CERTMONGER(5)                 File Formats Manual                CERTMONGER(5)

NAME

       certmonger.conf - configuration file for certmonger

DESCRIPTION

       The certmonger.conf file contains default settings used by certmonger.
       Its format is more or less that of a typical INI-style file.  The only
       sections currently of note are named defaults and selfsign.

DEFAULTS

       Within the defaults section, these variables and values are recognized:

       notify_ttls
              This is the list of times, given in seconds, before a
              certificate's not-after validity date (often referred to as its
              expiration time) when certmonger should warn that the
              certificate will soon no longer be valid.  If this value is not
              specified, certmonger will attempt to use the value of the ttls
              setting.  The default list of values is "2419200, 604800,
              259200, 172800, 86400, 43200, 21600, 7200, 3600".

       enroll_ttls
              This is the list of times, given in seconds, before a
              certificate's not-after validity date (often referred to as its
              expiration time) when certmonger should attempt to automatically
              renew the certificate, if it is configured to do so.  If this
              value is not specified, certmonger will attempt to use the value
              of the ttls setting.  The default list of values is "2419200,
              604800, 259200, 172800, 86400, 43200, 21600, 7200, 3600".

       notification_method
              This is the method by which certmonger will notify the system
              administrator that a certificate will soon become invalid.  The
              recognized values are syslog, mail, and command.  The default is
              syslog.  When sending mail, the notification message will be the
              mail message subject.  When invoking a command, the notification
              message will be available in the "CERTMONGER_NOTIFICATION"
              environment variable.

       notification_destination
              This is the destination to which certmonger will send
              notifications.  It can be a syslog priority and/or facility,
              separated by a period, it can be an email address, or it can be
              a command to run.  The default value is daemon.notice.

       key_type
              This is the type of key pair which will be generated, used in
              certificate signing requests, and used when self-signing
              certificates.  RSA is supported.  EC (also known as ECDSA) is
              also supported.  The default is RSA.

       rsa_key_size
              This is the size of an RSA key if the value is not included in a
              certificate request.  If this value is not set then the default
              is 2048.  The minimum value allowed is 1024.

       symmetric_cipher
              This is the symmetric cipher which will be used to encrypt
              private keys stored in OpenSSL's PEM format.  Recognized values
              include aes128 and aes256.  The default is aes128.  It is not
              recommended that this value be changed except in cases where the
              default is incompatible with other software.

       digest This is the digest algorithm which will be used when signing
              certificate signing requests and self-signed certificates.
              Recognized values include sha1, sha256, sha384, and sha512.  The
              default is sha256.  It is not recommended that this value be
              changed except in cases where the default is incompatible with
              other software.

       nss_ca_trust
              These are the trust attributes which are applied to CA
              certificates which should be trusted, when they are saved to NSS
              databases.  The default is CT,C,C.

       nss_other_trust
              These are the trust attributes which are applied to certificates
              which are not necessarily to be trusted, when they are saved to
              NSS databases.  The default is ,,.

       max_key_use_count
              When attempting to replace a certificate, if certmonger has
              previously obtained at least this number of certificates using
              the current key pair, it will generate a new key pair to use
              before proceeding.  There is effectively no default for this
              setting.

       max_key_lifetime
              The amount of time after a key was first generated when
              certmonger will attempt to generate a new key pair to replace
              it, as part of the process of replacing a certificate.  The
              value is specified as a combination of years (y), months (M),
              weeks (w), days (d), hours (h), minutes (m), and/or seconds (s).
              If no unit of time is specified, seconds are assumed.  The date
              when a key was generated is not recorded if the key was not
              generated by certmonger, or if the key was generated with a
              version of certmonger older than 0.78, and for those cases, this
              option has no effect.  There is effectively no default for this
              setting.

SELFSIGN

       Within the selfsign section, these variables and values are recognized:

       validity_period
              This is the validity period given to self-signed certificates.
              The value is specified as a combination of years (y), months
              (M), weeks (w), days (d), hours (h), minutes (m), and/or seconds
              (s).  If no unit of time is specified, seconds are assumed.  The
              default value is 1y.

       populate_unique_id
              This controls whether or not self-signed certificates will have
              their subjectUniqueID and issuerUniqueID fields populated.
              While RFC5280 prohibits their use, they may be needed and/or
              used by older applications.  The default value is no.

LOCAL

       Within the local section, these variables and values are recognized:

       validity_period
              This is the validity period given to the locally-signed CA's
              certificate when it is generated.  The value is specified as a
              combination of years (y), months (M), weeks (w), days (d), hours
              (h), minutes (m), and/or seconds (s).  If no unit of time is
              specified, seconds are assumed.  If not set, the value of the
              validity_period setting from the selfsign section, if one is set
              there, will be used.  The default value is 1y.
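
       The duration syntax shared by max_key_lifetime in the defaults section
       and by validity_period in the selfsign and local sections, together with
       a check of the defaults that govern key and signature strength, as an
       added Python example (not certmonger's own code).  The sample
       certmonger.conf, the 2048-bit and sha1 policy, the 1y thresholds and
       the 30-day month / 365-day year approximations are assumptions of this
       example, not values taken from certmonger.

```python
import configparser
import re

# Constructed sample certmonger.conf for this example (not a real file).
SAMPLE_CONF = """\
[defaults]
rsa_key_size = 1024
digest = sha1
max_key_lifetime = 2y

[selfsign]
validity_period = 90d

[local]
validity_period = 5y
"""

# Units are case-sensitive: M is months, m is minutes.  Month and year
# lengths are approximations chosen for this checker (an assumption).
_UNITS = {"y": 365 * 86400, "M": 30 * 86400, "w": 7 * 86400,
          "d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)([yMwdhms]?)")

def parse_duration(value: str) -> int:
    """Convert a certmonger duration such as '1y6M' or '3600' to seconds."""
    value = value.strip()
    if not re.fullmatch(r"(\d+[yMwdhms]?)+", value):
        raise ValueError(f"bad duration: {value!r}")
    # A bare number has no unit, and certmonger then assumes seconds.
    return sum(int(n) * _UNITS[u or "s"] for n, u in _TOKEN.findall(value))

def audit(conf_text: str) -> list:
    """Return findings for settings weaker than this checker's policy."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    d = cp["defaults"] if cp.has_section("defaults") else {}
    findings = []
    if int(d.get("rsa_key_size", "2048")) < 2048:   # page default is 2048
        findings.append("rsa_key_size below 2048 bits")
    if d.get("digest", "sha256") == "sha1":           # page default is sha256
        findings.append("digest is sha1")
    one_year = parse_duration("1y")
    if "max_key_lifetime" in d and parse_duration(d["max_key_lifetime"]) > one_year:
        findings.append("max_key_lifetime longer than 1y")
    for sect in ("selfsign", "local"):               # both default to 1y
        if cp.has_section(sect) and "validity_period" in cp[sect]:
            if parse_duration(cp[sect]["validity_period"]) > one_year:
                findings.append(f"{sect} validity_period longer than 1y")
    return findings
```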

SCEP

       Within the scep section, these variables and values are recognized:

       challenge_password_otp
              This controls whether the SCEP challenge password is treated as
              a one-time password.  If set to yes then the challenge password
              and/or challenge password file will be removed from the tracking
              request after the first certificate issuance, and so will not be
              sent with renewal requests.  The default is no.

BUGS

       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) certmonger_selinux(8)

certmonger Manual                May 12, 2015                    CERTMONGER(5)