certmonger.conf(5)
NAME
certmonger.conf - configuration file for certmonger
DESCRIPTION
The certmonger.conf file contains default settings used by certmonger.
Its format is more or less that of a typical INI-style file. The only
sections currently of note are named defaults and selfsign.
DEFAULTS
Within the defaults section, these variables and values are recognized:
notify_ttls
This is the list of times, given in seconds, before a certificate's not-after validity date (often referred to as its expiration time) when certmonger should warn that the certificate will soon no longer be valid. If this value is not specified, certmonger will attempt to use the value of the ttls setting. The default list of values is "2419200, 604800, 259200, 172800, 86400".
enroll_ttls
This is the list of times, given in seconds, before a certificate's not-after validity date (often referred to as its expiration time) when certmonger should attempt to automatically renew the certificate, if it is configured to do so. If this value is not specified, certmonger will attempt to use the value of the ttls setting. The default list of values is "2419200, 604800, 259200, 172800, 86400".
notification_method
This is the method by which certmonger will notify the system administrator that a certificate will soon become invalid. The recognized values are syslog, mail, and command. The default is syslog. When sending mail, the notification message will be the mail message subject. When invoking a command, the notification message will be available in the "CERTMONGER_NOTIFICATION" environment variable.
notification_destination
This is the destination to which certmonger will send notifications. It can be a syslog priority and/or facility, separated by a period, it can be an email address, or it can be a command to run. The default value is daemon.notice.
symmetric_cipher
This is the symmetric cipher which will be used to encrypt private keys stored in OpenSSL's PEM format. Recognized values include aes128 and aes256. The default is aes128. It is not recommended that this value be changed except in cases where the default is incompatible with other software.
digest
This is the digest algorithm which will be used when signing certificate signing requests and self-signed certificates. Recognized values include sha1, sha256, sha384, and sha512. The default is sha256. It is not recommended that this value be changed except in cases where the default is incompatible with other software.
SELFSIGN
Within the selfsign section, these variables and values are recognized:
validity_period
This is the validity period given to self-signed certificates. The value is specified as a combination of years (y), months (M), weeks (w), days (d), hours (h), minutes (m), and/or seconds (s). If no unit of time is specified, seconds are assumed. The default value is 1y.
populate_unique_id
This controls whether or not self-signed certificates will have their subjectUniqueID and issuerUniqueID fields populated. While RFC5280 prohibits their use, they may be needed and/or used by older applications. The default value is no.
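The following is an added example, not part of certmonger or of this manual page: a small Python checker that reads a certmonger.conf, parses the DEFAULTS values (the TTL lists, notification method, cipher and digest) and the SELFSIGN values (the validity_period unit syntax and populate_unique_id) described above, and reports settings a defender would want to review. The sample configuration is constructed for illustration; the month and year multipliers (30 and 365 days) and the cross-check that no enroll_ttls entry exceeds the self-signed validity period are this example's own assumptions, not behaviour the manual page specifies.

```python
import configparser
import re

# Constructed sample certmonger.conf (not from a real system); note the
# weakened digest and the oversized enroll_ttls entry that the checker flags.
SAMPLE_CONF = """\
[defaults]
notify_ttls = 2419200, 604800, 259200, 172800, 86400
enroll_ttls = 40000000, 604800, 86400
notification_method = syslog
notification_destination = daemon.notice
symmetric_cipher = aes256
digest = sha1

[selfsign]
validity_period = 1y
populate_unique_id = no
"""

DEFAULT_TTLS = "2419200, 604800, 259200, 172800, 86400"

# Seconds per validity_period unit from certmonger.conf(5).
# Months and years are approximated as 30 and 365 days (assumption).
UNIT_SECONDS = {
    "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800,
    "M": 30 * 86400, "y": 365 * 86400,
}


def parse_ttl_list(value):
    """Parse a comma-separated list of seconds such as "2419200, 604800"."""
    return [int(item.strip()) for item in value.split(",") if item.strip()]


def parse_validity_period(value):
    """Convert "1y", "2w3d" or a bare "3600" into seconds (bare = seconds)."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    total, pos = 0, 0
    for match in re.finditer(r"(\d+)([yMwdhms])", value):
        if match.start() != pos:  # reject stray characters between terms
            raise ValueError(f"unparsable validity_period: {value!r}")
        total += int(match.group(1)) * UNIT_SECONDS[match.group(2)]
        pos = match.end()
    if pos != len(value) or total == 0:
        raise ValueError(f"unparsable validity_period: {value!r}")
    return total


def check_conf(text):
    """Parse a certmonger.conf and return the settings plus review findings."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    defaults = cp["defaults"] if cp.has_section("defaults") else {}
    selfsign = cp["selfsign"] if cp.has_section("selfsign") else {}
    findings = []

    notify = parse_ttl_list(defaults.get("notify_ttls", DEFAULT_TTLS))
    enroll = parse_ttl_list(defaults.get("enroll_ttls", DEFAULT_TTLS))
    method = defaults.get("notification_method", "syslog").lower()
    cipher = defaults.get("symmetric_cipher", "aes128").lower()
    digest = defaults.get("digest", "sha256").lower()
    validity = parse_validity_period(selfsign.get("validity_period", "1y"))
    unique_id = selfsign.get("populate_unique_id", "no").lower()

    if method not in {"syslog", "mail", "command"}:
        findings.append(f"notification_method {method!r} is not recognized")
    if cipher not in {"aes128", "aes256"}:
        findings.append(f"symmetric_cipher {cipher!r} is not recognized")
    if digest not in {"sha1", "sha256", "sha384", "sha512"}:
        findings.append(f"digest {digest!r} is not recognized")
    elif digest == "sha1":
        findings.append("digest sha1 is weaker than the sha256 default")
    if any(t <= 0 for t in notify + enroll):
        findings.append("ttl lists must contain positive second counts")
    # Assumption: a renewal lead time longer than the self-signed lifetime
    # would trigger renewal immediately after issuance, so flag it.
    if any(t >= validity for t in enroll):
        findings.append("an enroll_ttls entry is not shorter than validity_period")
    if unique_id not in {"yes", "no"}:
        findings.append(f"populate_unique_id {unique_id!r} is not yes/no")
    elif unique_id == "yes":
        findings.append("populate_unique_id=yes sets fields RFC5280 prohibits")

    return {
        "notify_ttls": notify, "enroll_ttls": enroll, "digest": digest,
        "validity_seconds": validity, "findings": findings,
    }


if __name__ == "__main__":
    for line in check_conf(SAMPLE_CONF)["findings"]:
        print("finding:", line)
```

Run it against /etc/certmonger/certmonger.conf by reading the file into check_conf(); an empty findings list means every value is one the manual page recognizes and no renewal window is longer than the self-signed lifetime.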
BUGS
Please file tickets for any that you find at https://fedorahosted.org/certmonger/
SEE ALSO
certmonger(8)
certmonger Manual 19 April 2012 certmonger.conf(5)