GRID-CA-CREATE(1)
=================
:doctype: manpage
:man source: Grid Community Toolkit
:man version: 6
:man manual: Grid Community Toolkit Manual
:man software: Grid Community Toolkit
NAME
----
grid-ca-create - Create a CA to sign certificates for use on a grid
[[grid-ca-create-SYNOPSIS]]
SYNOPSIS
--------
*grid-ca-create* [ -h | -help | -usage | -version | -versions ] [ -openssl-help ]
*grid-ca-create* [ OPTIONS ] [ OPENSSL-OPTIONS ]
[[grid-ca-create-DESCRIPTION]]
DESCRIPTION
-----------
The *grid-ca-create* program creates a self-signed CA certificate and related
files needed to use the CA with other Globus tools. The *grid-ca-create*
program prompts for information to use to generate the CA certificate, but the
prompts may be avoided by using the command line options.

By default, the *grid-ca-create* program creates the self-signed CA
certificate, installs it on the current machine in its trusted certificate
directory, and creates a source tarball which can be used to generate an RPM
package for the CA. If the RPM package is installed on a machine, users on that
machine can create certificate requests for user, host, or service identity
certificates to be signed by the CA certificate generated by running
*grid-ca-create*.

If run as a privileged user, the *grid-ca-create* program creates the CA
certificate and support files in
+'${localstatedir}'/lib/globus/simple_ca+ and
the CA certificate and signing policy are installed in the
+/etc/grid-security+ directory. Otherwise, the files are
created in the +'${HOME}'/.globus/simpleCA+ directory.
[[grid-ca-create-OPTIONS]]
OPTIONS
-------
The full set of command-line options to *grid-ca-create* follows. In addition to
these, unknown options will be passed to the `openssl`
command when creating the self-signed certificate.
*-help, -h, -usage*::
Display the command-line options to *grid-ca-create* and exit.
*-version, -versions*::
Display the version number of the *grid-ca-create* command. The second form
includes more details.
*-force*::
Overwrite existing CA in the destination directory if one exists.
*-bits BITS*::
Create a CA certificate with an RSA key 'BITS' bits long (default: 4096).
*-noint*::
Run in non-interactive mode. Parameters take the values given on the
command line, or their defaults, without prompting. This option also
implies '-force'.
*-dir 'DIRECTORY'*::
Create the CA in 'DIRECTORY'. The 'DIRECTORY' must not exist prior to
running *grid-ca-create*.
*-subject 'SUBJECT'*::
Use 'SUBJECT' as the subject name of the self-signed CA to create. If this
is not specified on the command-line, *grid-ca-create* will default to
using the subject name +cn=Globus Simple CA, ou=$HOSTNAME, ou=GlobusTest, o=Grid+.
*-email 'ADDRESS'*::
Use 'ADDRESS' as the email address of the CA. The default instructions
generated by *grid-ca-create* tell users to mail the certificate request to
this address. If this is not specified on the command-line,
*grid-ca-create* will default to `$LOGNAME@$HOSTNAME`.
*-days 'DAYS'*::
Set the default lifetime of the self-signed CA certificate to
'DAYS'. If not set, the *grid-ca-create* program will default to
`1825` days (5 years).
*-pass 'PASSWORD'*::
Use the string 'PASSWORD' to protect the CA's private
key. This is useful for automating Simple CA, but may make it easier to
compromise the CA if someone obtains a shell on the machine storing the
CA's private key.
*-nobuild*::
Disable building a source tarball for distributing the CA's public
information to other machines. The source tarball can be created later by
using the *grid-ca-package* command.
[[grid-ca-create-EXAMPLES]]
EXAMPLES
--------
Create a simple CA in +$HOME/SimpleCA+:

    % grid-ca-create -noint -dir $HOME/SimpleCA
        C e r t i f i c a t e    A u t h o r i t y    S e t u p
    This script will setup a Certificate Authority for signing Globus
    users certificates. It will also generate a simple CA package
    that can be distributed to the users of the CA.
    The CA information about the certificates it distributes will
    be kept in:
    /home/juser/SimpleCA
    The unique subject name for this CA is:
    cn=Globus Simple CA, ou=simpleCA-grid.example.org, ou=GlobusTest, o=Grid
    Insufficient permissions to install CA into the trusted certifiicate
    directory (tried ${sysconfdir}/grid-security/certificates and
    ${datadir}/certificates)
    Creating RPM source tarball... done
    globus_simple_ca_0146c503.tar.gz
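
An added check, not part of the Grid Community Toolkit or of this manual page: the shell function below scans a CA directory (the '-dir' argument, or the default +'${HOME}'/.globus/simpleCA+) for private keys that are stored unencrypted or are accessible to group or other. The function name `audit_ca_keys` and the finding labels are hypothetical; the script assumes only that keys are stored in PEM form and makes no assumption about file names inside the directory.

```shell
#!/bin/sh
# Added example (not part of the Grid Community Toolkit).
# audit_ca_keys DIR: scan every regular file under DIR for a PEM private key
# and report keys that are unencrypted or accessible beyond their owner.
# Prints "<FINDING> <path>" lines; returns 0 if clean, 1 if anything was found.
audit_ca_keys() {
    ca_dir=$1
    report=$(
        # List the files that contain any PEM private-key label.
        find "$ca_dir" -type f -exec \
            grep -lE -e '-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' {} + 2>/dev/null |
        while IFS= read -r f; do
            # PKCS#8 encrypted keys use their own PEM label; traditional
            # encrypted keys carry a "Proc-Type: 4,ENCRYPTED" header.
            if ! grep -qE -e 'BEGIN ENCRYPTED PRIVATE KEY|^Proc-Type: 4,ENCRYPTED' "$f"; then
                echo "UNENCRYPTED_KEY $f"
            fi
            # Characters 5-10 of the ls mode string are the group/other bits.
            if [ "$(ls -ld -- "$f" | cut -c5-10)" != "------" ]; then
                echo "GROUP_OR_OTHER_ACCESS $f"
            fi
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

After the command shown above, call it as `audit_ca_keys "$HOME/SimpleCA"`; a non-zero exit status means at least one finding was printed.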
[[grid-ca-create-ENVIRONMENT]]
ENVIRONMENT
-----------
The following environment variables affect the execution of *grid-ca-create*:
`GLOBUS_LOCATION`::
Non-standard installation path of the Grid Community Toolkit.
[[grid-ca-create-SEEALSO]]
SEE ALSO
--------
grid-cert-request(1), grid-ca-sign(1), grid-default-ca(1), grid-ca-package(1)
[[grid-ca-create-AUTHOR]]
AUTHOR
------
Copyright (C) 1999-2014 University of Chicago