# a brief man-page for create-cert.sh
# $Id: create-cert.txt 2660 2009-07-24 18:49:52Z alexeb $

NAME
       create-cert.sh - generate a signed X.509 certificate

SYNOPSIS
       create-cert.sh -t server [options]
       create-cert.sh -t client [options]
       create-cert.sh -t user [options]

DESCRIPTION
       The create-cert.sh script creates the configuration files needed to
       generate a signed X.509 certificate, builds a certificate signing
       request (CSR) from those configuration files, and signs the request
       with the root CA key, so that the resulting certificate is trusted
       by anything that has imported the CA certificate. That makes the CA
       key the trust root for every such system: whoever can run this
       script with access to the key can mint certificates all of those
       systems will accept, so the key and the generated configuration
       files in cfg/ must be protected accordingly.

OPTIONS
       -h, --help
              Print a short synopsis of the arguments this script takes.

       -t, --type {server|client|user}
              Mandatory. create-cert.sh can create three types of X.509
              certificate: server, client and user. They differ in the
              X.509v3 extensions present, and therefore in the purposes
              the certificate is trusted for.

              Server certificates secure SSL/TLS services, such as
              TLS-encrypted LDAP connections or HTTPS. For this type the
              name given on the command line is used as the certificate's
              Common Name, and any additional names supplied with -n are
              added to the X.509v3 "SubjectAltName" extension.

              Client certificates authenticate to SSL/TLS services. They
              are mostly used by automated systems to identify and
              authenticate themselves to the services they interact with.

              User certificates let individuals authenticate to SSL/TLS
              services in the same way as client certificates, but may
              also be used for S/MIME e-mail encryption and code signing.

       -c, --comment "COMMENT"
              Set the "Netscape Comment" X.509 extension.

       -n, --alt-name HOSTNAME
              Add an alternative hostname to the "SubjectAltName" X.509v3
              extension. May be given more than once to add several
              hostnames. Modern TLS clients (RFC 6125) match the hostname
              against SubjectAltName only and ignore the Common Name, so
              every name clients will connect with should be listed here,
              including the Common Name itself if the script does not
              already copy it into the extension.

       -l, --location LOCATION
              Set the "Location" field of the certificate's distinguished
              name. Suggested values are "Maybrook House" and "Jackson
              House", but the field is free-form text.

       -o, --org-unit TEAMNAME
              Set the "Organisational Unit" field of the certificate's
              distinguished name. For consistency it should begin with
              "Manchester STG Lab", for example:

                  Manchester STG Lab Systems and Network Infrastructure
                  Manchester STG Lab Testing
                  Manchester STG Lab Starlight Development

       -e, --email EMAIL
              Set the "E-Mail Address" field of the certificate's
              distinguished name. In line with current X.509 practice
              (RFC 5280 deprecates the emailAddress DN attribute in favour
              of an rfc822Name in SubjectAltName), the address is removed
              from the DN of the CSR and placed into the "SubjectAltName"
              extension of the signed certificate. For server and client
              certificates it should normally be a team alias rather than
              an individual's address.

       -r, --csr-only
              Only generate a new CSR. The request configuration files in
              cfg/ are not regenerated unless --tpl-only is also given, in
              which case only the configuration files are created. This
              lets you regenerate a CSR after hand-editing the
              configuration files.

       -s, --crt-only
              Only sign an existing CSR. As with --csr-only, the extension
              configuration files are not regenerated unless --tpl-only is
              also given, in which case only the configuration files are
              created, so that the same CSR can be re-signed with new
              extensions.

       -t, --tpl-only
              Modifies the behaviour of the two previous options when
              passed together with them, as described above. On its own it
              generates both sets of configuration files but neither the
              signing request nor the signed certificate. Note that the
              short form listed here is the same letter as --type; use the
              long form --tpl-only to avoid ambiguity.

DEFAULTS
       * LOCATION defaults to "Maybrook House"
       * TEAMNAME defaults to "Manchester STG Lab Systems and Network
         Infrastructure"
       * EMAIL defaults to "mcr_lab_lsni@wwpdl.vnet.ibm.com"
       * No COMMENT is set by default
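The following POSIX shell script is an added example, not the original create-cert.sh or any of its templates. It performs the same three steps the DESCRIPTION and OPTIONS sections describe with plain openssl(1): write a type-specific X.509v3 extension section (server, client or user), generate a key and a CSR whose DN carries only L, OU and CN, sign the CSR with a CA key while applying those extensions, and then verify the result the way a relying party would. The CA is a throwaway root generated on the spot, and the example.test hostnames, the lab-infra@example.test alias and the "Example Lab" names are constructed. The extension choices (serverAuth for server certificates, clientAuth for client certificates, clientAuth plus emailProtection and codeSigning for user certificates, and the e-mail address placed in SubjectAltName rather than the DN) are assumptions that follow the uses the man page lists, not the script's real cfg/ templates.

```shell
#!/bin/sh
# Added example, not the original create-cert.sh: the three steps the
# script automates (extension config, CSR, CA signature) using openssl(1).
# The throwaway CA, example.test names and e-mail alias are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_KEY=$WORK/ca.key; CA_CRT=$WORK/ca.crt

# Defaults mirroring the DEFAULTS section (the e-mail alias is constructed).
LOCATION=${LOCATION:-"Maybrook House"}
ORG_UNIT=${ORG_UNIT:-"Manchester STG Lab Systems and Network Infrastructure"}
EMAIL=${EMAIL:-"lab-infra@example.test"}
COMMENT=${COMMENT:-""}

# Minimal request config: -subj supplies the DN, so [dn] stays empty.
# [v3_ca] is used only for the throwaway root below.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed root CA (constructed; a real deployment reuses its own CA).
make_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 30 \
        -keyout "$CA_KEY" -out "$CA_CRT" -extensions v3_ca \
        -subj "/O=Example Lab/CN=Example Lab Root CA" \
        -config "$WORK/req.cnf" 2>/dev/null
}

# Step 1: write the X.509v3 extension section for one certificate type.
#   $1 = server|client|user   $2 = common name   $3.. = extra DNS SANs
write_ext_cfg() {
    type=$1; name=$2; shift 2
    cfg=$WORK/$name.$type.ext.cnf
    san=
    {
        printf '[ v3_%s ]\n' "$type"
        printf 'basicConstraints = CA:FALSE\n'
        printf 'keyUsage = critical, digitalSignature, keyEncipherment\n'
        [ -n "$COMMENT" ] && printf 'nsComment = "%s"\n' "$COMMENT"
        case $type in
        server)
            san="DNS:$name"   # CN repeated: TLS clients match SANs, not the CN
            for alt in "$@"; do san="$san, DNS:$alt"; done
            printf 'extendedKeyUsage = serverAuth\n' ;;
        client) printf 'extendedKeyUsage = clientAuth\n' ;;
        user)   printf 'extendedKeyUsage = clientAuth, emailProtection, codeSigning\n' ;;
        *)      echo "unknown certificate type: $type" >&2; return 2 ;;
        esac
        # The e-mail address goes into SubjectAltName, never into the DN.
        printf 'subjectAltName = %s\n' "${san:+$san, }email:$EMAIL"
    } > "$cfg"
    echo "$cfg"
}

# Steps 2 and 3: key + CSR (DN carries only L, OU and CN), then the CA
# signature with the type's extensions. Prints the certificate path.
make_cert() {
    type=$1; name=$2; shift 2
    ext=$(write_ext_cfg "$type" "$name" "$@")
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "/L=$LOCATION/OU=$ORG_UNIT/CN=$name" \
        -config "$WORK/req.cnf" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
        -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
        -extfile "$ext" -extensions "v3_$type" -out "$WORK/$name.crt" 2>/dev/null
    echo "$WORK/$name.crt"
}

# True if the decoded certificate text contains $2, e.g. 'DNS:ldap'.
cert_has() { openssl x509 -in "$1" -noout -text | grep -q -- "$2"; }

# Relying-party check: chains to the CA and carries the extended key
# usage its type promises.  $1 = cert path  $2 = type
check_cert() {
    openssl verify -CAfile "$CA_CRT" "$1" >/dev/null 2>&1 || return 1
    case $2 in
    server) cert_has "$1" 'TLS Web Server Authentication' ;;
    client) cert_has "$1" 'TLS Web Client Authentication' ;;
    user)   cert_has "$1" 'Code Signing' ;;
    *)      return 2 ;;
    esac
}

# Demonstration: one certificate of each type (skipped without openssl).
if command -v openssl >/dev/null 2>&1; then
    make_ca
    SERVER_CRT=$(make_cert server ldap.example.test ldap directory.example.test)
    CLIENT_CRT=$(make_cert client backup-agent.example.test)
    USER_CRT=$(make_cert user jdoe)
    check_cert "$SERVER_CRT" server && check_cert "$CLIENT_CRT" client &&
        check_cert "$USER_CRT" user && echo "all three certificates verify"
fi
```

Because the extensions are applied at signing time from the extfile, re-running only the openssl x509 -req step with an edited extension file re-signs the same CSR with new extensions, which is the situation --crt-only together with --tpl-only is meant for. check_cert does what a relying party does: it chains the certificate to the CA and then confirms the extended key usage, so a client certificate presented as a server certificate fails the check even though its signature is valid.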