1CERTMONGER(5) File Formats Manual CERTMONGER(5)
2
3
4
6 certmonger.conf - configuration file for certmonger
7
8
10 The certmonger.conf file contains default settings used by certmonger.
11 Its format is more or less that of a typical INI-style file. The only
12 sections currently of note are named defaults and selfsign.
13
14
16 Within the defaults section, these variables and values are recognized:
17
18
19 notify_ttls
20 This is the list of times, given in seconds, before a certifi‐
21 cate's not-after validity date (often referred to as its expira‐
22 tion time) when certmonger should warn that the certificate will
23 soon no longer be valid. If this value is not specified, cert‐
24 monger will attempt to use the value of the ttls setting. The
25 default list of values is "2419200, 604800, 259200, 172800,
26 86400, 43200, 21600, 7200, 3600".
27
28
29 enroll_ttls
30 This is the list of times, given in seconds, before a certifi‐
31 cate's not-after validity date (often referred to as its expira‐
32 tion time) when certmonger should attempt to automatically renew
33 the certificate, if it is configured to do so. If this value is
34 not specified, certmonger will attempt to use the value of the
35 ttls setting. The default list of values is "2419200, 604800,
36 259200, 172800, 86400, 43200, 21600, 7200, 3600".
37
38
39 notification_method
40 This is the method by which certmonger will notify the system
41 administrator that a certificate will soon become invalid. The
42 recognized values are syslog, mail, and command. The default is
43 syslog. When sending mail, the notification message will be the
44 mail message subject. When invoking a command, the notification
45 message will be available in the "CERTMONGER_NOTIFICATION" envi‐
46 ronment variable.
47
48
49 notification_destination
50 This is the destination to which certmonger will send notifica‐
51 tions. It can be a syslog priority and/or facility, separated
52 by a period, it can be an email address, or it can be a command
53 to run. The default value is daemon.notice.
54
55
56 key_type
57 This is the type of key pair which will be generated, used in
58 certificate signing requests, and used when self-signing cer‐
59 tificates. RSA and DSA are supported. EC (also known as ECDSA)
60 is also supported. The default is RSA.
61
62
63 symmetric_cipher
64 This is the symmetric cipher which will be used to encrypt pri‐
65 vate keys stored in OpenSSL's PEM format. Recognized values
66 include aes128 and aes256. The default is aes128. It is not
67 recommended that this value be changed except in cases where the
68 default is incompatible with other software.
69
70
71 digest This is the digest algorithm which will be used when signing
72 certificate signing requests and self-signed certificates. Rec‐
73 ognized values include sha1, sha256, sha384, and sha512. The
74 default is sha256. It is not recommended that this value be
75 changed except in cases where the default is incompatible with
76 other software.
77
78
79 nss_ca_trust
80 These are the trust attributes which are applied to CA certifi‐
81 cates which should be trusted, when they are saved to NSS data‐
82 bases. The default is CT,C,C.
83
84
85 nss_other_trust
86 These are the trust attributes which are applied to certificates
87 which are not necessarily to be trusted, when they are saved to
88 NSS databases. The default is ,,.
89
90
91 max_key_use_count
92 When attempting to replace a certificate, if certmonger has pre‐
93 viously obtained at least this number of certificates using the
94 current key pair, it will generate a new key pair to use before
95 proceeding. There is effectively no default for this setting.
96
97
98 max_key_lifetime
99 The amount of time after a key was first generated when certmon‐
100 ger will attempt to generate a new key pair to replace it, as
101 part of the process of replacing a certificate. The value is
102 specified as a combination of years (y), months (M), weeks (w),
103 days (d), hours (h), minutes (m), and/or seconds (s). If no
104 unit of time is specified, seconds are assumed. The date when a
105 key was generated is not recorded if the key was not generated
106 by certmonger, or if the key was generated with a version of
107 certmonger older than 0.78, and for those cases, this option has
108 no effect. There is effectively no default for this setting.
109
110
112 Within the selfsign section, these variables and values are recognized:
113
114
115 validity_period
116 This is the validity period given to self-signed certificates.
117 The value is specified as a combination of years (y), months
118 (M), weeks (w), days (d), hours (h), minutes (m), and/or seconds
119 (s). If no unit of time is specified, seconds are assumed. The
120 default value is 1y.
121
122
123 populate_unique_id
124 This controls whether or not self-signed certificates will have
125 their subjectUniqueID and issuerUniqueID fields populated.
126 While RFC5280 prohibits their use, they may be needed and/or
127 used by older applications. The default value is no.
128
129
131 Within the local section, these variables and values are recognized:
132
133
134 validity_period
135 This is the validity period given to the locally-signed CA's
136 certificate when it is generated. The value is specified as a
137 combination of years (y), months (M), weeks (w), days (d), hours
138 (h), minutes (m), and/or seconds (s). If no unit of time is
139 specified, seconds are assumed. If not set, the value of the
140 validity_period setting from the selfsign section, if one is set
141 there, will be used. The default value is 1y.
142
143
145 Please file tickets for any that you find at https://fedora‐
146 hosted.org/certmonger/
147
148
150 certmonger(8) certmonger_selinux(8)
151
152
153
154certmonger Manual May 12, 2015 CERTMONGER(5)