GRID-CA-CREATE(1)
=================
:doctype:      manpage
:man source:   Globus Toolkit
:man version:  6
:man manual:   Globus Toolkit Manual
:man software: Globus Toolkit

NAME
----
grid-ca-create - Create a CA to sign certificates for use on a grid

[[grid-ca-create-SYNOPSIS]]
SYNOPSIS
--------
*grid-ca-create* [ -h | -help | -usage | -version | -versions ] [ -openssl-help ]

*grid-ca-create* [ OPTIONS ] [ OPENSSL-OPTIONS ]

[[grid-ca-create-DESCRIPTION]]
DESCRIPTION
-----------
The *grid-ca-create* program creates a self-signed CA certificate and related
files needed to use the CA with other Globus tools. The *grid-ca-create*
program prompts for information to use to generate the CA certificate, but the
prompts may be avoided by using the command line options.

By default, the *grid-ca-create* program creates the self-signed CA
certificate, installs it on the current machine in its trusted certificate
directory, and creates a source tarball which can be used to generate an RPM
package for the CA. If the RPM package is installed on a machine, users on that
machine can create certificate requests for user, host, or service identity
certificates to be signed by the CA certificate generated by running
*grid-ca-create*.

If run as a privileged user, the *grid-ca-create* program creates the CA
certificate and support files in
+'${localstatedir}'/lib/globus/simple_ca+ and
installs the CA certificate and signing policy in the
+/etc/grid-security+ directory. Otherwise, the files are
created in the +'${HOME}'/.globus/simpleCA+ directory.

[[grid-ca-create-OPTIONS]]
OPTIONS
-------
The full set of command-line options to *grid-ca-create* follows. In addition to
these, unknown options will be passed to the `openssl`
command when creating the self-signed certificate. 

*-help, -h, -usage*::
    Display the command-line options to *grid-ca-create* and exit.

*-version, -versions*::
    Display the version number of the *grid-ca-create* command. The second form
    includes more details.

*-force*::
    Overwrite the existing CA in the destination directory if one exists.

*-bits BITS*::
    Create a CA certificate with a BITS-bit RSA key. The default is 4096.

*-noint*::
    Run in non-interactive mode. Without prompting, this uses the values
    specified on the command line and chooses defaults for all other
    parameters. This option also implies '-force'.

*-dir 'DIRECTORY'*::
    Create the CA in 'DIRECTORY'. The 'DIRECTORY' must not exist prior to
    running *grid-ca-create*.

*-subject 'SUBJECT'*::
    Use 'SUBJECT' as the subject name of the self-signed CA to create. If this
    is not specified on the command-line, *grid-ca-create* will default to
    using the subject name +cn=Globus Simple CA, ou=$HOSTNAME, ou=GlobusTest, o=Grid+.

*-email 'ADDRESS'*::
    Use 'ADDRESS' as the email address of the CA. The default instructions
    generated by *grid-ca-create* tell users to mail the certificate request to
    this address. If this is not specified on the command-line,
    *grid-ca-create* will default to `$LOGNAME@$HOSTNAME`.

*-days 'DAYS'*::
    Set the default lifetime of the self-signed CA certificate to
    'DAYS'. If not set, the *grid-ca-create* program will default to 
    `1825` days (5 years).

*-pass 'PASSWORD'*::
    Use the string 'PASSWORD' to protect the CA's private
    key. This is useful for automating Simple CA, but may make it easier to
    compromise the CA if someone obtains a shell on the machine storing the
    CA's private key.

*-nobuild*::
    Disable building a source tarball for distributing the CA's public
    information to other machines. The source tarball can be created later by
    using the *grid-ca-package* command.

*-g*::
    Create a binary GPT package containing the new CA's public information. The
    package will be created in the current working directory. This package can
    be deployed with the *gpt-install* tool.

*-b*::
    Create a binary GPT package containing the new CA's public information that
    is backward-compatible with GPT 3.2. Packages created in this manner will
    work with Globus Toolkit 2.0.0-5.0.x.
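
The risk noted for '-pass' can be checked for in automation. The following is an added example, not part of the Globus Toolkit: it flags scripts that hard-code a '-pass' value and verifies that a CA key file is encrypted and owner-only. The function names, the sample script, the password `hunter2`, and the key file are constructed for illustration; pass in the real paths for your CA.

```shell
#!/bin/sh
# Added example: checks for automation that uses grid-ca-create -pass.

# List (with line numbers) grid-ca-create calls in FILE whose -pass value
# is a literal string rather than a variable or command substitution.
find_literal_pass() {
    grep -nE 'grid-ca-create[[:space:]](.*[[:space:]])?-pass[[:space:]]+"?[^$"`[:space:]]' "$1"
}

# Succeed only if the PEM key FILE is passphrase-encrypted and has no
# group/other permission bits. Returns 1 on a finding, 2 if FILE is missing.
key_is_protected() {
    [ -f "$1" ] || return 2
    # Markers of an encrypted key in PKCS#8 and traditional PEM encodings.
    grep -qE '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1" || return 1
    # ls mode string, e.g. -rw-------: characters 5-10 are group and other.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample data (not from a real CA): a provisioning script and
# a stand-in key file containing only a PEM header line.
demo_dir=$(mktemp -d)
cat > "$demo_dir/provision.sh" <<'EOF'
grid-ca-create -noint -dir "$HOME/SimpleCA" -pass hunter2
grid-ca-create -noint -pass "$CA_PASS" -days 365
grid-ca-create -noint -bits 4096
EOF
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' > "$demo_dir/key.pem"
chmod 644 "$demo_dir/key.pem"

echo "Literal -pass values:"
find_literal_pass "$demo_dir/provision.sh"
key_is_protected "$demo_dir/key.pem" || echo "key.pem: unencrypted or readable by others"
chmod 600 "$demo_dir/key.pem"
key_is_protected "$demo_dir/key.pem" && echo "key.pem: encrypted, owner-only"
```

A value supplied through a variable still appears in the argument list of the running *grid-ca-create* process, so the first check only catches passwords stored in the script itself.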

[[grid-ca-create-EXAMPLES]]
EXAMPLES
--------
Create a simple CA in +$HOME/SimpleCA+:

    % grid-ca-create -noint -dir $HOME/SimpleCA

    C e r t i f i c a t e    A u t h o r i t y    S e t u p
    
    This script will setup a Certificate Authority for signing Globus
    users certificates.  It will also generate a simple CA package
    that can be distributed to the users of the CA.
    
    The CA information about the certificates it distributes will
    be kept in:
    
    /home/juser/SimpleCA
    
    The unique subject name for this CA is:
    
    cn=Globus Simple CA, ou=simpleCA-grid.example.org, ou=GlobusTest, o=Grid
    
    Insufficient permissions to install CA into the trusted certifiicate
    directory (tried ${sysconfdir}/grid-security/certificates and
    ${datadir}/certificates)
    Creating RPM source tarball... done
      globus_simple_ca_0146c503.tar.gz

[[grid-ca-create-ENVIRONMENT]]
ENVIRONMENT
-----------
The following environment variables affect the execution of *grid-ca-create*:

`GLOBUS_LOCATION`::
    Non-standard installation path of the Globus toolkit.

[[grid-ca-create-SEEALSO]]
SEE ALSO
--------
grid-cert-request(1), grid-ca-sign(1), grid-default-ca(1), grid-ca-package(1)

[[grid-ca-create-AUTHOR]]
AUTHOR
------
Copyright (C) 1999-2014 University of Chicago
