shib-keygen - Generate a key pair for a Shibboleth SP
shib-keygen [-bf] [-e entity-id] [-g group] [-n prefix] [-h hostname] [-o output-dir] [-u user] [-y years]
Generate a self-signed X.509 certificate for a Shibboleth SP. By default, the
certificate will be for the local fully-qualified hostname (as returned by
"hostname --fqdn"). An entity ID can be specified with the -e flag. The
openssl command-line client is used to generate the key pair. By default,
the public certificate will be created in /etc/shibboleth/sp-cert.pem and the
private key in /etc/shibboleth/sp-key.pem.
- -b
- Batch mode: exit successfully without doing anything if sp-key.pem
or sp-cert.pem already exists, unless -f was also specified.
Suppress standard error output from openssl when creating the
certificate.
- -e entity-id
- Add entity-id (which should be a URI) as an alternative name for
the certificate.
- -f
- Remove sp-cert.pem and sp-key.pem before generating a new
certificate. Without this option, if those files already exist,
shib-keygen prints an error and exits rather than overwriting them.
- -g group
- After generating the key and certificate, change the group ownership of
the key file to this group. By default, the group used is
- -h hostname
- Specify the fully-qualified domain name for which to generate a
certificate. If this option isn't given, the hostname defaults to the
result of "hostname --fqdn".
- -o output-dir
- Store sp-cert.pem and sp-key.pem in the directory
output-dir rather than the default of /etc/shibboleth.
- -n prefix
- Use prefix instead of sp in the name of the generated
certificate and private key file.
- -u user
- After generating the key and certificate, change the ownership of the key
file to this user. This is used to allow the key to be read by a non-root
user so that shibd can be run as a non-root user. By default, the
key is owned by "_shibd".
- -y years
- The number of years for which the certificate should be valid. The default
expiration time is ten years into the future.
- The OpenSSL configuration file used for generating the self-signed
certificate. This configuration file is generated when the script is run
and deleted afterwards.
- /etc/shibboleth/sp-cert.pem
- The default location of the public certificate created by this script.
- /etc/shibboleth/sp-key.pem
- The default location of the private key for the certificate created by
this script.

These three files are stored in the directory given with -o
instead, if that option is given.
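As an added illustration (this is example code, not the Debian shib-keygen script itself), the following POSIX shell script reimplements the behaviour described above: it refuses to overwrite an existing key pair unless -f is given, honours -b, writes a temporary OpenSSL configuration carrying the hostname and the entity ID as subject alternative names, generates the self-signed certificate with openssl, removes the configuration file, and then fixes the key's permissions and ownership. The function names, the 3072-bit RSA key size, the SHA-256 signature digest and the years-to-days conversion are choices made for this example, not details taken from the manual page.

```shell
#!/bin/sh
# Added example, not the Debian shib-keygen script: a minimal reimplementation
# of the procedure the manual page describes, for reviewing what the tool does.

# Print an OpenSSL request configuration to stdout.
#   $1 = hostname (used as CN and as a DNS subject alternative name)
#   $2 = optional entity ID, added as a URI subject alternative name (-e)
write_openssl_cnf() {
    san="DNS:$1"
    [ -z "${2:-}" ] || san="$san,URI:$2"
    cat <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ext

[ req_dn ]
CN = $1

[ v3_ext ]
subjectAltName = $san
EOF
}

# shib_keygen_example [-bf] [-e entity-id] [-g group] [-h hostname] [-n prefix]
#                     [-o output-dir] [-u user] [-y years]
# Exit status: 0 on success (or in batch mode when the files already exist),
# 1 when the files exist and neither -b nor -f was given, or if openssl fails.
shib_keygen_example() {
    batch=0 force=0 entity= group= host= prefix=sp outdir=/etc/shibboleth user= years=10
    OPTIND=1
    while getopts "bfe:g:h:n:o:u:y:" opt; do
        case $opt in
            b) batch=1 ;;
            f) force=1 ;;
            e) entity=$OPTARG ;;
            g) group=$OPTARG ;;
            h) host=$OPTARG ;;
            n) prefix=$OPTARG ;;
            o) outdir=$OPTARG ;;
            u) user=$OPTARG ;;
            y) years=$OPTARG ;;
            *) return 2 ;;
        esac
    done
    [ -n "$host" ] || host=$(hostname --fqdn 2>/dev/null || hostname)
    cert="$outdir/$prefix-cert.pem"
    key="$outdir/$prefix-key.pem"
    cnf="$outdir/openssl.cnf"   # temporary; removed once openssl has run

    if [ -f "$cert" ] || [ -f "$key" ]; then
        if [ "$force" -eq 1 ]; then
            rm -f "$cert" "$key"
        elif [ "$batch" -eq 1 ]; then
            return 0
        else
            echo "$cert or $key already exists; use -f to replace them" >&2
            return 1
        fi
    fi

    # The key is written unencrypted (-nodes) because shibd must load it at
    # startup without a passphrase, so file mode and ownership are its only
    # protection: create it under umask 077 so it is never world-readable.
    # Key size, digest and years*365 are this example's assumptions.
    gen() (
        umask 077
        openssl req -x509 -newkey rsa:3072 -nodes -sha256 \
            -days $((years * 365)) -config "$cnf" -keyout "$key" -out "$cert"
    )
    write_openssl_cnf "$host" "$entity" > "$cnf"
    status=0
    if [ "$batch" -eq 1 ]; then
        gen 2>/dev/null || status=$?      # -b: suppress openssl's stderr
    else
        gen || status=$?
    fi
    rm -f "$cnf"
    [ "$status" -eq 0 ] || return 1

    chmod 0640 "$key"
    # -u / -g: hand the key to the account shibd runs as (no-op if neither given)
    [ -z "$user$group" ] || chown "${user}:${group}" "$key"
    [ "$batch" -eq 1 ] || echo "wrote $cert and $key, valid for $years years"
    return 0
}

# When run directly with arguments, behave like the command line tool.
if [ $# -gt 0 ]; then
    shib_keygen_example "$@"
fi
```

Run as root with, for instance, `sh shib-keygen-example.sh -o /tmp/sp -h sp.example.org -e https://sp.example.org/shibboleth -u _shibd`; afterwards `openssl x509 -in /tmp/sp/sp-cert.pem -noout -text` should list both the DNS and the URI subject alternative names, and `ls -l /tmp/sp/sp-key.pem` should show mode 0640 owned by the user shibd runs as. The values chosen here (key size, digest, validity arithmetic) are the example's own; the manual page only fixes the defaults of ten years, the /etc/shibboleth directory and the sp- prefix.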
This manual page was written by Russ Allbery for Debian GNU/Linux.
Copyright 2008, 2011 Russ Allbery. This manual page is hereby placed into the
public domain by its author.