certmonger [-s|-S] [-b TIMEOUT|-B] [-n|-f] [-d LEVEL] [-p FILE] [-F] [-C cmd]


The certmonger daemon monitors certificates for impending expiration, and can optionally refresh soon-to-be-expired certificates with the help of a CA. If told to, it can drive the entire enrollment process from key generation through enrollment and refresh.

The daemon provides a control interface via the org.fedorahosted.certmonger service, with which client tools such as getcert(1) interact.



-s

Listen on the session bus rather than the system bus.

-S

Listen on the system bus rather than the session bus. This is the default.

-b TIMEOUT

Behave as a bus-activated service: if there are no certificates to be monitored or obtained, and no requests are received within TIMEOUT seconds, exit.

-B

Don't behave as a bus-activated service. This is the default.

-n

Don't fork, and log messages to stderr rather than syslog.

-f

Do fork, and log messages to syslog rather than stderr. This is the default.

-d LEVEL

Set debugging level. Higher values produce more debugging output. Implies -n.

-p FILE

Store the daemon's process ID in the named file.

-F

Force NSS to be initialized in FIPS mode. The default behavior is to heed the setting stored in /proc/sys/crypto/fips_enabled.

-C cmd

After the service has initialized, run the specified command, then shut down the service after the command exits.


The set of certificates being monitored or signed is tracked using files stored under /var/lib/certmonger/requests, or in a directory named by the CERTMONGER_REQUESTS_DIR environment variable.

The set of known CAs is tracked using files stored under /var/lib/certmonger/cas, or in a directory named by the CERTMONGER_CAS_DIR environment variable.

Temporary files will be stored in "/var/run/certmonger", or in the directory named by the CERTMONGER_TMPDIR environment variable if that value was not given at compile time.
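
The shell functions below are an added example, not part of certmonger or its manual page. They resolve the requests and CA directories as described above (environment variable first, then the default path) and list any entry that group or other can write to; the function names and the choice of permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit certmonger's state directories for loose permissions.
# Usage after sourcing this file:  audit_dir requests; audit_dir cas

# Resolve a state directory: the environment variable named on this page
# wins, otherwise the documented default path is used.
certmonger_dir() {
    case "$1" in
        requests)
            printf '%s\n' "${CERTMONGER_REQUESTS_DIR:-/var/lib/certmonger/requests}" ;;
        cas)
            printf '%s\n' "${CERTMONGER_CAS_DIR:-/var/lib/certmonger/cas}" ;;
        *)
            echo "unknown state directory: $1" >&2
            return 2 ;;
    esac
}

# Audit one state directory ("requests" or "cas").
# Returns 0 if nothing is writable by group or other, 1 if something is,
# and 2 if the directory cannot be resolved or does not exist.
audit_dir() {
    dir=$(certmonger_dir "$1") || return 2
    if [ ! -d "$dir" ]; then
        echo "$1: $dir does not exist" >&2
        return 2
    fi
    # Symlinks are skipped because their own mode bits are not meaningful.
    loose=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed "s|^|$1: writable by group or other: |"
        return 1
    fi
    echo "$1: $dir ok"
}
```
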


Please file tickets for any that you find at
