Provided by: certmonger_0.56-0ubuntu1_amd64

NAME

       getcert

SYNOPSIS

       getcert request [options]

DESCRIPTION

       Tells certmonger to use an existing key pair (or to generate one if one is not already
       found in the specified location), to generate a signing request using the key pair, and to
       submit the request to a CA for signing.

KEY AND CERTIFICATE STORAGE OPTIONS

       -d DIR Use  an  NSS  database  in the specified directory for storing this certificate and
              key.

       -n NAME
              Use the key with this nickname to generate the signing request.  If no such key  is
              found, generate one.  Give the enrolled certificate this nickname, too.  Only valid
              with -d.

       -t TOKEN
              If the NSS database has more than one token available, use the token with this name
              for storing and accessing the certificate and key.  This argument only rarely needs
              to be specified.  Only valid with -d.

       -f FILE
              Store the issued certificate in this file.  For safety's sake, do not use the  same
              file specified with the -k option.

       -k FILE
              Use the key stored in this file to generate the signing request.  If no such file
              is found, generate a new key pair and store it in the file.  Only valid with -f.

KEY ENCRYPTION OPTIONS

       -p FILE
              Encrypt private key files or databases using the PIN stored in the  named  file  as
              the passphrase.

       -P PIN Encrypt  private  key files or databases using the specified PIN as the passphrase.
              Because command-line arguments to running processes are trivially discoverable, use
              of this option is not recommended except for testing.

KEY GENERATION OPTIONS

       -g BITS
              In case a new key pair needs to be generated, this option specifies the size of the
              key.  If not specified, a reasonable default (currently 2048 bits) will be used.

TRACKING OPTIONS

       -r     Attempt to obtain a new certificate from the CA  when  the  expiration  date  of  a
              certificate nears.  This is the default setting.

       -R     Don't attempt to obtain a new certificate from the CA when the expiration date of a
              certificate nears.  If this option is specified, an expired certificate will simply
              stay expired.

       -I NAME
              Assign  the  specified  nickname  to this task.  If this option is not specified, a
              name will be assigned automatically.

ENROLLMENT OPTIONS

       -c NAME
              Enroll with the specified CA rather than a possible default.  The name  of  the  CA
              should correspond to one listed by getcert list-cas.

SIGNING REQUEST OPTIONS

       If  none of -N, -U, -K, -E, and -D are specified, a default group of settings will be used
       to request an SSL server certificate for the current host, with the host Kerberos  service
       as an additional name.

       -N NAME
              Set  the  subject  name  to  include  in  the signing request.  The default used is
              CN=hostname, where hostname is the local hostname.

       -U EKU Add an extensionRequest for the specified extendedKeyUsage to the signing  request.
              The EKU value is expected to be an object identifier (OID), but some specific names
              are also recognized.  These are some names and their associated OID values:

              id-kp-serverAuth 1.3.6.1.5.5.7.3.1

              id-kp-clientAuth 1.3.6.1.5.5.7.3.2

              id-kp-codeSigning 1.3.6.1.5.5.7.3.3

              id-kp-emailProtection 1.3.6.1.5.5.7.3.4

              id-kp-timeStamping 1.3.6.1.5.5.7.3.8

              id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9

              id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4

              id-pkinit-KPKdc 1.3.6.1.5.2.3.5

              id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2

       -K NAME
              Add an extensionRequest for a subjectAltName, with the specified Kerberos principal
              name as its value, to the signing request.

       -E EMAIL
              Add  an  extensionRequest for a subjectAltName, with the specified email address as
              its value, to the signing request.

       -D DNSNAME
              Add an extensionRequest for a subjectAltName, with the specified DNS  name  as  its
              value, to the signing request.

OTHER OPTIONS

       -C command
              Whenever the certificate is saved to the specified location, run the specified
              command as the client user.

       -v     Be verbose about errors.  Normally, the details  of  an  error  received  from  the
              daemon will be suppressed if the client can make a diagnostic suggestion.
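
EXAMPLES

       The following is an added example, not part of the original manual page or the certmonger
       project. It combines the storage, encryption and signing request options above: the PIN
       goes in an owner-only file passed with -p rather than on the command line with -P, and
       -f and -k are checked to be different files. Function names and paths are assumptions.

```sh
# Added example (not certmonger's own code). Function names and file paths
# are assumptions; every getcert option used is one documented above.

# -f and -k must name different files.
check_paths() {
    if [ "$1" = "$2" ]; then
        echo "error: -f and -k must name different files" >&2
        return 1
    fi
}

# Write a random PIN to a file only its owner can read, for use with -p FILE.
# Unlike -P PIN, the passphrase never appears in the process argument list.
make_pin_file() {
    if [ -e "$1" ]; then
        chmod 600 "$1"              # tighten an existing PIN file, keep its PIN
        return
    fi
    ( umask 077                     # new file is created with mode 0600
      head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$1" )
}

# Request a TLS server certificate.
# $1 = certificate file (-f), $2 = key file (-k), $3 = PIN file (-p),
# $4 = DNS name used for the subject, the subjectAltName and the task name.
request_cert() {
    cert=$1 key=$2 pin=$3 dns=$4
    check_paths "$cert" "$key" || return 1
    make_pin_file "$pin" || return 1
    set -- request -f "$cert" -k "$key" -p "$pin" \
        -I "$dns" -N "CN=$dns" -D "$dns" -U id-kp-serverAuth -r
    if command -v getcert >/dev/null 2>&1; then
        getcert "$@"
    else
        echo "getcert not installed; would run: getcert $*"
    fi
}

# Usage (constructed paths and host name):
#   request_cert /etc/pki/tls/certs/www.crt /etc/pki/tls/private/www.key \
#                /etc/pki/tls/private/www.pin www.example.com
```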

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-list(1) getcert-list-cas(1) getcert-resubmit(1)
       getcert-start-tracking(1) getcert-stop-tracking(1) certmonger-certmaster-submit(8)
       certmonger-ipa-submit(8)