Chapter 12. Working with certmonger
The certmonger service manages the certificate life cycle for applications and, if properly configured, can work together with a certificate authority (CA) to renew certificates. The certmonger daemon and its command-line clients simplify the process of generating public/private key pairs, creating certificate requests, and submitting requests to the CA for signing. The certmonger daemon monitors certificates for expiration and can renew certificates that are about to expire. The certificates that certmonger monitors are tracked in files stored in a configurable directory. The default location is

The certmonger daemon cannot revoke certificates. A certificate can only be revoked by the relevant certificate authority, which needs to invalidate the certificate and update its Certificate Revocation List.
12.1. certmonger and Certificate Authorities
certmonger can automatically obtain three kinds of certificates that differ in what authority source the certificate employs:
- Self-signed certificate: Generating a self-signed certificate does not involve any CA, because each certificate is signed using the certificate's own key. The software that is verifying a self-signed certificate needs to be instructed to trust that certificate directly in order to verify it. To obtain a self-signed certificate, run the
- Certificate from the Dogtag Certificate System CA as part of Red Hat Enterprise Linux IdM: To obtain a certificate using an IdM server, run the
- Certificate signed by a local CA present on the system: The software that is verifying a certificate signed by a local signer needs to be instructed to trust certificates from this local signer in order to verify them. To obtain a locally-signed certificate, run the
Other certificate authorities can also use certmonger to manage certificates, but support must be added to certmonger by creating special CA helpers. For more information on how to create CA helpers, see the certmonger project documentation at https://pagure.io/certmonger/blob/master/f/doc/submit.txt.
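The following is an added example of the kind of CA helper that paragraph refers to; it is not code from the certmonger project or from this guide. It assumes the helper protocol described in submit.txt (the operation arrives in CERTMONGER_OPERATION, the PEM request in CERTMONGER_CSR, and the exit code reports the result: 0 issued, 1 rejected, 2 CA unreachable, 6 operation not supported); LOCAL_CA_DIR and VALIDITY_DAYS are settings invented for this example, and signing is done with OpenSSL.

```shell
#!/bin/sh
# Added example: a minimal certmonger CA helper that signs requests with a
# local OpenSSL CA. Assumed helper protocol, as described in doc/submit.txt:
#   CERTMONGER_OPERATION  operation requested (SUBMIT, IDENTIFY, POLL, ...)
#   CERTMONGER_CSR        PEM-encoded certificate request (for SUBMIT)
#   exit 0 = issued (certificate on stdout), 1 = rejected (reason on stdout),
#   2 = CA unreachable, 6 = operation not supported.
# LOCAL_CA_DIR and VALIDITY_DAYS are hypothetical settings of this example.

# Accept only a single PEM certificate request: the CSR is untrusted input
# that is about to be fed to a signing key, so parse it strictly.
validate_csr() {
  csr="$1"
  [ -n "$csr" ] || return 1
  case "$csr" in
    *"-----BEGIN CERTIFICATE REQUEST-----"*"-----END CERTIFICATE REQUEST-----"*) ;;
    *) return 1 ;;
  esac
  [ "$(printf '%s\n' "$csr" | grep -c -- '-----BEGIN CERTIFICATE REQUEST-----')" -eq 1 ]
}

# Sign the request; keep validity short, renewal is what certmonger is for.
sign_csr() {
  dir="${LOCAL_CA_DIR:-/etc/local-ca}"
  printf '%s\n' "$1" | openssl x509 -req -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "${VALIDITY_DAYS:-90}" 2>/dev/null
}

ca_helper() {
  dir="${LOCAL_CA_DIR:-/etc/local-ca}"
  case "${CERTMONGER_OPERATION:-}" in
    IDENTIFY)
      echo "example local OpenSSL CA helper"; return 0 ;;
    SUBMIT)
      if ! validate_csr "${CERTMONGER_CSR:-}"; then
        echo "Rejected: input is not a single PEM certificate request"; return 1
      fi
      if [ ! -r "$dir/ca.key" ] || [ ! -r "$dir/ca.crt" ]; then
        echo "CA key or certificate not readable in $dir"; return 2
      fi
      cert="$(sign_csr "$CERTMONGER_CSR")" || { echo "Signing failed"; return 2; }
      printf '%s\n' "$cert"; return 0 ;;
    *)
      # POLL, FETCH-ROOTS, template queries: not needed for a synchronous CA.
      return 6 ;;
  esac
}
# Dispatch only when invoked by certmonger; sourcing just defines the functions.
if [ -n "${CERTMONGER_OPERATION:-}" ]; then ca_helper; exit $?; fi
```

Installed as an executable and registered with certmonger as a CA, the helper is run once per request; a CA that issues asynchronously would additionally need the POLL operation.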