certmonger(1) General Commands Manual certmonger(1)

getcert

getcert rekey [options]

Tells certmonger to generate a new key pair, generate a signing request
for the public key, and submit the signing request to a CA for signing,
in order to replace both a certificate and its private key.

-i NAME
The new key pair will be generated and the new certificate will
be obtained for the tracking request which has this nickname.
If this option is not specified, and a tracking entry which
matches the key and certificate storage options which are
specified already exists, that entry will be used. If not specified,
the location of the certificate should be specified with either
a combination of the -d and -n options, or with the -f option.

-d DIR The certificate is in the NSS database in the specified
directory.

-n NAME
The certificate in the NSS database named with -d has the
specified nickname. Only valid with -d.

-t TOKEN
If the NSS database has more than one token available, the
certificate is stored in this token. This argument only rarely
needs to be specified. Only valid with -d.

-f FILE
The certificate is stored in the named file.

-G TYPE
In case a new key pair needs to be generated, this option
specifies the type of the keys to be generated. If not specified,
the current key type will be used.

-g BITS
This option specifies the size of the new key to be generated.
If not specified, a key of the same size as the existing key
will be generated.

-c NAME
Submit the new signing request to the specified CA rather than
the one which was previously associated with this certificate.
The name of the CA should correspond to one listed by getcert
list-cas.

-T NAME
Request a certificate using the named profile, template, or
certtype, from the specified CA.

--ms-template-spec SPEC
Include a V2 Certificate Template extension in the signing
request. This datum includes an Object Identifier, a major
version number (positive integer) and an optional minor version
number. The format is: <oid>:<majorVersion>[:<minorVersion>].

-X NAME
Request a certificate using the named issuer from the specified
CA.

-I NAME
Assign the specified nickname to this task, replacing the
previous nickname.

-N NAME
Change the subject name to include in the signing request.

-u keyUsage
Add an extensionRequest for the specified keyUsage to the
signing request. The keyUsage value is expected to be one of these
names:

digitalSignature

nonRepudiation

keyEncipherment

dataEncipherment

keyAgreement

keyCertSign

cRLSign

encipherOnly

decipherOnly

-U EKU Change the extendedKeyUsage value specified in an
extendedKeyUsage extension part of the extensionRequest attribute in the
signing request. The EKU value is expected to be an object
identifier (OID).

-K NAME
Change the Kerberos principal name specified as part of a
subjectAltName extension part of the extensionRequest attribute in
the signing request.

-E EMAIL
Change the email address specified as part of a subjectAltName
extension part of the extensionRequest attribute in the signing
request.

-D DNSNAME
Change the DNS name specified as part of a subjectAltName
extension part of the extensionRequest attribute in the signing
request.

-A ADDRESS
Change the IP address specified as part of a subjectAltName
extension part of the extensionRequest attribute in the signing
request.

-l FILE
Add an optional ChallengePassword value, read from the file, to
the signing request. A ChallengePassword is often required when
the CA is accessed using SCEP.

-L PIN Add the argument value to the signing request as a
ChallengePassword attribute. A ChallengePassword is often required
when the CA is accessed using SCEP.

-B COMMAND
Whenever the certificate or the CA's certificates are saved to
the specified locations, run the specified command as the client
user before saving the certificates.

-C COMMAND
Whenever the certificate or the CA's certificates are saved to
the specified locations, run the specified command as the client
user after saving the certificates.

-a DIR Whenever the certificate is saved to the specified location, if
root certificates for the CA are available, save them to the
specified NSS database.

-F FILE
Whenever the certificate is saved to the specified location, if
root certificates for the CA are available, and when the local
copies of the CA's root certificates are updated, save them to
the specified file.

-w Wait for the new certificate to be issued and saved, or for the
attempt to obtain one using the new key to fail.

-v Be verbose about errors. Normally, the details of an error
received from the daemon will be suppressed if the client can
make a diagnostic suggestion.

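The following wrapper is an added example, not part of this manual page or of the certmonger project. It checks a --ms-template-spec value against the documented <oid>:<majorVersion>[:<minorVersion>] format, checks a -u value against the listed keyUsage names, and requires the -l ChallengePassword file to be private before running getcert rekey; it uses -l FILE rather than -L PIN so the secret is not placed on the command line. The function names, the GETCERT override variable and the stated OID and version assumptions are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight checks for `getcert rekey` arguments.
# Function names and the GETCERT override are hypothetical.

# --ms-template-spec: <oid>:<majorVersion>[:<minorVersion>]
# Assumptions: dotted-decimal OID with two or more arcs, major version
# a positive integer without leading zeros, minor version an integer >= 0.
valid_ms_template_spec() {
    case $1 in
        ''|*[!0-9.:]*) return 1 ;;   # empty, stray characters, newlines
    esac
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]+(\.[0-9]+)+:[1-9][0-9]*(:[0-9]+)?$'
}

# -u: accept only the nine keyUsage names the page lists.
valid_key_usage() {
    case $1 in
        digitalSignature|nonRepudiation|keyEncipherment|dataEncipherment|\
        keyAgreement|keyCertSign|cRLSign|encipherOnly|decipherOnly) return 0 ;;
    esac
    return 1
}

# -l FILE: require a regular file with no group/other permission bits.
private_file() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Validate, then run: getcert rekey -i NICK --ms-template-spec SPEC
#                     -u USAGE -l FILE -w
# GETCERT (assumption) lets a dry run substitute another program.
rekey_checked() {
    valid_ms_template_spec "$2" || { echo "bad template spec: $2" >&2; return 2; }
    valid_key_usage "$3" || { echo "bad keyUsage: $3" >&2; return 2; }
    private_file "$4" || { echo "challenge file not private: $4" >&2; return 2; }
    "${GETCERT:-getcert}" rekey -i "$1" --ms-template-spec "$2" \
        -u "$3" -l "$4" -w
}
```

Running it as `GETCERT=echo rekey_checked NICK SPEC USAGE FILE` prints the arguments that would be passed instead of contacting the certmonger daemon.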

Please file tickets for any bugs that you find at
https://fedorahosted.org/certmonger/

certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
getcert-refresh-ca(1) getcert-refresh(1) getcert-remove-ca(1)
getcert-request(1) getcert-start-tracking(1) getcert-status(1)
getcert-stop-tracking(1) certmonger-certmaster-submit(8)
certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8)
certmonger-ipa-submit(8) certmonger-local-submit(8) certmonger-scep-submit(8)
certmonger_selinux(8)

certmonger Manual 31 July 2015 certmonger(1)