COROSYNC-QNETD-CERTUTIL(8)  System Manager's Manual  COROSYNC-QNETD-CERTUTIL(8)

NAME

       corosync-qnetd-certutil - tool to generate qnetd TLS certificates

SYNOPSIS

       corosync-qnetd-certutil [-i|-s] [-c certificate] [-n cluster_name]

DESCRIPTION

       corosync-qnetd-certutil is a frontend for the NSS certutil. It is used
       for generating the QNetd CA (Certificate Authority) and server
       certificate, and for signing the cluster certificate used by
       corosync-qdevice when using the model 'net'.

OPTIONS

       -i     Initialize the QNetd NSS certificate database and generate the
              QNetd CA and server certificates. The default directory for the
              database is /etc/corosync/qnetd. This directory must be
              writeable by the current user. The QNetd CA certificate is also
              exported into the file
              /etc/corosync/qnetd/nssdb/qnetd-cacert.crt.

       -s     Sign the cluster certificate. It is necessary to pass the
              cluster name (as configured in corosync.conf) and the
              certificate request file - see options below. The signed
              certificate will be written to the file
              /etc/corosync/qnetd/nssdb/cluster-$ClusterName.crt

       -c     Certificate request file to sign.

       -G     Do not set the group write bit for new files. This option has
              an effect only when used together with the -i option. It is
              useful when extended security is needed and it is viable to
              prohibit the daemon from changing its configuration. The
              expected usage is to first set the owner of the
              /etc/corosync/qnetd directory to root:$COROQNETD with
              permissions 0750 and then create the database (as root):

              # corosync-qnetd-certutil -i -G

       -n     Name of the cluster.

NOTES

       If qnetd is executed by a non-root user, /etc/corosync/qnetd and its
       subdirectories must be owned by (or have group access for) the given
       user. If corosync-qnetd-certutil is executed as root, it tries to copy
       the owner and group of /etc/corosync/qnetd to all of the created files.
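
       One way to check the layout that the -G option and the paragraph above
       describe (an added example, not part of corosync; the function name
       audit_qnetd_dir and the group name coroqnetd in the usage comment are
       assumptions, and GNU stat is assumed):

```shell
#!/bin/sh
# Added example (not part of corosync): audit the layout that -G expects.
# Usage: audit_qnetd_dir DIR OWNER GROUP   (names or numeric ids)
# Returns 0 when clean, 1 when findings were printed, 2 on bad arguments.
audit_qnetd_dir() {
    dir=$1; want_owner=$2; want_group=$3
    [ -d "$dir" ] && [ -n "$want_owner" ] && [ -n "$want_group" ] || return 2
    findings=0

    # Top-level directory: expected owner, group and exact mode 750.
    owner=$(stat -c '%U %u' "$dir")   # GNU stat assumed; "name uid"
    group=$(stat -c '%G %g' "$dir")   # "name gid"
    mode=$(stat -c '%a' "$dir")
    case " $owner " in *" $want_owner "*) ;; *)
        echo "owner: $dir is owned by ${owner% *}"; findings=1 ;; esac
    case " $group " in *" $want_group "*) ;; *)
        echo "group: $dir has group ${group% *}"; findings=1 ;; esac
    if [ "$mode" != 750 ]; then
        echo "mode: $dir is $mode, expected 750"; findings=1
    fi

    # With -G, no created file or directory carries the group write bit.
    # Symlinks are skipped because their mode bits are not meaningful.
    out=$(find "$dir" ! -type l -perm -020 -print)
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | sed 's/^/group-writable: /'; findings=1
    fi

    # Created files should carry the directory's owner and group.
    out=$(find "$dir" \( ! -user "$want_owner" -o ! -group "$want_group" \) -print)
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | sed 's/^/wrong owner or group: /'; findings=1
    fi
    return "$findings"
}

# Run the audit only when called with three arguments, e.g.
#   sh audit.sh /etc/corosync/qnetd root coroqnetd   (group name is an assumption)
if [ "$#" -eq 3 ]; then
    audit_qnetd_dir "$@"
fi
```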

SEE ALSO

       corosync-qnetd(8), corosync-qdevice(8)

AUTHOR

       Jan Friesse

                                  2016-06-28        COROSYNC-QNETD-CERTUTIL(8)