1CERTMONGER(1) General Commands Manual CERTMONGER(1)
2
3
4
6 getcert
7
8
10 getcert request [options]
11
12
14 Tells certmonger to use an existing key pair (or to generate one if one
15 is not already found in the specified location), to generate a signing
16 request using the key pair, and to submit them for signing to a CA.
17
18
20 -d DIR, --dbdir=DIR
21 Use an NSS database in the specified directory for storing this
22 certificate and key.
23
24 -n NAME, --nickname=NAME
25 Use the key with this nickname to generate the signing request.
26 If no such key is found, generate one. Give the enrolled cer‐
27 tificate this nickname, too. Only valid with -d.
28
29 -t TOKEN, --token=TOKEN
30 If the NSS database has more than one token available, use the
31 token with this name for storing and accessing the certificate
32 and key. This argument only rarely needs to be specified. Only
33 valid with -d.
34
35 -f FILE, --certfile=FILE
36 Store the issued certificate in this file. For safety's sake,
37 do not use the same file specified with the -k option.
38
39 -k FILE, --keyfile=FILE
40 Use the key stored in this file to generate the signing request.
41 If no such file is found, generate a new key pair and store them
42 in the file. Only valid with -f.
43
44
46 -p FILE, --pinfile=FILE
47 Encrypt private key files or databases using the PIN stored in
48 the named file as the passphrase.
49
50 -P PIN, --pin=PIN
51 Encrypt private key files or databases using the specified PIN
52 as the passphrase. Because command-line arguments to running
53 processes are trivially discoverable, use of this option is not
54 recommended except for testing.
55
56
58 -G TYPE, --key-type=TYPE
59 In case a new key pair needs to be generated, this option speci‐
60 fies the type of the keys to be generated. If not specified, a
61 reasonable default (currently RSA) will be used.
62
63 -g BITS, --key-size=BITS
64 In case a new key pair needs to be generated, this option speci‐
65 fies the size of the key. If not specified, a reasonable de‐
66 fault (currently 2048 bits) will be used. See certmonger.conf(5)
67 for configuration of the default.
68
69
71 -r, --renew
72 Attempt to obtain a new certificate from the CA when the expira‐
73 tion date of a certificate nears. This is the default setting.
74
75 -R, --no-renew
76 Don't attempt to obtain a new certificate from the CA when the
77 expiration date of a certificate nears. If this option is spec‐
78 ified, an expired certificate will simply stay expired.
79
80 -I NAME, --id=NAME
81 Assign the specified nickname to this task. If this option is
82 not specified, a name will be assigned automatically.
83
84
86 -c NAME, --ca=NAME
87 Enroll with the specified CA rather than a possible default.
88 The name of the CA should correspond to one listed by getcert
89 list-cas.
90
91 -T NAME, --profile=NAME
92 Request a certificate using the named profile, template, or
93 certtype, from the specified CA.
94
95 --ms-template-spec SPEC
96 Include a V2 Certificate Template extension in the signing re‐
97 quest. This datum includes an Object Identifier, a major ver‐
98 sion number (positive integer) and an optional minor version
99 number. The format is: <oid>:<majorVersion>[:<minorVersion>].
100
101 -X NAME, --issuer=NAME
102 Request a certificate using the named issuer from the specified
103 CA.
104
105
107 If none of -N, -U, -K, -E, and -D are specified, a default group of
108 settings will be used to request an SSL server certificate for the cur‐
109 rent host, with the host Kerberos service as an additional name.
110
111 The options -K, -E, -D and -A may be provided multiple times to set
112 multiple subjectAltName of the same type.
113
114
115 -N NAME, , --subject-name=NAME
116 Set the subject name to include in the signing request. The de‐
117 fault used is CN=hostname, where hostname is the local hostname.
118
119 -u keyUsage, --key-usage=keyUsage
120 Add an extensionRequest for the specified keyUsage to the sign‐
121 ing request. The keyUsage value is expected to be one of these
122 names:
123
124 digitalSignature
125
126 nonRepudiation
127
128 keyEncipherment
129
130 dataEncipherment
131
132 keyAgreement
133
134 keyCertSign
135
136 cRLSign
137
138 encipherOnly
139
140 decipherOnly
141
142 -U EKU, --extended-key-usage=EKU
143 Add an extensionRequest for the specified extendedKeyUsage to
144 the signing request. The EKU value is expected to be an object
145 identifier (OID), but some specific names are also recognized.
146 These are some names and their associated OID values:
147
148 id-kp-serverAuth 1.3.6.1.5.5.7.3.1
149
150 id-kp-clientAuth 1.3.6.1.5.5.7.3.2
151
152 id-kp-codeSigning 1.3.6.1.5.5.7.3.3
153
154 id-kp-emailProtection 1.3.6.1.5.5.7.3.4
155
156 id-kp-timeStamping 1.3.6.1.5.5.7.3.8
157
158 id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9
159
160 id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4
161
162 id-pkinit-KPKdc 1.3.6.1.5.2.3.5
163
164 id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2
165
166 -K NAME, --principal=NAME
167 Add an extensionRequest for a subjectAltName, with the specified
168 Kerberos principal name as its value, to the signing request.
169
170 -E EMAIL, --email=EMAIL
171 Add an extensionRequest for a subjectAltName, with the specified
172 email address as its value, to the signing request.
173
174 -D DNSNAME, --dns=DNSNAME
175 Add an extensionRequest for a subjectAltName, with the specified
176 DNS name as its value, to the signing request.
177
178 -A ADDRESS, --ip-address=ADDRESS
179 Add an extensionRequest for a subjectAltName, with the specified
180 IP address as its value, to the signing request.
181
182 -l FILE, --challenge-password-file=FILE
183 Add an optional ChallengePassword value, read from the file, to
184 the signing request. A ChallengePassword is often required when
185 the CA is accessed using SCEP.
186
187 -L PIN, --challenge-password=PIN
188 Add the argument value to the signing request as a Chal‐
189 lengePassword attribute. A ChallengePassword is often required
190 when the CA is accessed using SCEP.
191
192
194 -B COMMAND, --before-command=COMMAND
195 When ever the certificate or the CA's certificates are saved to
196 the specified locations, run the specified command as the client
197 user before saving the certificates.
198
199 -C COMMAND, --after-command=COMMAND
200 When ever the certificate or the CA's certificates are saved to
201 the specified locations, run the specified command as the client
202 user after saving the certificates.
203
204 -a DIR, --ca-dbdir=DIR
205 When ever the certificate is saved to the specified location, if
206 root certificates for the CA are available, save them to the
207 specified NSS database.
208
209 -F FILE, --ca-file=FILE
210 When ever the certificate is saved to the specified location, if
211 root certificates for the CA are available, and when the local
212 copies of the CA's root certificates are updated, save them to
213 the specified file.
214
215 --for-ca
216 Request a CA certificate.
217
218 --not-for-ca
219 Request a non-CA certificate (the default).
220
221 --ca-path-length=LENGTH
222 Path length for CA certificate. Only valid with --for-ca.
223
224 -w, --wait
225 Wait for the certificate to be issued and saved, or for the at‐
226 tempt to obtain one to fail.
227
228 --wait-timeout=TIMEOUT
229 Maximum time to wait for the certificate to be issued.
230
231 -v, --verbose
232 Be verbose about errors. Normally, the details of an error re‐
233 ceived from the daemon will be suppressed if the client can make
234 a diagnostic suggestion.
235
236 -o OWNER, --key-owner=OWNER
237 After generation set the owner on the private key file or data‐
238 base to OWNER.
239
240 -m MODE, --key-perms=MODE
241 After generation set the file permissions on the private key
242 file or database to MODE.
243
244 -O OWNER, --cert-owner=OWNER
245 After generation set the owner on the certificate file or data‐
246 base to OWNER.
247
248 -M MODE, --cert-perms=MODE
249 After generation set the file permissions on the certificate
250 file or database to MODE.
251
253 -s, --session Connect to certmonger on the session bus rather than the
254 system bus.
255
256 -S, --system
257 Connect to certmonger on the system bus rather than the session
258 bus. This is the default.
259
261 Locations specified for key and certificate storage need to be accessi‐
262 ble to the certmonger daemon process. When run as a system daemon on a
263 system which uses a mandatory access control mechanism such as SELinux,
264 the system policy must ensure that the daemon is allowed to access the
265 locations where certificates and keys that it will manage will be
266 stored (these locations are typically labeled as cert_t or an equiva‐
267 lent). More SELinux-specific information can be found in the
268 selinux.txt documentation file for this package.
269
270
272 Please file tickets for any that you find at https://fedora‐
273 hosted.org/certmonger/
274
275
277 certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
278 getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1) getcert-re‐
279 fresh-ca(1) getcert-refresh(1) getcert-rekey(1) getcert-remove-ca(1)
280 getcert-resubmit(1) getcert-start-tracking(1) getcert-status(1)
281 getcert-stop-tracking(1) certmonger-certmaster-submit(8) certmon‐
282 ger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8) cert‐
283 monger-ipa-submit(8) certmonger-local-submit(8) certmonger-scep-sub‐
284 mit(8) certmonger_selinux(8)
285
286
287
288certmonger Manual February 9, 2015 CERTMONGER(1)