
FreeBSD Manual Pages

CERTMONGER(1)		    General Commands Manual		 CERTMONGER(1)

NAME
       getcert

SYNOPSIS
       getcert rekey [options]

DESCRIPTION
       Tells certmonger to generate a new key pair, generate a signing request
       for the public key, and submit the signing request to a CA for signing,
       in order to replace both a certificate and its private key.

SPECIFYING REQUESTS BY NICKNAME
       -i NAME, --id=NAME
              The new key pair will be generated and the new certificate will
              be obtained for the tracking request which has this nickname.
              If this option is not specified, and a tracking entry which
              matches the key and certificate storage options which are
              specified already exists, that entry will be used.  If not
              specified, the location of the certificate should be specified
              with either a combination of the -d and -n options, or with the
              -f option.

SPECIFYING REQUESTS BY CERTIFICATE LOCATION
       -d DIR, --dbdir=DIR
              The certificate is in the NSS database in the specified
              directory.

       -n NAME, --nickname=NAME
              The certificate in the NSS database named with -d has the
              specified nickname.  Only valid with -d.

       -t TOKEN, --token=TOKEN
              If the NSS database has more than one token available, the
              certificate is stored in this token.  This argument only rarely
              needs to be specified.  Only valid with -d.

       -f FILE,	--certfile=FILE
	      The certificate is stored	in the named file.

KEY GENERATION OPTIONS
       -G TYPE, --key-type=TYPE
              In case a new key pair needs to be generated, this option
              specifies the type of the keys to be generated.  If not
              specified, the current key type will be used.

       -g BITS,	--key-size=BITS
	      This  option  specifies the size of the new key to be generated.
	      If not specified,	a key of the same size	as  the	 existing  key
	      will be generated.

ENROLLMENT OPTIONS
       -c NAME,	--ca=NAME
	      Submit  the  new signing request to the specified	CA rather than
	      the one which was	previously associated with  this  certificate.
	      The  name	 of  the CA should correspond to one listed by getcert
	      list-cas.

       -T NAME,	--profile=NAME
	      Request a	certificate using  the	named  profile,	 template,  or
	      certtype,	from the specified CA.

       --ms-template-spec SPEC
              Include a V2 Certificate Template extension in the signing
              request.  This datum includes an Object Identifier, a major
              version number (positive integer) and an optional minor version
              number.  The format is: <oid>:<majorVersion>[:<minorVersion>].

       -X NAME,	--issuer=NAME
	      Request a	certificate using the named issuer from	the  specified
	      CA.

       -I NAME, --new-id=NAME
              Assign the specified nickname to this task, replacing the
              previous nickname.

SIGNING REQUEST OPTIONS
       -N NAME,	--subject-name=NAME
	      Change the subject name to include in the	signing	request.

       -u keyUsage, --key-usage=keyUsage
              Add an extensionRequest for the specified keyUsage to the
              signing request.  The keyUsage value is expected to be one of
              these names:

              digitalSignature
              nonRepudiation
              keyEncipherment
              dataEncipherment
              keyAgreement
              keyCertSign
              cRLSign
              encipherOnly
              decipherOnly

       -U EKU, --extended-key-usage=EKU
              Change the extendedKeyUsage value specified in an
              extendedKeyUsage extension part of the extensionRequest
              attribute in the signing request.  The EKU value is expected to
              be an object identifier (OID).

       -K NAME, --principal=NAME
              Change the Kerberos principal name specified as part of a
              subjectAltName extension part of the extensionRequest attribute
              in the signing request.

       -E EMAIL, --email=EMAIL
              Change the email address specified as part of a subjectAltName
              extension part of the extensionRequest attribute in the signing
              request.

       -D DNSNAME, --dns=DNSNAME
              Change the DNS name specified as part of a subjectAltName
              extension part of the extensionRequest attribute in the signing
              request.

       -A ADDRESS, --ip-address=ADDRESS
              Change the IP address specified as part of a subjectAltName
              extension part of the extensionRequest attribute in the signing
              request.

       -l FILE, --challenge-password-file=FILE
              Add an optional ChallengePassword value, read from the file, to
              the signing request.  A ChallengePassword is often required when
              the CA is accessed using SCEP.

       -L PIN, --challenge-password=PIN
              Add the argument value to the signing request as a
              ChallengePassword attribute.  A ChallengePassword is often
              required when the CA is accessed using SCEP.

OTHER OPTIONS
       -B COMMAND, --before-command=COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user before saving the certificates.

       -C COMMAND, --after-command=COMMAND
              Whenever the certificate or the CA's certificates are saved to
              the specified locations, run the specified command as the client
              user after saving the certificates.

       -a DIR, --ca-dbdir=DIR
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, save them to the
              specified NSS database.

       -F FILE, --ca-file=FILE
              Whenever the certificate is saved to the specified location, if
              root certificates for the CA are available, and when the local
              copies of the CA's root certificates are updated, save them to
              the specified file.

       --for-ca
	      Request a	CA certificate.

       --not-for-ca
	      Request a	non-CA certificate (the	default).

       --ca-path-length=LENGTH
	      Path length for CA certificate. Only valid with --for-ca.

       -w, --wait
	      Wait for the new certificate to be issued	and saved, or for  the
	      attempt to obtain	one using the new key to fail.

       --wait-timeout=TIMEOUT
	      Maximum time to wait for the certificate to be issued.

       -v, --verbose
              Be verbose about errors.  Normally, the details of an error
              received from the daemon will be suppressed if the client can
              make a diagnostic suggestion.
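       The options above are usually combined from a script rather than typed
       one at a time.  The following is an added shell example and is not part
       of certmonger or of this manual page.  It validates a keyUsage name
       against the list given under -u, checks the --ms-template-spec format
       described above, refuses a non-numeric key size, and prints the getcert
       rekey invocation it would run for a tracked request before running it.
       The nickname web-server, the key type and size, the OID arc, the
       timeout and the function names are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of certmonger: sanity-check a few getcert rekey
# arguments before handing them to the daemon, then build the command line.
# The nickname, key parameters, OID and timeout used below are constructed
# sample values, not anything taken from a real deployment.

# Accept only the keyUsage names listed under -u/--key-usage.
valid_key_usage() {
    case "$1" in
        digitalSignature|nonRepudiation|keyEncipherment|dataEncipherment) return 0 ;;
        keyAgreement|keyCertSign|cRLSign|encipherOnly|decipherOnly) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the --ms-template-spec format <oid>:<majorVersion>[:<minorVersion>]:
# a dotted-decimal OID with at least two arcs, a positive integer major
# version and an optional non-negative integer minor version.
valid_ms_template_spec() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+(\.[0-9]+)+:[1-9][0-9]*(:[0-9]+)?$'
}

# Compose the rekey invocation for a tracked request and print it as one
# line: $1 nickname, $2 key type, $3 key size, $4 keyUsage, $5 wait timeout
# in seconds, optional $6 ms-template-spec.  Returns 1 without printing the
# command if any argument fails validation.
build_rekey_args() {
    nick=$1; ktype=$2; bits=$3; usage=$4; timeout=$5; spec=${6:-}
    valid_key_usage "$usage" || { echo "bad keyUsage: $usage" >&2; return 1; }
    case "$bits" in
        ''|*[!0-9]*) echo "bad key size: $bits" >&2; return 1 ;;
    esac
    if [ -n "$spec" ] && ! valid_ms_template_spec "$spec"; then
        echo "bad ms-template-spec: $spec" >&2; return 1
    fi
    set -- rekey -i "$nick" -G "$ktype" -g "$bits" -u "$usage" \
        -w --wait-timeout="$timeout" -v
    [ -n "$spec" ] && set -- "$@" --ms-template-spec "$spec"
    echo "$*"
}

# Run the rekey only when certmonger's client is installed; otherwise just
# show the plan.  The values were validated above and contain no whitespace,
# so the unquoted expansion of $args is the intended word splitting.
run_rekey() {
    args=$(build_rekey_args "$@") || return 1
    if command -v getcert >/dev/null 2>&1; then
        getcert $args
    else
        echo "would run: getcert $args"
    fi
}

# Demo with constructed values: rekey the request nicknamed web-server with
# a fresh 3072-bit RSA key, asking for digitalSignature and waiting up to
# 120 seconds for the CA to answer.
run_rekey web-server RSA 3072 digitalSignature 120
```

       Because -w is passed, the wrapper blocks until the new certificate is
       saved or the attempt fails, so its exit status can be checked by the
       caller; -v keeps the daemon's error detail when a failure does occur.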

BUGS
       Please file tickets for any that you find at
       https://fedorahosted.org/certmonger/

SEE ALSO
       certmonger(8) getcert(1) getcert-add-ca(1) getcert-add-scep-ca(1)
       getcert-list-cas(1) getcert-list(1) getcert-modify-ca(1)
       getcert-refresh-ca(1) getcert-refresh(1) getcert-remove-ca(1)
       getcert-request(1) getcert-start-tracking(1) getcert-status(1)
       getcert-stop-tracking(1) certmonger-certmaster-submit(8)
       certmonger-dogtag-ipa-renew-agent-submit(8) certmonger-dogtag-submit(8)
       certmonger-ipa-submit(8) certmonger-local-submit(8)
       certmonger-scep-submit(8) certmonger_selinux(8)

certmonger Manual		 July 31, 2015			 CERTMONGER(1)
