Provided by: certmonger_0.74-0ubuntu1_amd64 bug

NAME

       certmonger.conf - configuration file for certmonger

DESCRIPTION

       The certmonger.conf file contains default settings used by certmonger.  Its format is more
       or less that of a typical INI-style file.  The only sections currently of note  are  named
       defaults and selfsign.

DEFAULTS

       Within the defaults section, these variables and values are recognized:

       notify_ttls
              This  is  the  list  of  times,  given in seconds, before a certificate's not-after
              validity date (often referred to as its expiration  time)  when  certmonger  should
              warn  that  the  certificate  will  soon  no longer be valid.  If this value is not
              specified, certmonger will attempt to use the  value  of  the  ttls  setting.   The
              default list of values is "2419200, 604800, 259200, 172800, 86400".

       enroll_ttls
              This  is  the  list  of  times,  given in seconds, before a certificate's not-after
              validity date (often referred to as its expiration  time)  when  certmonger  should
              attempt  to  automatically renew the certificate, if it is configured to do so.  If
              this value is not specified, certmonger will attempt to use the value of  the  ttls
              setting.  The default list of values is "2419200, 604800, 259200, 172800, 86400".

       notification_method
              This  is the method by which certmonger will notify the system administrator that a
              certificate will soon become invalid.  The recognized values are syslog, mail,  and
              command.   The default is syslog.  When sending mail, the notification message will
              be the mail message subject.  When invoking a  command,  the  notification  message
              will be available in the "CERTMONGER_NOTIFICATION" environment variable.

       notification_destination
              This  is  the destination to which certmonger will send notifications.  It can be a
              syslog priority and/or facility, separated by a period, it can be an email address,
              or it can be a command to run.  The default value is daemon.notice.

       key_type
              This  is  the type of key pair which will be generated, used in certificate signing
              requests, and used when self-signing certificates.  RSA  is  supported.   EC  (also
              known as ECDSA) is also supported.  The default is RSA.

       symmetric_cipher
              This  is  the symmetric cipher which will be used to encrypt private keys stored in
              OpenSSL's PEM format.  Recognized values include aes128 and aes256.  The default is
              aes128.  It is not recommended that this value be changed except in cases where the
              default is incompatible with other software.

       digest This is the digest algorithm which will be used when  signing  certificate  signing
              requests  and  self-signed  certificates.   Recognized values include sha1, sha256,
              sha384, and sha512.  The default is sha256.  It is not recommended that this  value
              be changed except in cases where the default is incompatible with other software.

SELFSIGN

       Within the selfsign section, these variables and values are recognized:

       validity_period
              This  is  the  validity  period  given  to  self-signed certificates.  The value is
              specified as a combination of years (y), months (M), weeks  (w),  days  (d),  hours
              (h), minutes (m), and/or seconds (s).  If no unit of time is specified, seconds are
              assumed.  The default value is 1y.

       populate_unique_id
              This  controls  whether  or  not   self-signed   certificates   will   have   their
              subjectUniqueID and issuerUniqueID fields populated.  While RFC5280 prohibits their
              use, they may be needed and/or used by older applications.  The  default  value  is
              no.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) certmonger_selinux(8)