CERTMONGER(1)               General Commands Manual              CERTMONGER(1)

NAME

       getcert

SYNOPSIS

       getcert resubmit [options]

DESCRIPTION

       Tells certmonger to generate (or regenerate) a signing request and
       submit (or resubmit) the signing request to a CA for signing.

SPECIFYING REQUESTS BY NICKNAME

       -i NAME, --id=NAME
              Resubmit a signing request for the tracking request which has
              this nickname. If this option is not specified, and a tracking
              entry which matches the key and certificate storage options
              which are specified already exists, that entry will be used. If
              not specified, the location of the certificate should be
              specified with either a combination of the -d and -n options, or
              with the -f option.

SPECIFYING REQUESTS BY CERTIFICATE LOCATION

       -d DIR, --dbdir=DIR
              The certificate is in the NSS database in the specified
              directory.

       -n NAME, --nickname=NAME
              The certificate in the NSS database named with -d has the
              specified nickname. Only valid with -d.

       -t TOKEN, --token=TOKEN
              If the NSS database has more than one token available, the
              certificate is stored in this token. This argument only rarely
              needs to be specified. Only valid with -d.

       -f FILE, --certfile=FILE
              The certificate is stored in the named file.

ENROLLMENT OPTIONS

       -c NAME, --ca=NAME
              Submit the new signing request to the specified CA rather than
              the one which was previously associated with this certificate.
              The name of the CA should correspond to one listed by getcert
              list-cas.

       -T NAME, --profile=NAME
              Request a certificate using the named profile, template, or
              certtype, from the specified CA.

       --ms-template-spec SPEC
              Include a V2 Certificate Template extension in the signing
              request. This datum includes an Object Identifier, a major
              version number (positive integer) and an optional minor version
              number. The format is: <oid>:<majorVersion>[:<minorVersion>].

       -X NAME, --issuer=NAME
              Request a certificate using the named issuer from the specified
              CA.

       -I NAME, --id=NAME
              Assign the specified nickname to this task, replacing the
              previous nickname.

SIGNING REQUEST OPTIONS

       -N NAME, --subject-name=NAME
              Change the subject name to include in the signing request.

       -u keyUsage, --key-usage=keyUsage
              Add an extensionRequest for the specified keyUsage to the
              signing request. The keyUsage value is expected to be one of
              these names:

              digitalSignature
              nonRepudiation
              keyEncipherment
              dataEncipherment
              keyAgreement
              keyCertSign
              cRLSign
              encipherOnly
              decipherOnly

       -U EKU, --extended-key-usage=EKU
              Change the extendedKeyUsage value specified in an
              extendedKeyUsage extension part of the extensionRequest
              attribute in the signing request. The EKU value is expected to
              be an object identifier (OID).

       -K NAME, --principal=NAME
              Change the Kerberos principal name specified as part of a
              subjectAltName extension part of the extensionRequest attribute
              in the signing request.

       -E EMAIL, --email=EMAIL
              Change the email address specified as part of a subjectAltName
              extension part of the extensionRequest attribute in the signing
              request.

       -D DNSNAME, --dns=DNSNAME
              Change the DNS name specified as part of a subjectAltName
              extension part of the extensionRequest attribute in the signing
              request.

       -A ADDRESS, --ip-address=ADDRESS
              Change the IP address specified as part of a subjectAltName
              extension part of the extensionRequest attribute in the signing
              request.

       -l FILE, --challenge-password-file=FILE
              Add an optional ChallengePassword value, read from the file, to
              the signing request. A ChallengePassword is often required when
              the CA is accessed using SCEP.

       -L PIN, --challenge-password=PIN
              Add the argument value to the signing request as a
              ChallengePassword attribute. A ChallengePassword is often
              required when the CA is accessed using SCEP.

OTHER OPTIONS

       -B COMMAND, --before-command=COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user before saving the certificates.

       -C COMMAND, --after-command=COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user after saving the certificates.

       -a DIR, --ca-dbdir=DIR
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, save them to the
              specified NSS database.

       -F FILE, --ca-file=FILE
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, and when the local
              copies of the CA's root certificates are updated, save them to
              the specified file.

       --for-ca
              Request a CA certificate.

       --not-for-ca
              Request a non-CA certificate (the default).

       --ca-path-length=LENGTH
              Path length for CA certificate. Only valid with --for-ca.

       -w, --wait
              Wait for the certificate to be reissued and saved, or for the
              attempt to obtain one to fail.

       --wait-timeout=TIMEOUT
              Maximum time to wait for the certificate to be issued.

       -v, --verbose
              Be verbose about errors. Normally, the details of an error
              received from the daemon will be suppressed if the client can
              make a diagnostic suggestion.

       -o OWNER, --key-owner=OWNER
              After generation, set the owner on the private key file or
              database to OWNER.

       -m MODE, --key-perms=MODE
              After generation, set the file permissions on the private key
              file or database to MODE.

       -O OWNER, --cert-owner=OWNER
              After generation, set the owner on the certificate file or
              database to OWNER.

       -M MODE, --cert-perms=MODE
              After generation, set the file permissions on the certificate
              file or database to MODE.
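
EXAMPLES

       The following is an added example, not part of the certmonger manual or
       project code. It checks a --ms-template-spec value against the
       <oid>:<majorVersion>[:<minorVersion>] format and confirms that a
       challenge password file has no group or other access before composing a
       getcert resubmit command that uses -l rather than -L, since argument
       values are visible to other local users in the process list. The
       function names are hypothetical, and accepting 0 as a minor version is
       an assumption.

```shell
# Added example; function names are hypothetical helpers, not certmonger code.

# True when $1 is <oid>:<majorVersion>[:<minorVersion>]: dotted-decimal OID,
# positive major version, optional minor version (0 accepted: assumption).
valid_template_spec() {
    case $1 in
        *'
'*) return 1 ;;   # grep matches per line, so reject embedded newlines first
    esac
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]+(\.[0-9]+)+:[1-9][0-9]*(:[0-9]+)?$'
}

# True when $1 is a regular file (not a symlink) with no group/other bits set.
private_file() {
    [ -f "$1" ] || return 1
    case $(ls -ld -- "$1") in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the command for request nickname $1, template spec $2 and challenge
# password file $3, or fail without printing it when a check does not pass.
resubmit_cmd() {
    valid_template_spec "$2" || {
        echo "invalid template spec: $2" >&2; return 2; }
    private_file "$3" || {
        echo "challenge password file needs mode 0600 or stricter: $3" >&2
        return 3; }
    printf 'getcert resubmit -i %s --ms-template-spec %s -l %s -w\n' \
        "$1" "$2" "$3"
}
```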

BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-request(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8)
       certmonger-scep-submit(8) certmonger_selinux(8)

certmonger Manual              February 9, 2015                  CERTMONGER(1)