certmonger(1)               General Commands Manual              certmonger(1)



NAME

       getcert


SYNOPSIS

       getcert request [options]


DESCRIPTION

       Tells certmonger to use an existing key pair (or to generate one if one
       is not already found in the specified location), to generate a signing
       request using the key pair, and to submit that request for signing to
       a CA.


KEY AND CERTIFICATE STORAGE OPTIONS

       -d DIR Use an NSS database in the specified directory for storing this
              certificate and key.

       -n NAME
              Use the key with this nickname to generate the signing request.
              If no such key is found, generate one.  Give the enrolled
              certificate this nickname, too.  Only valid with -d.

       -t TOKEN
              If the NSS database has more than one token available, use the
              token with this name for storing and accessing the certificate
              and key.  This argument only rarely needs to be specified.  Only
              valid with -d.

       -f FILE
              Store the issued certificate in this file.  For safety's sake,
              do not use the same file specified with the -k option.

       -k FILE
              Use the key stored in this file to generate the signing request.
              If no such file is found, generate a new key pair and store it
              in the file.  Only valid with -f.


KEY ENCRYPTION OPTIONS

       -p FILE
              Encrypt private key files or databases using the PIN stored in
              the named file as the passphrase.

       -P PIN Encrypt private key files or databases using the specified PIN
              as the passphrase.  Because command-line arguments to running
              processes are trivially discoverable, use of this option is not
              recommended except for testing.


KEY GENERATION OPTIONS

       -G TYPE
              In case a new key pair needs to be generated, this option
              specifies the type of the keys to be generated.  If not
              specified, a reasonable default (currently RSA) will be used.

       -g BITS
              In case a new key pair needs to be generated, this option
              specifies the size of the key.  If not specified, a reasonable
              default (currently 2048 bits) will be used.


TRACKING OPTIONS

       -r     Attempt to obtain a new certificate from the CA when the
              expiration date of a certificate nears.  This is the default
              setting.

       -R     Don't attempt to obtain a new certificate from the CA when the
              expiration date of a certificate nears.  If this option is
              specified, an expired certificate will simply stay expired.

       -I NAME
              Assign the specified nickname to this task.  If this option is
              not specified, a name will be assigned automatically.


ENROLLMENT OPTIONS

       -c NAME
              Enroll with the specified CA rather than a possible default.
              The name of the CA should correspond to one listed by getcert
              list-cas.

       -T NAME
              Request a certificate using the named profile, template, or
              certtype, from the specified CA.

       --ms-template-spec SPEC
              Include a V2 Certificate Template extension in the signing
              request.  This datum includes an Object Identifier, a major
              version number (positive integer) and an optional minor version
              number.  The format is: <oid>:<majorVersion>[:<minorVersion>].

       -X NAME
              Request a certificate using the named issuer from the specified
              CA.


SIGNING REQUEST OPTIONS

       If none of -N, -U, -K, -E, and -D are specified, a default group of
       settings will be used to request an SSL server certificate for the
       current host, with the host Kerberos service as an additional name.

       The options -K, -E, -D and -A may be provided multiple times to set
       multiple subjectAltName values of the same type.


       -N NAME
              Set the subject name to include in the signing request.  The
              default used is CN=hostname, where hostname is the local
              hostname.

       -u keyUsage
              Add an extensionRequest for the specified keyUsage to the
              signing request.  The keyUsage value is expected to be one of
              these names:

              digitalSignature

              nonRepudiation

              keyEncipherment

              dataEncipherment

              keyAgreement

              keyCertSign

              cRLSign

              encipherOnly

              decipherOnly

       -U EKU Add an extensionRequest for the specified extendedKeyUsage to
              the signing request.  The EKU value is expected to be an object
              identifier (OID), but some specific names are also recognized.
              These are some names and their associated OID values:

              id-kp-serverAuth 1.3.6.1.5.5.7.3.1

              id-kp-clientAuth 1.3.6.1.5.5.7.3.2

              id-kp-codeSigning 1.3.6.1.5.5.7.3.3

              id-kp-emailProtection 1.3.6.1.5.5.7.3.4

              id-kp-timeStamping 1.3.6.1.5.5.7.3.8

              id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9

              id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4

              id-pkinit-KPKdc 1.3.6.1.5.2.3.5

              id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2

       -K NAME
              Add an extensionRequest for a subjectAltName, with the specified
              Kerberos principal name as its value, to the signing request.

       -E EMAIL
              Add an extensionRequest for a subjectAltName, with the specified
              email address as its value, to the signing request.

       -D DNSNAME
              Add an extensionRequest for a subjectAltName, with the specified
              DNS name as its value, to the signing request.

       -A ADDRESS
              Add an extensionRequest for a subjectAltName, with the specified
              IP address as its value, to the signing request.

       -l FILE
              Add an optional ChallengePassword value, read from the file, to
              the signing request.  A ChallengePassword is often required when
              the CA is accessed using SCEP.

       -L PIN Add the argument value to the signing request as a
              ChallengePassword attribute.  A ChallengePassword is often
              required when the CA is accessed using SCEP.


OTHER OPTIONS

       -B COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user before saving the certificates.

       -C COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user after saving the certificates.

       -a DIR Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, save them to the
              specified NSS database.

       -F FILE
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, and when the local
              copies of the CA's root certificates are updated, save them to
              the specified file.

       -w     Wait for the certificate to be issued and saved, or for the
              attempt to obtain one to fail.

       -v     Be verbose about errors.  Normally, the details of an error
              received from the daemon will be suppressed if the client can
              make a diagnostic suggestion.

       -o OWNER, --key-owner=OWNER
              After generation set the owner on the private key file or
              database to OWNER.

       -m MODE, --key-perms=MODE
              After generation set the file permissions on the private key
              file or database to MODE.

       -O OWNER, --cert-owner=OWNER
              After generation set the owner on the certificate file or
              database to OWNER.

       -M MODE, --cert-perms=MODE
              After generation set the file permissions on the certificate
              file or database to MODE.

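       The following script is an added example, not part of the certmonger
       manual page, showing how the cautions above combine in one enrollment:
       the PIN is supplied through an owner-only file with -p rather than on
       the command line with -P, -k and -f are kept as separate files, and -o/-m
       restrict the stored private key.  The paths, hostname, realm and PIN are
       constructed placeholders, and getcert is only invoked if it is installed.

```sh
#!/bin/sh
# Added example; not part of the certmonger manual page.  Prepares the
# inputs for a `getcert request` call the way the page's cautions suggest.
# All paths, the hostname, the Kerberos realm and the PIN are constructed
# placeholders.

# Write PIN ($2) to FILE ($1) with mode 0600.  The umask change happens in a
# subshell so it does not leak into the caller.
write_pin_file() {
    ( umask 077 && printf '%s\n' "$2" > "$1" )
}

# Print, one per line, the arguments for `getcert request` that enroll a
# TLS server certificate for HOST: subject CN, DNS and Kerberos host SANs,
# the serverAuth EKU with matching keyUsage bits, a root-owned 0600 key
# file, and -w to wait for issuance.  Refuses the unsafe combinations the
# manual warns about.  Arguments: KEY_FILE CERT_FILE PIN_FILE HOST
getcert_request_args() {
    key_file=$1 cert_file=$2 pin_file=$3 host=$4
    realm=${REALM:-EXAMPLE.TEST}          # constructed default realm
    if [ "$key_file" = "$cert_file" ]; then
        echo "refusing: -k and -f must not be the same file" >&2
        return 1
    fi
    if [ ! -f "$pin_file" ]; then
        echo "refusing: PIN file $pin_file does not exist (use -p, not -P)" >&2
        return 1
    fi
    printf '%s\n' request \
        -k "$key_file" -f "$cert_file" -p "$pin_file" \
        -o root -m 0600 \
        -N "CN=$host" -D "$host" -K "host/$host@$realm" \
        -U id-kp-serverAuth -u digitalSignature -u keyEncipherment \
        -w
}

# Run the request if certmonger's getcert is installed; otherwise print the
# command that would run.  The values above contain no whitespace, so the
# unquoted expansion splits cleanly into one argument per line.
run_getcert_request() {
    args=$(getcert_request_args "$@") || return 1
    set -- $args
    if command -v getcert >/dev/null 2>&1; then
        getcert "$@"
    else
        echo "getcert not installed; would run: getcert $*" >&2
    fi
}
```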

NOTES

       Locations specified for key and certificate storage need to be
       accessible to the certmonger daemon process.  When run as a system
       daemon on a system which uses a mandatory access control mechanism such
       as SELinux, the system policy must ensure that the daemon is allowed to
       access the locations where certificates and keys that it will manage
       will be stored (these locations are typically labeled as cert_t or an
       equivalent).  More SELinux-specific information can be found in the
       selinux.txt documentation file for this package.


BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/


SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8) certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-dogtag-submit(8) certmonger-ipa-submit(8)
       certmonger-local-submit(8) certmonger-scep-submit(8)
       certmonger_selinux(8)


certmonger Manual               9 February 2015                  certmonger(1)