Provided by: certmonger_0.74-0ubuntu1_amd64

NAME

       getcert

SYNOPSIS

       getcert request [options]

DESCRIPTION

       Tells  certmonger  to  use  an existing key pair (or to generate one if one is not already
       found in the specified location), to generate a signing request using the key pair, and to
       submit them for signing to a CA.

KEY AND CERTIFICATE STORAGE OPTIONS

       -d DIR Use  an  NSS  database  in the specified directory for storing this certificate and
              key.

       -n NAME
              Use the key with this nickname to generate the signing request.  If no such key  is
              found, generate one.  Give the enrolled certificate this nickname, too.  Only valid
              with -d.

       -t TOKEN
              If the NSS database has more than one token available, use the token with this name
              for storing and accessing the certificate and key.  This argument only rarely needs
              to be specified.  Only valid with -d.

       -f FILE
              Store the issued certificate in this file.  For safety's sake, do not use the  same
              file specified with the -k option.

       -k FILE
              Use  the  key stored in this file to generate the signing request.  If no such file
              is found, generate a new key pair and store them in the file.  Only valid with -f.

KEY ENCRYPTION OPTIONS

       -p FILE
              Encrypt private key files or databases using the PIN stored in the  named  file  as
              the passphrase.

       -P PIN Encrypt  private  key files or databases using the specified PIN as the passphrase.
              Because command-line arguments to running processes are trivially discoverable, use
              of this option is not recommended except for testing.

KEY GENERATION OPTIONS

       -G TYPE
              In case a new key pair needs to be generated, this option specifies the type of the
              keys to be generated.  If not specified, a reasonable default (currently RSA)  will
              be used.

       -g BITS
              In case a new key pair needs to be generated, this option specifies the size of the
              key.  If not specified, a reasonable default (currently 2048 bits) will be used.

TRACKING OPTIONS

       -r     Attempt to obtain a new certificate from the CA  when  the  expiration  date  of  a
              certificate nears.  This is the default setting.

       -R     Don't attempt to obtain a new certificate from the CA when the expiration date of a
              certificate nears.  If this option is specified, an expired certificate will simply
              stay expired.

       -I NAME
              Assign  the  specified  nickname  to this task.  If this option is not specified, a
              name will be assigned automatically.

ENROLLMENT OPTIONS

       -c NAME
              Enroll with the specified CA rather than a possible default.  The name  of  the  CA
              should correspond to one listed by getcert list-cas.

       -T NAME
              Request  a  certificate  using  the  named profile, template, or certtype, from the
              specified CA.

SIGNING REQUEST OPTIONS

       If none of -N, -U, -K, -E, and -D are specified, a default group of settings will be  used
       to  request an SSL server certificate for the current host, with the host Kerberos service
       as an additional name.

       -N NAME
              Set the subject name to include in  the  signing  request.   The  default  used  is
              CN=hostname, where hostname is the local hostname.

       -u keyUsage
              Add  an  extensionRequest  for  the specified keyUsage to the signing request.  The
              keyUsage value is expected to be one of these names:

              digitalSignature

              nonRepudiation

              keyEncipherment

              dataEncipherment

              keyAgreement

              keyCertSign

              cRLSign

              encipherOnly

              decipherOnly

       -U EKU Add an extensionRequest for the specified extendedKeyUsage to the signing  request.
              The EKU value is expected to be an object identifier (OID), but some specific names
              are also recognized.  These are some names and their associated OID values:

              id-kp-serverAuth 1.3.6.1.5.5.7.3.1

              id-kp-clientAuth 1.3.6.1.5.5.7.3.2

              id-kp-codeSigning 1.3.6.1.5.5.7.3.3

              id-kp-emailProtection 1.3.6.1.5.5.7.3.4

              id-kp-timeStamping 1.3.6.1.5.5.7.3.8

              id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9

              id-pkinit-KPClientAuth 1.3.6.1.5.2.3.4

              id-pkinit-KPKdc 1.3.6.1.5.2.3.5

              id-ms-kp-sc-logon 1.3.6.1.4.1.311.20.2.2

       -K NAME
              Add an extensionRequest for a subjectAltName, with the specified Kerberos principal
              name as its value, to the signing request.

       -E EMAIL
              Add  an  extensionRequest for a subjectAltName, with the specified email address as
              its value, to the signing request.

       -D DNSNAME
              Add an extensionRequest for a subjectAltName, with the specified DNS  name  as  its
              value, to the signing request.

OTHER OPTIONS

       -B command
              Whenever the certificate is saved to the specified  location,  run  the  specified
              command as the client user before saving the certificate.

       -C command
              Whenever the certificate is saved to the specified  location,  run  the  specified
              command as the client user after saving the certificate.

       -v     Be  verbose  about  errors.   Normally,  the  details of an error received from the
              daemon will be suppressed if the client can make a diagnostic suggestion.
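       The following shell snippet is an added example (not part of certmonger or of this manual
       page).  It assembles a getcert request command line for a TLS server certificate using the
       file-based storage options above, and enforces two points this page makes before anything
       is submitted: -f and -k must not name the same file, and the PIN should come from a file
       via -p rather than from the -P argument, which other users can read from the process list.
       The paths, hostnames and the reload command passed to -C are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not certmonger project code.  All paths/hostnames are constructed.

# build_request CERTFILE KEYFILE PINFILE HOSTNAME [ALT_DNS...]
# Prints the getcert command line on stdout; returns 1 on a policy violation.
build_request() {
    cert="$1"; key="$2"; pin="$3"; host="$4"; shift 4
    # The page warns against storing cert and key in the same file (-f vs -k).
    if [ "$cert" = "$key" ]; then
        echo "refusing: -f and -k must not be the same file ($cert)" >&2
        return 1
    fi
    # Require a PIN file: -P PIN puts the passphrase into argv, visible system-wide.
    if [ -z "$pin" ]; then
        echo "refusing: a PIN file (-p) is required; -P would expose the PIN" >&2
        return 1
    fi
    cmd="getcert request -f $cert -k $key -p $pin"
    # Subject and SANs: CN=hostname plus one -D per DNS name (primary first).
    cmd="$cmd -N CN=$host -D $host"
    for alt in "$@"; do
        cmd="$cmd -D $alt"
    done
    # EKU and keyUsage names taken from the lists in the -U and -u descriptions.
    cmd="$cmd -U id-kp-serverAuth -u digitalSignature -u keyEncipherment"
    # Post-save hook (-C): assumed reload command for the service using the cert.
    cmd="$cmd -C 'systemctl reload httpd'"
    printf '%s\n' "$cmd"
}

# make_pinfile FILE PIN: write the PIN with mode 0600 so only the owner (and the
# certmonger daemon, which must be able to read it) can see the passphrase.
make_pinfile() {
    ( umask 077; printf '%s\n' "$2" > "$1" ) && chmod 0600 "$1"
}
```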

NOTES

       Locations specified for  key  and  certificate  storage  need  to  be  accessible  to  the
       certmonger daemon process.  When run as a system daemon on a system which uses a mandatory
       access control mechanism such as SELinux, the system policy must ensure that the daemon is
       allowed  to  access  the locations where certificates and keys that it will manage will be
       stored.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8) getcert(1) getcert-list(1) getcert-list-cas(1) getcert-resubmit(1)
       getcert-start-tracking(1) getcert-stop-tracking(1) certmonger-certmaster-submit(8)
       certmonger-ipa-submit(8) certmonger_selinux(8)