Description of problem:
certmonger renews certificates just fine, but in most, if not all, cases the server it renews a cert for will need to be restarted in order to see it. It would be handy if one could provide a command (or signal) for certmonger to send after successfully renewing a cert. For example, it could run:

    /sbin/service httpd reload

This might raise some existential security questions, particularly with SELinux.
Emitting a signal is more common for services, and doesn't require any additional privileges to be granted in the SELinux policy.
If we implement properties, and one of them reflects the contents of the certificate associated with a given request, then the client can wait for a signal that the contents of that property have changed to a non-empty value.
Commands can be specified using the new -C flag when running getcert, and the service now emits a SavedCertificate signal on the request when the certificate is saved to the specified location. Note that certmonger needs sufficient privileges granted to it in the SELinux policy to run the specified command.
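
A pre-flight check for the command handed to -C, as an added example that is not part of this bug thread or of certmonger: because certmonger runs the command with its own privileges, the program should be an absolute path that no other user can replace. The function names and the optional EXPECTED_UID argument are this example's own, and it assumes GNU stat and readlink.

```shell
#!/bin/sh
# Added example (not certmonger code): vet a post-save command before
# registering it with "getcert ... -C". Assumes GNU stat and readlink.

# Succeeds if PATH ($1) is owned by UID ($2) and not group/other-writable.
owner_and_mode_ok() {
    info=$(stat -c '%u %a' -- "$1") || return 1
    uid=${info% *}
    mode=${info#* }
    [ "$uid" = "$2" ] && [ $(( 0$mode & 022 )) -eq 0 ]
}

# check_postsave_cmd CMD [EXPECTED_UID]
# EXPECTED_UID defaults to 0 (root); the parameter is this example's own
# addition so the check can be exercised without root.
check_postsave_cmd() {
    cmd=$1
    want_uid=${2:-0}
    prog=${cmd%% *}          # first word: the program that would be executed
    case $prog in
        /*) ;;
        *) echo "rejected: '$prog' is not an absolute path" >&2; return 1 ;;
    esac
    real=$(readlink -f -- "$prog") || return 1   # follow symlinks
    if [ ! -f "$real" ] || [ ! -x "$real" ]; then
        echo "rejected: '$real' is not an executable file" >&2
        return 1
    fi
    # Neither the program nor its directory may be modifiable by another
    # user, otherwise that user controls what runs after each renewal.
    for p in "$real" "$(dirname -- "$real")"; do
        if ! owner_and_mode_ok "$p" "$want_uid"; then
            echo "rejected: '$p' has a foreign owner or is group/other-writable" >&2
            return 1
        fi
    done
    return 0
}
```
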