Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

Appendix B. Working with certmonger

Part of managing machine authentication is managing machine certificates. On clients, IdM manages the certificate lifecycle with the certmonger service, which works together with the certificate authority (CA) provided by IdM.
The certmonger daemon and its command-line clients simplify the process of generating public/private key pairs, creating certificate requests, and submitting requests to the CA for signing. As part of managing certificates, the certmonger daemon monitors certificates for expiration and can renew certificates that are about to expire. The certificates that certmonger monitors are tracked in files stored in a configurable directory. The default location is /var/lib/certmonger/requests.
certmonger uses the IdM getcert command to manage all certificates. As covered in Section 3.4, “Examples: Installing with Different CA Configurations”, an IdM server can be configured to use different types of certificate authorities. The most common (and recommended) configuration is to use a full CA server, but it is also possible to use a much more limited, self-signed CA. The exact getcert command used by certmonger to communicate with the IdM backend depends on which type of CA is used. The ipa-getcert command is used with a full CA, while the selfsign-getcert command is used with a self-signed CA.


Because of general security issues, self-signed certificates are not typically used in production, but can be used for development and testing.

B.1. Requesting a Certificate with certmonger

With the IdM CA, certmonger uses the ipa-getcert command.
Certificates and keys are stored locally in plaintext files (.pem) or in an NSS database, identified by the certificate nickname. When requesting a certificate, then, the request should identify the location where the certificate will be stored and the nickname of the certificate. For example:
# ipa-getcert request -d /etc/pki/nssdb -n Server-Cert
The /etc/pki/nssdb file is the global NSS database, and Server-Cert is the nickname of this certificate. The certificate nickname must be unique within this database.
When requesting a certificate to be used with an IdM service, the -K option is required to specify the service principal. Otherwise, certmonger assumes the certificate is for a host. The -N option must specify the certificate subject DN, and the subject base DN must match the base DN for the IdM server, or the request is rejected.
$ ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/ -N ',O=EXAMPLE.COM'

Example B.1. Using certmonger for a Service

$ ipa-getcert request -r -f /etc/httpd/conf/ssl.crt/server.crt -k /etc/httpd/conf/ssl.key/server.key -N CN=`hostname --fqdn` -D `hostname` -U id-kp-serverAuth
The options vary depending on whether you are using a self-signed certificate (selfsign-getcert) and the desired configuration for the final certificate, as well as other settings. In Example B.1, “Using certmonger for a Service”, these are common options:
  • The -r option will automatically renew the certificate if the key pair already exists. This is used by default.
  • The -f option stores the certificate in the given file.
  • The -k option either stores the key in the given file or, if the key file already exists, uses the key in the file.
  • The -N option gives the subject name.
  • The -D option gives the DNS domain name.
  • The -U option sets the extended key usage flag.