Scroll to navigation

GRID-CA-CREATE(1) Grid Community Toolkit Manual GRID-CA-CREATE(1)

NAME

grid-ca-create - Create a CA to sign certificates for use on a grid

SYNOPSIS

grid-ca-create [ -h | -help | -usage | -version | -versions ] [ -openssl-help]

grid-ca-create [ OPTIONS ] [ OPENSSL-OPTIONS ]

DESCRIPTION

The grid-ca-create program creates a self-signed CA certificate and related files needed to use the CA with other Globus tools. The grid-ca-create program prompts for information to use to generate the CA certificate, but the prompts may be avoided by using the command line options.

By default, the grid-ca-create program creates the self-signed CA certificate, installs it on the current machine in its trusted certificate directory, and creates a source tarball which can be used to generate an RPM package for the CA. If the RPM package is installed on a machine, users on that machine can create certificate requests for user, host, or service identity certificates to be signed by the CA certificate generated by running grid-ca-create.

If run as a privileged user, the grid-ca-create program creates the CA certificate and support files in the CA certificate and signing policy are installed in the /etc/grid-security directory. Otherwise, the files are

OPTIONS

The full set of command-line options to grid-ca-create follows. In addition to these, unknown options will be passed to the openssl command when creating the self-signed certificate.

-help, -h, -usage

Display the command-line options to grid-ca-create and exit.

-version, -versions

Display the version number of the grid-ca-create command. The second form includes more details.

-force

Overwrite existing CA in the destination directory if one exists.

-bits BITS

Create a CA certificate with a BITS long RSA key [4096]

-noint

Run in non-interactive mode. This will choose defaults for parameters or those specified on the command line without prompting. This option also implies -force.

-dir DIRECTORY

Create the CA in DIRECTORY. The DIRECTORY must not exist prior to running grid-ca-create.

-subject SUBJECT

Use SUBJECT as the subject name of the self-signed CA to create. If this is not specified on the command-line, grid-ca-create will default to using the subject name cn=Globus Simple CA, ou=$HOSTNAME, ou=GlobusTest, o=Grid.

-email ADDRESS

Use ADDRESS as the email address of the CA. The default instructions generated by grid-ca-create tell users to mail the certificate request to this address. If this is not specified on the command-line, grid-ca-create will default to $LOGNAME@$HOSTNAME.

-days DAYS

Set the default lifetime of the self-signed CA certificate to DAYS. If not set, the grid-ca-create program will default to 1825 days (5 years).

-pass PASSWORD

Use the string PASSWORD to protect the CA’s private key. This is useful for automating Simple CA, but may make it easier to compromise the CA if someone obtains a shell on the machine storing the CA’s private key.

-nobuild

Disable building a source tarball for distributing the CA’s public information to other machines. The source tarball can be created later by using the grid-ca-package command.

EXAMPLES

Create a simple CA in $HOME/SimpleCA:

% grid-ca-create -noint -dir $HOME/SimpleCA

C e r t i f i c a t e    A u t h o r i t y    S e t u p

This script will setup a Certificate Authority for signing Globus
users certificates.  It will also generate a simple CA package
that can be distributed to the users of the CA.

The CA information about the certificates it distributes will
be kept in:

/home/juser/SimpleCA

The unique subject name for this CA is:

cn=Globus Simple CA, ou=simpleCA-grid.example.org, ou=GlobusTest, o=Grid

Insufficient permissions to install CA into the trusted certifiicate
directory (tried ${sysconfdir}/grid-security/certificates and
${datadir}/certificates)
Creating RPM source tarball... done


  globus_simple_ca_0146c503.tar.gz

ENVIRONMENT

The following environment variables affect the execution of grid-ca-create:

GLOBUS_LOCATION

Non-standard installation path of the Grid Community Toolkit.

SEE ALSO

grid-cert-request(1), grid-ca-sign(1), grid-default-ca(1), grid-ca-package(1)

AUTHOR

Copyright © 1999-2014 University of Chicago

06/03/2020 Grid Community Toolkit 6