -C COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user after saving the certificates.

       -a DIR Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, save them to the
              specified NSS database.

       -F FILE
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, and when the local
              copies of the CA's root certificates are updated, save them to
              the specified file.

       -w     Wait for the new certificate to be issued and saved, or for the
              attempt to obtain one using the new key to fail.

       -v     Be verbose about errors.  Normally, the details of an error
              received from the daemon will be suppressed if the client can
              make a diagnostic suggestion.

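EXAMPLES

       The following is an added example, not part of the certmonger manual
       or project code.  It checks a --ms-template-spec value against the
       <oid>:<majorVersion>[:<minorVersion>] format described under
       ENROLLMENT OPTIONS before handing it to getcert rekey.  The function
       names, the sample nickname and OID in the comments, and the treatment
       of the minor version as a non-negative integer are assumptions.

```shell
#!/bin/sh
# Added example: validate a --ms-template-spec value, then rekey a tracked
# request.  Format per the manual: <oid>:<majorVersion>[:<minorVersion>]
# Assumptions (not stated on the page): the OID is dotted-decimal with at
# least two arcs and no leading zeros; the minor version is a non-negative
# integer.

valid_ms_template_spec() {
    # Reject embedded newlines first, so a multi-line value cannot pass
    # because only one of its lines matches the pattern.
    case $1 in
        *'
'*) return 1 ;;
    esac
    arc='(0|[1-9][0-9]*)'            # one OID arc, or the minor version
    oid="[0-2](\\.${arc})+"          # first arc is 0, 1 or 2
    major='[1-9][0-9]*'              # positive integer
    printf '%s\n' "$1" | grep -Eq "^${oid}:${major}(:${arc})?\$"
}

# Rekey the tracking request with the given nickname.
#   $1 = request nickname (-i)      e.g. web-server (constructed)
#   $2 = new key size in bits (-g)  e.g. 4096
#   $3 = template spec              e.g. 1.3.6.1.4.1.311.21.8.1.2.3:100:4
#                                        (constructed OID)
rekey_tracked() {
    if ! valid_ms_template_spec "$3"; then
        echo "refusing to rekey: malformed template spec '$3'" >&2
        return 1
    fi
    # -w blocks until the new certificate is saved or the attempt fails;
    # -v keeps the daemon's error details visible in the output.
    getcert rekey -i "$1" -g "$2" --ms-template-spec "$3" -w -v
}
```
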

BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-remove-ca(1)
       getcert-request(1) getcert-start-tracking(1) getcert-status(1)
       getcert-stop-tracking(1) certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8)
       certmonger-scep-submit(8) certmonger_selinux(8)

certmonger Manual                31 July 2015                    certmonger(1)