CERTMONGER(5)                 File Formats Manual                CERTMONGER(5)

NAME
       certmonger.conf - configuration file for certmonger

DESCRIPTION
       The certmonger.conf file contains default settings used by certmonger.
       Its format is more or less that of a typical INI-style file.  The
       sections currently of note are named defaults, selfsign, and local.


DEFAULTS
       Within the defaults section, these variables and values are recognized:

       notify_ttls
              This is the list of times, given in seconds, before a
              certificate's not-after validity date (often referred to as its
              expiration time) when certmonger should warn that the
              certificate will soon no longer be valid.  If this value is not
              specified, certmonger will attempt to use the value of the ttls
              setting.  The default list of values is "2419200, 604800,
              259200, 172800, 86400, 43200, 21600, 7200, 3600".

       enroll_ttls
              This is the list of times, given in seconds, before a
              certificate's not-after validity date (often referred to as its
              expiration time) when certmonger should attempt to automatically
              renew the certificate, if it is configured to do so.  If this
              value is not specified, certmonger will attempt to use the value
              of the ttls setting.  The default list of values is "2419200,
              604800, 259200, 172800, 86400, 43200, 21600, 7200, 3600".

       notification_method
              This is the method by which certmonger will notify the system
              administrator that a certificate will soon become invalid.  The
              recognized values are syslog, mail, and command.  The default is
              syslog.  When sending mail, the notification message will be
              the mail message subject.  When invoking a command, the
              notification message will be available in the
              "CERTMONGER_NOTIFICATION" environment variable.

       notification_destination
              This is the destination to which certmonger will send
              notifications.  It can be a syslog priority and/or facility,
              separated by a period, it can be an email address, or it can be
              a command to run.  The default value is daemon.notice.

       key_type
              This is the type of key pair which will be generated, used in
              certificate signing requests, and used when self-signing
              certificates.  RSA, DSA, and EC (also known as ECDSA) are
              supported.  The default is RSA.

       symmetric_cipher
              This is the symmetric cipher which will be used to encrypt
              private keys stored in OpenSSL's PEM format.  Recognized values
              include aes128 and aes256.  The default is aes128.  It is not
              recommended that this value be changed except in cases where
              the default is incompatible with other software.

       digest This is the digest algorithm which will be used when signing
              certificate signing requests and self-signed certificates.
              Recognized values include sha1, sha256, sha384, and sha512.  The
              default is sha256.  It is not recommended that this value be
              changed except in cases where the default is incompatible with
              other software.

       nss_ca_trust
              These are the trust attributes which are applied to CA
              certificates which should be trusted, when they are saved to
              NSS databases.  The default is CT,C,C.

       nss_other_trust
              These are the trust attributes which are applied to
              certificates which are not necessarily to be trusted, when they
              are saved to NSS databases.  The default is ,,.

       max_key_use_count
              When attempting to replace a certificate, if certmonger has
              previously obtained at least this number of certificates using
              the current key pair, it will generate a new key pair to use
              before proceeding.  There is effectively no default for this
              setting.

       max_key_lifetime
              The amount of time after a key was first generated when
              certmonger will attempt to generate a new key pair to replace
              it, as part of the process of replacing a certificate.  The
              value is specified as a combination of years (y), months (M),
              weeks (w), days (d), hours (h), minutes (m), and/or seconds
              (s).  If no unit of time is specified, seconds are assumed.
              The date when a key was generated is not recorded if the key
              was not generated by certmonger, or if the key was generated
              with a version of certmonger older than 0.78, and for those
              cases, this option has no effect.  There is effectively no
              default for this setting.


SELFSIGN
       Within the selfsign section, these variables and values are recognized:

       validity_period
              This is the validity period given to self-signed certificates.
              The value is specified as a combination of years (y), months
              (M), weeks (w), days (d), hours (h), minutes (m), and/or seconds
              (s).  If no unit of time is specified, seconds are assumed.  The
              default value is 1y.

       populate_unique_id
              This controls whether or not self-signed certificates will have
              their subjectUniqueID and issuerUniqueID fields populated.
              While RFC 5280 prohibits their use, they may be needed and/or
              used by older applications.  The default value is no.


LOCAL
       Within the local section, these variables and values are recognized:

       validity_period
              This is the validity period given to the locally-signed CA's
              certificate when it is generated.  The value is specified as a
              combination of years (y), months (M), weeks (w), days (d), hours
              (h), minutes (m), and/or seconds (s).  If no unit of time is
              specified, seconds are assumed.  If not set, the value of the
              validity_period setting from the selfsign section, if one is set
              there, will be used.  The default value is 1y.

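As an added example (not part of the certmonger manual or project), the following Python script parses a constructed certmonger.conf laid out as described above, resolves the documented fallbacks (notify_ttls and enroll_ttls to ttls, the local validity_period to the selfsign one and then to 1y), converts y/M/w/d/h/m/s durations to seconds, and reports settings a reviewer would question. The 365-day year and 30-day month used for the conversion are this example's own assumptions.

```python
import configparser
import re

# Man-page units; bare number = seconds.  365-day year / 30-day month is this
# example's own assumption, not a value certmonger documents.
UNIT_SECONDS = {"y": 365 * 86400, "M": 30 * 86400, "w": 7 * 86400,
                "d": 86400, "h": 3600, "m": 60, "s": 1}
DEFAULT_TTLS = "2419200, 604800, 259200, 172800, 86400, 43200, 21600, 7200, 3600"
# Constructed sample configuration, not a real deployment's file.
SAMPLE_CONF = """\
[defaults]
notify_ttls = 2419200, 604800, 259200
digest = sha1
key_type = DSA
max_key_lifetime = 2y6M
[selfsign]
validity_period = 18M
[local]
"""

def parse_duration(text):
    """Convert a '2y6M'-style value to seconds; reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"(?:\d+[yMwdhms]?)+", text):
        raise ValueError(f"bad duration: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u or "s"]
               for n, u in re.findall(r"(\d+)([yMwdhms]?)", text))

def audit(conf_text):
    """Return the effective schedule and the findings a reviewer would raise."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    d = cp["defaults"] if cp.has_section("defaults") else {}
    findings = []
    if d.get("digest", "sha256").lower() == "sha1":
        findings.append("digest=sha1 is deprecated; use sha256 or stronger")
    if d.get("key_type", "RSA").upper() == "DSA":
        findings.append("key_type=DSA; prefer RSA or EC")
    if d.get("notification_method", "syslog") not in ("syslog", "mail", "command"):
        findings.append("notification_method must be syslog, mail or command")
    ttls = d.get("ttls", DEFAULT_TTLS)  # notify_ttls/enroll_ttls fall back to ttls
    # [local] validity falls back to [selfsign]'s value, then to 1y, as documented
    selfsign = cp.get("selfsign", "validity_period", fallback="1y")
    return {
        "notify_ttls": sorted(map(int, d.get("notify_ttls", ttls).split(",")), reverse=True),
        "enroll_ttls": sorted(map(int, d.get("enroll_ttls", ttls).split(",")), reverse=True),
        "max_key_lifetime": parse_duration(d.get("max_key_lifetime", "0")),
        "local_validity": parse_duration(cp.get("local", "validity_period", fallback=selfsign)),
        "findings": findings,
    }
```

Running audit(SAMPLE_CONF) on the constructed file reports the sha1 digest and DSA key type, and shows enroll_ttls taking the documented default list because the sample sets neither enroll_ttls nor ttls.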

BUGS
       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/


SEE ALSO
       certmonger(8) certmonger_selinux(8)

certmonger Manual                May 12, 2015                    CERTMONGER(5)