.\" -*- mode: troff; coding: utf-8 -*-
.\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "SHIB-KEYGEN.8 8"
.TH SHIB-KEYGEN.8 8 2024-03-29 3.4.1 Shibboleth
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH NAME
shib\-keygen \- Generate a key pair for a Shibboleth SP
.SH SYNOPSIS
.IX Header "SYNOPSIS"
\&\fBshib-keygen\fR [\fB\-bf\fR] [\fB\-e\fR \fIentity-id\fR] [\fB\-g\fR \fIgroup\fR] [\fB\-n\fR \fIprefix\fR]
    [\fB\-h\fR \fIhostname\fR] [\fB\-o\fR \fIoutput-dir\fR] [\fB\-u\fR \fIuser\fR] [\fB\-y\fR \fIyears\fR]
.SH DESCRIPTION
.IX Header "DESCRIPTION"
Generate a self-signed X.509 certificate for a Shibboleth SP.  By default,
the certificate will be for the local fully-qualified (as returned by
\&\f(CW\*(C`hostname \-\-fqdn\*(C'\fR) hostname.  An entity ID can be specified with the
\&\fB\-e\fR flag.  The \fBopenssl\fR command-line client is used to generate the
key pair.  By default, the public certificate will be created in
\&\fI/etc/shibboleth/sp\-cert.pem\fR and the private key in
\&\fI/etc/shibboleth/sp\-key.pem\fR.
.SH OPTIONS
.IX Header "OPTIONS"
.IP \fB\-b\fR 4
.IX Item "-b"
Batch mode: exit successfully without doing anything if \fIsp\-key.pem\fR or
\&\fIsp\-cert.pem\fR already exists, unless \fB\-f\fR was also specified.
Suppress standard error output from \fBopenssl\fR when creating the certificate.
.IP "\fB\-e\fR \fIentity-id\fR" 4
.IX Item "-e entity-id"
Add \fIentity-id\fR (which should be a URI) as an alternative name for the
certificate.
.IP \fB\-f\fR 4
.IX Item "-f"
Remove \fIsp\-cert.pem\fR and \fIsp\-key.pem\fR
before generating a new certificate.  Without this option, if those files
already exist, \fBshib-keygen\fR prints an error and exits rather than
overwriting them.
.IP "\fB\-g\fR \fIgroup\fR" 4
.IX Item "-g group"
After generating the key and certificate, change the group ownership of
the key file to this group.  By default, the group used is \f(CW\*(C`_shibd\*(C'\fR.
.IP "\fB\-h\fR \fIhostname\fR" 4
.IX Item "-h hostname"
Specify the fully-qualified domain name for which to generate a
certificate.  If this option isn't given, the hostname defaults to the
result of \f(CW\*(C`hostname \-\-fqdn\*(C'\fR.
.IP "\fB\-o\fR \fIoutput-dir\fR" 4
.IX Item "-o output-dir"
Store \fIsp\-cert.pem\fR and \fIsp\-key.pem\fR in the directory \fIoutput-dir\fR
rather than the default of \fI/etc/shibboleth\fR.
.IP "\fB\-n\fR \fIprefix\fR" 4
.IX Item "-n prefix"
Use \fIprefix\fR instead of \fIsp\fR in the name of the generated certificate
and private key file.
.IP "\fB\-u\fR \fIuser\fR" 4
.IX Item "-u user"
After generating the key and certificate, change the ownership of the key
file to this user.  This is used to allow the key to be read by a non-root
user so that \fBshibd\fR can be run as a non-root user.  By default, the
key is owned by \f(CW\*(C`_shibd\*(C'\fR.
.IP "\fB\-y\fR \fIyears\fR" 4
.IX Item "-y years"
The number of years for which the certificate should be valid.  The
default expiration time is ten years into the future.
.SH FILES
.IX Header "FILES"
.IP \fI/etc/shibboleth/sp\-cert.cnf\fR 4
.IX Item "/etc/shibboleth/sp-cert.cnf"
The OpenSSL configuration file used for generating the self-signed
certificate.  This configuration file is generated when the script is run
and deleted afterwards.
.IP \fI/etc/shibboelth/sp\-cert.pem\fR 4
.IX Item "/etc/shibboelth/sp-cert.pem"
The default location of the public certificate created by this script.
.IP \fI/etc/shibboleth/sp\-key.pem\fR 4
.IX Item "/etc/shibboleth/sp-key.pem"
The default location of the private key for the certificate created by
this script.
.PP
These three files are stored in the directory given with \fB\-o\fR instead, if
that option is given.
.SH AUTHOR
.IX Header "AUTHOR"
This manual page was written by Russ Allbery for Debian GNU/Linux.
.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2008, 2011 Russ Allbery.  This manual page is hereby placed into
the public domain by its author.