CERTMONGER(1)		    General Commands Manual		 CERTMONGER(1)

NAME
       getcert

SYNOPSIS
       getcert resubmit [options]

DESCRIPTION
       Tells certmonger to generate (or regenerate) a signing request and
       submit (or resubmit) the signing request to a CA for signing.

SPECIFYING REQUESTS BY NICKNAME
       -i NAME, --id=NAME
              Resubmit a signing request for the tracking request which has
              this nickname.  If this option is not specified, and a tracking
              entry which matches the key and certificate storage options
              which are specified already exists, that entry will be used.  If
              not specified, the location of the certificate should be
              specified with either a combination of the -d and -n options, or
              with the -f option.

SPECIFYING REQUESTS BY CERTIFICATE LOCATION
       -d DIR, --dbdir=DIR
              The certificate is in the NSS database in the specified
              directory.

       -n NAME, --nickname=NAME
              The certificate in the NSS database named with -d has the
              specified nickname.  Only valid with -d.

       -t TOKEN, --token=TOKEN
              If the NSS database has more than one token available, the
              certificate is stored in this token.  This argument only rarely
              needs to be specified.  Only valid with -d.

       -f FILE, --certfile=FILE
              The certificate is stored in the named file.

ENROLLMENT OPTIONS
       -c NAME, --ca=NAME
              Submit the new signing request to the specified CA rather than
              the one which was previously associated with this certificate.
              The name of the CA should correspond to one listed by getcert
              list-cas.

       -T NAME, --profile=NAME
              Request a certificate using the named profile, template, or
              certtype, from the specified CA.

       --ms-template-spec SPEC
              Include a V2 Certificate Template extension in the signing
              request.  This datum includes an Object Identifier, a major
              version number (positive integer) and an optional minor version
              number.  The format is: <oid>:<majorVersion>[:<minorVersion>].

       -X NAME, --issuer=NAME
              Request a certificate using the named issuer from the specified
              CA.

       -I NAME, --id=NAME
              Assign the specified nickname to this task, replacing the
              previous nickname.

SIGNING REQUEST OPTIONS
       -N NAME, --subject-name=NAME
              Change the subject name to include in the signing request.

       -u keyUsage, --key-usage=keyUsage
              Add an extensionRequest for the specified keyUsage to the
              signing request.  The keyUsage value is expected to be one of
              these names:

              digitalSignature
              nonRepudiation
              keyEncipherment
              dataEncipherment
              keyAgreement
              keyCertSign
              cRLSign
              encipherOnly
              decipherOnly

       -U EKU, --extended-key-usage=EKU
              Change the extendedKeyUsage value specified in an
              extendedKeyUsage extension part of the extensionRequest
              attribute in the signing request.  The EKU value is expected to
              be an object identifier (OID).

       -K NAME, --principal=NAME
              Change the Kerberos principal name specified as part of a
              subjectAltName extension part of the extensionRequest attribute
              in the signing request.

       -E EMAIL, --email=EMAIL
              Change the email address specified as part of a subjectAltName
              extension part of the extensionRequest attribute in the signing
              request.

       -D DNSNAME, --dns=DNSNAME
              Change the DNS name specified as part of a subjectAltName
              extension part of the extensionRequest attribute in the signing
              request.

       -A ADDRESS, --ip-address=ADDRESS
              Change the IP address specified as part of a subjectAltName
              extension part of the extensionRequest attribute in the signing
              request.

       -l FILE, --challenge-password-file=FILE
              Add an optional ChallengePassword value, read from the file, to
              the signing request.  A ChallengePassword is often required when
              the CA is accessed using SCEP.

       -L PIN, --challenge-password=PIN
              Add the argument value to the signing request as a
              ChallengePassword attribute.  A ChallengePassword is often
              required when the CA is accessed using SCEP.

OTHER OPTIONS
       -B COMMAND, --before-command=COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user before saving the certificates.

       -C COMMAND, --after-command=COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user after saving the certificates.

       -a DIR, --ca-dbdir=DIR
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, save them to the
              specified NSS database.

       -F FILE, --ca-file=FILE
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, and when the local
              copies of the CA's root certificates are updated, save them to
              the specified file.

       --for-ca
              Request a CA certificate.

       --not-for-ca
              Request a non-CA certificate (the default).

       --ca-path-length=LENGTH
              Path length for CA certificate.  Only valid with --for-ca.

       -w, --wait
              Wait for the certificate to be reissued and saved, or for the
              attempt to obtain one to fail.

       --wait-timeout=TIMEOUT
              Maximum time to wait for the certificate to be issued.

       -v, --verbose
              Be verbose about errors.  Normally, the details of an error
              received from the daemon will be suppressed if the client can
              make a diagnostic suggestion.

       -o OWNER, --key-owner=OWNER
              After generation, set the owner on the private key file or
              database to OWNER.

       -m MODE, --key-perms=MODE
              After generation, set the file permissions on the private key
              file or database to MODE.

       -O OWNER, --cert-owner=OWNER
              After generation, set the owner on the certificate file or
              database to OWNER.

       -M MODE, --cert-perms=MODE
              After generation, set the file permissions on the certificate
              file or database to MODE.
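
       The following is an added example, not part of the certmonger
       distribution: a POSIX shell wrapper that checks the --ms-template-spec
       format, the keyUsage name and the permissions of the challenge-password
       file before calling getcert resubmit.  The function names and the
       GETCERT variable are hypothetical, and the OID and minor-version syntax
       it enforces are assumptions of the example.

```sh
#!/bin/sh
# Added example, not part of certmonger. Function names and the GETCERT
# override (used for dry runs) are hypothetical.
NL='
'

# --ms-template-spec: <oid>:<majorVersion>[:<minorVersion>]
# Major must be a positive integer; requiring a non-negative integer minor
# and a dotted-decimal OID with at least two arcs is this example's assumption.
valid_ms_template_spec() {
    case "$1" in *"$NL"*) return 1 ;; esac    # grep matches per line
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]+(\.[0-9]+)+:[1-9][0-9]*(:[0-9]+)?$'
}

# -u / --key-usage: accept only the names listed in this manual page.
valid_key_usage() {
    case "$1" in
        digitalSignature|nonRepudiation|keyEncipherment|dataEncipherment) ;;
        keyAgreement|keyCertSign|cRLSign|encipherOnly|decipherOnly) ;;
        *) return 1 ;;
    esac
}

# -l / --challenge-password-file: require a regular, non-symlink file with
# no group or other permission bits (columns 5-10 of the ls mode string).
private_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Usage: resubmit_checked NICKNAME TEMPLATE_SPEC KEY_USAGE CHALLENGE_FILE
# Fails before certmonger is contacted if any value is malformed.
resubmit_checked() {
    valid_ms_template_spec "$2" || { echo "bad template spec: $2" >&2; return 1; }
    valid_key_usage "$3" || { echo "bad keyUsage: $3" >&2; return 1; }
    private_file "$4" || { echo "unsafe challenge file: $4" >&2; return 1; }
    "${GETCERT:-getcert}" resubmit -i "$1" --ms-template-spec "$2" \
        -u "$3" -l "$4" -w
}
```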

BUGS
       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO
       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-rekey(1)
       getcert-remove-ca(1) getcert-request(1) getcert-start-tracking(1)
       getcert-status(1) getcert-stop-tracking(1)
       certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8)
       certmonger-scep-submit(8) certmonger_selinux(8)

certmonger Manual	       February	9, 2015			 CERTMONGER(1)
