ca-scripts/doc/create-cert.txt

98 lines
4.4 KiB
Text
Raw Normal View History

# a brief man-page for create-cert.sh
# $Id: create-cert.txt 2660 2009-07-24 18:49:52Z alexeb $
NAME
create-cert.sh - generate a signed X.509 certificate
SYNOPSIS
create-cert.sh -t server [options] <hostname>
create-cert.sh -t client [options] <hostname>
create-cert.sh -t user [options] <username>
DESCRIPTION
The create-cert.sh script creates the configuration files necessary
for generating a signed X.509 certificate, creates a certificate
signing request using these configuration files, and signs that request
using the root CA key so that it is trusted by anything that has
imported the CA certificate.
OPTIONS
-h, --help
Prints out a short synopsis of the arguments that this script takes.
-t, --type {server|client|user}
This argument is mandatory. create-cert.sh can create three types of
X.509 certificate: server, client, and user. These differ in the
X.509v3 extensions present, and in the uses the certificate is trusted
for.
Server certificates are used for securing SSL/TLS services, such as
TLS-encrypted LDAP connections or SSL HTTP. In this case the <hostname>
argument is used for the Common Name in the certificate, and any
additional alternative names supplied by -n are added to the X.509v3
"SubjectAltName" extension.
Client certificates are used for authenticating to SSL/TLS services.
For the most part they will be used by automated systems to identify
and authenticate to services they interact with.
User certificates are for individuals to authenticate themselves to
SSL/TLS services in the same manner as client certificates, but they
may also be used for S/MIME e-mail encryption and code signing.
-c, --comment "COMMENT"
This argument sets the "Netscape Comment" X.509 extension.
-n, --alt-name HOSTNAME
This argument adds an alternative hostname to the "SubjectAltName"
X.509v3 extension. It may be supplied multiple times to add more than
one additional hostname.
-l, --location LOCATION
This argument sets the "Location" field of the certificate's
distinguished name. Syggested values are "Maybrook House" and
"Jackson House", but the field is freeform text.
-o, --org-unit TEAMNAME
This argument sets the "Organisational Unit" field of the certificate's
distinguished name. Ideally this should begin with "Manchester STG Lab"
for consistency's sake, for example:
Manchester STG Lab Systems and Network Infrastructure
Manchester STG Lab Testing
Manchester STG Lab Starlight Development
-e, --email EMAIL
This argument sets the "E-Mail Address" field of the certificate's
distinguished name. As per current X.509 standards this is actually
removed from the DN of the CSR and placed into the "SubjectAltName"
extension in the signed certificate. In general it should be a team
alias rather than an individual's address for server and client certs.
-r, --csr-only
This argument causes create-cert.sh to only generate a new CSR. It will
not generate the request configuration files in cfg/ unless --tpl-only
is also passed; in this case it will just create the configuration
files instead. This allows you to re-generate a CSR after manually
tweaking the configuration files.
-s, --crt-only
This argument causes create-cert.sh to only sign an existing CSR. As
with --csr-only, it will not generate extension configuration files
unless --tpl-only is also passed; again in this case it will just
create the configuration files so that you can re-sign the same CSR
with new extensions.
-t, --tpl-only
This argument modifies the behaviour of the previous two options when
passed with them, as described above. On it's own it causes
create-cert.sh to generate both sets of configuration files, but
not generate either the signing request or the signed certificate.
DEFAULTS
* The LOCATION defaults to "Maybrook House"
* The TEAM defaults to "Manchester STG Lab Systems and Network Infrastructure"
* The EMAIL defaults to "mcr_lab_lsni@wwpdl.vnet.ibm.com"
* There is no COMMENT set by default