Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

7.21. certmonger

Updated certmonger packages that fix two bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The certmonger service monitors certificates, warns of their impending expiration, and optionally attempts to renew certificates by enrolling the system with a certificate authority (CA).

Bug Fixes

Prior to this update, after the user upgraded from Red Hat Enterprise Linux 6.5 to Red Hat Enterprise Linux 6.6 and rebooted the system, certmonger in some cases erroneously exited shortly after starting or performed a series of unnecessary checks for new certificates. A patch has been applied to fix this bug, and these problems no longer occur in the described situation.
Previously, the "getcert list" command did not display the "pre-save command" and "post-save command" values. As a consequence, running "getcert list" could return incomplete results. With this update, the problem has been fixed, and running "getcert list" displays the "pre-save command" and "post-save command" values as expected.


The certmonger service now supports the Simple Certificate Enrollment Protocol (SCEP). For obtaining certificates from servers, the user can now offer enrollment over SCEP.
Requesting a certificate using the getcert utility during an IdM client kickstart enrollment no longer requires certmonger to be running. Previously, an attempt to do this failed because certmonger was not running. With this update, getcert can successfully request a certificate in the described situation, on the condition that the D-Bus daemon is not running. Note that certmonger requires a system reboot to start monitoring the certificate obtained in this way.
Previously, after the user ran the "getcert list" command, the output included the PIN value if it was set for the certificate. Consequently, the user could unintentionally expose the PIN, for example by publicly sharing the output of the command. With this update, the "getcert list" output only contains a note that a PIN is set for the certificate. As a result, the PIN value itself is no longer displayed in the "getcert list" output.
Users of certmonger are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.