1GRID-CERT-REQUEST(1)     Grid Community Toolkit Manual    GRID-CERT-REQUEST(1)
2
3
4

NAME

6       grid-cert-request - Generate a X.509 certificate request and
7       corresponding private key
8

SYNOPSIS

10       grid-cert-request -help | -h | -? | -usage | -version | -versions
11
12       grid-cert-request [OPTIONS]
13

DESCRIPTION

15       The grid-cert-request program generates an X.509 Certificate Request
16       and corresponding private key for the specified name, host, or service.
17       It is intended to be used with a CA implemented using the
18       globus_simple_ca package.
19
20       The default behavior of grid-cert-request is to generate a certificate
21       request and private key for the user running the command. The subject
22       name is derived from the gecos information in the local system’s
23       password database, unless the -commonname, -cn, or -host command-line
24       options are used.
25
26       By default, grid-cert-request writes user certificate requests and keys
27       to the $HOME/.globus directory, and host and service certificate
28       requests and keys to /etc/grid-security. This can be overridden by
29       using the -dir command-line option.
30

OPTIONS

32       The full set of command-line options to grid-cert-request are:
33
34       -help, -h, -?, -usage
35           Display the command-line options to grid-cert-request and exit.
36
37       -version, -versions
38           Display the version number of the grid-cert-request command. The
39           second form includes more details.
40
41       -cn NAME, -commonname NAME
42           Create a certificate request with the common name component of the
43           subject set to NAME. This is used to create user identity
44           certificates.
45
46       -dir DIRECTORY
47           Write the certificate request and key to files in the directory
48           specified by DIRECTORY.
49
50       -prefix PREFIX
51           Use the string PREFIX as the base name of the certificate,
52           certificate_request, and key files instead of the default. For a
53           user certificate request, this would mean creating files
54           $HOME/.globus/'PREFIX’cert_request.pem,
55           $HOME/.globus/'PREFIX’cert.pem, and $HOME/.globus/'PREFIX’key.pem.
56
57       -ca CA-HASH
58           Use the certificate request configuration for the CA with the name
59           hash CA-HASH instead of the default CA chosen by running
60           grid-default-ca.
61
62       -verbose
63           Keep the output from the OpenSSL certificate request command
64           visible after it completes, instead of clearing the screen.
65
66       -interactive, -int
67           Prompt for each component of the subject name of the request,
68           instead of generating the common name from other command-line
69           options. Note that CAs may not sign certificates for subject names
70           that don’t match their signing policies.
71
72       -force
73           Overwrite any existing certificate request and private key with a
74           new one.
75
76       -nopw, -nodes, -nopassphrase
77           Create an unencrypted private key for the certificate instead of
78           prompting for a passphrase. This is the default behavior for host
79           or service certificates, but not recommended for user certificates.
80
81       -host FQDN
82           Create a certificate request for use on a particular host. This
83           option also causes the private key associated with the certificate
84           request to be unencrypted. The FQDN argument to this option should
85           be the fully qualified domain name of the host that will use this
86           certificate. The subject name of the certificate will be derived
87           from the FQDN and the service option if specified by the -service
88           command-line option. If the host for the certificate has multiple
89           names, then use either the -dns or -ip command-line options to add
90           alternate names or addresses to the certificates.
91
92       -service SERVICE
93           Create a certificate request for a particular service on a host.
94           The subject name of the certificate will be derived from the FQDN
95           passed as the argument to the -host command-line option and the
96           SERVICE string.
97
98       -dns FQDN,...
99           Create a certificate request containing a subjectAltName extension
100           containing one or more host names. This is used when a certificate
101           may be used by multiple virtual servers or if a host has different
102           names when contacted within or outside a private network. Multiple
103           DNS names can be included in the extension by separating then with
104           a comma.
105
106       -ip IP-ADDRESS,...
107           Create a certificate request containing a subjectAltName extension
108           containing the IP addresses named by the IP-ADDRESS strings. This
109           is used when a certificate may be used by services listening on
110           multiple networks. Multiple IP addresses can be included in the
111           extension by separating then with a comma.
112

EXAMPLES

114       Create a user certificate request: % grid-cert-request A certificate
115       request and private key is being created. You will be asked to enter a
116       PEM pass phrase. This pass phrase is akin to your account password, and
117       is used to protect your key file. If you forget your pass phrase, you
118       will need to obtain a new certificate. A private key and a certificate
119       request has been generated with the subject:
120
121           /O=org/OU=example/OU=grid/CN=Joe User
122
123           If the CN=Joe User is not appropriate, rerun this
124           script with the -force -cn "Common Name" options.
125
126           Your private key is stored in /home/juser/.globus/userkey.pem
127           Your request is stored in /home/juser/.globus/usercert_request.pem
128
129           Please e-mail the request to the Example CA ca@grid.example.org
130           You may use a command similar to the following:
131
132           cat /home/juser/.globus/usercert_request.pem | mail ca@grid.example.org
133
134           Only use the above if this machine can send AND receive e-mail. if not, please
135           mail using some other method.
136
137               Your certificate will be mailed to you within two working days.
138           If you receive no response, contact Example CA at ca@grid.example.org
139
140       Create a host certificate for a host with two names.
141
142           % *grid-cert-request -host grid.example.org -dns grid.example.org,grid-internal.example.org*
143           A private host key and a certificate request has been generated
144           with the subject:
145
146           /O=org/OU=example/OU=grid/CN=host/grid.example.org
147
148           ----------------------------------------------------------
149
150           The private key is stored in /etc/grid-security/hostkey.pem
151           The request is stored in /etc/grid-security/hostcert_request.pem
152
153           Please e-mail the request to the Example CA ca@grid.example.org
154           You may use a command similar to the following:
155
156           cat /etc/grid-security/hostcert_request.pem | mail ca@grid.example.org
157
158           Only use the above if this machine can send AND receive e-mail. if not, please
159           mail using some other method.
160
161           Your certificate will be mailed to you within two working days.
162           If you receive no response, contact Example CA at
163           ca@grid.example.org
164

ENVIRONMENT

166       The following environment variables affect the execution of
167       grid-cert-request:
168
169       X509_CERT_DIR
170           Path to the directory containing SSL configuration files for
171           generating certificate requests.
172
173       GRID_SECURITY_DIR
174           Path to the directory containing SSL configuration files for
175           generating certificate requests. This value is used if
176           X509_CERT_DIR is not set.
177
178       GLOBUS_LOCATION
179           Path to the directory containing the Grid Community Toolkit. This
180           is searched if neither the X509_CERT_DIR nor the GRID_SECURITY_DIR
181           environment variables are set.
182

FILES

184       $HOME/.globus/usercert_request.pem
185           Default path to write a user certificate request.
186
187       $HOME/.globus/usercert.pem
188           Default path to write a user certificate.
189
190       $HOME/.globus/userkey.pem
191           Default path to write a user private key.
192
193       /etc/grid-security/hostcert_request.pem
194           Default path to write a host certificate request.
195
196       /etc/grid-security/hostcert.pem
197           Default path to write a host certificate.
198
199       /etc/grid-security/hostkey.pem
200           Default path to write a host private key.
201
202       TRUSTED-CERT-DIR/globus-user-ssl.conf,
203       TRUSTED-CERT-DIR/globus-user-ssl.conf.CA-HASH
204           SSL configuration file for requesting a user certificate. The first
205           form is the default location, the second form is used when the -ca
206           command-line option is specified.
207
208       TRUSTED-CERT-DIR/globus-host-ssl.conf,
209       TRUSTED-CERT-DIR/globus-host-ssl.conf.CA-HASH
210           SSL configuration file for requesting a host or service
211           certificate. The first form is the default location, the second
212           form is used when the -ca command-line option is specified.
213

AUTHOR

215       Copyright © 1999-2014 University of Chicago
216
217
218
219Grid Community Toolkit 6          12/17/2018              GRID-CERT-REQUEST(1)
Impressum