.\"/* .\" * Copyright (C) 2016 Red Hat, Inc. .\" * .\" * All rights reserved. .\" * .\" * Author: Jan Friesse .\" * .\" * This software licensed under BSD license, the text of which follows: .\" * .\" * Redistribution and use in source and binary forms, with or without .\" * modification, are permitted provided that the following conditions are met: .\" * .\" * - Redistributions of source code must retain the above copyright notice, .\" * this list of conditions and the following disclaimer. .\" * - Redistributions in binary form must reproduce the above copyright notice, .\" * this list of conditions and the following disclaimer in the documentation .\" * and/or other materials provided with the distribution. .\" * - Neither the name of Red Hat, Inc. nor the names of its .\" * contributors may be used to endorse or promote products derived from this .\" * software without specific prior written permission. .\" * .\" * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" .\" * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE .\" * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR .\" * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF .\" * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS .\" * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN .\" * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) .\" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF .\" * THE POSSIBILITY OF SUCH DAMAGE. .\" */ .TH COROSYNC-QNETD-CERTUTIL 8 2016-06-28 .SH NAME corosync-qnetd-certutil - tool to generate qnetd TLS certificates .SH SYNOPSIS .B "corosync-qnetd-certutil [-i|-s] [-c certificate] [-n cluster_name]" .SH DESCRIPTION .B corosync-qnetd-certutil is a frontend for the NSS certutil, it is used for generating the QNetd CA (Certificate Authority), server certificate and signing cluster certificate used by .B corosync-qdevice when using the model 'net'. .SH OPTIONS .TP .B -i Initialize the QNetd NSS certificate database and generate the QNetd CA and server certificates. The default directory for the database is /etc/corosync/qnetd. This directory must be writeable by the current user. The QNetd CA certificate is also exported into the file /etc/corosync/qnetd/nssdb/qnetd-cacert.crt. .TP .B -s Sign the cluster certificate. It is necessary to pass the cluster name (as configured in corosync.conf) and the certificate request file - see options below. The signed certificate will be written to the file /etc/corosync/qnetd/nssdb/cluster-$ClusterName.crt .TP .B -c Certificate request file to sign. .TP .B -G Do not set group write bit for new files. This option has effect only when used together with .B -i option. It is useful when extended security is needed and it's viable to prohibit daemon to change its configuration. Expected usage is to first set owner of the /etc/corosync/qnetd directory to root:$COROQNETD with permissions 0750 and then create database (as a root): .nf # corosync-qnetd-certutil -i -G .fi .TP .B -n Name of the cluster. .SH NOTES If qnetd is executed by a non root user, /etc/corosync/qnetd and its subdirectories must be owned by (or have group access for) the given user. If .B corosync-qnetd-certutil is executed as root it tries to copy the owner and group of /etc/corosync/qnetd to all of the created files. .SH SEE ALSO .BR corosync-qnetd (8) .BR corosync-qdevice (8) .SH AUTHOR Jan Friesse .PP