certmonger(1)               General Commands Manual              certmonger(1)


NAME

       getcert

SYNOPSIS

       getcert start-tracking [options]

DESCRIPTION

       Tells certmonger to monitor an already-issued certificate.  Optionally,
       when the certificate nears expiration, certmonger uses the existing key
       pair (generating one if none is found in the specified location) to
       create a signing request and submits it to a CA for signing.


SPECIFYING EXISTING REQUESTS

       -i NAME
              Modify the request which has this nickname.  If this option is
              not specified, and a tracking entry which matches the key and
              certificate storage options which are specified already exists,
              that entry will be modified.  Otherwise, a new tracking entry
              will be added.


KEY AND CERTIFICATE STORAGE OPTIONS

       -d DIR Use an NSS database in the specified directory for reading this
              certificate and, if possible, the corresponding key.

       -n NAME
              Use the certificate with this nickname and, if a private key
              with the same nickname or one corresponding to the certificate
              is available, use it too.  Only valid with -d.

       -t TOKEN
              If the NSS database has more than one token available, use the
              token with this name for accessing the certificate and key.
              This argument only rarely needs to be specified.  Only valid
              with -d.

       -f FILE
              Read the certificate from this file.  For safety's sake, do not
              use the same file specified with the -k option.

       -k FILE
              Use the key stored in this file to generate a signing request
              for refreshing the certificate.  If no such file is found when
              needed, generate a new key pair and store it in the file.
              Only valid with -f.


KEY ENCRYPTION OPTIONS

       -p FILE
              The private key files or databases are encrypted using the PIN
              stored in the named file as the passphrase.

       -P PIN The private key files or databases are encrypted using the
              specified PIN as the passphrase.  Because command-line arguments
              to running processes are trivially discoverable, use of this
              option is not recommended except for testing.


TRACKING OPTIONS

       -I NAME
              Assign the specified nickname to this task.  If this option is
              not specified, a name will be assigned automatically.

       -r     Attempt to obtain a new certificate from the CA when the
              expiration date of a certificate nears.  This is the default
              setting.

       -R     Don't attempt to obtain a new certificate from the CA when the
              expiration date of a certificate nears.  If this option is
              specified, an expired certificate will simply stay expired.


ENROLLMENT OPTIONS

       -c NAME
              Enroll with the specified CA rather than a possible default.
              The name of the CA should correspond to one listed by getcert
              list-cas.  Only useful in combination with -r.

       -T NAME
              Request a certificate using the named profile, template, or
              certtype, from the specified CA.


SIGNING REQUEST OPTIONS

       If and when certmonger attempts to obtain a new certificate to replace
       the one being monitored, the values to be added to the signing request
       will be taken from the current certificate, unless preferred values are
       set using one or more of -u, -U, -K, -E, and -D.

       -u keyUsage
              Add an extensionRequest for the specified keyUsage to the
              signing request.  The keyUsage value is expected to be one of
              these names:

              digitalSignature

              nonRepudiation

              keyEncipherment

              dataEncipherment

              keyAgreement

              keyCertSign

              cRLSign

              encipherOnly

              decipherOnly

       -U EKU Add an extensionRequest for the specified extendedKeyUsage to
              the signing request.  The EKU value is expected to be an object
              identifier (OID).

       -K NAME
              Add an extensionRequest for a subjectAltName, with the specified
              Kerberos principal name as its value, to the signing request.

       -E EMAIL
              Add an extensionRequest for a subjectAltName, with the specified
              email address as its value, to the signing request.

       -D DNSNAME
              Add an extensionRequest for a subjectAltName, with the specified
              DNS name as its value, to the signing request.

       -A ADDRESS
              Add an extensionRequest for a subjectAltName, with the specified
              IP address as its value, to the signing request.

       -l FILE
              Add an optional ChallengePassword value, read from the file, to
              the signing request.  A ChallengePassword is often required when
              the CA is accessed using SCEP.

       -L PIN Add the argument value to the signing request as a
              ChallengePassword attribute.  A ChallengePassword is often
              required when the CA is accessed using SCEP.


OTHER OPTIONS

       -B COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user before saving the certificates.

       -C COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user after saving the certificates.

       -a DIR Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, save them to the
              specified NSS database.

       -F FILE
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, and when the local
              copies of the CA's root certificates are updated, save them to
              the specified file.

       -w     Wait for the certificate to become valid or to be reissued and
              saved, or for the attempt to obtain a new one to fail.

       -v     Be verbose about errors.  Normally, the details of an error
              received from the daemon will be suppressed if the client can
              make a diagnostic suggestion.

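       As an added example (not part of certmonger or this manual), a POSIX sh
       wrapper that applies the option rules documented above (-k only with -f,
       -f and -k never the same file, -u restricted to the listed keyUsage
       names) before invoking getcert start-tracking on a PEM certificate and
       key.  The file paths, the CA name "IPA", the nickname and the
       "systemctl reload httpd" post-save command are assumptions.

```shell
#!/bin/sh
# Added example, not part of certmonger: validate option combinations from
# getcert-start-tracking(1), then run (or, with GETCERT_DRY_RUN=1, print)
# the resulting "getcert start-tracking" command.

# keyUsage names accepted by -u (from SIGNING REQUEST OPTIONS).
KEY_USAGES="digitalSignature nonRepudiation keyEncipherment dataEncipherment
keyAgreement keyCertSign cRLSign encipherOnly decipherOnly"

# valid_key_usage NAME: return 0 if NAME is a documented keyUsage, else 1.
valid_key_usage() {
    for ku in $KEY_USAGES; do
        [ "$ku" = "$1" ] && return 0
    done
    return 1
}

# track_file_cert CERT KEY CA NICK ["DNS1 DNS2"] ["USAGE1 USAGE2"]
# Tracks CERT (-f) with KEY (-k), renews via CA (-c) under nickname NICK
# (-I), adds -D and -u values, and reloads the consumer after each save (-C).
track_file_cert() {
    if [ $# -lt 4 ]; then
        echo "usage: track_file_cert CERT KEY CA NICK [DNS] [USAGES]" >&2
        return 2
    fi
    cert=$1 key=$2 ca=$3 nick=$4 dns=${5:-} usages=${6:-}
    # The -f description warns against reusing the -k file.
    if [ "$cert" = "$key" ]; then
        echo "refusing: -f and -k name the same file ($cert)" >&2
        return 2
    fi
    for u in $usages; do
        valid_key_usage "$u" || { echo "unknown keyUsage: $u" >&2; return 2; }
    done
    # Build the argument list with "set --" (POSIX sh has no arrays).
    set -- start-tracking -f "$cert" -k "$key" -c "$ca" -I "$nick" -r
    for d in $dns; do set -- "$@" -D "$d"; done
    for u in $usages; do set -- "$@" -u "$u"; done
    set -- "$@" -C "systemctl reload httpd"
    if [ "${GETCERT_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "getcert $*"   # note: printing drops shell quoting
    else
        getcert "$@"
    fi
}

# Constructed example paths; dry run so nothing is submitted to a CA.
(GETCERT_DRY_RUN=1
 track_file_cert /etc/pki/tls/certs/www.pem /etc/pki/tls/private/www.key \
     IPA www-cert "www.example.com alt.example.com" \
     "digitalSignature keyEncipherment")
```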

NOTES

       Locations specified for key and certificate storage need to be
       accessible to the certmonger daemon process.  When run as a system
       daemon on a system which uses a mandatory access control mechanism such
       as SELinux, the system policy must ensure that the daemon is allowed to
       access the locations where certificates and keys that it will manage
       will be stored (these locations are typically labeled as cert_t or an
       equivalent).  More SELinux-specific information can be found in the
       selinux.txt documentation file for this package.


BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/


SEE ALSO

       certmonger(8)  getcert(1)  getcert-add-ca(1)  getcert-add-scep-ca(1)
       getcert-list-cas(1)  getcert-list(1)  getcert-modify-ca(1)
       getcert-refresh-ca(1)  getcert-refresh(1)  getcert-remove-ca(1)
       getcert-request(1)  getcert-resubmit(1)  getcert-status(1)
       getcert-stop-tracking(1)  certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8)  certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8)  certmonger-local-submit(8)
       certmonger-scep-submit(8)  certmonger_selinux(8)

certmonger Manual               9 February 2015                  certmonger(1)