Jump to: navigation, search



The certmonger daemon monitors certificates for impending expiration, and can optionally refresh soon-to-be-expired certificates with the help of a CA. If told to, it can drive the entire enrollment process from key generation through enrollment and refresh.

It can work with either flat files, like those used by OpenSSL, or with NSS databases.


The certmonger command-line too, getcert is a very generic tool that can manage the certificates you are tracking. A superset of this too, ipa-getcert works specifically with an IPA CA. ipa-getcert is equivalent to getcert -c IPA

Common Usage

For the NSS cases this assumes there is no password associated with the NSS database. If there is then the key must be in a file readable by certmonger and passed in using the -p option.

Get a list of currently tracked certificates

The difference between "all" and "IPA-issued" is subtle. An IPA-issued certificate means it was issued using the XML-RPC API provided by IPA. It does not refer to any certificate issued by the IPA CA. There are some certificates, such as some subsystem certificates of the CA itself, than can be tracked by certmonger but are not issued by the XML-RPC API.

Anatomy of a tracked certificate

A typical OpenSSL certificate looks like this:

Request ID '20120912211542':
       status: MONITORING
       stuck: no
       key pair storage: type=FILE,location='/etc/ssl/private.key'
       certificate: type=FILE,location='/etc/ssl/server.crt'
       CA: IPA
       issuer: CN=Certificate Authority,O=EXAMPLE.COM
       subject: CN=edsel.greyoak.com,O=EXAMPLE.COM
       expires: 2014-09-13 21:15:44 UTC
       eku: id-kp-serverAuth,id-kp-clientAuth
       pre-save command: 
       post-save command: 
       track: yes
       auto-renew: yes

You'll need the Request ID when running other certmonger commands.

The status MONITORING means that the certificate is valid and being tracked by certmonger.

The key and certificate values indicate where the OpenSSL private key and certificate are stored in the filesystem.

The CA type is IPA. This was passed in as the -c option of getcert, or automatically set to IPA by ipa-getcert.

The issuer is the subject of the CA that issued the certificate.

The subject is the subject of the certificate in the certificate file.

The expiration date is UTC. By default certmonger will start trying to renew the certificate 28 days before it expires.

eku lists the Enhanced Key Usage (EKU) extensions of the certificate. By default IPA certificates are usable both as server and client certificates.

The pre and post-save commands define commands that are executed before and after the renewal process. This can be used, for example, to restart a service when a certificate is renewed.

All tracked certificates

# getcert list

All IPA-issued certificate

# ipa-getcert list

The difference is that IPA is treated as a special CA by certmonger. This is the equivalent of:

 # getcert list -c IPA

Request a new certificate

This will generate a new key pair, create a CSR and request a certificate from the IPA server configured in /etc/ipa/default.conf, authenticating using the machine's host service principal in /etc/krb5.keytab.


#  ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r


# ipa-getcert request -d /path/to/database -n 'Test' -r

Manually renew a certificate

If you want to manually renew a certificate prior to its expiration date, run:

# ipa-getcert resubmit -i REQUEST_ID

Stop tracking a certificate

To tell certmonger to forget about a certificate and stop tracking it run:

# ipa-getcert stop-tracking -i REQUEST_ID

This does not touch the certificate or keys, it merely tells certmonger to not track it.

Issue a certificate with specific properties

To issue a certificate with specific CN or other properties, specify additional options to the utility. getcert has a lot of flexibility with options described in its manual page. For example, to issue a certificate for Nginx to use a specific fully qualified hostname on a host without it, use following sequence:

# cd /etc/nginx/ssl
# fqdn=$(hostname -f); REALM=(hostname -d|tr '[:lower:]' '[:upper:]'); 
# ipa-getcert request -f $fqdn.crt -k $fqdn.key -r -K HTTP/$fqdn@$REALM -N $fqdn

External Documentation

How Certmonger finds an IPA CA

Certmonger will first look in /etc/ipa/default.conf for the value of xmlrpc_uri and use that to make the certificate request for IPA.

Any IPA Master, even those that do not have a CA locally installed, can handle a certificate request by proxying the request to a master that does have a CA.

If the request fails due to a connect error Certmonger will next look for a value of server in /etc/ipa/default.conf. If one is found then a similar request is made to the value of server plus /ipa/xm.

If there is no server defined, and there likely will not be given this directive is deprecated, then an LDAP search will be done using the default LDAP search values in /etc/openldap/ldap.conf for the list of IPA Masters that have a CA. One of these masters, if any, will be picked by certmonger and the request will be made again. If this request fails then certmonger will give up.