CERTMONGER(1)               General Commands Manual              CERTMONGER(1)

NAME
       getcert

SYNOPSIS
       getcert request [options]

DESCRIPTION
       Tells certmonger to use an existing key pair (or to generate one if one
       is not already found in the specified location), to generate a signing
       request using the key pair, and to submit the request for signing to a
       CA.

KEY AND CERTIFICATE STORAGE OPTIONS
       -d DIR, --dbdir=DIR
              Use an NSS database in the specified directory for storing this
              certificate and key.

       -n NAME, --nickname=NAME
              Use the key with this nickname to generate the signing request.
              If no such key is found, generate one.  Give the enrolled
              certificate this nickname, too.  Only valid with -d.

       -t TOKEN, --token=TOKEN
              If the NSS database has more than one token available, use the
              token with this name for storing and accessing the certificate
              and key.  This argument only rarely needs to be specified.  Only
              valid with -d.

       -f FILE, --certfile=FILE
              Store the issued certificate in this file.  For safety's sake,
              do not use the same file specified with the -k option: the
              certificate is meant to be readable by everyone, the private key
              is not.

       -k FILE, --keyfile=FILE
              Use the key stored in this file to generate the signing request.
              If no such file is found, generate a new key pair and store it
              in the file.  Only valid with -f.

KEY ENCRYPTION OPTIONS
       -p FILE, --pinfile=FILE
              Encrypt private key files or databases using the PIN stored in
              the named file as the passphrase.

       -P PIN, --pin=PIN
              Encrypt private key files or databases using the specified PIN
              as the passphrase.  Because command-line arguments to running
              processes are trivially discoverable (for example with ps(1) or
              through /proc/PID/cmdline by any local user), use of this option
              is not recommended except for testing.  Use -p with a file that
              only its owner can read instead.
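
       The -p/-P distinction in practice, as an added example that is not part
       of certmonger or of this manual page: a small POSIX shell script that
       creates a PIN file with mode 0600 from the start, checks it before use,
       and builds the corresponding getcert request command for an NSS
       database.  The directory /etc/pki/nssdb and the nickname Server-Cert
       are placeholders chosen for the example; the stat(1) invocations assume
       GNU stat with BSD stat as the fallback.

```shell
#!/bin/sh
# Added example, not certmonger's own code: create a PIN file that only its
# owner can read and hand it to getcert with -p, instead of passing the PIN
# itself with -P where any local user can read it from the process list.
# The database directory /etc/pki/nssdb and the nickname Server-Cert are
# placeholders for this example.

set -eu

# make_pinfile PATH: write a fresh random PIN (48 hex characters) to PATH,
# created with mode 0600.  Refuses to overwrite an existing file so an
# already-deployed PIN is never clobbered by accident.
make_pinfile() {
    pinfile=$1
    if [ -e "$pinfile" ]; then
        echo "error: $pinfile already exists" >&2
        return 1
    fi
    # The umask is set in a subshell so the 0600 mode applies from the
    # moment the file is created; there is no window where it is readable.
    (
        umask 077
        od -An -N 24 -tx1 /dev/urandom | tr -d ' \n' > "$pinfile"
        echo >> "$pinfile"
    )
    printf '%s\n' "$pinfile"
}

# pinfile_ok PATH: true only if PATH is a regular file with mode 0600 that
# holds exactly one non-empty line (the PIN).  Run this before enrolling so
# a mis-created file is caught here rather than as a daemon-side failure.
pinfile_ok() {
    pinfile=$1
    [ -f "$pinfile" ] || return 1
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$pinfile" 2>/dev/null || stat -f '%Lp' "$pinfile")
    [ "$mode" = "600" ] || return 1
    [ "$(wc -l < "$pinfile")" -eq 1 ] || return 1
    [ -n "$(head -n 1 "$pinfile")" ] || return 1
}

# request_cmd DBDIR NICKNAME PINFILE: print the getcert request command line
# that encrypts the NSS database with the PIN read from PINFILE.  Fails if
# the PIN file does not pass pinfile_ok.
request_cmd() {
    dbdir=$1; nick=$2; pinfile=$3
    if ! pinfile_ok "$pinfile"; then
        echo "error: $pinfile is missing, not mode 0600, or not one line" >&2
        return 1
    fi
    printf 'getcert request -d %s -n %s -p %s\n' "$dbdir" "$nick" "$pinfile"
}
```

       Typical use is make_pinfile /etc/pki/nssdb/pin followed by eval of the
       line printed by request_cmd /etc/pki/nssdb Server-Cert
       /etc/pki/nssdb/pin.  The file must remain readable by the user the
       certmonger daemon runs as (see NOTES), so create it as that user or
       chown it afterwards rather than loosening its mode.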

KEY GENERATION OPTIONS
       -G TYPE, --key-type=TYPE
              In case a new key pair needs to be generated, this option
              specifies the type of the keys to be generated.  If not
              specified, a reasonable default (currently RSA) will be used.

       -g BITS, --key-size=BITS
              In case a new key pair needs to be generated, this option
              specifies the size of the key.  If not specified, a reasonable
              default (currently 2048 bits) will be used.

TRACKING OPTIONS
       -r, --renew
              Attempt to obtain a new certificate from the CA when the
              expiration date of a certificate nears.  This is the default
              setting.

       -R, --no-renew
              Don't attempt to obtain a new certificate from the CA when the
              expiration date of a certificate nears.  If this option is
              specified, an expired certificate will simply stay expired.

       -I NAME, --id=NAME
              Assign the specified nickname to this task.  If this option is
              not specified, a name will be assigned automatically.

ENROLLMENT OPTIONS
       -c NAME, --ca=NAME
              Enroll with the specified CA rather than a possible default.
              The name of the CA should correspond to one listed by getcert
              list-cas.

       -T NAME, --profile=NAME
              Request a certificate using the named profile, template, or
              certtype, from the specified CA.

       --ms-template-spec SPEC
              Include a V2 Certificate Template extension in the signing
              request.  This datum includes an Object Identifier, a major
              version number (positive integer) and an optional minor version
              number.  The format is: <oid>:<majorVersion>[:<minorVersion>].

       -X NAME, --issuer=NAME
              Request a certificate using the named issuer from the specified
              CA.

SIGNING REQUEST OPTIONS
       If none of -N, -U, -K, -E, and -D are specified, a default group of
       settings will be used to request an SSL server certificate for the
       current host, with the host Kerberos service as an additional name.

       The options -K, -E, -D and -A may be provided multiple times to set
       multiple subjectAltName values of the same type.

       -N NAME, --subject-name=NAME
              Set the subject name to include in the signing request.  The
              default used is CN=hostname, where hostname is the local
              hostname.

       -u keyUsage, --key-usage=keyUsage
              Add an extensionRequest for the specified keyUsage to the
              signing request.  The keyUsage value is expected to be one of
              these names:

              digitalSignature
              nonRepudiation
              keyEncipherment
              dataEncipherment
              keyAgreement
              keyCertSign
              cRLSign
              encipherOnly
              decipherOnly

       -U EKU, --extended-key-usage=EKU
              Add an extensionRequest for the specified extendedKeyUsage to
              the signing request.  The EKU value is expected to be an object
              identifier (OID), but some specific names are also recognized.
              These are some names and their associated OID values:

              id-kp-serverAuth         1.3.6.1.5.5.7.3.1
              id-kp-clientAuth         1.3.6.1.5.5.7.3.2
              id-kp-codeSigning        1.3.6.1.5.5.7.3.3
              id-kp-emailProtection    1.3.6.1.5.5.7.3.4
              id-kp-timeStamping       1.3.6.1.5.5.7.3.8
              id-kp-OCSPSigning        1.3.6.1.5.5.7.3.9
              id-pkinit-KPClientAuth   1.3.6.1.5.2.3.4
              id-pkinit-KPKdc          1.3.6.1.5.2.3.5
              id-ms-kp-sc-logon        1.3.6.1.4.1.311.20.2.2

       -K NAME, --principal=NAME
              Add an extensionRequest for a subjectAltName, with the specified
              Kerberos principal name as its value, to the signing request.

       -E EMAIL, --email=EMAIL
              Add an extensionRequest for a subjectAltName, with the specified
              email address as its value, to the signing request.

       -D DNSNAME, --dns=DNSNAME
              Add an extensionRequest for a subjectAltName, with the specified
              DNS name as its value, to the signing request.

       -A ADDRESS, --ip-address=ADDRESS
              Add an extensionRequest for a subjectAltName, with the specified
              IP address as its value, to the signing request.

       -l FILE, --challenge-password-file=FILE
              Add an optional ChallengePassword value, read from the file, to
              the signing request.  A ChallengePassword is often required when
              the CA is accessed using SCEP.

       -L PIN, --challenge-password=PIN
              Add the argument value to the signing request as a
              ChallengePassword attribute.  A ChallengePassword is often
              required when the CA is accessed using SCEP.  As with -P, a
              value given on the command line is visible to other local users
              in the process list; prefer -l.
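
       A worked server-certificate request assembled from the options above,
       added here as an example and not taken from certmonger itself.  The
       shell function enforces the pairings this page states (-k only together
       with -f, and never the same file for both), refuses hostnames and paths
       that are not plain DNS names or plain paths, and then prints the
       complete getcert request command line, including the ownership,
       permission, post-save hook and wait options from OTHER OPTIONS.  The
       file paths, the Kerberos principal HTTP/<host>, the RSA key size, the
       root ownership and the "systemctl reload httpd" hook are placeholders
       chosen for the example.

```shell
#!/bin/sh
# Added example, not certmonger's own code.  Builds a getcert request command
# line for a TLS server certificate with several subjectAltName values and
# checks the option pairings documented on this page before anything reaches
# the daemon.  The paths, hostnames, the principal HTTP/<host>, the key
# ownership and the reload command are placeholders for this example.

set -eu

# safe_dns NAME: true if NAME consists only of DNS name characters, so it
# can be placed on a command line (and in a SAN) without quoting surprises.
safe_dns() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# safe_path PATH: true if PATH is a plain file path with no shell metachars.
safe_path() {
    case $1 in
        ''|*[!A-Za-z0-9/._-]*) return 1 ;;
    esac
    return 0
}

# build_request CERTFILE KEYFILE HOST [ALT_DNS...]
# Prints the getcert request command line on stdout; fails (with a message
# on stderr) if the arguments violate a rule from this page.
build_request() {
    certfile=$1; keyfile=$2; host=$3; shift 3

    if ! safe_path "$certfile" || ! safe_path "$keyfile"; then
        echo "error: certfile and keyfile must be plain paths" >&2
        return 1
    fi
    # -k is only valid together with -f, and the two must not share a file:
    # the certificate is world-readable, the private key must not be.
    if [ "$certfile" = "$keyfile" ]; then
        echo "error: -f and -k must not point at the same file" >&2
        return 1
    fi
    for name in "$host" "$@"; do
        if ! safe_dns "$name"; then
            echo "error: not a DNS name: $name" >&2
            return 1
        fi
    done

    # Storage: PEM files, key readable by root only, certificate public.
    printf 'getcert request -f %s -k %s' "$certfile" "$keyfile"
    printf ' -o root -m 0600 -O root -M 0644'
    # Key generation: explicit type and size rather than the daemon default.
    printf ' -G RSA -g 3072'
    # Subject and extensions for a server certificate.
    printf ' -N CN=%s' "$host"
    printf ' -u digitalSignature -u keyEncipherment -U id-kp-serverAuth'
    # One -D per DNS name plus the service principal; -D may repeat.
    printf ' -D %s -K HTTP/%s' "$host" "$host"
    for alt in "$@"; do
        printf ' -D %s' "$alt"
    done
    # Reload the consumer after every save, and block until issued or failed.
    printf ' -C "systemctl reload httpd" -w --wait-timeout=120\n'
}
```

       Example: build_request /etc/pki/tls/certs/www.pem
       /etc/pki/tls/private/www.key www.example.com example.com prints the
       command line; review it, then run it with eval.  Add -c NAME to enroll
       with a CA shown by getcert list-cas rather than the default, and -I
       NAME to give the tracking request a stable name for later getcert
       list(1) and getcert status(1) queries.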

OTHER OPTIONS
       -B COMMAND, --before-command=COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user before saving the certificates.

       -C COMMAND, --after-command=COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user after saving the certificates.

       -a DIR, --ca-dbdir=DIR
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, save them to the
              specified NSS database.

       -F FILE, --ca-file=FILE
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, and when the local
              copies of the CA's root certificates are updated, save them to
              the specified file.

       --for-ca
              Request a CA certificate.

       --not-for-ca
              Request a non-CA certificate (the default).

       --ca-path-length=LENGTH
              Path length for the CA certificate.  Only valid with --for-ca.

       -w, --wait
              Wait for the certificate to be issued and saved, or for the
              attempt to obtain one to fail.

       --wait-timeout=TIMEOUT
              Maximum time to wait for the certificate to be issued.

       -v, --verbose
              Be verbose about errors.  Normally, the details of an error
              received from the daemon will be suppressed if the client can
              make a diagnostic suggestion.

       -o OWNER, --key-owner=OWNER
              After generation, set the owner on the private key file or
              database to OWNER.

       -m MODE, --key-perms=MODE
              After generation, set the file permissions on the private key
              file or database to MODE.

       -O OWNER, --cert-owner=OWNER
              After generation, set the owner on the certificate file or
              database to OWNER.

       -M MODE, --cert-perms=MODE
              After generation, set the file permissions on the certificate
              file or database to MODE.

BUS OPTIONS
       -s, --session
              Connect to certmonger on the session bus rather than the system
              bus.

       -S, --system
              Connect to certmonger on the system bus rather than the session
              bus.  This is the default.

NOTES
       Locations specified for key and certificate storage need to be
       accessible to the certmonger daemon process.  When run as a system
       daemon on a system which uses a mandatory access control mechanism such
       as SELinux, the system policy must ensure that the daemon is allowed to
       access the locations where certificates and keys that it will manage
       will be stored (these locations are typically labeled as cert_t or an
       equivalent).  More SELinux-specific information can be found in the
       selinux.txt documentation file for this package.

BUGS
       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO
       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8)
       certmonger-scep-submit(8) certmonger_selinux(8)

certmonger Manual              February 9, 2015                  CERTMONGER(1)