certmonger(1) General Commands Manual certmonger(1)

getcert

getcert resubmit [options]

Tells certmonger to generate (or regenerate) a signing request and submit
(or resubmit) the signing request to a CA for signing.

-i NAME
        Resubmit a signing request for the tracking request which has
        this nickname. If this option is not specified, and a tracking
        entry which matches the key and certificate storage options
        which are specified already exists, that entry will be used. If
        not specified, the location of the certificate should be
        specified with either a combination of the -d and -n options, or
        with the -f option.

-d DIR
        The certificate is in the NSS database in the specified
        directory.

-n NAME
        The certificate in the NSS database named with -d has the
        specified nickname. Only valid with -d.

-t TOKEN
        If the NSS database has more than one token available, the
        certificate is stored in this token. This argument only rarely
        needs to be specified. Only valid with -d.

-f FILE
        The certificate is stored in the named file.

-c NAME
        Submit the new signing request to the specified CA rather than
        the one which was previously associated with this certificate.
        The name of the CA should correspond to one listed by getcert
        list-cas.

-T NAME
        Request a certificate using the named profile, template, or
        certtype, from the specified CA.

--ms-template-spec SPEC
        Include a V2 Certificate Template extension in the signing
        request. This datum includes an Object Identifier, a major
        version number (positive integer) and an optional minor version
        number. The format is: <oid>:<majorVersion>[:<minorVersion>].

-X NAME
        Request a certificate using the named issuer from the specified
        CA.

-I NAME
        Assign the specified nickname to this task, replacing the
        previous nickname.

-N NAME
        Change the subject name to include in the signing request.

-u keyUsage
        Add an extensionRequest for the specified keyUsage to the
        signing request. The keyUsage value is expected to be one of
        these names:

                digitalSignature
                nonRepudiation
                keyEncipherment
                dataEncipherment
                keyAgreement
                keyCertSign
                cRLSign
                encipherOnly
                decipherOnly

-U EKU
        Change the extendedKeyUsage value specified in an
        extendedKeyUsage extension part of the extensionRequest
        attribute in the signing request. The EKU value is expected to
        be an object identifier (OID).

-K NAME
        Change the Kerberos principal name specified as part of a
        subjectAltName extension part of the extensionRequest attribute
        in the signing request.

-E EMAIL
        Change the email address specified as part of a subjectAltName
        extension part of the extensionRequest attribute in the signing
        request.

-D DNSNAME
        Change the DNS name specified as part of a subjectAltName
        extension part of the extensionRequest attribute in the signing
        request.

-A ADDRESS
        Change the IP address specified as part of a subjectAltName
        extension part of the extensionRequest attribute in the signing
        request.

-l FILE
        Add an optional ChallengePassword value, read from the file, to
        the signing request. A ChallengePassword is often required when
        the CA is accessed using SCEP.

-L PIN
        Add the argument value to the signing request as a
        ChallengePassword attribute. A ChallengePassword is often
        required when the CA is accessed using SCEP.

-B COMMAND
        Whenever the certificate or the CA's certificates are saved to
        the specified locations, run the specified command as the client
        user before saving the certificates.

-C COMMAND
        Whenever the certificate or the CA's certificates are saved to
        the specified locations, run the specified command as the client
        user after saving the certificates.

-a DIR
        Whenever the certificate is saved to the specified location, if
        root certificates for the CA are available, save them to the
        specified NSS database.

-F FILE
        Whenever the certificate is saved to the specified location, if
        root certificates for the CA are available, and when the local
        copies of the CA's root certificates are updated, save them to
        the specified file.

-w
        Wait for the certificate to be reissued and saved, or for the
        attempt to obtain one to fail.

-v
        Be verbose about errors. Normally, the details of an error
        received from the daemon will be suppressed if the client can
        make a diagnostic suggestion.

-o OWNER, --key-owner=OWNER
        After generation set the owner on the private key file or
        database to OWNER.

-m MODE, --key-perms=MODE
        After generation set the file permissions on the private key
        file or database to MODE.

-O OWNER, --cert-owner=OWNER
        After generation set the owner on the certificate file or
        database to OWNER.

-M MODE, --cert-perms=MODE
        After generation set the file permissions on the certificate
        file or database to MODE.

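The following is an added example, not part of the certmonger manual or project: a shell pre-flight that checks a --ms-template-spec value against the documented <oid>:<majorVersion>[:<minorVersion>] format and passes a ChallengePassword with -l FILE from an owner-only file, since a value given with -L PIN is a command-line argument and visible in the process list. The function names, the GETCERT override and the exact OID and minor-version grammar are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before `getcert resubmit`.
# Function names and the GETCERT override are hypothetical; the getcert
# options used (-i, --ms-template-spec, -l, -w, -v) are those documented above.

# Succeeds only for <oid>:<majorVersion>[:<minorVersion>].
# Assumptions: dotted-decimal OID with at least two arcs, major version a
# positive integer without leading zeros, minor version a non-negative integer.
valid_ms_template_spec() {
    case $1 in
        *'
'*) return 1 ;;   # reject embedded newlines, grep matches per line
    esac
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]+(\.[0-9]+)+:[1-9][0-9]*(:[0-9]+)?$'
}

# Store a challenge password from stdin in a new file readable only by its
# owner and print the path, for use with -l FILE. With -L PIN the value
# would be a command-line argument, visible in the process list.
write_challenge_file() {
    (
        umask 077
        f=$(mktemp "${TMPDIR:-/tmp}/challenge.XXXXXX") || exit 1
        cat >"$f" || exit 1
        printf '%s\n' "$f"
    )
}

# Validate the inputs, then resubmit the tracking request named $1.
resubmit_with_template() {
    nick=$1 spec=$2 pwfile=$3
    if ! valid_ms_template_spec "$spec"; then
        echo "invalid --ms-template-spec value: $spec" >&2
        return 2
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    if [ ! -f "$pwfile" ] ||
       [ "$(ls -ld -- "$pwfile" | cut -c5-10)" != "------" ]; then
        echo "challenge file missing or accessible beyond owner: $pwfile" >&2
        return 3
    fi
    "${GETCERT:-getcert}" resubmit -i "$nick" \
        --ms-template-spec "$spec" -l "$pwfile" -w -v
}
```

Setting GETCERT=echo prints the argument list instead of contacting the certmonger daemon, which is useful for a dry run.
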
Please file tickets for any that you find at
https://fedorahosted.org/certmonger/

certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
getcert-remove-ca(1) getcert-request(1) getcert-start-tracking(1)
getcert-status(1) getcert-stop-tracking(1)
certmonger-certmaster-submit(8)
certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8)
certmonger-ipa-submit(8) certmonger-local-submit(8)
certmonger-scep-submit(8) certmonger_selinux(8)

certmonger Manual 9 February 2015 certmonger(1)