<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
<!ENTITY cmdname "grid-ca-create">
<!ENTITY cmd "<command>grid-ca-create</command>">
]>
<!-- Canonical version of this document lives in
$Header$
-->
<refentry id="grid-ca-create" xreflabel="grid-ca-create">
<refentryinfo>
<corpauthor>University of Chicago</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle>&cmdname;</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo class="source">Globus Toolkit</refmiscinfo>
<refmiscinfo class="version"><replaceable role="entity">version</replaceable></refmiscinfo>
</refmeta>
<refnamediv>
<refname>&cmdname;</refname>
<refpurpose>Create a CA to sign certificates for use on a grid</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
&cmd;
<arg>-help</arg>
<arg>-h</arg>
<arg>-usage</arg>
<arg>-version</arg>
<arg>-versions</arg>
</cmdsynopsis>
<cmdsynopsis>
&cmd;
<arg>-force</arg>
<arg>-noint</arg>
<arg>-dir <replaceable>DIRECTORY</replaceable></arg>
<sbr/>
<arg>-subject <replaceable>SUBJECT</replaceable></arg>
<arg>-email <replaceable>ADDRESS</replaceable></arg>
<arg>-days <replaceable>DAYS</replaceable></arg>
<arg>-pass <replaceable>PASSWORD</replaceable></arg>
<sbr/>
<arg>-nobuild</arg>
<arg>-g</arg>
<arg>-b</arg>
<sbr/>
<arg>-openssl-help</arg>
<arg><replaceable>OPENSSL-OPTIONS</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>
The &cmd; program creates a self-signed CA certificate and related files
needed to use the CA with other Globus tools. The &cmd;
program prompts for information to use to generate the CA certificate,
but the prompts may be avoided by using the command line options.
</para>
<para>
By default, the &cmd; program creates the self-signed CA certificate,
installs it on the current machine in its trusted certificate directory,
and creates a source tarball which can be used to generate an RPM package
for the CA. If the RPM package is installed on a machine, users on that
machine can create certificate requests for user, host, or service
identity certificates to be signed by the CA certificate generated by
running &cmd;.
</para>
<para>
If run as a privileged user, the &cmd; program creates the CA certificate
and support files in
<filename><envar>${localstatedir}</envar>/lib/globus/simple_ca</filename>
and the CA certificate and signing policy are installed in the
<filename>/etc/grid-security</filename> directory. Otherwise,
the files are created in the
<filename><envar>${HOME}</envar>/.globus/simpleCA</filename> directory.
</para>
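<para>
The signing policy installed beside the CA certificate restricts which subject names the CA may sign. The following is an added example, not code from the Globus Toolkit, that parses a signing_policy file in the format Globus installs in the trusted certificate directory and checks a certificate subject against it; the sample policy text is constructed from the default CA subject, and the function names are the example's own.
</para>

```python
"""Check certificate subjects against a Globus signing_policy file.

Added example (not Globus Toolkit code). SAMPLE_POLICY is a constructed
sample in the format installed next to the CA certificate in the trusted
certificate directory; it names the default CA subject that grid-ca-create
uses when -subject is not given.
"""
import fnmatch
import shlex

SAMPLE_POLICY = """\
# constructed sample signing_policy for the default Simple CA subject
access_id_CA  X509   '/O=Grid/OU=GlobusTest/OU=simpleCA-grid.example.org/CN=Globus Simple CA'
pos_rights    globus CA:sign
cond_subjects globus '"/O=Grid/OU=GlobusTest/OU=simpleCA-grid.example.org/*"'
"""


def comma_dn_to_slash(dn):
    """Convert the comma form used by -subject ('cn=X, ou=Y, o=Z') to the
    OpenSSL one-line form ('/O=Z/OU=Y/CN=X') used in signing_policy files."""
    rdns = [r.strip() for r in dn.split(",") if r.strip()]
    parts = []
    for rdn in reversed(rdns):          # most significant component first
        attr, _, value = rdn.partition("=")
        parts.append(attr.strip().upper() + "=" + value.strip())
    return "/" + "/".join(parts)


def parse_signing_policy(text):
    """Return (CA subject, list of subject globs the CA is allowed to sign)."""
    ca_subject, allowed = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)      # single quotes group DN values with spaces
        if tokens[0] == "access_id_CA" and len(tokens) >= 3:
            ca_subject = tokens[2]
        elif tokens[0] == "cond_subjects" and len(tokens) >= 3:
            # the value is a single-quoted list of double-quoted globs
            allowed.extend(shlex.split(tokens[2]))
    return ca_subject, allowed


def subject_permitted(allowed, subject):
    """True if the subject falls inside a namespace the policy grants."""
    return any(fnmatch.fnmatchcase(subject, pat) for pat in allowed)
```

A certificate whose issuer matches access_id_CA but whose subject falls outside cond_subjects should be rejected by a relying party, which is why the policy file is installed together with the CA certificate.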
<para>
The full set of command-line options to &cmd; follows. In addition to
these, unknown options will be passed to the <command>openssl</command>
command when creating the self-signed certificate.
<variablelist>
<varlistentry>
<term><option>-help</option></term>
<term><option>-h</option></term>
<term><option>-usage</option></term>
<listitem><simpara>Display the command-line options to
&cmd; and exit.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>-version</option></term>
<term><option>-versions</option></term>
<listitem><simpara>Display the version number of the &cmd;
command. The second form includes more
details.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>-force</option></term>
<listitem><simpara>Overwrite an existing CA in the destination directory if one exists.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>-noint</option></term>
<listitem><simpara>Run in non-interactive mode. Parameters are taken
from the command line where specified and from the defaults
otherwise, without prompting. This option also implies
<option>-force</option>.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>-dir <replaceable>DIRECTORY</replaceable></option></term>
<listitem><simpara>Create the CA in
<replaceable>DIRECTORY</replaceable>. The
<replaceable>DIRECTORY</replaceable> must not exist prior to
running &cmd;.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>-subject <replaceable>SUBJECT</replaceable></option></term>
<listitem><simpara>Use <replaceable>SUBJECT</replaceable> as the
subject name of the self-signed CA to create. If this is not
specified on the command-line, &cmd; will default to using the
subject name
<emphasis>cn=Globus Simple CA, ou=<replaceable>$HOSTNAME</replaceable>, ou=GlobusTest, o=Grid</emphasis>.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>-email <replaceable>ADDRESS</replaceable></option></term>
<listitem><simpara>Use <replaceable>ADDRESS</replaceable> as the
email address of the CA. The default instructions generated by
&cmd; tell users to mail the certificate request to this
address. If this is not specified on the command-line, &cmd; will
default to <envar>$LOGNAME</envar><literal>@</literal><envar>$HOSTNAME</envar>.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>-days <replaceable>DAYS</replaceable></option></term>
<listitem><simpara>Set the default lifetime of the self-signed CA
certificate to <replaceable>DAYS</replaceable>. If not set, the
&cmd; program will default to <literal>1825</literal> days (5
years).</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>-pass <replaceable>PASSWORD</replaceable></option></term>
<listitem><simpara>Use the string
<replaceable>PASSWORD</replaceable> to protect the CA's private
key. This is useful for automating Simple CA, but may make it
easier to compromise the CA if someone obtains a shell on the
machine storing the CA's private key.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>-nobuild</option></term>
<listitem><simpara>Disable building a source tarball for
distributing the CA's public information to other machines.
The source tarball can be created later by using the
<command>grid-ca-package</command> command.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>-g</option></term>
<listitem><simpara>Create a binary GPT package containing the
new CA's public information. The package will be created in the
current working directory. This package can be deployed
with the <command>gpt-install</command> tool.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>-b</option></term>
<listitem><simpara>Create a binary GPT package containing the
new CA's public information that is backward-compatible with GPT
3.2. Packages created in this manner will work with Globus Toolkit
2.0.0-5.0.x.</simpara></listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title>Examples</title>
<para>Create a simple CA in <filename><envar>$HOME</envar>/SimpleCA</filename>:
<screen><prompt>% </prompt>&cmd; <option>-noint</option> <option>-dir <envar>$HOME</envar>/SimpleCA</option>
<computeroutput>
C e r t i f i c a t e A u t h o r i t y S e t u p
This script will setup a Certificate Authority for signing Globus
users certificates. It will also generate a simple CA package
that can be distributed to the users of the CA.
The CA information about the certificates it distributes will
be kept in:
/home/juser/SimpleCA
The unique subject name for this CA is:
cn=Globus Simple CA, ou=simpleCA-grid.example.org, ou=GlobusTest, o=Grid
Insufficient permissions to install CA into the trusted certifiicate
directory (tried ${sysconfdir}/grid-security/certificates and
${datadir}/certificates)
Creating RPM source tarball... done
globus_simple_ca_0146c503.tar.gz
</computeroutput></screen>
</para>
</refsect1>
<refsect1>
<title>Environment Variables</title>
<para>
The following environment variables affect the execution of &cmd;:
<variablelist>
<varlistentry>
<term><envar>GLOBUS_LOCATION</envar></term>
<listitem><simpara>Non-standard installation path of the
Globus toolkit.</simpara></listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1>
<title>See Also</title>
<para><citerefentry><refentrytitle>grid-cert-request</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>grid-ca-sign</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>grid-default-ca</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>grid-ca-package</refentrytitle><manvolnum>1</manvolnum></citerefentry></para>
</refsect1>
</refentry>