1certmonger(1)               General Commands Manual              certmonger(1)
2
3
4

NAME

6       getcert
7
8

SYNOPSIS

10       getcert request [options]
11
12

DESCRIPTION

14       Tells certmonger to use an existing key pair (or to generate one if one
15       is not already found in the specified location), to generate a  signing
16       request using the key pair, and to submit them for signing to a CA.
17
18

KEY AND CERTIFICATE STORAGE OPTIONS

20       -d DIR Use  an NSS database in the specified directory for storing this
21              certificate and key.
22
23       -n NAME
24              Use the key with this nickname to generate the signing  request.
25              If  no  such key is found, generate one.  Give the enrolled cer‐
26              tificate this nickname, too.  Only valid with -d.
27
28       -t TOKEN
29              If the NSS database has more than one token available,  use  the
30              token  with  this name for storing and accessing the certificate
31              and key.  This argument only rarely needs to be specified.  Only
32              valid with -d.
33
34       -f FILE
35              Store  the  issued certificate in this file.  For safety's sake,
36              do not use the same file specified with the -k option.
37
38       -k FILE
39              Use the key stored in this file to generate the signing request.
40              If no such file is found, generate a new key pair and store them
41              in the file.  Only valid with -f.
42
43

KEY ENCRYPTION OPTIONS

45       -p FILE
46              Encrypt private key files or databases using the PIN  stored  in
47              the named file as the passphrase.
48
49       -P PIN Encrypt  private  key files or databases using the specified PIN
50              as the passphrase.  Because command-line  arguments  to  running
51              processes  are trivially discoverable, use of this option is not
52              recommended except for testing.
53
54

KEY GENERATION OPTIONS

56       -G TYPE
57              In case a new key pair needs to be generated, this option speci‐
58              fies  the type of the keys to be generated.  If not specified, a
59              reasonable default (currently RSA) will be used.
60
61       -g BITS
62              In case a new key pair needs to be generated, this option speci‐
63              fies  the  size  of  the  key.   If  not specified, a reasonable
64              default (currently 2048 bits) will be used.
65
66

TRACKING OPTIONS

68       -r     Attempt to obtain a new certificate from the CA when the expira‐
69              tion date of a certificate nears.  This is the default setting.
70
71       -R     Don't  attempt  to obtain a new certificate from the CA when the
72              expiration date of a certificate nears.  If this option is spec‐
73              ified, an expired certificate will simply stay expired.
74
75       -I NAME
76              Assign  the  specified nickname to this task.  If this option is
77              not specified, a name will be assigned automatically.
78
79

ENROLLMENT OPTIONS

81       -c NAME
82              Enroll with the specified CA rather  than  a  possible  default.
83              The  name  of  the CA should correspond to one listed by getcert
84              list-cas.
85
86       -T NAME
87              Request a certificate using  the  named  profile,  template,  or
88              certtype, from the specified CA.
89
90       --ms-template-spec SPEC
91              Include  a  V2  Certificate  Template  extension  in the signing
92              request.  This datum includes an Object Identifier, a major ver‐
93              sion  number  (positive  integer)  and an optional minor version
94              number.  The format is: <oid>:<majorVersion>[:<minorVersion>].
95
96       -X NAME
97              Request a certificate using the named issuer from the  specified
98              CA.
99
100

SIGNING REQUEST OPTIONS

102       If  none  of  -N,  -U, -K, -E, and -D are specified, a default group of
103       settings will be used to request an SSL server certificate for the cur‐
104       rent host, with the host Kerberos service as an additional name.
105
106
107       -N NAME
108              Set  the  subject  name  to include in the signing request.  The
109              default used is CN=hostname, where hostname is the  local  host‐
110              name.
111
112       -u keyUsage
113              Add  an extensionRequest for the specified keyUsage to the sign‐
114              ing request.  The keyUsage value is expected to be one of  these
115              names:
116
117              digitalSignature
118
119              nonRepudiation
120
121              keyEncipherment
122
123              dataEncipherment
124
125              keyAgreement
126
127              keyCertSign
128
129              cRLSign
130
131              encipherOnly
132
133              decipherOnly
134
135       -U EKU Add  an  extensionRequest  for the specified extendedKeyUsage to
136              the signing request.  The EKU value is expected to be an  object
137              identifier  (OID),  but some specific names are also recognized.
138              These are some names and their associated OID values:
139
140              id-kp-serverAuth 1.3.6.1.5.5.7.3.1
141
142              id-kp-clientAuth 1.3.6.1.5.5.7.3.2
143
144              id-kp-codeSigning 1.3.6.1.5.5.7.3.3
145
146              id-kp-emailProtection 1.3.6.1.5.5.7.3.4
147
148              id-kp-timeStamping 1.3.6.1.5.5.7.3.8
149
150              id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9
151
152              id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4
153
154              id-pkinit-KPKdc 1.3.6.1.5.2.3.5
155
156              id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2
157
158       -K NAME
159              Add an extensionRequest for a subjectAltName, with the specified
160              Kerberos principal name as its value, to the signing request.
161
162       -E EMAIL
163              Add an extensionRequest for a subjectAltName, with the specified
164              email address as its value, to the signing request.
165
166       -D DNSNAME
167              Add an extensionRequest for a subjectAltName, with the specified
168              DNS name as its value, to the signing request.
169
170       -A ADDRESS
171              Add an extensionRequest for a subjectAltName, with the specified
172              IP address as its value, to the signing request.
173
174       -l FILE
175              Add an optional ChallengePassword value, read from the file,  to
176              the signing request.  A ChallengePassword is often required when
177              the CA is accessed using SCEP.
178
179       -L PIN Add the argument  value  to  the  signing  request  as  a  Chal‐
180              lengePassword  attribute.  A ChallengePassword is often required
181              when the CA is accessed using SCEP.
182
183

OTHER OPTIONS

185       -B COMMAND
186              When ever the certificate or the CA's certificates are saved  to
187              the specified locations, run the specified command as the client
188              user before saving the certificates.
189
190       -C COMMAND
191              When ever the certificate or the CA's certificates are saved  to
192              the specified locations, run the specified command as the client
193              user after saving the certificates.
194
195       -a DIR When ever the certificate is saved to the specified location, if
196              root  certificates  for  the  CA are available, save them to the
197              specified NSS database.
198
199       -F FILE
200              When ever the certificate is saved to the specified location, if
201              root  certificates  for the CA are available, and when the local
202              copies of the CA's root certificates are updated, save  them  to
203              the specified file.
204
205       -w     Wait  for  the  certificate  to  be issued and saved, or for the
206              attempt to obtain one to fail.
207
208       -v     Be verbose about errors.  Normally,  the  details  of  an  error
209              received  from  the  daemon will be suppressed if the client can
210              make a diagnostic suggestion.
211
212

NOTES

214       Locations specified for key and certificate storage need to be accessi‐
215       ble to the certmonger daemon process.  When run as a system daemon on a
216       system which uses a mandatory access control mechanism such as SELinux,
217       the  system policy must ensure that the daemon is allowed to access the
218       locations where certificates and keys  that  it  will  manage  will  be
219       stored  (these  locations are typically labeled as cert_t or an equiva‐
220       lent).   More  SELinux-specific  information  can  be  found   in   the
221       selinux.txt documentation file for this package.
222
223

BUGS

225       Please   file   tickets  for  any  that  you  find  at  https://fedora
226       hosted.org/certmonger/
227
228

SEE ALSO

230       certmonger(8)   getcert(1)   getcert-add-ca(1)   getcert-add-scep-ca(1)
231       getcert-list-cas(1)   getcert-list(1)   getcert-modify-ca(1)   getcert-
232       refresh-ca(1)  getcert-refresh(1)  getcert-remove-ca(1)  getcert-resub‐
233       mit(1)  getcert-start-tracking(1) getcert-status(1) getcert-stop-track‐
234       ing(1)   certmonger-certmaster-submit(8)   certmonger-dogtag-ipa-renew-
235       agent-submit(8)   certmonger-dogtag-submit(8)  certmonger-ipa-submit(8)
236       certmonger-local-submit(8)      certmonger-scep-submit(8)      certmon‐
237       ger_selinux(8)
238
239
240
241certmonger Manual               9 February 2015                  certmonger(1)
Impressum