SHIB-KEYGEN(8) | Shibboleth | SHIB-KEYGEN(8) |
NAME
shib-keygen - Generate a key pair for a Shibboleth SP
SYNOPSIS
shib-keygen [-bf] [-e entity-id] [-g group] [-h hostname] [-o output-dir] [-u user] [-y years]
DESCRIPTION
Generate a self-signed X.509 certificate for a Shibboleth SP. By default, the certificate will be for the local fully-qualified hostname (as returned by "hostname --fqdn"). An entity ID can be specified with the -e flag. The openssl command-line client is used to generate the key pair. By default, the public certificate will be created in /etc/shibboleth/sp-cert.pem and the private key in /etc/shibboleth/sp-key.pem.
OPTIONS
- -b
- Suppress all standard error output when creating the certificate. This option is normally only used by the package build.
- -e entity-id
- Add entity-id (which should be a URI) as an alternative name for the certificate.
- -f
- Remove /etc/shibboleth/sp-cert.pem and /etc/shibboleth/sp-key.pem before generating a new certificate. Without this option, if those files already exist, shib-keygen prints an error and exits rather than overwriting them.
- -g group
- After generating the key and certificate, change the group ownership of the key file to this group. By default, the group used is "_shibd".
- -h hostname
- Specify the fully-qualified domain name for which to generate a certificate. If this option isn't given, the hostname defaults to the result of "hostname --fqdn".
- -o output-dir
- Store sp-cert.pem and sp-key.pem in the directory output-dir rather than the default of /etc/shibboleth.
- -u user
- After generating the key and certificate, change the ownership of the key file to this user. This is used to allow the key to be read by a non-root user so that shibd can be run as a non-root user. By default, the key is owned by "_shibd".
- -y years
- The number of years for which the certificate should be valid. The default expiration time is ten years into the future.
FILES
- /etc/shibboleth/sp-cert.cnf
- The OpenSSL configuration file used for generating the self-signed certificate. This configuration file is generated when the script is run and deleted afterwards.
- /etc/shibboleth/sp-cert.pem
- The default location of the public certificate created by this script.
- /etc/shibboleth/sp-key.pem
- The default location of the private key for the certificate created by this script.
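The following audit function is an added example, not part of shib-keygen or of the original manual page. It checks a key pair in the layout described above: the key is not accessible to "other", the certificate matches the key, and the certificate is not about to expire. The function name check_sp_keypair, the return codes, the 30-day threshold and the no-access-for-other policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an SP key pair stored as sp-cert.pem and sp-key.pem
# in one directory. Policy values below are assumptions, not shib-keygen's.

# check_sp_keypair [DIR] [MIN_DAYS]
# Returns 0 if every check passes, otherwise:
#   2  certificate or key file missing
#   3  key file grants some access to "other"
#   4  certificate does not carry this key's public half
#   5  certificate expires within MIN_DAYS (default 30)
check_sp_keypair() {
    dir=${1:-/etc/shibboleth}
    min_days=${2:-30}
    cert=$dir/sp-cert.pem
    key=$dir/sp-key.pem

    [ -f "$cert" ] && [ -f "$key" ] || return 2

    # Characters 8-10 of the ls mode string are the "other" permission bits.
    other=$(ls -ld "$key" | cut -c8-10)
    [ "$other" = "---" ] || return 3

    # Compare the public key in the certificate with the one derived
    # from the private key; both are printed as PEM SubjectPublicKeyInfo.
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout) || return 4
    key_pub=$(openssl pkey -in "$key" -pubout) || return 4
    [ "$cert_pub" = "$key_pub" ] || return 4

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null || return 5
    return 0
}
```

Run as a user that can read the key, for example `check_sp_keypair /etc/shibboleth 90; echo $?`.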
AUTHOR
This manual page was written by Russ Allbery for Debian GNU/Linux.
COPYRIGHT
Copyright 2008, 2011 Russ Allbery. This manual page is hereby placed into the public domain by its author.
2017-11-14 | 2.5.3 |