.TH certmonger.conf 5 "12 May 2015" "certmonger Manual"
.SH NAME
certmonger.conf \- configuration file for certmonger
.SH DESCRIPTION
The \fIcertmonger.conf\fR file contains default settings used by certmonger.
Its format is more or less that of a typical INI-style file.
The only sections currently of note are named \fIdefaults\fR and \fIselfsign\fR.
.SH DEFAULTS
Within the \fIdefaults\fR section, these variables and values are recognized:
.IP notify_ttls
This is the list of times, given in seconds, before a certificate's not-after
validity date (often referred to as its expiration time) when \fIcertmonger\fR
should warn that the certificate will soon no longer be valid.
If this value is not specified, \fIcertmonger\fR will attempt to use the value
of the \fIttls\fR setting.
The default list of values is "2419200, 604800, 259200, 172800, 86400, 43200,
21600, 7200, 3600".
.IP enroll_ttls
This is the list of times, given in seconds, before a certificate's not-after
validity date (often referred to as its expiration time) when \fIcertmonger\fR
should attempt to automatically renew the certificate, if it is configured to
do so.
If this value is not specified, \fIcertmonger\fR will attempt to use the value
of the \fIttls\fR setting.
The default list of values is "2419200, 604800, 259200, 172800, 86400, 43200,
21600, 7200, 3600".
.IP notification_method
This is the method by which \fIcertmonger\fP will notify the system
administrator that a certificate will soon become invalid.
The recognized values are \fIsyslog\fP, \fImail\fP, and \fIcommand\fP.
The default is \fIsyslog\fP.
When sending mail, the notification message will be the mail message subject.
When invoking a command, the notification message will be available in the
"CERTMONGER_NOTIFICATION" environment variable.
.IP notification_destination
This is the destination to which \fIcertmonger\fP will send notifications.
It can be a syslog priority and/or facility, separated by a period, it can be
an email address, or it can be a command to run.
The default value is \fIdaemon.notice\fP.
.IP key_type
This is the type of key pair which will be generated, used in certificate
signing requests, and used when self-signing certificates.
.\" \fIRSA\fR is supported.
\fIRSA\fR and \fIDSA\fR are supported.
\fIEC\fR (also known as \fIECDSA\fR) is also supported.
The default is \fIRSA\fP.
.IP symmetric_cipher
This is the symmetric cipher which will be used to encrypt private keys stored
in OpenSSL's PEM format.
Recognized values include \fIaes128\fP and \fIaes256\fP.
The default is \fIaes128\fP.
It is not recommended that this value be changed except in cases where the
default is incompatible with other software.
.IP digest
This is the digest algorithm which will be used when signing certificate
signing requests and self-signed certificates.
Recognized values include \fIsha1\fP, \fIsha256\fP, \fIsha384\fP, and
\fIsha512\fP.
The default is \fIsha256\fP.
It is not recommended that this value be changed except in cases where the
default is incompatible with other software.
.IP nss_ca_trust
These are the trust attributes which are applied to CA certificates which
should be trusted, when they are saved to NSS databases.
The default is \fICT,C,C\fP.
.IP nss_other_trust
These are the trust attributes which are applied to certificates which are not
necessarily to be trusted, when they are saved to NSS databases.
The default is \fI,,\fP.
.IP max_key_use_count
When attempting to replace a certificate, if \fIcertmonger\fR has previously
obtained at least this number of certificates using the current key pair, it
will generate a new key pair to use before proceeding.
There is effectively no default for this setting.
.IP max_key_lifetime
The amount of time after a key was first generated when \fIcertmonger\fR will
attempt to generate a new key pair to replace it, as part of the process of
replacing a certificate.
The value is specified as a combination of years (y), months (M), weeks (w),
days (d), hours (h), minutes (m), and/or seconds (s).
If no unit of time is specified, seconds are assumed.
The date when a key was generated is not recorded if the key was not generated
by \fIcertmonger\fR, or if the key was generated with a version of
\fIcertmonger\fR older than 0.78, and for those cases, this option has no
effect.
There is effectively no default for this setting.
.SH SELFSIGN
Within the \fIselfsign\fR section, these variables and values are recognized:
.IP validity_period
This is the validity period given to self-signed certificates.
The value is specified as a combination of years (y), months (M), weeks (w),
days (d), hours (h), minutes (m), and/or seconds (s).
If no unit of time is specified, seconds are assumed.
The default value is \fI1y\fR.
.IP populate_unique_id
This controls whether or not self-signed certificates will have their
subjectUniqueID and issuerUniqueID fields populated.
While RFC5280 prohibits their use, they may be needed and/or used by older
applications.
The default value is \fIno\fR.
.SH LOCAL
Within the \fIlocal\fR section, these variables and values are recognized:
.IP validity_period
This is the validity period given to the locally-signed CA's certificate when
it is generated.
The value is specified as a combination of years (y), months (M), weeks (w),
days (d), hours (h), minutes (m), and/or seconds (s).
If no unit of time is specified, seconds are assumed.
If not set, the value of the \fIvalidity_period\fR setting from the
\fIselfsign\fR section, if one is set there, will be used.
The default value is \fI1y\fR.
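The following is an added example, not code from certmonger itself, showing how the duration syntax (y/M/w/d/h/m/s, bare numbers meaning seconds), the TTL lists and the fallbacks described above (enroll_ttls and notify_ttls to ttls, then to the built-in list; [local] validity_period to [selfsign] validity_period, then to 1y) resolve in practice. The sample configuration and the month and year lengths (30 and 365 days) are assumptions of this example.

```python
# Added example, not certmonger's own code: parse the duration syntax and TTL
# lists documented in certmonger.conf(5), honouring the manual's fallbacks.
# Assumes 1M = 30 days and 1y = 365 days; SAMPLE_CONF is a constructed sample.
import configparser
import re
SAMPLE_CONF = """
[defaults]
ttls = 2419200, 604800, 86400
enroll_ttls = 604800, 86400
max_key_lifetime = 2y
[selfsign]
validity_period = 1y
"""
DEFAULT_TTLS = "2419200, 604800, 259200, 172800, 86400, 43200, 21600, 7200, 3600"
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400,
                "M": 30 * 86400, "y": 365 * 86400}  # M, y lengths assumed

def parse_duration(spec):
    """'1y6M2w' -> seconds; a bare number is taken as seconds."""
    spec = spec.strip()
    if spec.isdigit():
        return int(spec)
    if not re.fullmatch(r"(\d+[yMwdhms])+", spec):
        raise ValueError("bad duration: %r" % spec)
    return sum(int(n) * UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+)([yMwdhms])", spec))

def parse_ttls(value):
    """Comma-separated seconds, largest first (earliest trigger first)."""
    return sorted((int(v) for v in value.split(",")), reverse=True)

def load(conf_text):
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp

def first_offsets(cp):
    """(first warning, first renewal) in seconds before not-after; each list
    falls back to 'ttls', then to the manual's built-in default list."""
    d = cp["defaults"]
    fallback = d.get("ttls", DEFAULT_TTLS)
    return (parse_ttls(d.get("notify_ttls", fallback))[0],
            parse_ttls(d.get("enroll_ttls", fallback))[0])

def local_validity(cp):
    """[local] validity_period, else [selfsign]'s, else the 1y default."""
    for section in ("local", "selfsign"):
        if cp.has_option(section, "validity_period"):
            return parse_duration(cp[section]["validity_period"])
    return parse_duration("1y")
```

With the sample above, the first warning fires 2419200 seconds before not-after (from ttls) while the first renewal attempt fires 604800 seconds before it (from enroll_ttls), and the local CA inherits the selfsign 1y validity.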
.SH BUGS
Please file tickets for any that you find at https://fedorahosted.org/certmonger/
.SH SEE ALSO
\fBcertmonger\fR(8), \fBcertmonger_selinux\fR(8)