logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

shib-keygen - Generate a key pair for a Shibboleth SP

Contents

Author

       This manual page was written by Russ Allbery for Debian GNU/Linux.

Description

       Generate a self-signed X.509 certificate for a Shibboleth SP.  By default, the certificate will be for
       the local fully-qualified (as returned by "hostname --fqdn") hostname.  An entity ID can be specified
       with the -e flag.  The openssl command-line client is used to generate the key pair.  By default, the
       public certificate will be created in /etc/shibboleth/sp-cert.pem and the private key in
       /etc/shibboleth/sp-key.pem.

Files

/etc/shibboleth/sp-cert.cnf
           The OpenSSL configuration file used for generating the self-signed certificate.   This  configuration
           file is generated when the script is run and deleted afterwards.

       /etc/shibboelth/sp-cert.pem
           The default location of the public certificate created by this script.

       /etc/shibboleth/sp-key.pem
           The default location of the private key for the certificate created by this script.

       These three files are stored in the directory given with -o instead, if that option is given.

Name

       shib-keygen - Generate a key pair for a Shibboleth SP

Options

-b  Batch  mode:  exit  successfully  without doing anything if sp-key.pem or sp-cert.pem already exists,
           unless -f was also specified.   Suppress  standard  error  output  from  openssl  when  creating  the
           certificate.

       -eentity-id
           Add entity-id (which should be a URI) as an alternative name for the certificate.

       -f  Remove sp-cert.pem and sp-key.pem before generating a new certificate.  Without this option, if those
           files already exist, shib-keygen prints an error and exits rather than overwriting them.

       -ggroup
           After  generating  the key and certificate, change the group ownership of the key file to this group.
           By default, the group used is "_shibd".

       -hhostname
           Specify the fully-qualified domain name for which to generate a certificate.  If  this  option  isn't
           given, the hostname defaults to the result of "hostname --fqdn".

       -ooutput-dir
           Store   sp-cert.pem   and  sp-key.pem  in  the  directory  output-dir  rather  than  the  default  of
           /etc/shibboleth.

       -nprefix
           Use prefix instead of sp in the name of the generated certificate and private key file.

       -uuser
           After generating the key and certificate, change the ownership of the key file to this user.  This is
           used to allow the key to be read by a non-root user so that shibd can be run as a non-root user.   By
           default, the key is owned by "_shibd".

       -yyears
           The  number  of  years for which the certificate should be valid.  The default expiration time is ten
           years into the future.

Synopsis

shib-keygen [-bf] [-eentity-id] [-ggroup] [-nprefix]
           [-hhostname] [-ooutput-dir] [-uuser] [-yyears]

See Also

Certificate
Certificate PNG Icons
Man Pages
defaults Man Pages
Man Pages
shibd Man Pages
Man Pages
cert Man Pages
Man Pages
booth Man Pages
Filing
Filing PNG Icons
Man Pages
shib Man Pages
Man Pages
generate Man Pages
✳️
Eight Spoked Asterisk Emojis
← View System admin Category← Back to Network service daemons🙏  Credits & Acknowledgments