certmonger(1)               General Commands Manual              certmonger(1)

NAME

       getcert

SYNOPSIS

       getcert request [options]

DESCRIPTION

       Tells certmonger to use an existing key pair (or to generate one if one
       is not already found in the specified location), to generate a  signing
       request  using  the  key  pair,  and to submit it for signing to a CA.
       Once the CA issues the certificate, certmonger stores it in the  speci‐
       fied  location and, unless -R is given, keeps tracking it so that it is
       renewed before it expires.

KEY AND CERTIFICATE STORAGE OPTIONS

       -d DIR Use  an NSS database in the specified directory for storing this
              certificate and key.

       -n NAME
              Use the key with this nickname to generate the signing  request.
              If  no  such key is found, generate one.  Give the enrolled cer‐
              tificate this nickname, too.  Only valid with -d.

       -t TOKEN
              If the NSS database has more than one token available,  use  the
              token  with  this name for storing and accessing the certificate
              and key.  This argument only rarely needs to be specified.  Only
              valid with -d.

       -f FILE
              Store  the  issued certificate in this file.  For safety's sake,
              do not use the same file specified with the -k option.

       -k FILE
              Use the key stored in this file to generate the signing request.
              If no such file is found, generate a new key pair and store them
              in the file.  Only valid with -f.


KEY ENCRYPTION OPTIONS

       -p FILE
              Encrypt private key files or databases using the PIN  stored  in
              the  named  file  as the passphrase.  Protect the PIN file with
              restrictive permissions: anyone who can read it can  unlock  the
              private key.

       -P PIN Encrypt  private  key files or databases using the specified PIN
              as the passphrase.  Because command-line  arguments  to  running
              processes  are trivially discoverable, use of this option is not
              recommended except for testing.


KEY GENERATION OPTIONS

       -G TYPE
              In case a new key pair needs to be generated, this option speci‐
              fies  the type of the keys to be generated.  If not specified, a
              reasonable default (currently RSA) will be used.

       -g BITS
              In case a new key pair needs to be generated, this option speci‐
              fies  the  size  of  the  key.   If  not specified, a reasonable
              default (currently 2048 bits) will be used.


TRACKING OPTIONS

       -r     Attempt to obtain a new certificate from the CA when the expira‐
              tion date of a certificate nears.  This is the default setting.

       -R     Don't  attempt  to obtain a new certificate from the CA when the
              expiration date of a certificate nears.  If this option is spec‐
              ified, an expired certificate will simply stay expired.

       -I NAME
              Assign  the  specified nickname to this task.  If this option is
              not specified, a name will be assigned automatically.


ENROLLMENT OPTIONS

       -c NAME
              Enroll with the specified CA rather  than  a  possible  default.
              The  name  of  the CA should correspond to one listed by getcert
              list-cas.

       -T NAME
              Request a certificate using  the  named  profile,  template,  or
              certtype, from the specified CA.

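       The  storage,  key-encryption,  tracking  and  enrollment options above
       combine in only a few valid ways.  The following Python helper is an
       added  example,  not  part  of certmonger: it assembles a getcert request
       command line and refuses the combinations the page warns against (-n/-t
       without -d, -k without -f, the same file for -f and -k, and a PIN  given
       on  the  command  line  with -P).  The paths, CA name and profile name it
       uses are illustrative assumptions, not values taken from this page.

```python
"""Build a validated `getcert request` argument vector.

Added example (not certmonger's own code). It encodes the option
constraints stated in the man page so mistakes are rejected before the
daemon is asked to do anything. All paths and names used here are
illustrative assumptions.
"""
import os
import shlex
import subprocess


class OptionError(ValueError):
    """Raised for an option combination the man page rules out."""


def build_request_argv(*, cert_file=None, key_file=None, nss_dir=None,
                       nickname=None, token=None, pin_file=None, pin=None,
                       ca=None, profile=None, renew=True, wait=True,
                       dns_names=(), principals=(), key_usages=(), ekus=(),
                       post_save=None):
    # Exactly one storage backend: -f/-k (files) or -d/-n/-t (NSS database).
    if cert_file is None and nss_dir is None:
        raise OptionError("choose a storage location: -f FILE or -d DIR")
    if cert_file is not None and nss_dir is not None:
        raise OptionError("-f/-k and -d/-n/-t are alternative storage backends")
    if key_file is not None and cert_file is None:
        raise OptionError("-k is only valid with -f")
    if (nickname is not None or token is not None) and nss_dir is None:
        raise OptionError("-n and -t are only valid with -d")
    # "For safety's sake, do not use the same file specified with -k."
    if cert_file is not None and key_file is not None:
        if os.path.realpath(cert_file) == os.path.realpath(key_file):
            raise OptionError("-f and -k must name different files")
    # -P puts the PIN in argv, readable by every local process; insist on -p.
    if pin is not None:
        raise OptionError("-P exposes the PIN in the process list; use -p FILE")

    argv = ["getcert", "request"]
    if cert_file is not None:
        argv += ["-f", cert_file]
        if key_file is not None:
            argv += ["-k", key_file]
    else:
        argv += ["-d", nss_dir]
        if nickname is not None:
            argv += ["-n", nickname]
        if token is not None:
            argv += ["-t", token]
    if pin_file is not None:
        argv += ["-p", pin_file]
    if ca is not None:
        argv += ["-c", ca]
    if profile is not None:
        argv += ["-T", profile]
    if not renew:           # -r is the default, so only -R needs spelling out
        argv.append("-R")
    for d in dns_names:
        argv += ["-D", d]
    for p in principals:
        argv += ["-K", p]
    for u in key_usages:
        argv += ["-u", u]
    for e in ekus:
        argv += ["-U", e]
    if post_save is not None:
        argv += ["-C", post_save]
    if wait:
        argv.append("-w")
    return argv


def request_command(**kw):
    """Shell-quoted command line, for review or logging before running it."""
    return shlex.join(build_request_argv(**kw))


def submit(**kw):
    """Run getcert for real; only meaningful on a host running certmonger."""
    return subprocess.run(build_request_argv(**kw), check=True)


if __name__ == "__main__":
    # Assumed paths: a TLS server certificate stored as PEM files.
    print(request_command(cert_file="/etc/pki/tls/certs/www.example.com.crt",
                          key_file="/etc/pki/tls/private/www.example.com.key",
                          dns_names=["www.example.com"],
                          key_usages=["digitalSignature", "keyEncipherment"],
                          ekus=["id-kp-serverAuth"]))
```

       request_command() is the piece to use interactively: it shows the exact
       command  before  anything  is  submitted,  and the validation failures
       surface as OptionError rather than as a half-configured tracking  entry
       in the daemon.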

SIGNING REQUEST OPTIONS

       If  none  of  -N,  -U, -K, -E, and -D are specified, a default group of
       settings will be used to request an SSL server certificate for the cur‐
       rent host, with the host Kerberos service as an additional name.


       -N NAME
              Set  the  subject  name  to include in the signing request.  The
              default used is CN=hostname, where hostname is the  local  host‐
              name.

       -u keyUsage
              Add  an extensionRequest for the specified keyUsage to the sign‐
              ing request.  The keyUsage value is expected to be one of  these
              names:

              digitalSignature

              nonRepudiation

              keyEncipherment

              dataEncipherment

              keyAgreement

              keyCertSign

              cRLSign

              encipherOnly

              decipherOnly

       -U EKU Add  an  extensionRequest  for the specified extendedKeyUsage to
              the signing request.  The EKU value is expected to be an  object
              identifier  (OID),  but some specific names are also recognized.
              These are some names and their associated OID values:

              id-kp-serverAuth 1.3.6.1.5.5.7.3.1

              id-kp-clientAuth 1.3.6.1.5.5.7.3.2

              id-kp-codeSigning 1.3.6.1.5.5.7.3.3

              id-kp-emailProtection 1.3.6.1.5.5.7.3.4

              id-kp-timeStamping 1.3.6.1.5.5.7.3.8

              id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9

              id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4

              id-pkinit-KPKdc 1.3.6.1.5.2.3.5

              id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2

       -K NAME
              Add an extensionRequest for a subjectAltName, with the specified
              Kerberos principal name as its value, to the signing request.

       -E EMAIL
              Add an extensionRequest for a subjectAltName, with the specified
              email address as its value, to the signing request.

       -D DNSNAME
              Add an extensionRequest for a subjectAltName, with the specified
              DNS name as its value, to the signing request.

       -A ADDRESS
              Add an extensionRequest for a subjectAltName, with the specified
              IP address as its value, to the signing request.

       -l FILE
              Add an optional ChallengePassword value, read from the file,  to
              the signing request.  A ChallengePassword is often required when
              the CA is accessed using SCEP.

       -L PIN Add the argument  value  to  the  signing  request  as  a  Chal‐
              lengePassword  attribute.  A ChallengePassword is often required
              when the CA is accessed using SCEP.  As with  -P,  the  value  is
              visible  to  other  processes  on the host for as long as getcert
              runs, so prefer -l FILE outside of testing.

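       The keyUsage names, extendedKeyUsage OIDs and subjectAltName values above
       end up as DER-encoded extensions inside the CSR's extensionRequest.  The
       following  Python  code is an added example, not certmonger's, that uses
       a minimal DER encoder and decoder to show exactly what -u, -U, -D, -E and
       -A produce, so the bytes can be inspected offline and compared with what
       a CSR decoder reports.  The -K form (a Kerberos principal as an otherName)
       is deliberately not covered; the DNS name and IP address in the  example
       are assumptions, not values from this page.

```python
"""DER-encode the CSR extensions that -u, -U, -D, -E and -A ask for.

Added example, not certmonger code. Only keyUsage, extendedKeyUsage and
the rfc822Name/dNSName/iPAddress forms of subjectAltName are covered;
the Kerberos principal otherName used by -K is not.
"""
import ipaddress

KEY_USAGE_BITS = {  # RFC 5280 KeyUsage bit positions (the names -u accepts)
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

EKU_OIDS = {  # the -U names and OIDs listed in the man page
    "id-kp-serverAuth": "1.3.6.1.5.5.7.3.1", "id-kp-clientAuth": "1.3.6.1.5.5.7.3.2",
    "id-kp-codeSigning": "1.3.6.1.5.5.7.3.3", "id-kp-emailProtection": "1.3.6.1.5.5.7.3.4",
    "id-kp-timeStamping": "1.3.6.1.5.5.7.3.8", "id-kp-OCSPSigning": "1.3.6.1.5.5.7.3.9",
    "id-pkinit-KPClientAuth": "1.3.6.1.5.2.3.4", "id-pkinit-KPKdc": "1.3.6.1.5.2.3.5",
    "id-ms-kp-sc-logon": "1.3.6.1.4.1.311.20.2.2",
}


def _len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _read_tlv(buf, i):
    """Return (tag, body, index after the element) for the TLV at buf[i]."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n


def _base128(n):
    """OID arc as base-128 digits, continuation bit on all but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    first = _base128(arcs[0] * 40 + arcs[1])   # first two arcs share one value
    return tlv(0x06, first + b"".join(_base128(a) for a in arcs[2:]))


def decode_oid(der):
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x06, "not an OBJECT IDENTIFIER"
    arcs, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    head = arcs[0]
    lead = [2, head - 80] if head >= 80 else [head // 40, head % 40]
    return ".".join(map(str, lead + arcs[1:]))


def encode_key_usage(names):
    """KeyUsage BIT STRING: bit 0 is the MSB of the first content byte."""
    bits = [KEY_USAGE_BITS[n] for n in names]
    nbytes = max(bits) // 8 + 1
    value = bytearray(nbytes)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    unused = nbytes * 8 - (max(bits) + 1)   # trailing bits not used
    return tlv(0x03, bytes([unused]) + bytes(value))


def encode_eku(names_or_oids):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId; dotted OIDs pass through."""
    return tlv(0x30, b"".join(encode_oid(EKU_OIDS.get(n, n)) for n in names_or_oids))


def decode_eku(der):
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    out, i = [], 0
    while i < len(body):
        _, _, nxt = _read_tlv(body, i)
        out.append(decode_oid(body[i:nxt]))
        i = nxt
    return out


def encode_san(dns=(), email=(), ip=()):
    """GeneralNames: [1] rfc822Name (-E), [2] dNSName (-D), [7] iPAddress (-A)."""
    body = b"".join(tlv(0x81, e.encode("ascii")) for e in email)
    body += b"".join(tlv(0x82, d.encode("ascii")) for d in dns)
    body += b"".join(tlv(0x87, ipaddress.ip_address(a).packed) for a in ip)
    return tlv(0x30, body)
```

       encode_key_usage(["digitalSignature", "keyEncipherment"]) yields  the
       four  bytes  03 02 05 a0: a BIT STRING with five unused trailing bits and
       bits 0 and 2 set, which is the value most TLS server certificates carry.
       Note that decipherOnly is bit 8 and therefore needs a second content byte.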

OTHER OPTIONS

       -B COMMAND
              Whenever the certificate or the CA's certificates are  saved  to
              the specified locations, run the specified command as the client
              user before saving the certificates.

       -C COMMAND
              Whenever the certificate or the CA's certificates are  saved  to
              the specified locations, run the specified command as the client
              user after saving the certificates.

       -a DIR Whenever the certificate is saved to the specified location,  if
              root  certificates  for  the  CA are available, save them to the
              specified NSS database.

       -F FILE
              Whenever the certificate is saved to the specified location,  if
              root  certificates  for the CA are available, and when the local
              copies of the CA's root certificates are updated, save  them  to
              the specified file.

       -w     Wait  for  the  certificate  to  be issued and saved, or for the
              attempt to obtain one to fail.

       -v     Be verbose about errors.  Normally,  the  details  of  an  error
              received  from  the  daemon will be suppressed if the client can
              make a diagnostic suggestion.


NOTES

       Locations specified for key and certificate storage need to be accessi‐
       ble to the certmonger daemon process.  When run as a system daemon on a
       system which uses a mandatory access control mechanism such as SELinux,
       the  system policy must ensure that the daemon is allowed to access the
       locations where certificates and keys  that  it  will  manage  will  be
       stored  (these  locations are typically labeled as cert_t or an equiva‐
       lent).   More  SELinux-specific  information  can  be  found   in   the
       selinux.txt documentation file for this package.


BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/


SEE ALSO

       certmonger(8)   getcert(1)   getcert-add-ca(1)   getcert-add-scep-ca(1)
       getcert-list-cas(1)   getcert-list(1)   getcert-modify-ca(1)   getcert-
       refresh-ca(1)  getcert-refresh(1)  getcert-remove-ca(1)  getcert-resub‐
       mit(1)  getcert-start-tracking(1) getcert-status(1) getcert-stop-track‐
       ing(1)   certmonger-certmaster-submit(8)   certmonger-dogtag-ipa-renew-
       agent-submit(8)   certmonger-dogtag-submit(8)  certmonger-ipa-submit(8)
       certmonger-local-submit(8)      certmonger-scep-submit(8)      certmon‐
       ger_selinux(8)


certmonger Manual               9 February 2015                  certmonger(1)