Provided by: certmonger_0.79.19-1build4_amd64

NAME

       certmonger.conf - configuration file for certmonger

DESCRIPTION

       The certmonger.conf file contains default settings used by certmonger.  Its format is more or less that
       of a typical INI-style file.  The sections currently documented are named defaults, selfsign, local, and
       scep.

DEFAULTS

       Within the defaults section, these variables and values are recognized:

       notify_ttls
              This is the list of times, given in seconds, before a certificate's not-after validity date (often
              referred  to as its expiration time) when certmonger should warn that the certificate will soon no
              longer be valid.  If this value is not specified, certmonger will attempt to use the value of  the
              ttls  setting.   The  default  list  of  values is "2419200, 604800, 259200, 172800, 86400, 43200,
              21600, 7200, 3600".

       enroll_ttls
              This is the list of times, given in seconds, before a certificate's not-after validity date (often
              referred  to  as  its  expiration  time) when certmonger should attempt to automatically renew the
              certificate, if it is configured to do so.  If  this  value  is  not  specified,  certmonger  will
              attempt  to  use  the  value of the ttls setting.  The default list of values is "2419200, 604800,
              259200, 172800, 86400, 43200, 21600, 7200, 3600".

       notification_method
              This is the method by which certmonger will notify the system  administrator  that  a  certificate
              will  soon  become  invalid.  The recognized values are syslog, mail, and command.  The default is
              syslog.  When sending mail, the notification message will  be  the  mail  message  subject.   When
              invoking  a  command,  the notification message will be available in the "CERTMONGER_NOTIFICATION"
              environment variable.

       notification_destination
              This is the destination to which certmonger will send notifications.  It can be a syslog  priority
              and/or facility, separated by a period, it can be an email address, or it can be a command to run.
              The default value is daemon.notice.

       key_type
              This is the type of key pair which will be generated, used in certificate  signing  requests,  and
              used  when  self-signing  certificates.   RSA  is  supported.   EC  (also  known as ECDSA) is also
              supported.  The default is RSA.

       rsa_key_size
              This is the size of an RSA key if the value is not included in  a  certificate  request.  If  this
              value is not set then the default is 2048. The minimum value allowed is 1024.

       symmetric_cipher
              This  is  the  symmetric cipher which will be used to encrypt private keys stored in OpenSSL's PEM
              format.  Recognized values include  aes128  and  aes256.   The  default  is  aes128.   It  is  not
              recommended  that  this  value  be  changed except in cases where the default is incompatible with
              other software.

       digest
              This is the digest algorithm which will be used when signing certificate signing requests  and
              self-signed certificates.  Recognized values include sha1, sha256, sha384, and sha512.  The
              default is sha256.  It is not recommended that this value be changed except in cases where the
              default is incompatible with other software.

       nss_ca_trust
              These  are the trust attributes which are applied to CA certificates which should be trusted, when
              they are saved to NSS databases.  The default is CT,C,C.

       nss_other_trust
              These are the trust attributes which are applied to certificates which are not necessarily  to  be
              trusted, when they are saved to NSS databases.  The default is ,,.

       max_key_use_count
              When  attempting  to  replace  a  certificate, if certmonger has previously obtained at least this
              number of certificates using the current key pair, it will generate a new key pair to  use  before
              proceeding.  There is effectively no default for this setting.

       max_key_lifetime
              The  amount of time after a key was first generated when certmonger will attempt to generate a new
              key pair to replace it, as part of the process of replacing a certificate.  The value is specified
              as  a  combination  of  years (y), months (M), weeks (w), days (d), hours (h), minutes (m), and/or
              seconds (s).  If no unit of time is specified, seconds are assumed.   The  date  when  a  key  was
              generated  is not recorded if the key was not generated by certmonger, or if the key was generated
              with a version of certmonger older than 0.78, and for those cases,  this  option  has  no  effect.
              There is effectively no default for this setting.

SELFSIGN

       Within the selfsign section, these variables and values are recognized:

       validity_period
              This  is  the  validity  period  given  to  self-signed certificates.  The value is specified as a
              combination of years (y), months (M), weeks (w), days (d), hours (h), minutes (m), and/or  seconds
              (s).  If no unit of time is specified, seconds are assumed.  The default value is 1y.

       populate_unique_id
              This controls whether or not self-signed certificates will have their subjectUniqueID and
              issuerUniqueID fields populated.  While RFC 5280 prohibits their use, they may be needed and/or
              used by older applications.  The default value is no.

LOCAL

       Within the local section, these variables and values are recognized:

       validity_period
              This  is  the  validity  period given to the locally-signed CA's certificate when it is generated.
              The value is specified as a combination of years (y), months (M), weeks (w), days (d), hours  (h),
              minutes  (m),  and/or  seconds (s).  If no unit of time is specified, seconds are assumed.  If not
              set, the value of the validity_period setting from the selfsign section, if one is set there, will
              be used.  The default value is 1y.
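       As an added example (not part of certmonger or this manual page), the following Python resolves a
       configuration's effective values the way the defaults, selfsign and local sections above describe them:
       notify_ttls and enroll_ttls falling back to ttls and then to the built-in list, the duration syntax
       shared by max_key_lifetime and both validity_period settings (with case-sensitive M for months and m for
       minutes), and the local section's fallback to the selfsign value.  Treating a year as 365 days and a
       month as 30 days is this example's assumption, not certmonger's arithmetic.

```python
"""Resolve certmonger.conf settings as certmonger.conf(5) describes them.
Added example, not certmonger's code; treating a year as 365 days and a
month as 30 days is this example's assumption, not certmonger's."""
import configparser
import re

# Default notify_ttls / enroll_ttls list from the man page, in seconds.
DEFAULT_TTLS = [2419200, 604800, 259200, 172800, 86400, 43200, 21600, 7200, 3600]
# Duration units are case-sensitive: 'M' is months, 'm' is minutes.
UNIT_SECONDS = {"y": 365 * 86400, "M": 30 * 86400, "w": 7 * 86400,
                "d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(value):
    """Parse '1y', '1y6M', '2w3d' or a bare number (seconds) into seconds."""
    value = value.strip()
    if not re.fullmatch(r"(?:\d+[yMwdhms]?)+", value):
        raise ValueError("bad duration: %r" % value)
    return sum(int(n) * UNIT_SECONDS[u or "s"]
               for n, u in re.findall(r"(\d+)([yMwdhms]?)", value))

def parse_ttls(value):
    """Parse a comma-separated list of seconds, longest threshold first."""
    return sorted((int(x) for x in value.split(",") if x.strip()), reverse=True)

def resolve(text):
    """Return the effective settings after applying the documented fallbacks."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    d, ss, lo = (dict(cfg[s]) if cfg.has_section(s) else {}
                 for s in ("defaults", "selfsign", "local"))

    def ttl_list(name):  # notify_ttls / enroll_ttls -> ttls -> built-in list
        raw = d.get(name) or d.get("ttls")
        return parse_ttls(raw) if raw else list(DEFAULT_TTLS)

    key_size = int(d.get("rsa_key_size", "2048"))
    if key_size < 1024:  # the minimum the man page allows
        raise ValueError("rsa_key_size below the 1024-bit minimum")
    lifetime = d.get("max_key_lifetime")  # no default: None means "never"
    selfsign_validity = ss.get("validity_period", "1y")
    return {
        "notify_ttls": ttl_list("notify_ttls"),
        "enroll_ttls": ttl_list("enroll_ttls"),
        "rsa_key_size": key_size,
        "max_key_lifetime": parse_duration(lifetime) if lifetime else None,
        "selfsign_validity": parse_duration(selfsign_validity),
        # the local section falls back to the selfsign value, then to 1y
        "local_validity": parse_duration(lo.get("validity_period") or selfsign_validity),
    }

SAMPLE_CONF = (  # constructed sample configuration, not from any real host
    "[defaults]\nttls = 604800, 86400, 3600\nrsa_key_size = 3072\n"
    "max_key_lifetime = 1y6M\n\n[selfsign]\nvalidity_period = 2y\n")
```

       With the sample above, both ttl lists come from ttls, max_key_lifetime resolves to 47088000 seconds, and
       the local validity inherits the selfsign value of 2y.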

SCEP

       Within the scep section, these variables and values are recognized:

       challenge_password_otp
              This controls whether the SCEP challenge password is treated as a one-time password.  If set to
              yes, the challenge password and/or challenge password file will be removed from the tracking
              request after the first certificate issuance, and so will not be sent with renewal requests.  The
              default is no.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) certmonger_selinux(8)