Product SiteDocumentation Site

Chapter 18. Working with certmonger

18.1. Requesting a Certificate with certmonger
18.2. Storing Certificates in NSS Databases
18.3. Tracking Certificates with certmonger
Part of managing machine authentication is managing machine certificates. On clients, FreeIPA manages the certificate lifecycle with the certmonger service, which works together with the certificate authority (CA) provided by FreeIPA.
The certmonger daemon and its command-line clients simplify the process of generating public/private key pairs, creating certificate requests, and submitting requests to the CA for signing. As part of managing certificates, the certmonger daemon monitors certificates for expiration and can renew certificates that are about to expire. The certificates that certmonger monitors are tracked in files stored in a configurable directory. The default location is /var/lib/certmonger/requests.
certmonger uses the FreeIPA getcert command to manage all certificates. As covered in Section, “Using Different CA Configurations”, an FreeIPA server can be configured to use different types of certificate authorities. The most common (and recomended) configuration is to use a full CA server, but it is also possible to use a much more limited, self-signed CA. The exact getcert command used by certmonger to communicate with the FreeIPA backend depends on which type of CA is used. The ipa-getcert command is used with a full CA, while the selfsign-getcert command is used with a self-signed CA.


Because of general security issues, self-signed certificates are not typically used in production, but can be used for development and testing.

18.1. Requesting a Certificate with certmonger

With the FreeIPA CA, certmonger uses the ipa-getcert command.
Certificates and keys are stored locally in plaintext files (.pem) or in an NSS database, identified by the certificate nickname. When requesting a certificate, then, the request should identify the location where the certificate will be stored and the nickname of the certificate. For example:
# ipa-getcert request -d /etc/pki/nssdb -n Server-Cert
The /etc/pki/nssdb file is the global NSS database, and Server-Cert is the nickname of this certificate. The certificate nickname must be unique within this database.
When requesting a certificate to be used with a FreeIPA service, the -K option is required to specify the service principal. Otherwise, certmonger assumes the certificate is for a host. The -N option must specify the certificate subject DN, and the subject base DN must match the base DN for the FreeIPA server, or the request is rejected.
$ ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/ -N ',O=EXAMPLE.COM'
Example 18.1. Using certmonger for a Service
$ ipa-getcert request -r -f /etc/httpd/conf/ssl.crt/server.crt -k /etc/httpd/conf/ssl.key/server.key -N CN=`hostname --fqdn` -D `hostname` -U id-kp-serverAuth

The options vary depending on whether you are using a self-signed certificate (selfsign-getcert) and the desired configuration for the final certificate, as well as other settings. In Example 18.1, “Using certmonger for a Service”, these are common options:
  • The -r option will automatically renew the certificate if the key pair already exists. This is used by default.
  • The -f option stores the certificate in the given file.
  • The -k option either stores the key in the given file or, if the key file already exists, uses the key in the file.
  • The -N option gives the subject name.
  • The -D option gives the DNS domain name.
  • The -U option sets the extended key usage flag.