GRID-CA-CREATE(1) | Globus Commands | GRID-CA-CREATE(1) |
NAME
grid-ca-create - Create a CA to sign certificates for use on a grid
SYNOPSIS
grid-ca-create [-help] [-h] [-usage] [-version]
[-versions]
grid-ca-create [-force] [-noint]
[-dir DIRECTORY]
[-subject SUBJECT] [-email ADDRESS]
[-days DAYS] [-pass PASSWORD]
[-nobuild] [-g] [-b]
[-openssl-help] [ OPENSSL-OPTIONS]
DESCRIPTION
The grid-ca-create program creates a self-signed CA certificate and related files needed to use the CA with other Globus tools. The grid-ca-create program prompts for information to use to generate the CA certificate, but the prompts may be avoided by using the command line options.

By default, the grid-ca-create program creates the self-signed CA certificate, installs it on the current machine in its trusted certificate directory, and creates a source tarball which can be used to generate an RPM package for the CA. If the RPM package is installed on a machine, users on that machine can create certificate requests for user, host, or service identity certificates to be signed by the CA certificate generated by running grid-ca-create.

If run as a privileged user, the grid-ca-create program creates the CA certificate and support files in ${localstatedir}/lib/globus/simple_ca and the CA certificate and signing policy are installed in the /etc/grid-security directory. Otherwise, the files are created in the ${HOME}/.globus/simpleCA directory.

The full set of command-line options to grid-ca-create follows. In addition to these, unknown options will be passed to the openssl command when creating the self-signed certificate.

-help, -h, -usage
Display the command-line options to grid-ca-create
and exit.
-version, -versions
Display the version number of the grid-ca-create
command. The second form includes more details.
-force
Overwrite existing CA in the destination directory if one
exists.
-noint
Run in non-interactive mode. This will choose defaults
for parameters or those specified on the command line without prompting. This
option also implies -force.
-dir DIRECTORY
Create the CA in DIRECTORY. The DIRECTORY
must not exist prior to running grid-ca-create.
-subject SUBJECT
Use SUBJECT as the subject name of the self-signed
CA to create. If this is not specified on the command-line,
grid-ca-create will default to using the subject name cn=Globus
Simple CA, ou= $HOSTNAME, ou=GlobusTest,
o=Grid.
-email ADDRESS
Use ADDRESS as the email address of the CA. The
default instructions generated by grid-ca-create tell users to mail the
certificate request to this address. If this is not specified on the
command-line, grid-ca-create will default to
$LOGNAME@$HOSTNAME.
-days DAYS
Set the default lifetime of the self-signed CA
certificate to DAYS. If not set, the grid-ca-create program will
default to 1825 days (5 years).
-pass PASSWORD
Use the string PASSWORD to protect the CA's
private key. This is useful for automating Simple CA, but may make it easier
to compromise the CA if someone obtains a shell on the machine storing the
CA's private key.
-nobuild
Disable building a source tarball for distributing the
CA's public information to other machines. The source tarball can be
created later by using the grid-ca-package command.
-g
Create a binary GPT package containing the new
CA's public information. The package will be created in the current
working directory. This package can be deployed with the gpt-install
tool.
-b
Create a binary GPT package containing the new
CA's public information that is backward-compatible with GPT 3.2.
Packages created in this manner will work with Globus Toolkit
2.0.0-5.0.x.
EXAMPLES
Create a simple CA in $HOME/SimpleCA

    % grid-ca-create -noint -dir $HOME/SimpleCA

        C e r t i f i c a t e A u t h o r i t y S e t u p

    This script will setup a Certificate Authority for signing Globus
    users certificates. It will also generate a simple CA package
    that can be distributed to the users of the CA.

    The CA information about the certificates it distributes will
    be kept in:

    /home/juser/SimpleCA

    The unique subject name for this CA is:

    cn=Globus Simple CA, ou=simpleCA-grid.example.org, ou=GlobusTest, o=Grid

    Insufficient permissions to install CA into the trusted certifiicate
    directory (tried ${sysconfdir}/grid-security/certificates and
    ${datadir}/certificates)
    Creating RPM source tarball... done
    globus_simple_ca_0146c503.tar.gz
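
The -pass option described above puts the CA key passphrase in the command's arguments, so it can end up in shell history, automation scripts and job logs. The following is an added example, not part of the Globus Toolkit, that scans such files for grid-ca-create runs using -pass and reports them with the passphrase redacted; the sample lines, the /srv/ca-* paths, the CA_PASS variable and the passphrase are constructed.

```shell
#!/bin/sh
# Added example, not part of the Globus Toolkit: report grid-ca-create runs
# that put the CA key passphrase on the command line with -pass.

# sample_history: constructed shell-history lines (paths and passphrase are
# made up) used as demo input.
sample_history() {
    cat <<'EOF'
grid-ca-create -noint -dir /srv/ca-a
grid-ca-create -noint -pass Example-Passphrase-1 -dir /srv/ca-b
/usr/bin/grid-ca-create -noint -dir /srv/ca-c -pass "$CA_PASS"
ls -l /srv/ca-a
EOF
}

# scan_pass_exposure [FILE...]: scan FILEs (or stdin) and print one line per
# finding as NAME:LINE: KIND: COMMAND. Returns 1 if anything was found.
scan_pass_exposure() {
    awk '
    /(^|[^A-Za-z0-9_-])grid-ca-create([ \t]|$)/ &&
    match($0, /[ \t]-pass[ \t]+/) {
        arg = substr($0, RSTART + RLENGTH)
        # "literal": the passphrase itself is stored in the scanned file.
        # "variable": only a $VAR reference is stored, but the expanded
        # value is still a process argument when the command runs.
        kind = (arg ~ /^["]?\$/) ? "variable" : "literal"
        name = (FILENAME == "" || FILENAME == "-") ? "(stdin)" : FILENAME
        # Drop everything after -pass: a quoted passphrase may contain
        # spaces, so its end cannot be located reliably.
        printf "%s:%d: %s: %s -pass <REDACTED>\n", name, FNR, kind,
            substr($0, 1, RSTART - 1)
        hits++
    }
    END { exit (hits > 0) }
    ' "$@"
}

# Demo on the constructed sample; "|| true" because findings return 1.
sample_history | scan_pass_exposure || true
```

Pass history files, cron scripts or job logs as arguments; the non-zero return status on findings lets the check fail a scheduled audit job.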
ENVIRONMENT VARIABLES
The following environment variables affect the execution of grid-ca-create:
GLOBUS_LOCATION
Non-standard installation path of the Globus toolkit.
SEE ALSO
grid-cert-request(1), grid-ca-sign(1), grid-default-ca(1), grid-ca-package(1)
AUTHOR
University of Chicago
07/22/2011 | Globus Toolkit 5.2.0 |