Provided by: globus-simple-ca_3.5-1_all

NAME

       grid-ca-create - Create a CA to sign certificates for use on a grid

SYNOPSIS

       grid-ca-create [-help] [-h] [-usage] [-version] [-versions]

       grid-ca-create [-force] [-noint] [-dir DIRECTORY]
                      [-subject SUBJECT] [-email ADDRESS] [-days DAYS] [-pass PASSWORD]
                      [-nobuild] [-g] [-b]
                      [-openssl-help] [OPENSSL-OPTIONS]

DESCRIPTION

       The grid-ca-create program creates a self-signed CA certificate and related files needed
       to use the CA with other Globus tools. The grid-ca-create program prompts for information
       to use to generate the CA certificate, but the prompts may be avoided by using the command
       line options.

       By default, the grid-ca-create program creates the self-signed CA certificate, installs it
       on the current machine in its trusted certificate directory, and creates a source tarball
       which can be used to generate an RPM package for the CA. If the RPM package is installed
       on a machine, users on that machine can create certificate requests for user, host, or
       service identity certificates to be signed by the CA certificate generated by running
       grid-ca-create.

       If run as a privileged user, the grid-ca-create program creates the CA certificate and
       support files in ${localstatedir}/lib/globus/simple_ca and the CA certificate and signing
       policy are installed in the /etc/grid-security directory. Otherwise, the files are created
       in the ${HOME}/.globus/simpleCA directory.

       The full set of command-line options to grid-ca-create follows. In addition to these,
       unknown options will be passed to the openssl command when creating the self-signed
       certificate.

       -help, -h, -usage
           Display the command-line options to grid-ca-create and exit.

       -version, -versions
           Display the version number of the grid-ca-create command. The second form includes
           more details.

       -force
           Overwrite an existing CA in the destination directory if one exists.

       -noint
           Run in non-interactive mode. Parameters take their default values, or the values
           specified on the command line, without prompting. This option also implies -force.

       -dir DIRECTORY
           Create the CA in DIRECTORY. The DIRECTORY must not exist prior to running
           grid-ca-create.

       -subject SUBJECT
           Use SUBJECT as the subject name of the self-signed CA to create. If this is not
           specified on the command-line, grid-ca-create will default to using the subject name
           cn=Globus Simple CA, ou=$HOSTNAME, ou=GlobusTest, o=Grid.

       -email ADDRESS
           Use ADDRESS as the email address of the CA. The default instructions generated by
           grid-ca-create tell users to mail the certificate request to this address. If this is
           not specified on the command-line, grid-ca-create will default to
           $LOGNAME@$HOSTNAME.

       -days DAYS
           Set the default lifetime of the self-signed CA certificate to DAYS. If not set, the
           grid-ca-create program will default to 1825 days (5 years).

       -pass PASSWORD
           Use the string PASSWORD to protect the CA's private key. This is useful for automating
           Simple CA, but may make it easier to compromise the CA if someone obtains a shell on
           the machine storing the CA's private key.

       -nobuild
           Disable building a source tarball for distributing the CA's public information to
           other machines. The source tarball can be created later by using the grid-ca-package
           command.

       -g
           Create a binary GPT package containing the new CA's public information. The package
           will be created in the current working directory. This package can be deployed with
           the gpt-install tool.

       -b
           Create a binary GPT package containing the new CA's public information that is
           backward-compatible with GPT 3.2. Packages created in this manner will work with
           Globus Toolkit 2.0.0-5.0.x.

EXAMPLES

       Create a simple CA in $HOME/SimpleCA

           % grid-ca-create -noint -dir $HOME/SimpleCA

               C e r t i f i c a t e    A u t h o r i t y    S e t u p

               This script will setup a Certificate Authority for signing Globus
               users certificates.  It will also generate a simple CA package
               that can be distributed to the users of the CA.

               The CA information about the certificates it distributes will
               be kept in:

               /home/juser/SimpleCA

               The unique subject name for this CA is:

               cn=Globus Simple CA, ou=simpleCA-grid.example.org, ou=GlobusTest, o=Grid

               Insufficient permissions to install CA into the trusted certifiicate
               directory (tried ${sysconfdir}/grid-security/certificates and
               ${datadir}/certificates)
               Creating RPM source tarball... done
                 globus_simple_ca_0146c503.tar.gz
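
       Audit the private keys in a CA directory created with -dir. The script below is an
       added example, not part of Simple CA or of the original page: it reports key files
       that are readable by group or other, or that carry no passphrase (the risk noted
       under -pass). Key files are found by PEM header, so no Simple CA file names are
       assumed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of Simple CA: audit a directory created with
# `grid-ca-create -dir DIRECTORY`. Key files are located by their PEM
# header, so no Simple CA file names are assumed.

# List every file under $1 that contains a PEM private key.
find_private_keys() {
    find "$1" -type f -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null
}

# True if the key is passphrase-protected (PKCS#8 or traditional PEM form).
key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# True if group or other holds any permission bit on the file.
key_is_exposed() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# Print one finding per line; the return status is the number of findings.
audit_ca_dir() {
    findings=0
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        if key_is_exposed "$key"; then
            echo "EXPOSED $key"; findings=$((findings + 1))
        fi
        if ! key_is_encrypted "$key"; then
            echo "UNENCRYPTED $key"; findings=$((findings + 1))
        fi
    done <<EOF
$(find_private_keys "$1")
EOF
    return "$findings"
}

# Constructed sample: a CA directory holding one unprotected, world-readable key.
make_sample_dir() {
    d=$(mktemp -d) && mkdir "$d/private" || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' \
        '-----END RSA PRIVATE KEY-----' > "$d/private/sample.pem"
    chmod 644 "$d/private/sample.pem"
    echo "$d"
}

# Usage: sh audit.sh DIRECTORY   (with no argument, only defines the functions)
[ "$#" -eq 0 ] || audit_ca_dir "$1"
```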

ENVIRONMENT VARIABLES

       The following environment variables affect the execution of grid-ca-create:

       GLOBUS_LOCATION
           Non-standard installation path of the Globus toolkit.

SEE ALSO

       grid-cert-request(1), grid-ca-sign(1), grid-default-ca(1), grid-ca-package(1)

AUTHOR

       University of Chicago