COROSYNC-QNETD-CERTUTIL(8) System Manager's Manual COROSYNC-QNETD-CERTUTIL(8)

NAME
corosync-qnetd-certutil - tool to generate qnetd TLS certificates

SYNOPSIS
corosync-qnetd-certutil [-i|-s] [-c certificate] [-n cluster_name]

DESCRIPTION
corosync-qnetd-certutil is a frontend for the NSS certutil. It is used
for generating the QNetd CA (Certificate Authority) and server certificate,
and for signing the cluster certificate used by corosync-qdevice when using
the model 'net'.

OPTIONS
-i  Initialize the QNetd NSS certificate database and generate the
    QNetd CA and server certificates. The default directory for the
    database is /etc/corosync/qnetd. This directory must be writeable
    by the current user. The QNetd CA certificate is also exported
    into the file /etc/corosync/qnetd/nssdb/qnetd-cacert.crt.

-s  Sign the cluster certificate. It is necessary to pass the cluster
    name (as configured in corosync.conf) and the certificate request
    file (see the options below). The signed certificate will be
    written to the file /etc/corosync/qnetd/nssdb/cluster-$ClusterName.crt.

-c  Certificate request file to sign.

-G  Do not set the group write bit for new files. This option has an
    effect only when used together with the -i option. It is useful when
    extended security is needed and it is viable to prohibit the daemon
    from changing its configuration. The expected usage is to first set
    the owner of the /etc/corosync/qnetd directory to root:$COROQNETD
    with permissions 0750 and then create the database (as root):

    # corosync-qnetd-certutil -i -G

-n  Name of the cluster.

NOTES
If qnetd is executed by a non-root user, /etc/corosync/qnetd and its
subdirectories must be owned by (or have group access for) the given
user. If corosync-qnetd-certutil is executed as root, it tries to copy
the owner and group of /etc/corosync/qnetd to all of the created files.
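
The layout that -G expects (directory owned by root:$COROQNETD with mode 0750, no group write bit on the created files) can be checked after the database has been initialized. The script below is an added example, not part of corosync: the function name qnetd_audit and its arguments are hypothetical, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example (not part of corosync). qnetd_audit and its arguments are
# hypothetical names; `stat -c` assumes GNU coreutils.
#
# qnetd_audit DIR [OWNER] [GROUP]
#   DIR    configuration directory (the page's default is /etc/corosync/qnetd)
#   OWNER  expected owner of DIR (default: root)
#   GROUP  expected group of DIR, i.e. the page's $COROQNETD (skipped if empty)
# Prints one finding per line and returns 1 if anything was found.
qnetd_audit() {
    dir=$1
    owner=${2:-root}
    group=${3:-}
    findings=0

    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 1
    fi

    # The directory itself: mode 0750, owned by root:$COROQNETD.
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "750" ]; then
        echo "MODE: $dir has mode $mode, expected 750"
        findings=1
    fi
    if [ "$(stat -c '%U' "$dir")" != "$owner" ]; then
        echo "OWNER: $dir is not owned by $owner"
        findings=1
    fi
    if [ -n "$group" ] && [ "$(stat -c '%G' "$dir")" != "$group" ]; then
        echo "GROUP: $dir does not belong to group $group"
        findings=1
    fi

    # With -G no created file carries the group write bit. World-writable
    # entries are reported too (an extra check beyond what the page states).
    writable=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$writable" ]; then
        echo "$writable" | sed 's/^/WRITABLE: /'
        findings=1
    fi
    return "$findings"
}

# Run as a script: sh qnetd-audit.sh /etc/corosync/qnetd root <qnetd group>
if [ "$#" -gt 0 ]; then qnetd_audit "$@"; fi
```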

SEE ALSO
corosync-qnetd(8) corosync-qdevice(8)

AUTHOR
Jan Friesse

2016-06-28 COROSYNC-QNETD-CERTUTIL(8)