CERTMONGER(1)               General Commands Manual              CERTMONGER(1)

NAME

       getcert

SYNOPSIS

       getcert resubmit [options]

DESCRIPTION

       Tells certmonger to generate (or regenerate) a signing request and
       submit (or resubmit) the signing request to a CA for signing.

SPECIFYING REQUESTS BY NICKNAME

       -i NAME, --id=NAME
              Resubmit a signing request for the tracking request which has
              this nickname. If this option is not specified, and a tracking
              entry which matches the specified key and certificate storage
              options already exists, that entry will be used. If not
              specified, the location of the certificate should be specified
              with either a combination of the -d and -n options, or with the
              -f option.

SPECIFYING REQUESTS BY CERTIFICATE LOCATION

       -d DIR, --dbdir=DIR
              The certificate is in the NSS database in the specified
              directory.

       -n NAME, --nickname=NAME
              The certificate in the NSS database named with -d has the
              specified nickname. Only valid with -d.

       -t TOKEN, --token=TOKEN
              If the NSS database has more than one token available, the
              certificate is stored in this token. This argument only rarely
              needs to be specified. Only valid with -d.

       -f FILE, --certfile=FILE
              The certificate is stored in the named file.

ENROLLMENT OPTIONS

       -c NAME, --ca=NAME
              Submit the new signing request to the specified CA rather than
              the one which was previously associated with this certificate.
              The name of the CA should correspond to one listed by getcert
              list-cas.

       -T NAME, --profile=NAME
              Request a certificate using the named profile, template, or
              certtype, from the specified CA.

       --ms-template-spec SPEC
              Include a V2 Certificate Template extension in the signing
              request. This datum includes an Object Identifier, a major
              version number (positive integer) and an optional minor version
              number. The format is: <oid>:<majorVersion>[:<minorVersion>].

       -X NAME, --issuer=NAME
              Request a certificate using the named issuer from the specified
              CA.

       -I NAME, --id=NAME
              Assign the specified nickname to this task, replacing the
              previous nickname.

SIGNING REQUEST OPTIONS

       -N NAME, --subject-name=NAME
              Change the subject name to include in the signing request.

       -u keyUsage, --key-usage=keyUsage
              Add an extensionRequest for the specified keyUsage to the
              signing request. The keyUsage value is expected to be one of
              these names:

              digitalSignature
              nonRepudiation
              keyEncipherment
              dataEncipherment
              keyAgreement
              keyCertSign
              cRLSign
              encipherOnly
              decipherOnly

       -U EKU, --extended-key-usage=EKU
              Change the extendedKeyUsage value specified in an
              extendedKeyUsage extension part of the extensionRequest
              attribute in the signing request. The EKU value is expected to
              be an object identifier (OID).

       -K NAME, --principal=NAME
              Change the Kerberos principal name specified as part of a
              subjectAltName extension part of the extensionRequest attribute
              in the signing request.

       -E EMAIL, --email=EMAIL
              Change the email address specified as part of a subjectAltName
              extension part of the extensionRequest attribute in the signing
              request.

       -D DNSNAME, --dns=DNSNAME
              Change the DNS name specified as part of a subjectAltName
              extension part of the extensionRequest attribute in the signing
              request.

       -A ADDRESS, --ip-address=ADDRESS
              Change the IP address specified as part of a subjectAltName
              extension part of the extensionRequest attribute in the signing
              request.

       -l FILE, --challenge-password-file=FILE
              Add an optional ChallengePassword value, read from the file, to
              the signing request. A ChallengePassword is often required when
              the CA is accessed using SCEP.

       -L PIN, --challenge-password=PIN
              Add the argument value to the signing request as a
              ChallengePassword attribute. A ChallengePassword is often
              required when the CA is accessed using SCEP.
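
       The --ms-template-spec format and the two ChallengePassword options
       above, as an added example that is not part of the certmonger manual:
       a POSIX shell wrapper that checks a template spec against
       <oid>:<majorVersion>[:<minorVersion>] and passes the ChallengePassword
       by file (-l), since a value given with -L appears in the process
       argument list. The GETCERT variable, the function names and the
       temporary file name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the certmonger manual.
# GETCERT is a hypothetical override so the wrapper can be dry-run
# (for instance GETCERT=echo); it defaults to the real client.
GETCERT=${GETCERT:-getcert}
NL='
'

# Succeed only if $1 has the form <oid>:<majorVersion>[:<minorVersion>].
# This example's reading of the format: dotted-decimal OID, major version
# a positive integer without leading zeros, optional numeric minor version.
valid_ms_template_spec() {
    case $1 in
        *"$NL"*) return 1 ;;   # grep matches per line, so refuse newlines
    esac
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]+(\.[0-9]+)+:[1-9][0-9]*(:[0-9]+)?$'
}

# Read a ChallengePassword from stdin into a new file that only the
# caller can read, and print the file's path for use with -l.
write_challenge_file() {
    (
        umask 077
        f=$(mktemp "${TMPDIR:-/tmp}/challenge.XXXXXX") || exit 1
        cat > "$f" && printf '%s\n' "$f"
    )
}

# resubmit_with_template ID SPEC PINFILE
# Refuses a malformed template spec, then resubmits the tracked request,
# giving the ChallengePassword by file (-l) instead of by argument (-L).
resubmit_with_template() {
    valid_ms_template_spec "$2" || {
        echo "bad --ms-template-spec value: $2" >&2
        return 2
    }
    [ -r "$3" ] || { echo "cannot read $3" >&2; return 2; }
    "$GETCERT" resubmit -i "$1" --ms-template-spec "$2" -l "$3" -w -v
}
```

       Remove the challenge file once the request has been submitted.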

OTHER OPTIONS

       -B COMMAND, --before-command=COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user before saving the certificates.

       -C COMMAND, --after-command=COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user after saving the certificates.

       -a DIR, --ca-dbdir=DIR
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, save them to the
              specified NSS database.

       -F FILE, --ca-file=FILE
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, and when the local
              copies of the CA's root certificates are updated, save them to
              the specified file.

       --for-ca
              Request a CA certificate.

       --not-for-ca
              Request a non-CA certificate (the default).

       --ca-path-length=LENGTH
              Path length for CA certificate. Only valid with --for-ca.

       -w, --wait
              Wait for the certificate to be reissued and saved, or for the
              attempt to obtain one to fail.

       --wait-timeout=TIMEOUT
              Maximum time to wait for the certificate to be issued.

       -v, --verbose
              Be verbose about errors. Normally, the details of an error
              received from the daemon will be suppressed if the client can
              make a diagnostic suggestion.

       -o OWNER, --key-owner=OWNER
              After generation set the owner on the private key file or
              database to OWNER.

       -m MODE, --key-perms=MODE
              After generation set the file permissions on the private key
              file or database to MODE.

       -O OWNER, --cert-owner=OWNER
              After generation set the owner on the certificate file or
              database to OWNER.

       -M MODE, --cert-perms=MODE
              After generation set the file permissions on the certificate
              file or database to MODE.

BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-request(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8)
       certmonger-dogtag-submit(8) certmonger-ipa-submit(8)
       certmonger-local-submit(8) certmonger-scep-submit(8)
       certmonger_selinux(8)

certmonger Manual              February 9, 2015                  CERTMONGER(1)