certmonger(1)               General Commands Manual              certmonger(1)


NAME

       getcert


SYNOPSIS

       getcert request [options]


DESCRIPTION

       Tells certmonger to use an existing key pair (or to generate one if none
       is found in the specified location), to generate a signing request using
       the key pair, and to submit that request to a CA for signing.


KEY AND CERTIFICATE STORAGE OPTIONS

       -d DIR Use an NSS database in the specified directory for storing this
              certificate and key.

       -n NAME
              Use the key with this nickname to generate the signing request.
              If no such key is found, generate one.  Give the enrolled
              certificate this nickname, too.  Only valid with -d.

       -t TOKEN
              If the NSS database has more than one token available, use the
              token with this name for storing and accessing the certificate
              and key.  This argument only rarely needs to be specified.  Only
              valid with -d.

       -f FILE
              Store the issued certificate in this file.  For safety's sake,
              do not use the same file specified with the -k option.

       -k FILE
              Use the key stored in this file to generate the signing request.
              If no such file is found, generate a new key pair and store it
              in the file.  Only valid with -f.


KEY ENCRYPTION OPTIONS

       -p FILE
              Encrypt private key files or databases using the PIN stored in
              the named file as the passphrase.

       -P PIN Encrypt private key files or databases using the specified PIN
              as the passphrase.  Because command-line arguments to running
              processes are trivially discoverable, use of this option is not
              recommended except for testing.


KEY GENERATION OPTIONS

       -G TYPE
              In case a new key pair needs to be generated, this option
              specifies the type of the keys to be generated.  If not
              specified, a reasonable default (currently RSA) will be used.

       -g BITS
              In case a new key pair needs to be generated, this option
              specifies the size of the key.  If not specified, a reasonable
              default (currently 2048 bits) will be used.


TRACKING OPTIONS

       -r     Attempt to obtain a new certificate from the CA when the
              expiration date of a certificate nears.  This is the default
              setting.

       -R     Don't attempt to obtain a new certificate from the CA when the
              expiration date of a certificate nears.  If this option is
              specified, an expired certificate will simply stay expired.

       -I NAME
              Assign the specified nickname to this task.  If this option is
              not specified, a name will be assigned automatically.


ENROLLMENT OPTIONS

       -c NAME
              Enroll with the specified CA rather than a possible default.
              The name of the CA should correspond to one listed by getcert
              list-cas.

       -T NAME
              Request a certificate using the named profile, template, or
              certtype, from the specified CA.

       --ms-template-spec SPEC
              Include a V2 Certificate Template extension in the signing
              request.  This datum includes an Object Identifier, a major
              version number (positive integer) and an optional minor version
              number.  The format is: <oid>:<majorVersion>[:<minorVersion>].

       -X NAME
              Request a certificate using the named issuer from the specified
              CA.


SIGNING REQUEST OPTIONS

       If none of -N, -U, -K, -E, and -D are specified, a default group of
       settings will be used to request an SSL server certificate for the
       current host, with the host Kerberos service as an additional name.

       The options -K, -E, -D and -A may be provided multiple times to set
       multiple subjectAltName values of the same type.

       -N NAME
              Set the subject name to include in the signing request.  The
              default used is CN=hostname, where hostname is the local
              hostname.

       -u keyUsage
              Add an extensionRequest for the specified keyUsage to the
              signing request.  The keyUsage value is expected to be one of
              these names:

              digitalSignature
              nonRepudiation
              keyEncipherment
              dataEncipherment
              keyAgreement
              keyCertSign
              cRLSign
              encipherOnly
              decipherOnly

       -U EKU Add an extensionRequest for the specified extendedKeyUsage to
              the signing request.  The EKU value is expected to be an object
              identifier (OID), but some specific names are also recognized.
              These are some names and their associated OID values:

              id-kp-serverAuth 1.3.6.1.5.5.7.3.1
              id-kp-clientAuth 1.3.6.1.5.5.7.3.2
              id-kp-codeSigning 1.3.6.1.5.5.7.3.3
              id-kp-emailProtection 1.3.6.1.5.5.7.3.4
              id-kp-timeStamping 1.3.6.1.5.5.7.3.8
              id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9
              id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4
              id-pkinit-KPKdc 1.3.6.1.5.2.3.5
              id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2

       -K NAME
              Add an extensionRequest for a subjectAltName, with the specified
              Kerberos principal name as its value, to the signing request.

       -E EMAIL
              Add an extensionRequest for a subjectAltName, with the specified
              email address as its value, to the signing request.

       -D DNSNAME
              Add an extensionRequest for a subjectAltName, with the specified
              DNS name as its value, to the signing request.

       -A ADDRESS
              Add an extensionRequest for a subjectAltName, with the specified
              IP address as its value, to the signing request.

       -l FILE
              Add an optional ChallengePassword value, read from the file, to
              the signing request.  A ChallengePassword is often required when
              the CA is accessed using SCEP.

       -L PIN Add the argument value to the signing request as a
              ChallengePassword attribute.  A ChallengePassword is often
              required when the CA is accessed using SCEP.

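       As an added example (not part of certmonger or of this manual), a small
       POSIX shell wrapper that composes a getcert request command line under
       the constraints stated above: distinct -f and -k files, the PIN supplied
       through -p FILE rather than -P PIN, -D repeated for several DNS names, and
       a check that an --ms-template-spec value has the documented
       <oid>:<majorVersion>[:<minorVersion>] shape.  The CA name local, the
       profile name www, the file paths and the OID 2.999.42 are constructed
       values; the wrapper prints the command for review rather than running it.

```shell
#!/bin/sh
# Added example, not part of certmonger: compose a "getcert request" command
# line that follows the constraints stated in this manual, and print it for
# review instead of running it.  CA name, profile, paths and OID are constructed.

# validate_ms_template_spec SPEC
# Succeeds only if SPEC has the form <oid>:<majorVersion>[:<minorVersion>]
# with a positive-integer major version, as --ms-template-spec requires.
validate_ms_template_spec() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(\.[0-9]+)+:[1-9][0-9]*(:[0-9]+)?$'
}

# build_request_cmd CERTFILE KEYFILE PINFILE CA PROFILE DNSNAME [DNSNAME...]
# Prints the command on stdout; fails if the certificate and key paths
# coincide, which the -f/-k description warns against.
build_request_cmd() {
    cert="$1"; key="$2"; pinfile="$3"; ca="$4"; profile="$5"; shift 5
    if [ "$cert" = "$key" ]; then
        echo "refusing: -f and -k must not name the same file" >&2
        return 1
    fi
    # -p FILE keeps the PIN out of the process list; -P PIN would expose it.
    cmd="getcert request -f $cert -k $key -p $pinfile -c $ca -T $profile"
    # The first DNS name becomes the subject CN; every name is a -D SAN,
    # since -D may be repeated to set several subjectAltName values.
    cmd="$cmd -N CN=$1"
    for name in "$@"; do
        cmd="$cmd -D $name"
    done
    # A TLS server certificate: serverAuth EKU plus the matching key usages.
    cmd="$cmd -U id-kp-serverAuth -u digitalSignature -u keyEncipherment -w"
    printf '%s\n' "$cmd"
}

# Example invocation (constructed values):
build_request_cmd /etc/pki/tls/certs/www.crt /etc/pki/tls/private/www.key \
    /etc/pki/tls/private/www.pin local www www.example.test example.test
```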

OTHER OPTIONS

       -B COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user before saving the certificates.

       -C COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user after saving the certificates.

       -a DIR Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, save them to the
              specified NSS database.

       -F FILE
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, and when the local
              copies of the CA's root certificates are updated, save them to
              the specified file.

       -w     Wait for the certificate to be issued and saved, or for the
              attempt to obtain one to fail.

       -v     Be verbose about errors.  Normally, the details of an error
              received from the daemon will be suppressed if the client can
              make a diagnostic suggestion.


NOTES

       Locations specified for key and certificate storage need to be
       accessible to the certmonger daemon process.  When run as a system
       daemon on a system which uses a mandatory access control mechanism such
       as SELinux, the system policy must ensure that the daemon is allowed to
       access the locations where certificates and keys that it will manage
       will be stored (these locations are typically labeled as cert_t or an
       equivalent).  More SELinux-specific information can be found in the
       selinux.txt documentation file for this package.


BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/


SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8) certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-dogtag-submit(8) certmonger-ipa-submit(8)
       certmonger-local-submit(8) certmonger-scep-submit(8)
       certmonger_selinux(8)

certmonger Manual               9 February 2015                  certmonger(1)