1certmonger.conf(5) File Formats Manual certmonger.conf(5)
2
3
4
6 certmonger.conf - configuration file for certmonger
7
8
10 The certmonger.conf file contains default settings used by certmonger.
11 Its format is more or less that of a typical INI-style file. The only
12 sections currently of note are named defaults and selfsign.
13
14
16 Within the defaults section, these variables and values are recognized:
17
18
19 notify_ttls
20 This is the list of times, given in seconds, before a certifi‐
21 cate's not-after validity date (often referred to as its expira‐
22 tion time) when certmonger should warn that the certificate will
23 soon no longer be valid. If this value is not specified, cert‐
24 monger will attempt to use the value of the ttls setting. The
25 default list of values is "2419200, 604800, 259200, 172800,
26 86400".
27
28
29 enroll_ttls
30 This is the list of times, given in seconds, before a certifi‐
31 cate's not-after validity date (often referred to as its expira‐
32 tion time) when certmonger should attempt to automatically renew
33 the certificate, if it is configured to do so. If this value is
34 not specified, certmonger will attempt to use the value of the
35 ttls setting. The default list of values is "2419200, 604800,
36 259200, 172800, 86400".
37
38
39 notification_method
40 This is the method by which certmonger will notify the system
41 administrator that a certificate will soon become invalid. The
42 recognized values are syslog, mail, and command. The default is
43 syslog. When sending mail, the notification message will be the
44 mail message subject. When invoking a command, the notification
45 message will be available in the "CERTMONGER_NOTIFICATION" envi‐
46 ronment variable.
47
48
49 notification_destination
50 This is the destination to which certmonger will send notifica‐
51 tions. It can be a syslog priority and/or facility, separated
52 by a period, it can be an email address, or it can be a command
53 to run. The default value is daemon.notice.
54
55
56 key_type
57 This is the type of key pair which will be generated, used in
58 certificate signing requests, and used when self-signing cer‐
59 tificates. RSA and DSA are supported. EC (also known as ECDSA)
60 is also supported. The default is RSA.
61
62
63 symmetric_cipher
64 This is the symmetric cipher which will be used to encrypt pri‐
65 vate keys stored in OpenSSL's PEM format. Recognized values
66 include aes128 and aes256. The default is aes128. It is not
67 recommended that this value be changed except in cases where the
68 default is incompatible with other software.
69
70
71 digest This is the digest algorithm which will be used when signing
72 certificate signing requests and self-signed certificates. Rec‐
73 ognized values include sha1, sha256, sha384, and sha512. The
74 default is sha256. It is not recommended that this value be
75 changed except in cases where the default is incompatible with
76 other software.
77
78
79 nss_ca_trust
80 These are the trust attributes which are applied to CA certifi‐
81 cates which should be trusted, when they are saved to NSS data‐
82 bases. The default is CT,C,C.
83
84
85 nss_other_trust
86 These are the trust attributes which are applied to certificates
87 which are not necessarily to be trusted, when they are saved to
88 NSS databases. The default is ,,.
89
90
92 Within the selfsign section, these variables and values are recognized:
93
94
95 validity_period
96 This is the validity period given to self-signed certificates.
97 The value is specified as a combination of years (y), months
98 (M), weeks (w), days (d), hours (h), minutes (m), and/or seconds
99 (s). If no unit of time is specified, seconds are assumed. The
100 default value is 1y.
101
102
103 populate_unique_id
104 This controls whether or not self-signed certificates will have
105 their subjectUniqueID and issuerUniqueID fields populated.
106 While RFC5280 prohibits their use, they may be needed and/or
107 used by older applications. The default value is no.
108
109
111 Within the local section, these variables and values are recognized:
112
113
114 validity_period
115 This is the validity period given to the locally-signed CA's
116 certificate when it is generated. The value is specified as a
117 combination of years (y), months (M), weeks (w), days (d), hours
118 (h), minutes (m), and/or seconds (s). If no unit of time is
119 specified, seconds are assumed. If not set, the value of the
120 validity_period setting from the selfsign section, if one is set
121 there, will be used. The default value is 1y.
122
123
125 Please file tickets for any that you find at https://fedora‐
126 hosted.org/certmonger/
127
128
130 certmonger(8) certmonger_selinux(8)
131
132
133
134certmonger Manual 11 June 2014 certmonger.conf(5)