CERTMONGER(1) General Commands Manual CERTMONGER(1)

getcert

getcert rekey [options]

Tells certmonger to generate a new key pair, generate a signing request
for the public key, and submit the signing request to a CA for signing,
in order to replace both a certificate and its private key.

-i NAME, --id=NAME
The new key pair will be generated and the new certificate will
be obtained for the tracking request which has this nickname.
If this option is not specified, and a tracking entry which
matches the key and certificate storage options which are
specified already exists, that entry will be used. If not specified,
the location of the certificate should be specified with either
a combination of the -d and -n options, or with the -f option.

-d DIR, --dbdir=DIR
The certificate is in the NSS database in the specified directory.

-n NAME, --nickname=NAME
The certificate in the NSS database named with -d has the
specified nickname. Only valid with -d.

-t TOKEN, --token=TOKEN
If the NSS database has more than one token available, the
certificate is stored in this token. This argument only rarely
needs to be specified. Only valid with -d.

-f FILE, --certfile=FILE
The certificate is stored in the named file.

-G TYPE, --key-type=TYPE
In case a new key pair needs to be generated, this option
specifies the type of the keys to be generated. If not specified,
the current key type will be used.

-g BITS, --key-size=BITS
This option specifies the size of the new key to be generated.
If not specified, a key of the same size as the existing key
will be generated.

-c NAME, --ca=NAME
Submit the new signing request to the specified CA rather than
the one which was previously associated with this certificate.
The name of the CA should correspond to one listed by getcert
list-cas.

-T NAME, --profile=NAME
Request a certificate using the named profile, template, or
certtype, from the specified CA.

--ms-template-spec SPEC
Include a V2 Certificate Template extension in the signing
request. This datum includes an Object Identifier, a major
version number (positive integer) and an optional minor version
number. The format is: <oid>:<majorVersion>[:<minorVersion>].

-X NAME, --issuer=NAME
Request a certificate using the named issuer from the specified
CA.

-I NAME, --new-id=NAME
Assign the specified nickname to this task, replacing the
previous nickname.

-N NAME, --subject-name=NAME
Change the subject name to include in the signing request.

-u keyUsage, --key-usage=keyUsage
Add an extensionRequest for the specified keyUsage to the
signing request. The keyUsage value is expected to be one of these
names:

digitalSignature

nonRepudiation

keyEncipherment

dataEncipherment

keyAgreement

keyCertSign

cRLSign

encipherOnly

decipherOnly

-U EKU, --extended-key-usage=EKU
Change the extendedKeyUsage value specified in an
extendedKeyUsage extension part of the extensionRequest attribute in the
signing request. The EKU value is expected to be an object
identifier (OID).

-K NAME, --principal=NAME
Change the Kerberos principal name specified as part of a
subjectAltName extension part of the extensionRequest attribute in
the signing request.

-E EMAIL, --email=EMAIL
Change the email address specified as part of a subjectAltName
extension part of the extensionRequest attribute in the signing
request.

-D DNSNAME, --dns=DNSNAME
Change the DNS name specified as part of a subjectAltName
extension part of the extensionRequest attribute in the signing
request.

-A ADDRESS, --ip-address=ADDRESS
Change the IP address specified as part of a subjectAltName
extension part of the extensionRequest attribute in the signing
request.

-l FILE, --challenge-password-file=FILE
Add an optional ChallengePassword value, read from the file, to
the signing request. A ChallengePassword is often required when
the CA is accessed using SCEP.

-L PIN, --challenge-password=PIN
Add the argument value to the signing request as a
ChallengePassword attribute. A ChallengePassword is often required
when the CA is accessed using SCEP.

-B COMMAND, --before-command=COMMAND
Whenever the certificate or the CA's certificates are saved to
the specified locations, run the specified command as the client
user before saving the certificates.

-C COMMAND, --after-command=COMMAND
Whenever the certificate or the CA's certificates are saved to
the specified locations, run the specified command as the client
user after saving the certificates.

-a DIR, --ca-dbdir=DIR
Whenever the certificate is saved to the specified location, if
root certificates for the CA are available, save them to the
specified NSS database.

-F FILE, --ca-file=FILE
Whenever the certificate is saved to the specified location, if
root certificates for the CA are available, and when the local
copies of the CA's root certificates are updated, save them to
the specified file.

--for-ca
Request a CA certificate.

--not-for-ca
Request a non-CA certificate (the default).

--ca-path-length=LENGTH
Path length for CA certificate. Only valid with --for-ca.

-w, --wait
Wait for the new certificate to be issued and saved, or for the
attempt to obtain one using the new key to fail.

--wait-timeout=TIMEOUT
Maximum time to wait for the certificate to be issued.

-v, --verbose
Be verbose about errors. Normally, the details of an error
received from the daemon will be suppressed if the client can
make a diagnostic suggestion.

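An added example, not part of the certmonger manual or the project's code: a POSIX shell wrapper that checks a --ms-template-spec value against the <oid>:<majorVersion>[:<minorVersion>] format and passes the challenge password with -l rather than -L, so the PIN does not appear in the process argument list. The names valid_template_spec, private_file, rekey_tracked and the GETCERT override are hypothetical, the owner-only file-mode policy is this example's assumption, and any OID passed in the usage is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the certmonger project).
# GETCERT is a hypothetical override so the wrapper can be dry-run,
# for instance with GETCERT=echo.

# Return 0 if $1 matches <oid>:<majorVersion>[:<minorVersion>].
# The major version must be a positive integer, as the manual states.
# Assumption: a minor version, when present, is a non-negative integer.
valid_template_spec() {
    printf '%s\n' "$1" | grep -Eq \
        '^[0-2](\.(0|[1-9][0-9]*))+:[1-9][0-9]*(:(0|[1-9][0-9]*))?$'
}

# Return 0 if $1 is a regular file with mode 0600 or 0400
# (example policy for the SCEP challenge password file).
private_file() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1") in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# rekey_tracked ID BITS SPEC PWFILE
# Rekey the tracking request ID with a BITS-sized key, requesting the
# template SPEC and reading the ChallengePassword from PWFILE.
rekey_tracked() {
    id=$1 bits=$2 spec=$3 pwfile=$4
    valid_template_spec "$spec" || {
        echo "bad template spec: $spec" >&2
        return 2
    }
    private_file "$pwfile" || {
        echo "challenge password file must be owner-only: $pwfile" >&2
        return 3
    }
    # -l reads the password from the file; -w waits for issuance or
    # failure; -v keeps error details from the daemon.
    "${GETCERT:-getcert}" rekey -i "$id" -g "$bits" \
        --ms-template-spec "$spec" -l "$pwfile" -w -v
}
```

Setting GETCERT=echo prints the arguments that would be passed to getcert instead of contacting the daemon.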
Please file tickets for any that you find at
https://fedorahosted.org/certmonger/

certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
getcert-refresh-ca(1) getcert-refresh(1) getcert-remove-ca(1)
getcert-request(1) getcert-start-tracking(1) getcert-status(1)
getcert-stop-tracking(1) certmonger-certmaster-submit(8)
certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8)
certmonger-ipa-submit(8) certmonger-local-submit(8)
certmonger-scep-submit(8) certmonger_selinux(8)

certmonger Manual July 31, 2015 CERTMONGER(1)