1certmonger(1)               General Commands Manual              certmonger(1)
2
3
4

NAME

6       getcert
7
8

SYNOPSIS

10       getcert start-tracking [options]
11
12

DESCRIPTION

14       Tells certmonger to monitor an already-issued certificate.  Optionally,
15       when the certificate nears expiration, use an existing key pair (or  to
16       generate one if one is not already found in the specified location), to
17       generate a signing request using the key pair and to  submit  them  for
18       signing to a CA.
19
20

SPECIFYING EXISTING REQUESTS

22       -i NAME
23              Modify  the  request which has this nickname.  If this option is
24              not specified, and a tracking entry which matches  the  key  and
25              certificate  storage options which are specified already exists,
26              that entry will be modified.  Otherwise, a  new  tracking  entry
27              will be added.
28
29

KEY AND CERTIFICATE STORAGE OPTIONS

31       -d DIR Use  an NSS database in the specified directory for reading this
32              certificate and, if possible, the corresponding key.
33
34       -n NAME
35              Use the certificate with this nickname, and  if  a  private  key
36              with  the  same nickname or which corresponds to the certificate
37              is available, to use it, too.  Only valid with -d.
38
39       -t TOKEN
40              If the NSS database has more than one token available,  use  the
41              token  with  this  name  for  accessing the certificate and key.
42              This argument only rarely needs to  be  specified.   Only  valid
43              with -d.
44
45       -f FILE
46              Read  the certificate from this file.  For safety's sake, do not
47              use the same file specified with the -k option.
48
49       -k FILE
50              Use the key stored in this file to generate  a  signing  request
51              for  refreshing  the certificate.  If no such file is found when
52              needed, generate a new key pair and  store  them  in  the  file.
53              Only valid with -f.
54
55

KEY ENCRYPTION OPTIONS

57       -p FILE
58              The  private  key files or databases are encrypted using the PIN
59              stored in the named file as the passphrase.
60
61       -P PIN The private key files or databases are encrypted using the spec‐
62              ified  PIN as the passphrase.  Because command-line arguments to
63              running processes are trivially discoverable, use of this option
64              is not recommended except for testing.
65
66

TRACKING OPTIONS

68       -I NAME
69              Assign  the  specified nickname to this task.  If this option is
70              not specified, a name will be assigned automatically.
71
72       -r     Attempt to obtain a new certificate from the CA when the expira‐
73              tion date of a certificate nears.  This is the default setting.
74
75       -R     Don't  attempt  to obtain a new certificate from the CA when the
76              expiration date of a certificate nears.  If this option is spec‐
77              ified, an expired certificate will simply stay expired.
78
79

ENROLLMENT OPTIONS

81       -c NAME
82              Enroll  with  the  specified  CA rather than a possible default.
83              The name of the CA should correspond to one  listed  by  getcert
84              list-cas.  Only useful in combination with -r.
85
86       -T NAME
87              Request  a  certificate  using  the  named profile, template, or
88              certtype, from the specified CA.
89
90       --ms-template-spec SPEC
91              Include a V2  Certificate  Template  extension  in  the  signing
92              request.  This datum includes an Object Identifier, a major ver‐
93              sion number (positive integer) and  an  optional  minor  version
94              number.  The format is: <oid>:<majorVersion>[:<minorVersion>].
95
96       -X NAME
97              Request  a certificate using the named issuer from the specified
98              CA.
99
100

SIGNING REQUEST OPTIONS

102       If and when certmonger attempts to obtain a new certificate to  replace
103       the  one being monitored, the values to be added to the signing request
104       will be taken from the current certificate, unless preferred values are
105       set using one or more of -uU, -K, -E, and -D.
106
107
108       -u keyUsage
109              Add  an extensionRequest for the specified keyUsage to the sign‐
110              ing request.  The keyUsage value is expected to be one of  these
111              names:
112
113              digitalSignature
114
115              nonRepudiation
116
117              keyEncipherment
118
119              dataEncipherment
120
121              keyAgreement
122
123              keyCertSign
124
125              cRLSign
126
127              encipherOnly
128
129              decipherOnly
130
131       -U EKU Add  an  extensionRequest  for the specified extendedKeyUsage to
132              the signing request.  The EKU value is expected to be an  object
133              identifier (OID).
134
135       -K NAME
136              Add an extensionRequest for a subjectAltName, with the specified
137              Kerberos principal name as its value, to the signing request.
138
139       -E EMAIL
140              Add an extensionRequest for a subjectAltName, with the specified
141              email address as its value, to the signing request.
142
143       -D DNSNAME
144              Add an extensionRequest for a subjectAltName, with the specified
145              DNS name as its value, to the signing request.  -A  ADDRESS  Add
146              an  extensionRequest for a subjectAltName, with the specified IP
147              address as its value, to the signing request.
148
149       -l FILE
150              Add an optional ChallengePassword value, read from the file,  to
151              the signing request.  A ChallengePassword is often required when
152              the CA is accessed using SCEP.
153
154       -L PIN Add the argument  value  to  the  signing  request  as  a  Chal‐
155              lengePassword  attribute.  A ChallengePassword is often required
156              when the CA is accessed using SCEP.
157
158

OTHER OPTIONS

160       -B COMMAND
161              When ever the certificate or the CA's certificates are saved  to
162              the specified locations, run the specified command as the client
163              user before saving the certificates.
164
165       -C COMMAND
166              When ever the certificate or the CA's certificates are saved  to
167              the specified locations, run the specified command as the client
168              user after saving the certificates.
169
170       -a DIR When ever the certificate is saved to the specified location, if
171              root  certificates  for  the  CA are available, save them to the
172              specified NSS database.
173
174       -F FILE
175              When ever the certificate is saved to the specified location, if
176              root  certificates  for the CA are available, and when the local
177              copies of the CA's root certificates are updated, save  them  to
178              the specified file.
179
180       -w     Wait  for  the certificate to become valid or to be reissued and
181              saved, or for the attempt to obtain a new one to fail.
182
183       -v     Be verbose about errors.  Normally,  the  details  of  an  error
184              received  from  the  daemon will be suppressed if the client can
185              make a diagnostic suggestion.  -o OWNER, --key-owner=OWNER After
186              generation  set the owner on the private key file or database to
187              OWNER.  -m MODE, --key-perms=MODE After generation set the  file
188              permissions  on  the  private  key file or database to MODE.  -O
189              OWNER, --cert-owner=OWNER After generation set the owner on  the
190              certificate  file  or  database  to  OWNER.   -M  MODE,  --cert-
191              perms=MODE After generation set the file permissions on the cer‐
192              tificate file or database to MODE.
193
194

NOTES

196       Locations specified for key and certificate storage need to be accessi‐
197       ble to the certmonger daemon process.  When run as a system daemon on a
198       system which uses a mandatory access control mechanism such as SELinux,
199       the system policy must ensure that the daemon is allowed to access  the
200       locations  where  certificates  and  keys  that  it will manage will be
201       stored (these locations are typically labeled as cert_t or  an  equiva‐
202       lent).    More   SELinux-specific  information  can  be  found  in  the
203       selinux.txt documentation file for this package.
204
205

BUGS

207       Please  file  tickets  for  any  that  you  find   at   https://fedora
208       hosted.org/certmonger/
209
210

SEE ALSO

212       certmonger(8)   getcert(1)   getcert-add-ca(1)   getcert-add-scep-ca(1)
213       getcert-list-cas(1)   getcert-list(1)   getcert-modify-ca(1)   getcert-
214       refresh-ca(1)  getcert-refresh(1) getcert-rekey(1) getcert-remove-ca(1)
215       getcert-request(1) getcert-resubmit(1) getcert-status(1)  getcert-stop-
216       tracking(1)    certmonger-certmaster-submit(8)   certmonger-dogtag-ipa-
217       renew-agent-submit(8)  certmonger-dogtag-submit(8)  certmonger-ipa-sub‐
218       mit(8)  certmonger-local-submit(8)  certmonger-scep-submit(8)  certmon‐
219       ger_selinux(8)
220
221
222
223certmonger Manual               9 February 2015                  certmonger(1)
Impressum