certmonger.conf(5)            File Formats Manual           certmonger.conf(5)

NAME
       certmonger.conf - configuration file for certmonger

DESCRIPTION
       The certmonger.conf file contains default settings used by certmonger.
       Its format is more or less that of a typical INI-style file.  The only
       sections currently of note are named defaults, selfsign, and local.

DEFAULTS
       Within the defaults section, these variables and values are recognized:

       notify_ttls
              This is the list of times, given in seconds, before a
              certificate's not-after validity date (often referred to as its
              expiration time) when certmonger should warn that the
              certificate will soon no longer be valid.  If this value is not
              specified, certmonger will attempt to use the value of the ttls
              setting.  The default list of values is "2419200, 604800,
              259200, 172800, 86400".

       enroll_ttls
              This is the list of times, given in seconds, before a
              certificate's not-after validity date (often referred to as its
              expiration time) when certmonger should attempt to automatically
              renew the certificate, if it is configured to do so.  If this
              value is not specified, certmonger will attempt to use the value
              of the ttls setting.  The default list of values is "2419200,
              604800, 259200, 172800, 86400".

       notification_method
              This is the method by which certmonger will notify the system
              administrator that a certificate will soon become invalid.  The
              recognized values are syslog, mail, and command.  The default is
              syslog.  When sending mail, the notification message will be
              the mail message subject.  When invoking a command, the
              notification message will be available in the
              "CERTMONGER_NOTIFICATION" environment variable.

       notification_destination
              This is the destination to which certmonger will send
              notifications.  It can be a syslog priority and/or facility,
              separated by a period, it can be an email address, or it can be
              a command to run.  The default value is daemon.notice.

       key_type
              This is the type of key pair which will be generated, used in
              certificate signing requests, and used when self-signing
              certificates.  RSA and DSA are supported.  EC (also known as
              ECDSA) is also supported.  The default is RSA.

       symmetric_cipher
              This is the symmetric cipher which will be used to encrypt
              private keys stored in OpenSSL's PEM format.  Recognized values
              include aes128 and aes256.  The default is aes128.  It is not
              recommended that this value be changed except in cases where
              the default is incompatible with other software.

       digest This is the digest algorithm which will be used when signing
              certificate signing requests and self-signed certificates.
              Recognized values include sha1, sha256, sha384, and sha512.  The
              default is sha256.  It is not recommended that this value be
              changed except in cases where the default is incompatible with
              other software.

       nss_ca_trust
              These are the trust attributes which are applied to CA
              certificates which should be trusted, when they are saved to NSS
              databases.  The default is CT,C,C.

       nss_other_trust
              These are the trust attributes which are applied to certificates
              which are not necessarily to be trusted, when they are saved to
              NSS databases.  The default is ,,.

SELFSIGN
       Within the selfsign section, these variables and values are recognized:

       validity_period
              This is the validity period given to self-signed certificates.
              The value is specified as a combination of years (y), months
              (M), weeks (w), days (d), hours (h), minutes (m), and/or seconds
              (s).  If no unit of time is specified, seconds are assumed.  The
              default value is 1y.

       populate_unique_id
              This controls whether or not self-signed certificates will have
              their subjectUniqueID and issuerUniqueID fields populated.
              While RFC5280 prohibits their use, they may be needed and/or
              used by older applications.  The default value is no.

LOCAL
       Within the local section, these variables and values are recognized:

       validity_period
              This is the validity period given to the locally-signed CA's
              certificate when it is generated.  The value is specified as a
              combination of years (y), months (M), weeks (w), days (d), hours
              (h), minutes (m), and/or seconds (s).  If no unit of time is
              specified, seconds are assumed.  If not set, the value of the
              validity_period setting from the selfsign section, if one is set
              there, will be used.  The default value is 1y.
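       As an added example that is not part of this manual page or of
       certmonger itself, the following Python script loads a constructed
       certmonger.conf and applies the lookup rules described in the
       defaults, selfsign and local sections above: notify_ttls and
       enroll_ttls fall back to ttls and then to the built-in list, the
       local section's validity_period falls back to the selfsign value and
       then to 1y, and validity_period strings are converted to seconds.
       The sample file, the month and year lengths (30 and 365 days), and
       the warning on a sha1 digest are assumptions of this example, not
       statements of the manual.

```python
import configparser
import re
# Constructed sample certmonger.conf using sections and keys documented in
# certmonger.conf(5); the values are illustrative, not a recommendation.
SAMPLE_CONF = """[defaults]
ttls = 604800, 86400
notification_method = mail
digest = sha1

[selfsign]
validity_period = 2y
"""
# Unit lengths are an assumption of this example: the manual names the units
# (y, M, w, d, h, m, s) but not how long a month or a year is.
UNIT_SECONDS = {"y": 365 * 86400, "M": 30 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
PERIOD_RE = re.compile(r"(\d+)([yMwdhms]?)")
BUILTIN_TTLS = [2419200, 604800, 259200, 172800, 86400]

def parse_validity_period(text):
    """Convert '1y6M', '2w' or a bare '3600' (seconds assumed) into seconds."""
    text = text.strip()
    if not re.fullmatch(r"(\d+[yMwdhms]?)+", text):
        raise ValueError(f"bad validity_period: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u or "s"] for n, u in PERIOD_RE.findall(text))

def parse_ttls(text):  # comma-separated seconds list used by the *_ttls settings
    return [int(v) for v in text.split(",") if v.strip()]

def load_certmonger_conf(text):
    """Resolve the effective settings, applying the manual's fallback rules."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    d = cp["defaults"] if cp.has_section("defaults") else {}
    # notify_ttls and enroll_ttls each fall back to ttls, then to the built-in list.
    ttls = parse_ttls(d["ttls"]) if "ttls" in d else BUILTIN_TTLS
    method = d.get("notification_method", "syslog")
    if method not in ("syslog", "mail", "command"):
        raise ValueError(f"unknown notification_method: {method!r}")
    # The local section's validity_period falls back to selfsign's, then to 1y.
    selfsign_vp = cp.get("selfsign", "validity_period", fallback="1y")
    local_vp = cp.get("local", "validity_period", fallback=selfsign_vp)
    return {
        "notify_ttls": parse_ttls(d["notify_ttls"]) if "notify_ttls" in d else ttls,
        "enroll_ttls": parse_ttls(d["enroll_ttls"]) if "enroll_ttls" in d else ttls,
        "notification_method": method,
        "selfsign_validity_seconds": parse_validity_period(selfsign_vp),
        "local_validity_seconds": parse_validity_period(local_vp),
        # Flagging sha1 is this example's own check; the manual only lists it as recognized.
        "warnings": ["digest sha1 is weaker than the sha256 default"] if d.get("digest", "sha256") == "sha1" else [],
    }
```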

BUGS
       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO
       certmonger(8) certmonger_selinux(8)

certmonger Manual                11 June 2014               certmonger.conf(5)