certmonger manages, tracks and renews certificates on Linux systems
certmonger
certmonger consists of two main components:
certmonger daemon
Tracks the list of certificates and supports renewing them
getcert command-line CLI
Sends commands to certmonger from the command line to manage certificates
Installation
apt install -y certmonger
systemctl enable certmonger.service
Using getcert
$ getcert
getcert - client certificate enrollment tool
Usage: getcert command [options]
request request a new certificate from a CA
start-tracking begin monitoring an already-issued certificate
stop-tracking stop monitoring a certificate
resubmit resubmit an in-progress enrollment request, or start a new one
rekey generate a new private key and replace a certificate
refresh check on the status of an in-progress enrollment request
list list certificates being monitored and requested
status check the status of a certificate being monitored or requested
add-ca add a CA configuration
add-scep-ca add an SCEP CA configuration
list-cas list known CA configurations
modify-ca modify a CA configuration
refresh-ca refresh cache of all information obtained from a CA
remove-ca remove a CA configuration
# Request a new certificate
$ getcert request -K HTTP/domain.xiexianbin.cn -k /etc/pki/tls/private/httpd.key -f /etc/pki/tls/certs/httpd.crt -g 2048 -D domain.xiexianbin.cn -C "systemctl restart httpd"
# List the certificates tracked by certmonger
$ getcert list
$ getcert list -i <name> -v
# Start or stop tracking a certificate
$ getcert stop-tracking -i <name>
$ getcert start-tracking -c IPA -k /etc/pki/tls/private/httpd.key -f /etc/pki/tls/certs/httpd.crt
# Renew a certificate; tracked certificates are renewed automatically
$ getcert resubmit -i <name>
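As an added example (not from the original page or the certmonger project), a POSIX sh audit of `getcert list` output that flags tracking requests which will not renew by themselves: a status other than MONITORING, a stuck request, auto-renew disabled, or a certificate that has already expired. The field names follow getcert's list format; the sample output embedded below is constructed, not captured from a real host.

```sh
#!/bin/sh
# Constructed sample of `getcert list` output with two tracked requests:
# one healthy, one that certmonger cannot renew on its own.
SAMPLE_GETCERT_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20240101000000':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/etc/pki/tls/private/httpd.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/httpd.crt'
    CA: IPA
    subject: CN=domain.xiexianbin.cn
    expires: 2030-01-01 00:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20240102000000':
    status: CA_UNREACHABLE
    stuck: yes
    key pair storage: type=FILE,location='/etc/pki/tls/private/ldap.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/ldap.crt'
    CA: IPA
    subject: CN=ldap.example.test
    expires: 2024-03-01 00:00:00 UTC
    track: yes
    auto-renew: no
EOF
)

# audit_tracking [YYYY-MM-DD]: read `getcert list` output on stdin and print
# "<request id> <reason>" for every request needing operator attention.
# The optional argument is "today" (defaults to the current UTC date) and is
# compared lexicographically with the date part of the "expires:" field.
audit_tracking() {
    awk -v today="${1:-$(date -u +%Y-%m-%d)}" '
        /^Request ID/ { flush(); id = $3; gsub(/[^0-9A-Za-z]/, "", id); next }
        /^[ \t]*status:/     { status = $2 }
        /^[ \t]*stuck:/      { stuck = $2 }
        /^[ \t]*auto-renew:/ { autorenew = $2 }
        /^[ \t]*expires:/    { expires = $2 }
        END { flush() }
        function flush() {
            if (id == "") return
            if (status != "MONITORING") print id, "status=" status
            if (stuck == "yes")         print id, "stuck"
            if (autorenew != "yes")     print id, "auto-renew=" autorenew
            if (expires ~ /^[0-9]/ && expires <= today) print id, "expired", expires
            id = ""; status = ""; stuck = ""; autorenew = ""; expires = ""
        }
    '
}
```

On a live host run `getcert list | audit_tracking` and investigate every request it prints, since `getcert resubmit -i <name>` only helps once the CA is reachable again.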