Scroll to navigation

GRID-CA-CREATE(1) Globus Commands GRID-CA-CREATE(1)

NAME

grid-ca-create - Create a CA to sign certificates for use on a grid

SYNOPSIS

grid-ca-create [-help] [-h] [-usage] [-version] [-versions]
grid-ca-create [-force] [-noint] [-dir DIRECTORY]
 
[-subject  SUBJECT] [-email ADDRESS] [-days DAYS] [-pass PASSWORD]
 
[-nobuild] [-g] [-b]
 
[-openssl-help] [ OPENSSL-OPTIONS]

DESCRIPTION

The grid-ca-create program creates a self-signed CA certificate and related files needed to use the CA with other Globus tools. The grid-ca-create program prompts for information to use to generate the CA certificate, but the prompts may be avoided by using the command line options.
By default, the grid-ca-create program creates the self-signed CA certificate, installs it on the current machine in its trusted certificate directory, and creates a source tarball which can be used to generate an RPM package for the CA. If the RPM package is installed on a machine, users on that machine can create certificate requests for user, host, or service identity certificates to be signed by the CA certificate generated by running grid-ca-create.
If run as a privileged user, the grid-ca-create program creates the CA certificate and support files in ${localstatedir}/lib/globus/simple_ca and the CA certificate and signing policy are installed in the /etc/grid-security directory. Otherwise, the files are created in the ${HOME}/.globus/simpleCA directory.
The full set of command-line options to grid-ca-create follows. In addition to these, unknown options will be passed to the openssl command when creating the self-signed certificate.
-help, -h, -usage
Display the command-line options to grid-ca-create and exit.
-version, -versions
Display the version number of the grid-ca-create command. The second form includes more details.
-force
Overwite existing CA in the destination directory if one exists
-noint
Run in non-interactive mode. This will choose defaults for parameters or those specified on the command line without prompting. This option also implies -force.
-dir DIRECTORY
Create the CA in DIRECTORY. The DIRECTORY must not exist prior to running grid-ca-create.
-subject SUBJECT
Use SUBJECT as the subject name of the self-signed CA to create. If this is not specified on the command-line, grid-ca-create will default to using the subject name cn=Globus Simple CA, ou= $HOSTNAME, ou=GlobusTest, o=Grid.
-email ADDRESS
Use ADDRESS as the email address of the CA. The default instructions generated by grid-ca-create tell users to mail the certificate request to this address. If this is not specified on the command-line, grid-ca-create will default to the $LOGNAME@$HOSTNAME
-days DAYS
Set the default lifetime of the self-signed CA certificate to DAYS. If not set, the grid-ca-create program will default to 1825 days (5 years).
-pass PASSWORD
Use the string PASSWORD to protect the CA´s private key. This is useful for automating Simple CA, but may make it easier to compromise the CA if someone obtains a shell on the machine storing the CA´s private key.
-nobuild
Disable building a source tarball for distributing the CA´s public information to other machines. The source tarball can be created later by using the grid-ca-package command.
-g
Create a binary GPT package containing the new CA´s public information. The package will be created in the current working directory. This package can be deployed by with the gpt-install tool.
-b
Create a binary GPT package containing the new CA´s public information that is backward-compatible with GPT 3.2. Packages created in this manner will work with Globus Toolkit 2.0.0-5.0.x.

EXAMPLES

Create a simple CA in $HOME/SimpleCA 
%  grid-ca-create -noint -dir $HOME/SimpleCA
 
    C e r t i f i c a t e    A u t h o r i t y    S e t u p
    
    This script will setup a Certificate Authority for signing Globus
    users certificates.  It will also generate a simple CA package
    that can be distributed to the users of the CA.
    
    The CA information about the certificates it distributes will
    be kept in:
    
    /home/juser/SimpleCA
    
    The unique subject name for this CA is:
    
    cn=Globus Simple CA, ou=simpleCA-grid.example.org, ou=GlobusTest, o=Grid
    
    Insufficient permissions to install CA into the trusted certifiicate
    directory (tried ${sysconfdir}/grid-security/certificates and
    ${datadir}/certificates)
    Creating RPM source tarball... done
      globus_simple_ca_0146c503.tar.gz

ENVIRONMENT VARIABLES

The following environment variables affect the execution of grid-ca-create:
GLOBUS_LOCATION
Non-standard installation path of the Globus toolkit.

SEE ALSO

grid-cert-request(1), grid-ca-sign(1), grid-default-ca(1), grid-ca-package(1)

AUTHOR

University of Chicago
07/22/2011 Globus Toolkit 5.2.0