local-submit [-d state-directory] [-v] [csrfile]
is the helper which certmonger
uses to implement its
local signer. It is not normally run interactively, but it can be for
troubleshooting purposes. The signing request which is to be submitted should
either be in a file whose name is given as an argument, or fed into
The local signer is currently hard-coded to generate and use a 2048-bit RSA key
and a name and initial serial number based on a UUID, replacing that key and
certificate at roughly the midpoint of their useful lifetime.
supports retrieving the list of current and previously-used
local CA certificates. See getcert-request
(1) for information about specifying where those
certificates should be stored.
- -d state-directory
- Identifies the directory which contains the local signer's
private key, certificates, and other data used by the local signer.
- Increases the verbosity of the tool's diagnostic logging.
- if the certificate was issued. The new certificate will be
- if the helper needs to be called again. An error message
may be printed.
- if critical configuration information is missing. An error
message may be printed.
- is currently a PKCS#12 bundle containing the local signer's
current signing key and current and previously-used signer certificates.
It should not be modified except by the local signer. A new key is
currently generated when ever a new signer certificate is needed.
- currently contains the serial number which will be used for
the next issued certificate. It should not be modified except by the local
Please file tickets for any that you find at