File: grid-ca-create.xml

globus-simple-ca 4.14-3~bpo70+1
  • links: PTS, VCS
  • area: main
  • in suites: wheezy-backports
  • size: 560 kB
  • sloc: sh: 5,160; xml: 500; perl: 231; makefile: 100
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
    <!ENTITY cmdname "grid-ca-create">
    <!ENTITY cmd "<command>grid-ca-create</command>">
]>
<!-- Canonical version of this document lives in 
$Header$
-->

<refentry id="grid-ca-create" xreflabel="grid-ca-create">
  <refentryinfo>
    <corpauthor>University of Chicago</corpauthor>
  </refentryinfo>
  <refmeta>
    <refentrytitle>&cmdname;</refentrytitle>
    <manvolnum>1</manvolnum>
    <refmiscinfo class="source">Globus Toolkit</refmiscinfo>
    <refmiscinfo class="version"><replaceable role="entity">version</replaceable></refmiscinfo>
  </refmeta>
  <refnamediv>
    <refname>&cmdname;</refname>
    <refpurpose>Create a CA to sign certificates for use on a grid</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      &cmd;
      <arg>-help</arg>
      <arg>-h</arg>
      <arg>-usage</arg>
      <arg>-version</arg>
      <arg>-versions</arg>
    </cmdsynopsis>
    <cmdsynopsis>
      &cmd;
      <arg>-force</arg>
      <arg>-noint</arg>
      <arg>-dir <replaceable>DIRECTORY</replaceable></arg>
      <sbr/>
      <arg>-subject <replaceable>SUBJECT</replaceable></arg>
      <arg>-email <replaceable>ADDRESS</replaceable></arg>
      <arg>-days <replaceable>DAYS</replaceable></arg>
      <arg>-pass <replaceable>PASSWORD</replaceable></arg>
      <sbr/>
      <arg>-nobuild</arg>
      <arg>-g</arg>
      <arg>-b</arg>
      <sbr/>
      <arg>-openssl-help</arg>
      <arg><replaceable>OPENSSL-OPTIONS</replaceable></arg>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
    <para>
    The &cmd; program creates a self-signed CA certificate and the related
    files needed to use the CA with other Globus tools. By default it prompts
    for the information needed to generate the CA certificate; each prompt
    can be avoided by supplying the corresponding command-line option.
    </para>

    <para>
    By default, the &cmd; program creates the self-signed CA certificate,
    installs it on the current machine in its trusted certificate directory,
    and creates a source tarball which can be used to generate an RPM package
    for the CA. If the RPM package is installed on a machine, users on that
    machine can create certificate requests for user, host, or service
    identity certificates to be signed by the CA certificate generated by
    running &cmd;.
    </para>

    <para>
    If run as a privileged user, the &cmd; program creates the CA certificate
    and support files in
    <filename><envar>${localstatedir}</envar>/lib/globus/simple_ca</filename>
    and the CA certificate and signing policy are installed in the
    <filename>/etc/grid-security</filename> directory. Otherwise,
    the files are created in the
    <filename><envar>${HOME}</envar>/.globus/simpleCA</filename> directory.
    </para>

    <para>
    The full set of command-line options to &cmd; follows. In addition to
    these, unknown options will be passed to the <command>openssl</command>
    command when creating the self-signed certificate. 

    <variablelist>
        <varlistentry>
            <term><option>-help</option></term>
            <term><option>-h</option></term>
            <term><option>-usage</option></term>
            <listitem><simpara>Display the command-line options to 
            &cmd; and exit.</simpara></listitem>
        </varlistentry>

        <varlistentry>
            <term><option>-version</option></term>
            <term><option>-versions</option></term>
            <listitem><simpara>Display the version number of the &cmd;
            command. The second form includes more
            details.</simpara></listitem>
        </varlistentry>

        <varlistentry>
            <term><option>-force</option></term>
            <listitem><simpara>Overwrite an existing CA in the destination directory if one exists.</simpara></listitem>
        </varlistentry>

        <varlistentry>
            <term><option>-noint</option></term>
            <listitem><simpara>Run in non-interactive mode. Each parameter
            takes the value given on the command line or, if none was given,
            its default, without prompting. This option also implies
            <option>-force</option>.</simpara></listitem>
        </varlistentry>

        <varlistentry>
            <term><option>-dir <replaceable>DIRECTORY</replaceable></option></term>
            <listitem><simpara>Create the CA in
            <replaceable>DIRECTORY</replaceable>. The
            <replaceable>DIRECTORY</replaceable> must not exist prior to
            running &cmd;.</simpara></listitem>
        </varlistentry>

        <varlistentry>
            <term><option>-subject <replaceable>SUBJECT</replaceable></option></term>
            <listitem><simpara>Use <replaceable>SUBJECT</replaceable> as the
            subject name of the self-signed CA to create. If this is not
            specified on the command-line, &cmd; will default to using the
            subject name
            <emphasis>cn=Globus Simple CA, ou=<replaceable>$HOSTNAME</replaceable>, ou=GlobusTest, o=Grid</emphasis>.</simpara></listitem>
        </varlistentry>

        <varlistentry>
            <term><option>-email <replaceable>ADDRESS</replaceable></option></term>
            <listitem><simpara>Use <replaceable>ADDRESS</replaceable> as the
            email address of the CA. The default instructions generated by
            &cmd; tell users to mail the certificate request to this
            address. If this is not specified on the command-line, &cmd;
            defaults to <envar>$LOGNAME</envar><literal>@</literal><envar>$HOSTNAME</envar>.</simpara></listitem>
        </varlistentry>

        <varlistentry>
            <term><option>-days <replaceable>DAYS</replaceable></option></term>
            <listitem><simpara>Set the lifetime of the self-signed CA
            certificate to <replaceable>DAYS</replaceable> days. If not set,
            &cmd; defaults to <literal>1825</literal> days (5
            years).</simpara></listitem>
        </varlistentry>

        <varlistentry>
            <term><option>-pass <replaceable>PASSWORD</replaceable></option></term>
            <listitem><simpara>Use the string
            <replaceable>PASSWORD</replaceable> to protect the CA's private
            key. This is useful for automating Simple CA, but may make it
            easier to compromise the CA if someone obtains a shell on the
            machine storing the CA's private key.</simpara></listitem>
        </varlistentry>

        <varlistentry>
            <term><option>-nobuild</option></term>
            <listitem><simpara>Disable building a source tarball for
            distributing the CA's public information to other machines.
            The source tarball can be created later by using the
            <command>grid-ca-package</command> command.</simpara></listitem>
        </varlistentry>

        <varlistentry>
            <term><option>-g</option></term>
            <listitem><simpara>Create a binary GPT package containing the
            new CA's public information. The package will be created in the
            current working directory. This package can be deployed with
            the <command>gpt-install</command> tool.</simpara></listitem>
        </varlistentry>

        <varlistentry>
            <term><option>-b</option></term>
            <listitem><simpara>Create a binary GPT package containing the
            new CA's public information that is backward-compatible with GPT
            3.2. Packages created in this manner will work with Globus Toolkit
            2.0.0-5.0.x.</simpara></listitem>
        </varlistentry>
    </variablelist>

    </para>
  </refsect1>

  <refsect1>
    <title>Examples</title>
    <para>Create a simple CA in <filename><envar>$HOME</envar>/SimpleCA</filename>:
    
    <screen><prompt>% </prompt>&cmd; <option>-noint</option> <option>-dir <envar>$HOME</envar>/SimpleCA</option>
<computeroutput> 
    C e r t i f i c a t e    A u t h o r i t y    S e t u p
    
    This script will setup a Certificate Authority for signing Globus
    users certificates.  It will also generate a simple CA package
    that can be distributed to the users of the CA.
    
    The CA information about the certificates it distributes will
    be kept in:
    
    /home/juser/SimpleCA
    
    The unique subject name for this CA is:
    
    cn=Globus Simple CA, ou=simpleCA-grid.example.org, ou=GlobusTest, o=Grid
    
    Insufficient permissions to install CA into the trusted certifiicate
    directory (tried ${sysconfdir}/grid-security/certificates and
    ${datadir}/certificates)
    Creating RPM source tarball... done
      globus_simple_ca_0146c503.tar.gz
      </computeroutput></screen>
    </para>
  </refsect1>
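The example above shows the CA being created; what the man page does not show is how to confirm that the result has the properties the options promise (a self-signed CA certificate, the 1825-day default lifetime, and a passphrase-protected private key as discussed under <option>-pass</option>). The following POSIX shell function is an added example, not part of the Globus sources or of this man page. It assumes the Simple CA directory layout with the certificate in DIR/cacert.pem and the key in DIR/private/cakey.pem (verify these paths against your installation), and it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not part of the grid-ca-create man page or the Globus
# sources): sanity-check a Simple CA directory after grid-ca-create has run.
# Assumed layout (check against your installation): DIR/cacert.pem holds the
# self-signed CA certificate and DIR/private/cakey.pem holds the CA key.

# check_simple_ca DIR [MAX_DAYS]
# Returns 0 when every check passes and 1 otherwise; each failure is printed
# as a FAIL line. MAX_DAYS defaults to 1826, one day of slack over the
# 1825-day default, so a CA created with a longer -days value is flagged.
check_simple_ca() {
    dir=$1
    max_days=${2:-1826}
    cert="$dir/cacert.pem"
    key="$dir/private/cakey.pem"
    status=0

    if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
        echo "FAIL: missing $cert or $key"
        return 1
    fi

    # 1. The certificate must be a CA certificate (basicConstraints CA:TRUE).
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: $cert does not carry basicConstraints CA:TRUE"
        status=1
    fi

    # 2. It must be self-signed: issuer and subject are the same name.
    #    sed strips the "subject=" / "issuer= " prefix, whose spacing
    #    differs between OpenSSL releases.
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    iss=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    if [ "$subj" != "$iss" ]; then
        echo "FAIL: issuer ($iss) differs from subject ($subj)"
        status=1
    fi

    # 3. Lifetime: -checkend exits 0 when the certificate is still valid
    #    MAX_DAYS from now, i.e. it was issued for longer than we allow.
    if openssl x509 -in "$cert" -noout -checkend $((max_days * 86400)) >/dev/null; then
        echo "FAIL: $cert remains valid for more than $max_days days"
        status=1
    fi

    # 4. The private key must be passphrase-protected. Both the legacy
    #    "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
    #    "BEGIN ENCRYPTED PRIVATE KEY" marker contain the word ENCRYPTED.
    if ! grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: $key is not passphrase-protected"
        status=1
    fi

    # 5. The key file must not be readable by group or others: columns 5-10
    #    of "ls -l" output are the group and other permission bits.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is readable by group or others"
        status=1
    fi

    return $status
}

# Usage (unprivileged default location from the Description section):
#   check_simple_ca "$HOME/.globus/simpleCA"
# or, for the example above:
#   check_simple_ca "$HOME/SimpleCA"
```

Run it once after creating the CA and again from a cron job or configuration-management check: a key that was generated with <option>-pass</option> for automation and later re-saved unencrypted, or a directory whose permissions were loosened, shows up as a FAIL line rather than going unnoticed.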

  <refsect1>
    <title>Environment Variables</title>

    <para>
    The following environment variables affect the execution of &cmd;:
    <variablelist>
        <varlistentry>
            <term><envar>GLOBUS_LOCATION</envar></term>
            <listitem><simpara>Non-standard installation path of the
            Globus toolkit.</simpara></listitem>
        </varlistentry>
    </variablelist>
    </para>
  </refsect1>
  <refsect1>
    <title>See Also</title>

    <para><citerefentry><refentrytitle>grid-cert-request</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
    <citerefentry><refentrytitle>grid-ca-sign</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
    <citerefentry><refentrytitle>grid-default-ca</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
    <citerefentry><refentrytitle>grid-ca-package</refentrytitle><manvolnum>1</manvolnum></citerefentry></para>
  </refsect1>
</refentry>