Provided by: certmonger_0.79.5-3ubuntu1_amd64

NAME

       getcert

SYNOPSIS

       getcert request [options]

DESCRIPTION

       Tells  certmonger  to  use  an existing key pair (or to generate one if one is not already
       found in the specified location), to generate a signing request using the key pair, and to
       submit them for signing to a CA.

KEY AND CERTIFICATE STORAGE OPTIONS

       -d DIR Use  an  NSS  database  in the specified directory for storing this certificate and
              key.

       -n NAME
              Use the key with this nickname to generate the signing request.  If no such key  is
              found, generate one.  Give the enrolled certificate this nickname, too.  Only valid
              with -d.

       -t TOKEN
              If the NSS database has more than one token available, use the token with this name
              for storing and accessing the certificate and key.  This argument only rarely needs
              to be specified.  Only valid with -d.

       -f FILE
              Store the issued certificate in this file.  For safety's sake, do not use the  same
              file specified with the -k option.

       -k FILE
              Use  the  key stored in this file to generate the signing request.  If no such file
              is found, generate a new key pair and store it in the file.  Only valid with -f.

KEY ENCRYPTION OPTIONS

       -p FILE
              Encrypt private key files or databases using the PIN stored in the  named  file  as
              the passphrase.

       -P PIN Encrypt  private  key files or databases using the specified PIN as the passphrase.
              Because command-line arguments to running processes are trivially discoverable, use
              of this option is not recommended except for testing.

KEY GENERATION OPTIONS

       -G TYPE
              In case a new key pair needs to be generated, this option specifies the type of the
              keys to be generated.  If not specified, a reasonable default (currently RSA)  will
              be used.

       -g BITS
              In case a new key pair needs to be generated, this option specifies the size of the
              key.  If not specified, a reasonable default (currently 2048 bits) will be used.

TRACKING OPTIONS

       -r     Attempt to obtain a new certificate from the CA  when  the  expiration  date  of  a
              certificate nears.  This is the default setting.

       -R     Don't attempt to obtain a new certificate from the CA when the expiration date of a
              certificate nears.  If this option is specified, an expired certificate will simply
              stay expired.

       -I NAME
              Assign  the  specified  nickname  to this task.  If this option is not specified, a
              name will be assigned automatically.

ENROLLMENT OPTIONS

       -c NAME
              Enroll with the specified CA rather than a possible default.  The name  of  the  CA
              should correspond to one listed by getcert list-cas.

       -T NAME
              Request  a  certificate  using  the  named profile, template, or certtype, from the
              specified CA.

       --ms-template-spec SPEC
              Include a V2 Certificate Template extension in the  signing  request.   This  datum
              includes  an  Object  Identifier,  a major version number (positive integer) and an
              optional minor version number.  The format is: <oid>:<majorVersion>[:<minorVersion>].

       -X NAME
              Request a certificate using the named issuer from the specified CA.

SIGNING REQUEST OPTIONS

       If  none of -N, -U, -K, -E, and -D are specified, a default group of settings will be used
       to request an SSL server certificate for the current host, with the host Kerberos  service
       as an additional name.

       -N NAME
              Set  the  subject  name  to  include  in  the signing request.  The default used is
              CN=hostname, where hostname is the local hostname.

       -u keyUsage
              Add an extensionRequest for the specified keyUsage to  the  signing  request.   The
              keyUsage value is expected to be one of these names:

              digitalSignature

              nonRepudiation

              keyEncipherment

              dataEncipherment

              keyAgreement

              keyCertSign

              cRLSign

              encipherOnly

              decipherOnly

       -U EKU Add  an extensionRequest for the specified extendedKeyUsage to the signing request.
              The EKU value is expected to be an object identifier (OID), but some specific names
              are also recognized.  These are some names and their associated OID values:

              id-kp-serverAuth 1.3.6.1.5.5.7.3.1

              id-kp-clientAuth 1.3.6.1.5.5.7.3.2

              id-kp-codeSigning 1.3.6.1.5.5.7.3.3

              id-kp-emailProtection 1.3.6.1.5.5.7.3.4

              id-kp-timeStamping 1.3.6.1.5.5.7.3.8

              id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9

              id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4

              id-pkinit-KPKdc 1.3.6.1.5.2.3.5

              id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2

       -K NAME
              Add an extensionRequest for a subjectAltName, with the specified Kerberos principal
              name as its value, to the signing request.

       -E EMAIL
              Add an extensionRequest for a subjectAltName, with the specified email  address  as
              its value, to the signing request.

       -D DNSNAME
              Add  an  extensionRequest  for a subjectAltName, with the specified DNS name as its
              value, to the signing request.

       -A ADDRESS
              Add an extensionRequest for a subjectAltName, with the specified IP address as  its
              value, to the signing request.

       -l FILE
              Add  an  optional  ChallengePassword  value,  read  from  the  file, to the signing
              request.  A ChallengePassword is often required when the CA is accessed using SCEP.

       -L PIN Add the argument value to the signing request as a ChallengePassword attribute.   A
              ChallengePassword is often required when the CA is accessed using SCEP.

OTHER OPTIONS

       -B COMMAND
              Whenever  the  certificate  or  the  CA's certificates are saved to the specified
              locations, run  the  specified  command  as  the  client  user  before  saving  the
              certificates.

       -C COMMAND
              Whenever  the  certificate  or  the  CA's certificates are saved to the specified
              locations,  run  the  specified  command  as  the  client  user  after  saving  the
              certificates.

       -a DIR Whenever the certificate is saved to the specified location, if root  certificates
              for the CA are available, save them to the specified NSS database.

       -F FILE
              Whenever the certificate is saved to the specified location, if root  certificates
              for  the  CA are available, and when the local copies of the CA's root certificates
              are updated, save them to the specified file.

       -w     Wait for the certificate to be issued and saved, or for the attempt to  obtain  one
              to fail.

       -v     Be  verbose  about  errors.   Normally,  the  details of an error received from the
              daemon will be suppressed if the client can make a diagnostic suggestion.

NOTES

       Locations specified for  key  and  certificate  storage  need  to  be  accessible  to  the
       certmonger daemon process.  When run as a system daemon on a system which uses a mandatory
       access control mechanism such as SELinux, the system policy must ensure that the daemon is
       allowed  to  access  the locations where certificates and keys that it will manage will be
       stored (these locations are typically labeled as cert_t or an equivalent).  More  SELinux-
       specific information can be found in the selinux.txt documentation file for this package.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8)  getcert(1)  getcert-add-ca(1)  getcert-add-scep-ca(1)  getcert-list-cas(1)
       getcert-list(1)  getcert-modify-ca(1)  getcert-refresh-ca(1)  getcert-refresh(1)
       getcert-rekey(1)  getcert-remove-ca(1)  getcert-resubmit(1)  getcert-start-tracking(1)
       getcert-status(1)  getcert-stop-tracking(1)  certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8)  certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8)  certmonger-local-submit(8)  certmonger-scep-submit(8)
       certmonger_selinux(8)