Ubuntu Manpage: getcert

NAME

       getcert

SYNOPSIS

       getcert request [options]

DESCRIPTION

       Tells  certmonger  to  use  an existing key pair (or to generate one if one is not already
       found in the specified location), to generate a signing request using the key pair, and to
       submit them for signing to a CA.

KEY AND CERTIFICATE STORAGE OPTIONS

       -d DIR, --dbdir=DIR
              Use  an  NSS  database  in the specified directory for storing this certificate and
              key.

       -n NAME, --nickname=NAME
              Use the key with this nickname to generate the signing request.  If no such key  is
              found, generate one.  Give the enrolled certificate this nickname, too.  Only valid
              with -d.

       -t TOKEN, --token=TOKEN
              If the NSS database has more than one token available, use the token with this name
              for storing and accessing the certificate and key.  This argument only rarely needs
              to be specified.  Only valid with -d.

       -f FILE, --certfile=FILE
              Store the issued certificate in this file.  For safety's sake, do not use the  same
              file specified with the -k option.

       -k FILE, --keyfile=FILE
              Use  the  key stored in this file to generate the signing request.  If no such file
              is found, generate a new key pair and store them in the file.  Only valid with -f.

KEY ENCRYPTION OPTIONS

       -p FILE, --pinfile=FILE
              Encrypt private key files or databases using the PIN stored in the  named  file  as
              the passphrase.

       -P PIN, --pin=PIN
              Encrypt  private  key files or databases using the specified PIN as the passphrase.
              Because command-line arguments to running processes are trivially discoverable, use
              of this option is not recommended except for testing.

KEY GENERATION OPTIONS

       -G TYPE, --key-type=TYPE
              In case a new key pair needs to be generated, this option specifies the type of the
              keys to be generated.  If not specified, a reasonable default (currently RSA)  will
              be used.

       -g BITS, --key-size=BITS
              In case a new key pair needs to be generated, this option specifies the size of the
              key.  If not specified, a reasonable default (currently 2048 bits)  will  be  used.
              See certmonger.conf(5) for configuration of the default.

TRACKING OPTIONS

       -r, --renew
              Attempt  to  obtain  a  new  certificate  from the CA when the expiration date of a
              certificate nears.  This is the default setting.

       -R, --no-renew
              Don't attempt to obtain a new certificate from the CA when the expiration date of a
              certificate nears.  If this option is specified, an expired certificate will simply
              stay expired.

       -I NAME, --id=NAME
              Assign the specified nickname to this task.  If this option  is  not  specified,  a
              name will be assigned automatically.

ENROLLMENT OPTIONS

       -c NAME, --ca=NAME
              Enroll  with  the  specified CA rather than a possible default.  The name of the CA
              should correspond to one listed by getcert list-cas.

       -T NAME, --profile=NAME
              Request a certificate using the named profile,  template,  or  certtype,  from  the
              specified CA.

       --ms-template-spec SPEC
              Include  a  V2  Certificate  Template extension in the signing request.  This datum
              includes an Object Identifier, a major version number  (positive  integer)  and  an
              optional        minor       version       number.        The       format       is:
              <oid>:<majorVersion>[:<minorVersion>].

       -X NAME, --issuer=NAME
              Request a certificate using the named issuer from the specified CA.

SIGNING REQUEST OPTIONS

       If none of -N, -U, -K, -E, and -D are specified, a default group of settings will be  used
       to  request an SSL server certificate for the current host, with the host Kerberos service
       as an additional name.

       The  options  -K,  -E,  -D  and  -A  may  be  provided  multiple  times  to  set  multiple
       subjectAltName of the same type.

       -N NAME, , --subject-name=NAME
              Set  the  subject  name  to  include  in  the signing request.  The default used is
              CN=hostname, where hostname is the local hostname.

       -u keyUsage, --key-usage=keyUsage
              Add an extensionRequest for the specified keyUsage to  the  signing  request.   The
              keyUsage value is expected to be one of these names:

              digitalSignature

              nonRepudiation

              keyEncipherment

              dataEncipherment

              keyAgreement

              keyCertSign

              cRLSign

              encipherOnly

              decipherOnly

       -U EKU, --extended-key-usage=EKU
              Add  an extensionRequest for the specified extendedKeyUsage to the signing request.
              The EKU value is expected to be an object identifier (OID), but some specific names
              are also recognized.  These are some names and their associated OID values:

              id-kp-serverAuth 1.3.6.1.5.5.7.3.1

              id-kp-clientAuth 1.3.6.1.5.5.7.3.2

              id-kp-codeSigning 1.3.6.1.5.5.7.3.3

              id-kp-emailProtection 1.3.6.1.5.5.7.3.4

              id-kp-timeStamping 1.3.6.1.5.5.7.3.8

              id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9

              id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4

              id-pkinit-KPKdc 1.3.6.1.5.2.3.5

              id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2

       -K NAME, --principal=NAME
              Add an extensionRequest for a subjectAltName, with the specified Kerberos principal
              name as its value, to the signing request.

       -E EMAIL, --email=EMAIL
              Add an extensionRequest for a subjectAltName, with the specified email  address  as
              its value, to the signing request.

       -D DNSNAME, --dns=DNSNAME
              Add  an  extensionRequest  for a subjectAltName, with the specified DNS name as its
              value, to the signing request.

       -A ADDRESS, --ip-address=ADDRESS
              Add an extensionRequest for a subjectAltName, with the specified IP address as  its
              value, to the signing request.

       -l FILE, --challenge-password-file=FILE
              Add  an  optional  ChallengePassword  value,  read  from  the  file, to the signing
              request.  A ChallengePassword is often required when the CA is accessed using SCEP.

       -L PIN, --challenge-password=PIN
              Add the argument value to the signing request as a ChallengePassword attribute.   A
              ChallengePassword is often required when the CA is accessed using SCEP.

OTHER OPTIONS

-B COMMAND, --before-command=COMMAND
When ever the certificate or the CA's certificates are saved to the specified
locations, run the specified command as the client user before saving the
certificates.

-C COMMAND, --after-command=COMMAND
When ever the certificate or the CA's certificates are saved to the specified
locations, run the specified command as the client user after saving the
certificates.

-a DIR, --ca-dbdir=DIR
When ever the certificate is saved to the specified location, if root certificates
for the CA are available, save them to the specified NSS database.

-F FILE, --ca-file=FILE
When ever the certificate is saved to the specified location, if root certificates
for the CA are available, and when the local copies of the CA's root certificates
are updated, save them to the specified file.

--for-ca
Request a CA certificate.

--not-for-ca
Request a non-CA certificate (the default).

--ca-path-length=LENGTH
Path length for CA certificate. Only valid with --for-ca.

-w, --wait
Wait for the certificate to be issued and saved, or for the attempt to obtain one
to fail.

--wait-timeout=TIMEOUT
Maximum time to wait for the certificate to be issued.

-v, --verbose
Be verbose about errors. Normally, the details of an error received from the
daemon will be suppressed if the client can make a diagnostic suggestion.

-o OWNER, --key-owner=OWNER
After generation set the owner on the private key file or database to OWNER.

-m MODE, --key-perms=MODE
After generation set the file permissions on the private key file or database to
MODE.

-O OWNER, --cert-owner=OWNER
After generation set the owner on the certificate file or database to OWNER.

-M MODE, --cert-perms=MODE
After generation set the file permissions on the certificate file or database to
MODE.

BUS OPTIONS

       -s, --session Connect to certmonger on the session bus rather than the system bus.

       -S, --system
              Connect to certmonger on the system bus rather than the session bus.  This  is  the
              default.

NOTES

       Locations  specified  for  key  and  certificate  storage  need  to  be  accessible to the
       certmonger daemon process.  When run as a system daemon on a system which uses a mandatory
       access control mechanism such as SELinux, the system policy must ensure that the daemon is
       allowed to access the locations where certificates and keys that it will  manage  will  be
       stored  (these  locations  are  typically  labeled  as  cert_t  or  an  equivalent).  More
       SELinux-specific information can be found in the selinux.txt documentation file  for  this
       package.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/