GRID-CERT-REQUEST(1)            Globus Commands            GRID-CERT-REQUEST(1)

grid-cert-request - Generate a X.509 certificate request and
corresponding private key

grid-cert-request [-help] [-h] [-?] [-usage]
                  [-version] [-versions]

grid-cert-request [-cn NAME | -commonname NAME]
                  [-dir DIRECTORY] [-prefix PREFIX]
                  [-nopw | -nodes | -nopassphrase]
                  [-ca [HASH]] [-verbose] [-interactive | -int]
                  [-force]

grid-cert-request -host FQDN [-service SERVICE] [-dns FQDN...]
                  [-ip IP-ADDRESS...]
                  [-dir DIRECTORY] [-prefix PREFIX]
                  [-ca [HASH]] [-verbose] [-interactive | -int]
                  [-force]

The grid-cert-request program generates an X.509 Certificate Request
and corresponding private key for the specified name, host, or service.
It is intended to be used with a CA implemented using the
globus_simple_ca package.

The default behavior of grid-cert-request is to generate a certificate
request and private key for the user running the command. The subject
name is derived from the gecos information in the local system's
password database, unless the -commonname, -cn, or -host command-line
options are used.

By default, grid-cert-request writes user certificate requests and keys
to the $HOME/.globus directory, and host and service certificate
requests and keys to /etc/grid-security. This can be overridden by
using the -dir command-line option.

The full set of command-line options to grid-cert-request is:

-help, -h, -?, -usage
    Display the command-line options to grid-cert-request and exit.

-version, -versions
    Display the version number of the grid-cert-request command. The
    second form includes more details.

-cn NAME, -commonname NAME
    Create a certificate request with the common name component of the
    subject set to NAME. This is used to create user identity
    certificates.

-dir DIRECTORY
    Write the certificate request and key to files in the directory
    specified by DIRECTORY.

-prefix PREFIX
    Use the string PREFIX as the base name of the certificate,
    certificate_request, and key files instead of the default. For a
    user certificate request, this would mean creating files
    $HOME/.globus/PREFIXcert_request.pem, $HOME/.globus/PREFIXcert.pem,
    and $HOME/.globus/PREFIXkey.pem.

-ca CA-HASH
    Use the certificate request configuration for the CA with the name
    hash CA-HASH instead of the default CA chosen by running
    grid-default-ca.

-verbose
    Keep the output from the OpenSSL certificate request command
    visible after it completes, instead of clearing the screen.

-interactive, -int
    Prompt for each component of the subject name of the request,
    instead of generating the common name from other command-line
    options. Note that CAs may not sign certificates for subject names
    that don't match their signing policies.

-force
    Overwrite any existing certificate request and private key with a
    new one.

-nopw, -nodes, -nopassphrase
    Create an unencrypted private key for the certificate instead of
    prompting for a passphrase. This is the default behavior for host
    or service certificates, but not recommended for user certificates.

-host FQDN
    Create a certificate request for use on a particular host. This
    option also causes the private key associated with the certificate
    request to be unencrypted. The FQDN argument to this option should
    be the fully qualified domain name of the host that will use this
    certificate. The subject name of the certificate will be derived
    from the FQDN and the service option if specified by the -service
    command-line option. If the host for the certificate has multiple
    names, then use either the -dns or -ip command-line options to add
    alternate names or addresses to the certificates.

-service SERVICE
    Create a certificate request for a particular service on a host.
    The subject name of the certificate will be derived from the FQDN
    passed as the argument to the -host command-line option and the
    SERVICE string.

-dns FQDN,...
    Create a certificate request containing a subjectAltName extension
    containing one or more host names. This is used when a certificate
    may be used by multiple virtual servers or if a host has different
    names when contacted within or outside a private network. Multiple
    DNS names can be included in the extension by separating them with
    a comma.

-ip IP-ADDRESS,...
    Create a certificate request containing a subjectAltName extension
    containing the IP addresses named by the IP-ADDRESS strings. This
    is used when a certificate may be used by services listening on
    multiple networks. Multiple IP addresses can be included in the
    extension by separating them with a comma.

Create a user certificate request:

    % grid-cert-request
    A certificate request and private key is being created.
    You will be asked to enter a PEM pass phrase.
    This pass phrase is akin to your account password,
    and is used to protect your key file.
    If you forget your pass phrase, you will need to
    obtain a new certificate.
    A private key and a certificate request has been generated with the subject:

    /O=org/OU=example/OU=grid/CN=Joe User

    If the CN=Joe User is not appropriate, rerun this
    script with the -force -cn "Common Name" options.

    Your private key is stored in /home/juser/.globus/userkey.pem
    Your request is stored in /home/juser/.globus/usercert_request.pem

    Please e-mail the request to the Example CA ca@grid.example.org
    You may use a command similar to the following:

    cat /home/juser/.globus/usercert_request.pem | mail ca@grid.example.org

    Only use the above if this machine can send AND receive e-mail. if not, please
    mail using some other method.

    Your certificate will be mailed to you within two working days.
    If you receive no response, contact Example CA at ca@grid.example.org

Create a host certificate for a host with two names.

    % grid-cert-request -host grid.example.org -dns grid.example.org,grid-internal.example.org

    A private host key and a certificate request has been generated
    with the subject:

    /O=org/OU=example/OU=grid/CN=host/grid.example.org

    ----------------------------------------------------------

    The private key is stored in /etc/grid-security/hostkey.pem
    The request is stored in /etc/grid-security/hostcert_request.pem

    Please e-mail the request to the Example CA ca@grid.example.org
    You may use a command similar to the following:

    cat /etc/grid-security/hostcert_request.pem | mail ca@grid.example.org

    Only use the above if this machine can send AND receive e-mail. if not, please
    mail using some other method.

    Your certificate will be mailed to you within two working days.
    If you receive no response, contact Example CA at
    ca@grid.example.org

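Before mailing a host request like the one above, it is worth confirming that the names given to -dns and -ip actually appear in the subjectAltName extension of the request. The shell functions below are an added example, not part of the Globus Toolkit; they assume the openssl command is installed, and csr_sans and check_sans are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not Globus code): verify the subjectAltName entries of a
# certificate request written by grid-cert-request -host ... -dns/-ip ...

# csr_sans FILE: print one SAN entry per line, e.g. "DNS:grid.example.org".
# openssl prints IP entries as "IP Address:..."; normalise them to "IP:...".
csr_sans() {
    openssl req -in "$1" -noout -text |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' |
        sed 's/^ *//; s/^IP Address:/IP:/'
}

# check_sans FILE ENTRY...: return 0 if every ENTRY is in the request,
# 1 if any is missing, 2 if FILE is not a readable certificate request.
check_sans() {
    csr=$1
    shift
    openssl req -in "$csr" -noout >/dev/null 2>&1 || {
        echo "not a certificate request: $csr"
        return 2
    }
    found=$(csr_sans "$csr")
    missing=0
    for want in "$@"; do
        # -F fixed string, -x whole line: "DNS:grid.example.org" must not
        # be satisfied by "DNS:grid.example.org.attacker.example".
        printf '%s\n' "$found" | grep -Fxq "$want" || {
            echo "missing SAN: $want"
            missing=1
        }
    done
    return $missing
}

# Typical call for the request generated above (default path from this page):
#   check_sans /etc/grid-security/hostcert_request.pem \
#       DNS:grid.example.org DNS:grid-internal.example.org
```
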
The following environment variables affect the execution of
grid-cert-request:

X509_CERT_DIR
    Path to the directory containing SSL configuration files for
    generating certificate requests.

GRID_SECURITY_DIR
    Path to the directory containing SSL configuration files for
    generating certificate requests. This value is used if
    X509_CERT_DIR is not set.

GLOBUS_LOCATION
    Path to the directory containing the Globus Toolkit. This is
    searched if neither the X509_CERT_DIR nor the GRID_SECURITY_DIR
    environment variables are set.

$HOME/.globus/usercert_request.pem
    Default path to write a user certificate request.

$HOME/.globus/usercert.pem
    Default path to write a user certificate.

$HOME/.globus/userkey.pem
    Default path to write a user private key.

/etc/grid-security/hostcert_request.pem
    Default path to write a host certificate request.

/etc/grid-security/hostcert.pem
    Default path to write a host certificate.

/etc/grid-security/hostkey.pem
    Default path to write a host private key.

TRUSTED-CERT-DIR/globus-user-ssl.conf,
TRUSTED-CERT-DIR/globus-user-ssl.conf.CA-HASH
    SSL configuration file for requesting a user certificate. The first
    form is the default location, the second form is used when the -ca
    command-line option is specified.

TRUSTED-CERT-DIR/globus-host-ssl.conf,
TRUSTED-CERT-DIR/globus-host-ssl.conf.CA-HASH
    SSL configuration file for requesting a host or service
    certificate. The first form is the default location, the second
    form is used when the -ca command-line option is specified.

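The key files listed above are protected differently: a user key is passphrase-encrypted unless -nopw is given, while a host or service key is always written unencrypted, so file permissions are its only protection. The audit below is an added example, not part of the Globus Toolkit; the function names are hypothetical, and the expectation of mode 400 or 600 is an assumption of this example rather than something this page states.

```shell
#!/bin/sh
# Added example (not Globus code): audit a private key file written by
# grid-cert-request. Prints one finding per line.

# key_is_encrypted FILE: succeed if the PEM key is passphrase-protected.
# PKCS#8 keys use a dedicated PEM label; traditional OpenSSL keys carry
# a "Proc-Type: 4,ENCRYPTED" header line instead.
key_is_encrypted() {
    grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# key_mode FILE: print the octal permission bits (GNU stat, then BSD stat).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_key FILE user|host: return 0 if no finding, 1 otherwise.
audit_key() {
    file=$1
    kind=$2
    rc=0
    [ -f "$file" ] || { echo "MISSING $file"; return 1; }

    # Assumption of this example: only the owner may read the key.
    mode=$(key_mode "$file")
    case $mode in
        400|600) ;;
        *) echo "PERMS $file has mode $mode, expected 400 or 600"; rc=1 ;;
    esac

    # Host and service keys are unencrypted by design (see -host), so
    # only a user key without a passphrase is reported.
    if [ "$kind" = user ] && ! key_is_encrypted "$file"; then
        echo "PLAINTEXT $file is a user key with no passphrase"
        rc=1
    fi
    return $rc
}

# Typical calls, using the default paths from this page:
#   audit_key "$HOME/.globus/userkey.pem" user
#   audit_key /etc/grid-security/hostkey.pem host
```
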
University of Chicago

Globus Toolkit 5.0.1                03/22/2010                GRID-CERT-REQUEST(1)