The certmonger daemon monitors certificates for impending expiration, and can optionally refresh soon-to-be-expired certificates with the help of a CA. If told to, it can drive the entire enrollment process from key generation through enrollment and refresh.
It can work with either flat files, like those used by OpenSSL, or with NSS databases.
The certmonger command-line tool, getcert, is a very generic tool that can manage the certificates you are tracking. A superset of this tool, ipa-getcert, works specifically with an IPA CA. ipa-getcert is equivalent to
getcert -c IPA
For the NSS cases this assumes there is no password associated with the NSS database. If there is, the password (PIN) must be in a file readable by certmonger and passed in using the -p option.
Get a list of currently tracked certificates
The difference between "all" and "IPA-issued" is subtle. An IPA-issued certificate is one that was issued using the XML-RPC API provided by IPA. The term does not cover every certificate issued by the IPA CA. Some certificates, such as some subsystem certificates of the CA itself, can be tracked by certmonger but are not issued through the XML-RPC API.
Anatomy of a tracked certificate
A typical OpenSSL certificate looks like this:
Request ID '20120912211542':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/etc/ssl/private.key'
    certificate: type=FILE,location='/etc/ssl/server.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=edsel.greyoak.com,O=EXAMPLE.COM
    expires: 2014-09-13 21:15:44 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
You'll need the Request ID when running other certmonger commands.
The status MONITORING means that the certificate is valid and being tracked by certmonger.
The key and certificate values indicate where the OpenSSL private key and certificate are stored in the filesystem.
The CA type is IPA. This was passed in as the -c option of getcert, or automatically set to IPA by ipa-getcert.
The issuer is the subject of the CA that issued the certificate.
The subject is the subject of the certificate in the certificate file.
The expiration date is UTC. By default certmonger will start trying to renew the certificate 28 days before it expires.
eku lists the Enhanced Key Usage (EKU) extensions of the certificate. By default IPA certificates are usable both as server and client certificates.
The pre and post-save commands define commands that are executed before and after the renewal process. This can be used, for example, to restart a service when a certificate is renewed.
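The fields described above can be checked mechanically. The following is an added example, not part of the original page or of certmonger itself: it parses `getcert list` output and flags requests that are not in MONITORING, are stuck, have tracking or auto-renew turned off, or are inside the 28-day renewal window. The second sample request and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample in the `getcert list` layout; the second request is invented.
SAMPLE = """\
Request ID '20120912211542':
    status: MONITORING
    stuck: no
    expires: 2014-09-13 21:15:44 UTC
    track: yes
    auto-renew: yes
Request ID '20990101000000':
    status: CA_UNREACHABLE
    stuck: no
    expires: 2014-08-20 00:00:00 UTC
    track: yes
    auto-renew: no
"""

def parse_requests(text):
    """Split `getcert list` output into {request_id: {field: value}}."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            # Split on the first colon only: values contain colons (timestamps).
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def audit(text, now, window_days=28):
    """Return {request_id: [findings]} for requests that need attention."""
    report = {}
    for rid, f in parse_requests(text).items():
        issues = []
        if f.get("status") != "MONITORING" or f.get("stuck") == "yes":
            issues.append("status is %s (stuck: %s)" % (f.get("status"), f.get("stuck")))
        if f.get("track") != "yes" or f.get("auto-renew") != "yes":
            issues.append("tracking or auto-renew is off")
        if f.get("expires"):
            exp = datetime.strptime(f["expires"], "%Y-%m-%d %H:%M:%S UTC")
            left = exp.replace(tzinfo=timezone.utc) - now
            if left <= timedelta(0):
                issues.append("certificate has expired")
            elif left <= timedelta(days=window_days):
                issues.append("inside the %d-day renewal window" % window_days)
        if issues:
            report[rid] = issues
    return report
```

To use it on a live host, pass the captured output of `getcert list` and `datetime.now(timezone.utc)` to `audit()`.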
All tracked certificates
# getcert list
All IPA-issued certificates
# ipa-getcert list
The difference is that IPA is treated as a special CA by certmonger. This is the equivalent of:
# getcert list -c IPA
Request a new certificate
This will generate a new key pair, create a CSR and request a certificate from the IPA server configured in /etc/ipa/default.conf, authenticating using the machine's host service principal in
# ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r
# ipa-getcert request -d /path/to/database -n 'Test' -r
Manually renew a certificate
If you want to manually renew a certificate prior to its expiration date, run:
# ipa-getcert resubmit -i REQUEST_ID
Stop tracking a certificate
To tell certmonger to forget about a certificate and stop tracking it, run:
# ipa-getcert stop-tracking -i REQUEST_ID
This does not touch the certificate or keys; it merely tells certmonger not to track it.
How Certmonger finds an IPA CA
Certmonger will first look in /etc/ipa/default.conf for the value of xmlrpc_uri and use that to make the certificate request for IPA.
Any IPA Master, even those that do not have a CA locally installed, can handle a certificate request by proxying the request to a master that does have a CA.
If the request fails due to a connect error, Certmonger will next look for a value of server in /etc/ipa/default.conf. If one is found, a similar request is made to the value of server plus /ipa/xm.
If there is no server defined, and there likely will not be given that this directive is deprecated, then an LDAP search will be done, using the default LDAP search values in /etc/openldap/ldap.conf, for the list of IPA Masters that have a CA. One of these masters, if any, will be picked by certmonger and the request will be made again. If this request fails, certmonger will give up.