Provided by: certmonger_0.79.9-2_amd64

NAME

       getcert

SYNOPSIS

       getcert request [options]

DESCRIPTION

       Tells  certmonger  to  use  an existing key pair (or to generate one if one is not already
       found in the specified location), to generate a signing request using the key pair, and to
       submit them for signing to a CA.

KEY AND CERTIFICATE STORAGE OPTIONS

       -d DIR Use  an  NSS  database  in the specified directory for storing this certificate and
              key.

       -n NAME
              Use the key with this nickname to generate the signing request.  If no such key  is
              found, generate one.  Give the enrolled certificate this nickname, too.  Only valid
              with -d.

       -t TOKEN
              If the NSS database has more than one token available, use the token with this name
              for storing and accessing the certificate and key.  This argument only rarely needs
              to be specified.  Only valid with -d.

       -f FILE
              Store the issued certificate in this file.  For safety's sake, do not use the  same
              file specified with the -k option.

       -k FILE
              Use  the  key stored in this file to generate the signing request.  If no such file
              is found, generate a new key pair and store it in the file.  Only valid with -f.

KEY ENCRYPTION OPTIONS

       -p FILE
              Encrypt private key files or databases using the PIN stored in the  named  file  as
              the passphrase.

       -P PIN Encrypt  private  key files or databases using the specified PIN as the passphrase.
              Because command-line arguments to running processes are trivially discoverable, use
              of this option is not recommended except for testing.

KEY GENERATION OPTIONS

       -G TYPE
              In case a new key pair needs to be generated, this option specifies the type of the
              keys to be generated.  If not specified, a reasonable default (currently RSA)  will
              be used.

       -g BITS
              In case a new key pair needs to be generated, this option specifies the size of the
              key.  If not specified, a reasonable default (currently 2048 bits) will be used.
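The storage, encryption and key-generation options above carry three operational caveats: the -f and -k files must differ, a PIN should reach the daemon through a file (-p) rather than the command line (-P), and the RSA default is 2048 bits. The following script is an added example, not certmonger's own code; it composes that part of a `getcert request` command line while enforcing those caveats, and only prints the command so it can be reviewed before it is run. All file paths in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not certmonger's own code: compose the storage, encryption and
# key-generation arguments for a file-based "getcert request", enforcing the
# caveats above (never reuse the -f file for -k; pass the PIN through a file
# with -p rather than on the command line with -P; keep RSA at >= 2048 bits).
# All paths used here are constructed for the example.

fail() { printf 'error: %s\n' "$1" >&2; return 1; }

# storage_args CERT_FILE KEY_FILE -> "-f CERT_FILE -k KEY_FILE"
# Fails when the two paths are identical; a leading "./" is stripped first so
# "./host.pem" and "host.pem" are recognised as the same file.
storage_args() {
    cert=${1#./}; key=${2#./}
    [ -n "$cert" ] && [ -n "$key" ] || { fail "certificate and key paths are required"; return 1; }
    [ "$cert" != "$key" ] || { fail "-f and -k must not name the same file"; return 1; }
    printf -- '-f %s -k %s' "$cert" "$key"
}

# write_pin_file PIN FILE -> "-p FILE"
# Creates FILE with mode 0600 (umask set in a subshell) so the PIN never shows
# up in the process list the way a -P argument would.
write_pin_file() {
    pin=$1; file=$2
    ( umask 077 && printf '%s' "$pin" > "$file" ) || { fail "cannot write $file"; return 1; }
    printf -- '-p %s' "$file"
}

# keygen_args [TYPE] [BITS] -> "-G TYPE -g BITS", defaulting to the man page's
# RSA/2048; RSA requests below 2048 bits are refused.
keygen_args() {
    type=${1:-RSA}; bits=${2:-2048}
    if [ "$type" = RSA ]; then
        [ "$bits" -ge 2048 ] 2>/dev/null || { fail "RSA keys shorter than 2048 bits are refused"; return 1; }
    fi
    printf -- '-G %s -g %s' "$type" "$bits"
}

# request_cmdline CERT_FILE KEY_FILE PIN_FILE [TYPE] [BITS]
# Prints (does not run) the full command; -m 0600 asks certmonger to set the
# key file mode after generation and -w waits for the CA's answer.
request_cmdline() {
    s=$(storage_args "$1" "$2") || return 1
    g=$(keygen_args "$4" "$5") || return 1
    printf 'getcert request %s %s -p %s -m 0600 -w\n' "$s" "$g" "$3"
}

# Usage (paths constructed):
#   write_pin_file "$PIN" /etc/pki/tls/private/host.pin
#   request_cmdline /etc/pki/tls/certs/host.pem /etc/pki/tls/private/host.key \
#       /etc/pki/tls/private/host.pin | sh
```

The functions return their fragments on stdout and a non-zero status on a violated caveat, so a wrapper can stop before anything is submitted to the CA; piping the printed line into `sh` is the only step that actually talks to certmonger.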

TRACKING OPTIONS

       -r     Attempt to obtain a new certificate from the CA  when  the  expiration  date  of  a
              certificate nears.  This is the default setting.

       -R     Don't attempt to obtain a new certificate from the CA when the expiration date of a
              certificate nears.  If this option is specified, an expired certificate will simply
              stay expired.

       -I NAME
              Assign  the  specified  nickname  to this task.  If this option is not specified, a
              name will be assigned automatically.

ENROLLMENT OPTIONS

       -c NAME
              Enroll with the specified CA rather than a possible default.  The name  of  the  CA
              should correspond to one listed by getcert list-cas.

       -T NAME
              Request  a  certificate  using  the  named profile, template, or certtype, from the
              specified CA.

       --ms-template-spec SPEC
              Include a V2 Certificate Template extension in the signing request.  This datum
              includes an Object Identifier, a major version number (positive integer) and an
              optional minor version number.  The format is:
              <oid>:<majorVersion>[:<minorVersion>].

       -X NAME
              Request a certificate using the named issuer from the specified CA.

SIGNING REQUEST OPTIONS

       If  none of -N, -U, -K, -E, and -D are specified, a default group of settings will be used
       to request an SSL server certificate for the current host, with the host Kerberos  service
       as an additional name.

       The options -K, -E, -D and -A may be provided multiple times to set multiple subjectAltName
       values of the same type.

       -N NAME
              Set the subject name to include in  the  signing  request.   The  default  used  is
              CN=hostname, where hostname is the local hostname.

       -u keyUsage
              Add  an  extensionRequest  for  the specified keyUsage to the signing request.  The
              keyUsage value is expected to be one of these names:

              digitalSignature

              nonRepudiation

              keyEncipherment

              dataEncipherment

              keyAgreement

              keyCertSign

              cRLSign

              encipherOnly

              decipherOnly

       -U EKU Add an extensionRequest for the specified extendedKeyUsage to the signing  request.
              The EKU value is expected to be an object identifier (OID), but some specific names
              are also recognized.  These are some names and their associated OID values:

              id-kp-serverAuth 1.3.6.1.5.5.7.3.1

              id-kp-clientAuth 1.3.6.1.5.5.7.3.2

              id-kp-codeSigning 1.3.6.1.5.5.7.3.3

              id-kp-emailProtection 1.3.6.1.5.5.7.3.4

              id-kp-timeStamping 1.3.6.1.5.5.7.3.8

              id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9

              id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4

              id-pkinit-KPKdc 1.3.6.1.5.2.3.5

              id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2

       -K NAME
              Add an extensionRequest for a subjectAltName, with the specified Kerberos principal
              name as its value, to the signing request.

       -E EMAIL
              Add  an  extensionRequest for a subjectAltName, with the specified email address as
              its value, to the signing request.

       -D DNSNAME
              Add an extensionRequest for a subjectAltName, with the specified DNS  name  as  its
              value, to the signing request.

       -A ADDRESS
              Add  an extensionRequest for a subjectAltName, with the specified IP address as its
              value, to the signing request.

       -l FILE
              Add an optional ChallengePassword  value,  read  from  the  file,  to  the  signing
              request.  A ChallengePassword is often required when the CA is accessed using SCEP.

       -L PIN Add  the argument value to the signing request as a ChallengePassword attribute.  A
              ChallengePassword is often required when the CA is accessed using SCEP.
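The signing-request options above accept keyUsage bit names from a fixed list and EKU values that are either OIDs or one of the recognised names. The script below is an added example, not certmonger's own code: it validates those values against the lists on this page before they reach the daemon, and assembles the subject, keyUsage, EKU and subjectAltName arguments for a TLS server request with the host Kerberos principal as an extra name, mirroring the default described above. The hostname, realm and extra DNS names are constructed for the example.

```shell
#!/bin/sh
# Added example, not certmonger's own code: build the signing-request part of a
# "getcert request" command line, validating keyUsage and EKU values against
# the lists in this man page. Hostnames and realm below are constructed.

KEY_USAGES="digitalSignature nonRepudiation keyEncipherment dataEncipherment"
KEY_USAGES="$KEY_USAGES keyAgreement keyCertSign cRLSign encipherOnly decipherOnly"

# valid_key_usage NAME -> 0 if NAME is one of the keyUsage bit names above
valid_key_usage() {
    for u in $KEY_USAGES; do [ "$u" = "$1" ] && return 0; done
    return 1
}

# eku_oid NAME_OR_OID -> prints the OID for a recognised name, passes a bare
# dotted-decimal OID through unchanged, and fails on anything else.
eku_oid() {
    case "$1" in
        id-kp-serverAuth)        echo 1.3.6.1.5.5.7.3.1 ;;
        id-kp-clientAuth)        echo 1.3.6.1.5.5.7.3.2 ;;
        id-kp-codeSigning)       echo 1.3.6.1.5.5.7.3.3 ;;
        id-kp-emailProtection)   echo 1.3.6.1.5.5.7.3.4 ;;
        id-kp-timeStamping)      echo 1.3.6.1.5.5.7.3.8 ;;
        id-kp-OCSPSigning)       echo 1.3.6.1.5.5.7.3.9 ;;
        id-pkinit-KPClientAuth)  echo 1.3.6.1.5.2.3.4 ;;
        id-pkinit-KPKdc)         echo 1.3.6.1.5.2.3.5 ;;
        id-ms-kp-sc-logon)       echo 1.3.6.1.4.1.311.20.2.2 ;;
        *[!0-9.]*|"")            return 1 ;;   # neither a known name nor an OID
        *)                       echo "$1" ;;
    esac
}

# server_csr_args HOSTNAME REALM [EXTRA_DNS ...]
# Emits -N CN=HOSTNAME, the keyUsage bits a TLS server needs, the serverAuth
# EKU, -K host/HOSTNAME@REALM (the host Kerberos service), and one -D per DNS
# name. Extra DNS names are checked against a conservative character set.
server_csr_args() {
    host=$1; realm=$2
    [ -n "$host" ] && [ -n "$realm" ] || { echo "hostname and realm required" >&2; return 1; }
    shift 2
    args="-N CN=$host"
    for u in digitalSignature keyEncipherment; do
        valid_key_usage "$u" || return 1
        args="$args -u $u"
    done
    oid=$(eku_oid id-kp-serverAuth) || return 1
    args="$args -U $oid -K host/$host@$realm -D $host"
    for d in "$@"; do
        case "$d" in
            *[!A-Za-z0-9.-]*|"") echo "bad DNS SAN: $d" >&2; return 1 ;;
        esac
        args="$args -D $d"
    done
    printf '%s' "$args"
}

# Usage (names constructed):
#   getcert request -f /etc/pki/tls/certs/host.pem -k /etc/pki/tls/private/host.key \
#       $(server_csr_args web1.example.test EXAMPLE.TEST www.example.test)
```

Because -D is repeatable, every extra DNS name becomes its own -D argument rather than a comma-joined list; the same pattern applies to -K, -E and -A.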

OTHER OPTIONS

       -B COMMAND
              Whenever the certificate or the CA's certificates are saved to the specified
              locations, run the specified command as the client user before saving the
              certificates.

       -C COMMAND
              Whenever the certificate or the CA's certificates are saved to the specified
              locations, run the specified command as the client user after saving the
              certificates.

       -a DIR Whenever the certificate is saved to the specified location, if root certificates
              for the CA are available, save them to the specified NSS database.

       -F FILE
              Whenever the certificate is saved to the specified location, if root certificates
              for the CA are available, and when the local copies of the CA's root certificates
              are updated, save them to the specified file.

       -w     Wait  for  the certificate to be issued and saved, or for the attempt to obtain one
              to fail.

       -v     Be verbose about errors.  Normally, the details of an error received from the
              daemon will be suppressed if the client can make a diagnostic suggestion.

       -o OWNER, --key-owner=OWNER
              After generation set the owner on the private key file or database to OWNER.

       -m MODE, --key-perms=MODE
              After generation set the file permissions on the private key file or database to
              MODE.

       -O OWNER, --cert-owner=OWNER
              After generation set the owner on the certificate file or database to OWNER.

       -M MODE, --cert-perms=MODE
              After generation set the file permissions on the certificate file or database to
              MODE.
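A -C command runs as the client user each time certmonger writes the certificate, which makes it the natural place to check what was saved before a service reloads it. The script below is an added example, not certmonger's own code, of such a post-save hook: it verifies that the certificate file is a non-empty PEM file and that the private key (whose mode -m is meant to set) is not group- or world-readable, and only then runs the reload command. The file paths and the reload command are assumptions for the example, overridable through environment variables.

```shell
#!/bin/sh
# Added example, not certmonger's own code: a post-save hook for
# "getcert request -C", run after certmonger writes the certificate.
# Paths and the reload command are assumptions for the example.

CERT_FILE=${CERT_FILE:-/etc/pki/tls/certs/host.pem}
KEY_FILE=${KEY_FILE:-/etc/pki/tls/private/host.key}
RELOAD_CMD=${RELOAD_CMD:-"systemctl reload httpd"}

# file_mode FILE -> octal permission bits (GNU stat, with a BSD stat fallback)
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# check_saved CERT KEY -> 0 when CERT is a non-empty PEM certificate and KEY
# exists with mode 0600 or 0400; otherwise report why and fail.
check_saved() {
    cert=$1; key=$2
    [ -s "$cert" ] || { echo "certificate $cert missing or empty" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "$cert is not a PEM certificate" >&2; return 1; }
    [ -f "$key" ] || { echo "private key $key missing" >&2; return 1; }
    mode=$(file_mode "$key")
    case "$mode" in
        600|400) ;;
        *) echo "private key $key is readable by others (mode $mode)" >&2; return 1 ;;
    esac
    return 0
}

# post_save_hook: entry point invoked via -C; refuses to reload on a bad save
post_save_hook() {
    check_saved "$CERT_FILE" "$KEY_FILE" || return 1
    echo "certificate saved, reloading: $RELOAD_CMD"
    sh -c "$RELOAD_CMD"
}

# Only act when explicitly told to, so sourcing this file for its functions
# (or reading it as an example) never touches a service.
if [ "${CERTMONGER_HOOK_RUN:-}" = 1 ]; then
    post_save_hook
fi

# Usage (paths constructed): getcert request ... -C 'CERTMONGER_HOOK_RUN=1 /usr/local/sbin/post-save.sh'
```

Failing the hook does not undo the save, but it keeps a service from loading a certificate whose private key has ended up readable by other users, and the message lands in the hook's stderr where the caller can log it.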

NOTES

       Locations  specified  for  key  and  certificate  storage  need  to  be  accessible to the
       certmonger daemon process.  When run as a system daemon on a system which uses a mandatory
       access control mechanism such as SELinux, the system policy must ensure that the daemon is
       allowed to access the locations where certificates and keys that it will  manage  will  be
       stored  (these locations are typically labeled as cert_t or an equivalent).  More SELinux-
       specific information can be found in the selinux.txt documentation file for this package.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1) getcert-list-cas(1)
       getcert-list(1) getcert-modify-ca(1) getcert-refresh-ca(1) getcert-refresh(1)
       getcert-rekey(1) getcert-remove-ca(1) getcert-resubmit(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1) certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8) certmonger-scep-submit(8)
       certmonger_selinux(8)