CERTMONGER(1)               General Commands Manual              CERTMONGER(1)

NAME

       getcert

SYNOPSIS

       getcert start-tracking [options]

DESCRIPTION

       Tells certmonger to monitor an already-issued certificate.  Optionally,
       when the certificate nears expiration, use an existing key pair (or
       generate one if none is found in the specified location) to generate a
       signing request with that key pair and submit it to a CA for signing.

SPECIFYING EXISTING REQUESTS

       -i NAME, --id=NAME
              Modify the request which has this nickname.  If this option is
              not specified, and a tracking entry which matches the key and
              certificate storage options which are specified already exists,
              that entry will be modified.  Otherwise, a new tracking entry
              will be added.

KEY AND CERTIFICATE STORAGE OPTIONS

       -d DIR, --dbdir=DIR
              Use an NSS database in the specified directory for reading this
              certificate and, if possible, the corresponding key.

       -n NAME, --nickname=NAME
              Use the certificate with this nickname, and, if a private key
              with the same nickname or one which corresponds to the
              certificate is available, use it too.  Only valid with -d.

       -t TOKEN, --token=TOKEN
              If the NSS database has more than one token available, use the
              token with this name for accessing the certificate and key.
              This argument only rarely needs to be specified.  Only valid
              with -d.

       -f FILE, --certfile=FILE
              Read the certificate from this file.  For safety's sake, do not
              use the same file specified with the -k option.

       -k FILE, --keyfile=FILE
              Use the key stored in this file to generate a signing request
              for refreshing the certificate.  If no such file is found when
              needed, generate a new key pair and store it in the file.
              Only valid with -f.

KEY ENCRYPTION OPTIONS

       -p FILE, --pinfile=FILE
              The private key files or databases are encrypted using the PIN
              stored in the named file as the passphrase.

       -P PIN, --pin=PIN
              The private key files or databases are encrypted using the
              specified PIN as the passphrase.  Because command-line arguments
              to running processes are trivially discoverable, use of this
              option is not recommended except for testing.

TRACKING OPTIONS

       -I NAME, --new-id=NAME
              Assign the specified nickname to this task.  If this option is
              not specified, a name will be assigned automatically.

       -r, --renew
              Attempt to obtain a new certificate from the CA when the
              expiration date of a certificate nears.  This is the default
              setting.

       -R, --no-renew
              Don't attempt to obtain a new certificate from the CA when the
              expiration date of a certificate nears.  If this option is
              specified, an expired certificate will simply stay expired.

ENROLLMENT OPTIONS

       -c NAME, --ca=NAME
              Enroll with the specified CA rather than a possible default.
              The name of the CA should correspond to one listed by getcert
              list-cas.  Only useful in combination with -r.

       -T NAME, --profile=NAME
              Request a certificate using the named profile, template, or
              certtype, from the specified CA.

       --ms-template-spec SPEC
              Include a V2 Certificate Template extension in the signing
              request.  This datum includes an Object Identifier, a major
              version number (positive integer) and an optional minor version
              number.  The format is: <oid>:<majorVersion>[:<minorVersion>].

       -X NAME, --issuer=NAME
              Request a certificate using the named issuer from the specified
              CA.

SIGNING REQUEST OPTIONS

       If and when certmonger attempts to obtain a new certificate to replace
       the one being monitored, the values to be added to the signing request
       will be taken from the current certificate, unless preferred values are
       set using one or more of -u, -U, -K, -E, and -D.

       -u keyUsage, --key-usage=keyUsage
              Add an extensionRequest for the specified keyUsage to the
              signing request.  The keyUsage value is expected to be one of
              these names:

              digitalSignature
              nonRepudiation
              keyEncipherment
              dataEncipherment
              keyAgreement
              keyCertSign
              cRLSign
              encipherOnly
              decipherOnly

       -U EKU, --extended-key-usage=EKU
              Add an extensionRequest for the specified extendedKeyUsage to
              the signing request.  The EKU value is expected to be an object
              identifier (OID).

       -K NAME, --principal=NAME
              Add an extensionRequest for a subjectAltName, with the specified
              Kerberos principal name as its value, to the signing request.

       -E EMAIL, --email=EMAIL
              Add an extensionRequest for a subjectAltName, with the specified
              email address as its value, to the signing request.

       -D DNSNAME, --dns=DNSNAME
              Add an extensionRequest for a subjectAltName, with the specified
              DNS name as its value, to the signing request.

       -A ADDRESS, --ip-address=ADDRESS
              Add an extensionRequest for a subjectAltName, with the specified
              IP address as its value, to the signing request.

       -l FILE, --challenge-password-file=FILE
              Add an optional ChallengePassword value, read from the file, to
              the signing request.  A ChallengePassword is often required when
              the CA is accessed using SCEP.

       -L PASSWORD, --challenge-password=PASSWORD
              Add the argument value to the signing request as a
              ChallengePassword attribute.  A ChallengePassword is often
              required when the CA is accessed using SCEP.

OTHER OPTIONS

       -B COMMAND, --before-command=COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user before saving the certificates.

       -C COMMAND, --after-command=COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user after saving the certificates.

       -a DIR, --ca-dbdir=DIR
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, save them to the
              specified NSS database.

       -F FILE, --ca-file=FILE
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, and when the local
              copies of the CA's root certificates are updated, save them to
              the specified file.

       -w, --wait
              Wait for the certificate to become valid or to be reissued and
              saved, or for the attempt to obtain a new one to fail.

       --wait-timeout=TIMEOUT
              Maximum time to wait for the certificate to be issued.

       -v, --verbose
              Be verbose about errors.  Normally, the details of an error
              received from the daemon will be suppressed if the client can
              make a diagnostic suggestion.

       -o OWNER, --key-owner=OWNER
              After generation set the owner on the private key file or
              database to OWNER.

       -m MODE, --key-perms=MODE
              After generation set the file permissions on the private key
              file or database to MODE.

       -O OWNER, --cert-owner=OWNER
              After generation set the owner on the certificate file or
              database to OWNER.

       -M MODE, --cert-perms=MODE
              After generation set the file permissions on the certificate
              file or database to MODE.

BUS OPTIONS

       -s, --session
              Connect to certmonger on the session bus rather than the system
              bus.

       -S, --system
              Connect to certmonger on the system bus rather than the session
              bus.  This is the default.

NOTES

       Locations specified for key and certificate storage need to be
       accessible to the certmonger daemon process.  When run as a system
       daemon on a system which uses a mandatory access control mechanism such
       as SELinux, the system policy must ensure that the daemon is allowed to
       access the locations where certificates and keys that it will manage
       will be stored (these locations are typically labeled as cert_t or an
       equivalent).  More SELinux-specific information can be found in the
       selinux.txt documentation file for this package.

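EXAMPLE

       The following is an added example and is not part of the certmonger
       package: a small POSIX sh wrapper that puts an existing PEM certificate
       under tracking with the safer option choices documented above
       (separate -f and -k files, the PIN read from a file with -p rather than
       passed with -P, the key locked down with -o and -m, and a -C hook run
       after each save).  The CA name, file paths and reload command shown are
       placeholders; the GETCERT override and the track_cert function are the
       example's own, not certmonger's.

```sh
#!/bin/sh
# Added example wrapper (not part of certmonger): register an existing PEM
# certificate with "getcert start-tracking" using the safer option choices
# the manual page documents.  Paths, CA name and reload command are
# placeholders chosen for this example.

# GETCERT may be overridden (e.g. GETCERT=echo) to print the command instead
# of running it.
: "${GETCERT:=getcert}"

# track_cert CERTFILE KEYFILE CA DNSNAME [AFTER_COMMAND] [PINFILE]
# Returns 1 without calling getcert when the certificate and key paths are
# the same file, which the -f/-k documentation warns against.
track_cert() {
    certfile=$1; keyfile=$2; ca=$3; dnsname=$4; after=$5; pinfile=$6

    if [ "$certfile" = "$keyfile" ]; then
        echo "track_cert: certificate and key must be separate files" >&2
        return 1
    fi

    # Build the argument list: track -f/-k, renew (-r) through CA "$ca",
    # keep the DNS subjectAltName, and lock the key down to root, mode 0600.
    set -- start-tracking \
        -f "$certfile" -k "$keyfile" \
        -r -c "$ca" \
        -D "$dnsname" \
        -o root -m 0600

    # Reload the consuming service after every save (-C), if requested.
    if [ -n "$after" ]; then
        set -- "$@" -C "$after"
    fi

    # Prefer -p (PIN read from a file) over -P, which would expose the PIN
    # in the process's argument list.
    if [ -n "$pinfile" ]; then
        set -- "$@" -p "$pinfile"
    fi

    "$GETCERT" "$@"
}

# Example invocation (placeholders; the CA name must be one that
# "getcert list-cas" reports):
#   track_cert /etc/pki/tls/certs/www.crt /etc/pki/tls/private/www.key \
#              my-ca www.example.com "systemctl reload httpd" \
#              /etc/pki/tls/private/www.pin
```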

BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-request(1) getcert-resubmit(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8)
       certmonger-scep-submit(8) certmonger_selinux(8)

certmonger Manual              February 9, 2015                  CERTMONGER(1)