bionic (5) certmonger.conf.5.gz

Provided by: certmonger_0.79.5-3ubuntu1_amd64

NAME

       certmonger.conf - configuration file for certmonger

DESCRIPTION

       The certmonger.conf file contains default settings used by certmonger.  Its format is more or less that
       of a typical INI-style file.  The sections currently of note are named defaults, selfsign, and local,
       each described below.

DEFAULTS

       Within the defaults section, these variables and values are recognized:

       notify_ttls
              This is the list of times, given in seconds, before a certificate's not-after validity date (often
              referred  to as its expiration time) when certmonger should warn that the certificate will soon no
              longer be valid.  If this value is not specified, certmonger will attempt to use the value of  the
              ttls  setting.   The  default  list  of  values is "2419200, 604800, 259200, 172800, 86400, 43200,
              21600, 7200, 3600".

       enroll_ttls
              This is the list of times, given in seconds, before a certificate's not-after validity date (often
              referred  to  as  its  expiration  time) when certmonger should attempt to automatically renew the
              certificate, if it is configured to do so.  If  this  value  is  not  specified,  certmonger  will
              attempt  to  use  the  value of the ttls setting.  The default list of values is "2419200, 604800,
              259200, 172800, 86400, 43200, 21600, 7200, 3600".

       notification_method
              This is the method by which certmonger will notify the system  administrator  that  a  certificate
              will  soon  become  invalid.  The recognized values are syslog, mail, and command.  The default is
              syslog.  When sending mail, the notification message will  be  the  mail  message  subject.   When
              invoking  a  command,  the notification message will be available in the "CERTMONGER_NOTIFICATION"
              environment variable.

       notification_destination
              This is the destination to which certmonger will send notifications.  It can be a syslog  priority
              and/or facility, separated by a period, it can be an email address, or it can be a command to run.
              The default value is daemon.notice.

       key_type
              This is the type of key pair which will be generated, used in certificate signing requests, and
              used when self-signing certificates.  RSA, DSA, and EC (also known as ECDSA) are supported.  The
              default is RSA.

       symmetric_cipher
              This is the symmetric cipher which will be used to encrypt private keys stored  in  OpenSSL's  PEM
              format.   Recognized  values  include  aes128  and  aes256.   The  default  is  aes128.  It is not
              recommended that this value be changed except in cases where  the  default  is  incompatible  with
              other software.

       digest
              This is the digest algorithm which will be used when signing certificate signing requests and
              self-signed certificates.  Recognized values include sha1, sha256, sha384, and sha512.  The
              default is sha256.  It is not recommended that this value be changed except in cases where the
              default is incompatible with other software.

       nss_ca_trust
              These are the trust attributes which are applied to CA certificates which should be trusted,  when
              they are saved to NSS databases.  The default is CT,C,C.

       nss_other_trust
              These  are  the trust attributes which are applied to certificates which are not necessarily to be
              trusted, when they are saved to NSS databases.  The default is ,,.

       max_key_use_count
              When attempting to replace a certificate, if certmonger has  previously  obtained  at  least  this
              number  of  certificates using the current key pair, it will generate a new key pair to use before
              proceeding.  There is effectively no default for this setting.

       max_key_lifetime
              The amount of time after a key was first generated when certmonger will attempt to generate a  new
              key pair to replace it, as part of the process of replacing a certificate.  The value is specified
              as a combination of years (y), months (M), weeks (w), days (d), hours  (h),  minutes  (m),  and/or
              seconds  (s).   If  no  unit  of  time is specified, seconds are assumed.  The date when a key was
              generated is not recorded if the key was not generated by certmonger, or if the key was  generated
              with  a  version  of  certmonger  older than 0.78, and for those cases, this option has no effect.
              There is effectively no default for this setting.

SELFSIGN

       Within the selfsign section, these variables and values are recognized:

       validity_period
              This is the validity period given to self-signed  certificates.   The  value  is  specified  as  a
              combination  of years (y), months (M), weeks (w), days (d), hours (h), minutes (m), and/or seconds
              (s).  If no unit of time is specified, seconds are assumed.  The default value is 1y.

       populate_unique_id
              This controls whether  or  not  self-signed  certificates  will  have  their  subjectUniqueID  and
              issuerUniqueID  fields  populated.   While  RFC5280 prohibits their use, they may be needed and/or
              used by older applications.  The default value is no.

LOCAL

       Within the local section, these variables and values are recognized:

       validity_period
              This is the validity period given to the locally-signed CA's certificate  when  it  is  generated.
              The  value is specified as a combination of years (y), months (M), weeks (w), days (d), hours (h),
              minutes (m), and/or seconds (s).  If no unit of time is specified, seconds are  assumed.   If  not
              set, the value of the validity_period setting from the selfsign section, if one is set there, will
              be used.  The default value is 1y.
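       As an added example (not part of this man page or of certmonger itself), the following Python linter reads
       a certmonger.conf, parses the duration format used by max_key_lifetime and validity_period, and flags the
       settings described above that a reviewer would question.  The sample file is constructed, and the 30-day
       month and 365-day year used for the conversion are assumptions, since the page names the units only.

```python
import configparser
import re

# Constructed sample certmonger.conf for this example, not a file from a real system.
SAMPLE_CONF = """[defaults]
digest = sha1
notification_method = mail
notification_destination = daemon.notice
max_key_lifetime = 2y6M
[selfsign]
validity_period = 1y
populate_unique_id = yes
"""

# Seconds per duration suffix.  The man page names the units only; the month and
# year lengths used here (30 and 365 days) are assumptions made for this example.
UNIT_SECONDS = {"y": 365 * 86400, "M": 30 * 86400, "w": 7 * 86400,
                "d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Convert '2y6M', '1w2d' or a bare '3600' (seconds) into seconds."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)([yMwdhms])", text)  # 'M' is months, 'm' is minutes
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError("malformed duration: %r" % text)
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)

def lint(conf_text):
    """Return the findings a reviewer would raise about this configuration."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    d = cp["defaults"] if cp.has_section("defaults") else {}
    findings = []
    if d.get("digest", "sha256") == "sha1":
        findings.append("defaults.digest=sha1: CSRs and self-signed certs use a weak digest")
    method = d.get("notification_method", "syslog")
    dest = d.get("notification_destination", "daemon.notice")
    if method == "mail" and "@" not in dest:
        findings.append("notification_method=mail but notification_destination is not an address")
    if "max_key_lifetime" in d:
        parse_duration(d["max_key_lifetime"])  # raises on a malformed value
    else:
        findings.append("max_key_lifetime unset: key pairs are never replaced on age")
    if cp.has_section("selfsign") and cp["selfsign"].get("populate_unique_id", "no") == "yes":
        findings.append("selfsign.populate_unique_id=yes: populates fields RFC 5280 prohibits")
    return findings
```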

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) certmonger_selinux(8)