Provided by: shibboleth-sp2-utils_2.5.3+dfsg-2.1build1_amd64

NAME

       shib-keygen - Generate a key pair for a Shibboleth SP

SYNOPSIS

       shib-keygen [-bf] [-e entity-id] [-g group]
           [-h hostname] [-o output-dir] [-u user] [-y years]

DESCRIPTION

       Generate a self-signed X.509 certificate for a Shibboleth SP.  By default, the certificate is issued
       for the local fully-qualified hostname (as returned by "hostname --fqdn").  An entity ID can be
       specified with the -e flag.  The openssl command-line client is used to generate the key pair.  By
       default, the public certificate is created in /etc/shibboleth/sp-cert.pem and the private key in
       /etc/shibboleth/sp-key.pem.

OPTIONS

       -b  Suppress all standard error output when creating the certificate.  This option is normally only used
           by the package build.

       -e entity-id
           Add entity-id (which should be a URI) as an alternative name for the certificate.

       -f  Remove /etc/shibboleth/sp-cert.pem and /etc/shibboleth/sp-key.pem before generating a new
           certificate.  Without this option, if those files already exist, shib-keygen prints an error and
           exits rather than overwriting them.

       -g group
           After generating the key and certificate, change the group ownership of the key file to this group.
           By default, the group used is "_shibd".

       -h hostname
           Specify the fully-qualified domain name for which to generate a certificate.  If this option isn't
           given, the hostname defaults to the result of "hostname --fqdn".

       -o output-dir
           Store sp-cert.pem and sp-key.pem in the directory output-dir rather than the default of
           /etc/shibboleth.

       -u user
           After generating the key and certificate, change the ownership of the key file to this user.  This
           allows the key to be read by a non-root user so that shibd can be run as a non-root user.  By
           default, the key is owned by "_shibd".

       -y years
           The number of years for which the certificate should be valid.  The default expiration time is ten
           years into the future.

FILES

       /etc/shibboleth/sp-cert.cnf
           The OpenSSL configuration file used for generating the self-signed certificate.  This configuration
           file is generated when the script is run and deleted afterwards.

       /etc/shibboleth/sp-cert.pem
           The default location of the public certificate created by this script.

       /etc/shibboleth/sp-key.pem
           The default location of the private key for the certificate created by this script.

       If the -o option is given, these three files are stored in the directory given with -o instead.
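
       The following is an added example, not part of shib-keygen or of the original manual page: a
       post-generation audit of the key ownership set by -u/-g, the validity period set by -y, and the
       entity ID added by -e.  The function names, the list of accepted key modes and the 30-day expiry
       window are assumptions chosen for the example; it relies on GNU stat and the openssl CLI.

```shell
#!/bin/sh
# Added example, not part of shib-keygen. Assumes GNU stat and the openssl CLI.
# Function names, the accepted-mode list and the 30-day window are assumptions.

# key_perms_ok FILE USER GROUP
# Succeed only if FILE is owned by USER:GROUP and its mode grants nothing
# to "other" and at most read access to the group.
key_perms_ok() {
    [ -f "$1" ] || { echo "missing key: $1" >&2; return 2; }
    owner=$(stat -c '%U:%G' "$1") || return 2
    mode=$(stat -c '%a' "$1") || return 2
    if [ "$owner" != "$2:$3" ]; then
        echo "$1: owner is $owner, expected $2:$3" >&2; return 1
    fi
    case $mode in
        400|600|440|640) return 0 ;;
        *) echo "$1: mode $mode is too permissive" >&2; return 1 ;;
    esac
}

# cert_valid_for FILE DAYS
# Succeed if the certificate will still be valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# cert_has_entity_id FILE URI
# Succeed if URI is present as an exact URI subjectAltName entry,
# which is where the -e option places the entity ID.
cert_has_entity_id() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed 's/^ *//' |
        grep -Fxq "URI:$2"
}

# audit_sp DIR USER GROUP [ENTITY-ID]: run every check, return 1 if any fails.
audit_sp() {
    rc=0
    key_perms_ok "$1/sp-key.pem" "$2" "$3" || rc=1
    cert_valid_for "$1/sp-cert.pem" 30 ||
        { echo "$1/sp-cert.pem: expires within 30 days" >&2; rc=1; }
    if [ -n "${4:-}" ]; then
        cert_has_entity_id "$1/sp-cert.pem" "$4" ||
            { echo "$1/sp-cert.pem: entity ID $4 not in SAN" >&2; rc=1; }
    fi
    return $rc
}

# With the defaults documented above: sh audit.sh /etc/shibboleth _shibd _shibd
if [ $# -gt 0 ]; then audit_sp "$@"; fi
```

       A non-zero exit status means at least one check failed; the reason is printed on standard error.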

AUTHOR

       This manual page was written by Russ Allbery for Debian GNU/Linux.

COPYRIGHT

       Copyright 2008, 2011 Russ Allbery.  This manual page is hereby placed into the public domain by its
       author.

2.5.3                                              2015-03-20                                     SHIB-KEYGEN(8)