remove outdated create-cert doc now it has been rewritten
parent
a560f2e713
commit
a8ae2ea085
1 changed files with 0 additions and 97 deletions
|
@ -1,97 +0,0 @@
|
|||
# a brief man-page for create-cert.sh
|
||||
# $Id: create-cert.txt 2660 2009-07-24 18:49:52Z alexeb $
|
||||
|
||||
NAME
|
||||
create-cert.sh - generate a signed X.509 certificate
|
||||
|
||||
SYNOPSIS
|
||||
create-cert.sh -t server [options] <hostname>
|
||||
create-cert.sh -t client [options] <hostname>
|
||||
create-cert.sh -t user [options] <username>
|
||||
|
||||
DESCRIPTION
|
||||
The create-cert.sh script creates the configuration files necessary
|
||||
for generating a signed X.509 certificate, creates a certificate
|
||||
signing request using these configuration files, and signs that request
|
||||
using the root CA key so that it is trusted by anything that has
|
||||
imported the CA certificate.
|
||||
|
||||
OPTIONS
|
||||
-h, --help
|
||||
Prints out a short synopsis of the arguments that this script takes.
|
||||
|
||||
-t, --type {server|client|user}
|
||||
This argument is mandatory. create-cert.sh can create three types of
|
||||
X.509 certificate: server, client, and user. These differ in the
|
||||
X.509v3 extensions present, and in the uses the certificate is trusted
|
||||
for.
|
||||
|
||||
Server certificates are used for securing SSL/TLS services, such as
|
||||
TLS-encrypted LDAP connections or SSL HTTP. In this case the <hostname>
|
||||
argument is used for the Common Name in the certificate, and any
|
||||
additional alternative names supplied by -n are added to the X.509v3
|
||||
"SubjectAltName" extension.
|
||||
|
||||
Client certificates are used for authenticating to SSL/TLS services.
|
||||
For the most part they will be used by automated systems to identify
|
||||
and authenticate to services they interact with.
|
||||
|
||||
User certificates are for individuals to authenticate themselves to
|
||||
SSL/TLS services in the same manner as client certificates, but they
|
||||
may also be used for S/MIME e-mail encryption and code signing.
|
||||
|
||||
-c, --comment "COMMENT"
|
||||
This argument sets the "Netscape Comment" X.509 extension.
|
||||
|
||||
-n, --alt-name HOSTNAME
|
||||
This argument adds an alternative hostname to the "SubjectAltName"
|
||||
X.509v3 extension. It may be supplied multiple times to add more than
|
||||
one additional hostname.
|
||||
|
||||
-l, --location LOCATION
|
||||
This argument sets the "Location" field of the certificate's
|
||||
distinguished name. Syggested values are "Maybrook House" and
|
||||
"Jackson House", but the field is freeform text.
|
||||
|
||||
-o, --org-unit TEAMNAME
|
||||
This argument sets the "Organisational Unit" field of the certificate's
|
||||
distinguished name. Ideally this should begin with "Manchester STG Lab"
|
||||
for consistency's sake, for example:
|
||||
|
||||
Manchester STG Lab Systems and Network Infrastructure
|
||||
Manchester STG Lab Testing
|
||||
Manchester STG Lab Starlight Development
|
||||
|
||||
-e, --email EMAIL
|
||||
This argument sets the "E-Mail Address" field of the certificate's
|
||||
distinguished name. As per current X.509 standards this is actually
|
||||
removed from the DN of the CSR and placed into the "SubjectAltName"
|
||||
extension in the signed certificate. In general it should be a team
|
||||
alias rather than an individual's address for server and client certs.
|
||||
|
||||
-r, --csr-only
|
||||
This argument causes create-cert.sh to only generate a new CSR. It will
|
||||
not generate the request configuration files in cfg/ unless --tpl-only
|
||||
is also passed; in this case it will just create the configuration
|
||||
files instead. This allows you to re-generate a CSR after manually
|
||||
tweaking the configuration files.
|
||||
|
||||
-s, --crt-only
|
||||
This argument causes create-cert.sh to only sign an existing CSR. As
|
||||
with --csr-only, it will not generate extension configuration files
|
||||
unless --tpl-only is also passed; again in this case it will just
|
||||
create the configuration files so that you can re-sign the same CSR
|
||||
with new extensions.
|
||||
|
||||
-t, --tpl-only
|
||||
This argument modifies the behaviour of the previous two options when
|
||||
passed with them, as described above. On it's own it causes
|
||||
create-cert.sh to generate both sets of configuration files, but
|
||||
not generate either the signing request or the signed certificate.
|
||||
|
||||
DEFAULTS
|
||||
* The LOCATION defaults to "Maybrook House"
|
||||
* The TEAM defaults to "Manchester STG Lab Systems and Network Infrastructure"
|
||||
* The EMAIL defaults to "mcr_lab_lsni@wwpdl.vnet.ibm.com"
|
||||
* There is no COMMENT set by default
|
||||
|
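Review bot: The removed OPTIONS section gives -t as the short form of both "-t, --type {server|client|user}" and "-t, --tpl-only", so confirm that the rewritten documentation this commit relies on does not carry the same clash over, since --type is described as mandatory and a reader cannot tell from this text which meaning -t has. The commit shows only the deletion (0 additions) and the message does not say where the rewrite lives; naming the replacement file in the commit message would let a reader check that the behaviour documented here is still covered, in particular how the server, client and user types differ in X.509v3 extensions and trusted uses, and that the e-mail address is moved from the CSR's DN into "SubjectAltName" on signing.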