CERTMONGER(1)               General Commands Manual              CERTMONGER(1)

NAME
       getcert


SYNOPSIS
       getcert request [options]


DESCRIPTION
       Tells certmonger to use an existing key pair (or to generate one if one
       is not already found in the specified location), to generate a signing
       request using the key pair, and to submit that request to a CA for
       signing.


KEY AND CERTIFICATE STORAGE OPTIONS
       -d DIR, --dbdir=DIR
              Use an NSS database in the specified directory for storing this
              certificate and key.

       -n NAME, --nickname=NAME
              Use the key with this nickname to generate the signing request.
              If no such key is found, generate one.  Give the enrolled
              certificate this nickname, too.  Only valid with -d.

       -t TOKEN, --token=TOKEN
              If the NSS database has more than one token available, use the
              token with this name for storing and accessing the certificate
              and key.  This argument only rarely needs to be specified.  Only
              valid with -d.

       -f FILE, --certfile=FILE
              Store the issued certificate in this file.  For safety's sake,
              do not use the same file specified with the -k option.

       -k FILE, --keyfile=FILE
              Use the key stored in this file to generate the signing request.
              If no such file is found, generate a new key pair and store it
              in the file.  Only valid with -f.


KEY ENCRYPTION OPTIONS
       -p FILE, --pinfile=FILE
              Encrypt private key files or databases using the PIN stored in
              the named file as the passphrase.

       -P PIN, --pin=PIN
              Encrypt private key files or databases using the specified PIN
              as the passphrase.  Because command-line arguments to running
              processes are trivially discoverable, use of this option is not
              recommended except for testing.


KEY GENERATION OPTIONS
       -G TYPE, --key-type=TYPE
              In case a new key pair needs to be generated, this option
              specifies the type of the keys to be generated.  If not
              specified, a reasonable default (currently RSA) will be used.

       -g BITS, --key-size=BITS
              In case a new key pair needs to be generated, this option
              specifies the size of the key.  If not specified, a reasonable
              default (currently 2048 bits) will be used.  See
              certmonger.conf(5) for configuration of the default.


TRACKING OPTIONS
       -r, --renew
              Attempt to obtain a new certificate from the CA when the
              expiration date of a certificate nears.  This is the default
              setting.

       -R, --no-renew
              Don't attempt to obtain a new certificate from the CA when the
              expiration date of a certificate nears.  If this option is
              specified, an expired certificate will simply stay expired.

       -I NAME, --id=NAME
              Assign the specified nickname to this task.  If this option is
              not specified, a name will be assigned automatically.


ENROLLMENT OPTIONS
       -c NAME, --ca=NAME
              Enroll with the specified CA rather than a possible default.
              The name of the CA should correspond to one listed by getcert
              list-cas.

       -T NAME, --profile=NAME
              Request a certificate using the named profile, template, or
              certtype, from the specified CA.

       --ms-template-spec SPEC
              Include a V2 Certificate Template extension in the signing
              request.  This datum includes an Object Identifier, a major
              version number (positive integer) and an optional minor version
              number.  The format is: <oid>:<majorVersion>[:<minorVersion>].

       -X NAME, --issuer=NAME
              Request a certificate using the named issuer from the specified
              CA.


SIGNING REQUEST OPTIONS
       If none of -N, -U, -K, -E, and -D are specified, a default group of
       settings will be used to request an SSL server certificate for the
       current host, with the host Kerberos service as an additional name.

       The options -K, -E, -D and -A may be provided multiple times to set
       multiple subjectAltName values of the same type.

       -N NAME, --subject-name=NAME
              Set the subject name to include in the signing request.  The
              default used is CN=hostname, where hostname is the local
              hostname.

       -u keyUsage, --key-usage=keyUsage
              Add an extensionRequest for the specified keyUsage to the
              signing request.  The keyUsage value is expected to be one of
              these names:

              digitalSignature
              nonRepudiation
              keyEncipherment
              dataEncipherment
              keyAgreement
              keyCertSign
              cRLSign
              encipherOnly
              decipherOnly

       -U EKU, --extended-key-usage=EKU
              Add an extensionRequest for the specified extendedKeyUsage to
              the signing request.  The EKU value is expected to be an object
              identifier (OID), but some specific names are also recognized.
              These are some names and their associated OID values:

              id-kp-serverAuth 1.3.6.1.5.5.7.3.1
              id-kp-clientAuth 1.3.6.1.5.5.7.3.2
              id-kp-codeSigning 1.3.6.1.5.5.7.3.3
              id-kp-emailProtection 1.3.6.1.5.5.7.3.4
              id-kp-timeStamping 1.3.6.1.5.5.7.3.8
              id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9
              id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4
              id-pkinit-KPKdc 1.3.6.1.5.2.3.5
              id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2

       -K NAME, --principal=NAME
              Add an extensionRequest for a subjectAltName, with the specified
              Kerberos principal name as its value, to the signing request.

       -E EMAIL, --email=EMAIL
              Add an extensionRequest for a subjectAltName, with the specified
              email address as its value, to the signing request.

       -D DNSNAME, --dns=DNSNAME
              Add an extensionRequest for a subjectAltName, with the specified
              DNS name as its value, to the signing request.

       -A ADDRESS, --ip-address=ADDRESS
              Add an extensionRequest for a subjectAltName, with the specified
              IP address as its value, to the signing request.

       -l FILE, --challenge-password-file=FILE
              Add an optional ChallengePassword value, read from the file, to
              the signing request.  A ChallengePassword is often required when
              the CA is accessed using SCEP.

       -L PIN, --challenge-password=PIN
              Add the argument value to the signing request as a
              ChallengePassword attribute.  A ChallengePassword is often
              required when the CA is accessed using SCEP.


OTHER OPTIONS
       -B COMMAND, --before-command=COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user before saving the certificates.

       -C COMMAND, --after-command=COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user after saving the certificates.

       -a DIR, --ca-dbdir=DIR
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, save them to the
              specified NSS database.

       -F FILE, --ca-file=FILE
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, and when the local
              copies of the CA's root certificates are updated, save them to
              the specified file.

       --for-ca
              Request a CA certificate.

       --not-for-ca
              Request a non-CA certificate (the default).

       --ca-path-length=LENGTH
              Path length for the CA certificate.  Only valid with --for-ca.

       -w, --wait
              Wait for the certificate to be issued and saved, or for the
              attempt to obtain one to fail.

       --wait-timeout=TIMEOUT
              Maximum time to wait for the certificate to be issued.

       -v, --verbose
              Be verbose about errors.  Normally, the details of an error
              received from the daemon will be suppressed if the client can
              make a diagnostic suggestion.

       -o OWNER, --key-owner=OWNER
              After generation, set the owner of the private key file or
              database to OWNER.

       -m MODE, --key-perms=MODE
              After generation, set the file permissions on the private key
              file or database to MODE.

       -O OWNER, --cert-owner=OWNER
              After generation, set the owner of the certificate file or
              database to OWNER.

       -M MODE, --cert-perms=MODE
              After generation, set the file permissions on the certificate
              file or database to MODE.

BUS OPTIONS
       -s, --session
              Connect to certmonger on the session bus rather than the system
              bus.

       -S, --system
              Connect to certmonger on the system bus rather than the session
              bus.  This is the default.


NOTES
       Locations specified for key and certificate storage need to be
       accessible to the certmonger daemon process.  When run as a system
       daemon on a system which uses a mandatory access control mechanism
       such as SELinux, the system policy must ensure that the daemon is
       allowed to access the locations where certificates and keys that it
       will manage will be stored (these locations are typically labeled as
       cert_t or an equivalent).  More SELinux-specific information can be
       found in the selinux.txt documentation file for this package.


BUGS
       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/


SEE ALSO
       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8)
       certmonger-scep-submit(8) certmonger_selinux(8)



certmonger Manual              February 9, 2015                  CERTMONGER(1)