GRID-CERT-REQUEST(1)    Grid Community Toolkit Manual    GRID-CERT-REQUEST(1)

grid-cert-request - Generate an X.509 certificate request and
corresponding private key

grid-cert-request -help | -h | -? | -usage | -version | -versions

grid-cert-request [OPTIONS]

The grid-cert-request program generates an X.509 Certificate Request
and corresponding private key for the specified name, host, or service.
It is intended to be used with a CA implemented using the
globus_simple_ca package.

The default behavior of grid-cert-request is to generate a certificate
request and private key for the user running the command. The subject
name is derived from the gecos information in the local system’s
password database, unless the -commonname, -cn, or -host command-line
options are used.

By default, grid-cert-request writes user certificate requests and keys
to the $HOME/.globus directory, and host and service certificate
requests and keys to /etc/grid-security. This can be overridden by
using the -dir command-line option.

The full set of command-line options to grid-cert-request is:

-help, -h, -?, -usage
    Display the command-line options to grid-cert-request and exit.

-version, -versions
    Display the version number of the grid-cert-request command. The
    second form includes more details.

-cn NAME, -commonname NAME
    Create a certificate request with the common name component of the
    subject set to NAME. This is used to create user identity
    certificates.

-dir DIRECTORY
    Write the certificate request and key to files in the directory
    specified by DIRECTORY.

-prefix PREFIX
    Use the string PREFIX as the base name of the certificate,
    certificate_request, and key files instead of the default. For a
    user certificate request, this would mean creating files
    $HOME/.globus/PREFIXcert_request.pem,
    $HOME/.globus/PREFIXcert.pem, and $HOME/.globus/PREFIXkey.pem.

-ca CA-HASH
    Use the certificate request configuration for the CA with the name
    hash CA-HASH instead of the default CA chosen by running
    grid-default-ca.

-verbose
    Keep the output from the OpenSSL certificate request command
    visible after it completes, instead of clearing the screen.

-interactive, -int
    Prompt for each component of the subject name of the request,
    instead of generating the common name from other command-line
    options. Note that CAs may not sign certificates for subject names
    that don’t match their signing policies.

-force
    Overwrite any existing certificate request and private key with a
    new one.

-nopw, -nodes, -nopassphrase
    Create an unencrypted private key for the certificate instead of
    prompting for a passphrase. This is the default behavior for host
    or service certificates, but not recommended for user certificates.

-host FQDN
    Create a certificate request for use on a particular host. This
    option also causes the private key associated with the certificate
    request to be unencrypted. The FQDN argument to this option should
    be the fully qualified domain name of the host that will use this
    certificate. The subject name of the certificate will be derived
    from the FQDN and, if the -service command-line option is given,
    the service name. If the host for the certificate has multiple
    names, then use either the -dns or -ip command-line options to add
    alternate names or addresses to the certificate.

-service SERVICE
    Create a certificate request for a particular service on a host.
    The subject name of the certificate will be derived from the FQDN
    passed as the argument to the -host command-line option and the
    SERVICE string.

-dns FQDN,...
    Create a certificate request with a subjectAltName extension
    containing one or more host names. This is used when a certificate
    may be used by multiple virtual servers or if a host has different
    names when contacted within or outside a private network. Multiple
    DNS names can be included in the extension by separating them with
    commas.

-ip IP-ADDRESS,...
    Create a certificate request with a subjectAltName extension
    containing the IP addresses named by the IP-ADDRESS strings. This
    is used when a certificate may be used by services listening on
    multiple networks. Multiple IP addresses can be included in the
    extension by separating them with commas.

Create a user certificate request:

    % grid-cert-request
    A certificate request and private key is being created.
    You will be asked to enter a PEM pass phrase.
    This pass phrase is akin to your account password, and
    is used to protect your key file.
    If you forget your pass phrase, you will need to obtain a new certificate.
    A private key and a certificate request has been generated with the subject:

    /O=org/OU=example/OU=grid/CN=Joe User

    If the CN=Joe User is not appropriate, rerun this
    script with the -force -cn "Common Name" options.

    Your private key is stored in /home/juser/.globus/userkey.pem
    Your request is stored in /home/juser/.globus/usercert_request.pem

    Please e-mail the request to the Example CA ca@grid.example.org
    You may use a command similar to the following:

    cat /home/juser/.globus/usercert_request.pem | mail ca@grid.example.org

    Only use the above if this machine can send AND receive e-mail. if not, please
    mail using some other method.

    Your certificate will be mailed to you within two working days.
    If you receive no response, contact Example CA at ca@grid.example.org

Create a host certificate for a host with two names:

    % grid-cert-request -host grid.example.org -dns grid.example.org,grid-internal.example.org
    A private host key and a certificate request has been generated
    with the subject:

    /O=org/OU=example/OU=grid/CN=host/grid.example.org

    ----------------------------------------------------------

    The private key is stored in /etc/grid-security/hostkey.pem
    The request is stored in /etc/grid-security/hostcert_request.pem

    Please e-mail the request to the Example CA ca@grid.example.org
    You may use a command similar to the following:

    cat /etc/grid-security/hostcert_request.pem | mail ca@grid.example.org

    Only use the above if this machine can send AND receive e-mail. if not, please
    mail using some other method.

    Your certificate will be mailed to you within two working days.
    If you receive no response, contact Example CA at
    ca@grid.example.org

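Because -host and -nopw write the private key unencrypted, file permissions are the only protection such a key has. The following check is an added example, not part of the original manual page or the toolkit: it classifies a key file as passphrase-protected, unencrypted but owner-only, or unencrypted and readable by group or others. The helper names audit_key and make_samples are hypothetical, and the sample PEM files are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of grid-cert-request): audit_key and make_samples
# are hypothetical helper names.

# Print: missing | encrypted | unencrypted-restricted | unencrypted-exposed
audit_key() {
    key=$1
    [ -f "$key" ] || { echo missing; return 0; }
    # PKCS#8 encrypted keys have their own BEGIN line; traditional OpenSSL
    # keys carry a "Proc-Type: 4,ENCRYPTED" header inside the PEM block.
    if grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$key"; then
        echo encrypted
    # Characters 5-10 of the ls -l mode string are the group and other bits.
    elif [ "$(ls -ld -- "$key" | cut -c5-10)" = "------" ]; then
        echo unencrypted-restricted
    else
        echo unencrypted-exposed
    fi
}

# Constructed sample files; the bodies are placeholders, not key material.
make_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/userkey.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,PLACEHOLDER' '' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$dir/legacykey.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END PRIVATE KEY-----' > "$dir/hostkey.pem"
    cp "$dir/hostkey.pem" "$dir/exposedkey.pem"
    chmod 600 "$dir/userkey.pem" "$dir/legacykey.pem"
    chmod 400 "$dir/hostkey.pem"
    chmod 644 "$dir/exposedkey.pem"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in userkey.pem legacykey.pem hostkey.pem exposedkey.pem nokey.pem; do
    printf '%-16s %s\n' "$f" "$(audit_key "$tmp/$f")"
done
rm -rf "$tmp"
```

On a real installation, run audit_key against $HOME/.globus/userkey.pem and /etc/grid-security/hostkey.pem after generating a request.
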
The following environment variables affect the execution of
grid-cert-request:

X509_CERT_DIR
    Path to the directory containing SSL configuration files for
    generating certificate requests.

GRID_SECURITY_DIR
    Path to the directory containing SSL configuration files for
    generating certificate requests. This value is used if
    X509_CERT_DIR is not set.

GLOBUS_LOCATION
    Path to the directory containing the Grid Community Toolkit. This
    is searched if neither the X509_CERT_DIR nor the GRID_SECURITY_DIR
    environment variables are set.

$HOME/.globus/usercert_request.pem
    Default path to write a user certificate request.

$HOME/.globus/usercert.pem
    Default path to write a user certificate.

$HOME/.globus/userkey.pem
    Default path to write a user private key.

/etc/grid-security/hostcert_request.pem
    Default path to write a host certificate request.

/etc/grid-security/hostcert.pem
    Default path to write a host certificate.

/etc/grid-security/hostkey.pem
    Default path to write a host private key.

TRUSTED-CERT-DIR/globus-user-ssl.conf,
TRUSTED-CERT-DIR/globus-user-ssl.conf.CA-HASH
    SSL configuration file for requesting a user certificate. The first
    form is the default location, the second form is used when the -ca
    command-line option is specified.

TRUSTED-CERT-DIR/globus-host-ssl.conf,
TRUSTED-CERT-DIR/globus-host-ssl.conf.CA-HASH
    SSL configuration file for requesting a host or service
    certificate. The first form is the default location, the second
    form is used when the -ca command-line option is specified.

Copyright © 1999-2014 University of Chicago

Grid Community Toolkit 6    12/17/2018    GRID-CERT-REQUEST(1)