shib−keygen − Generate a key pair for a Shibboleth SP
shib-keygen [−bf] [−e entity-id] [−g group] [−n prefix]
[−h hostname] [−o output-dir] [−u user] [−y years]
Generate a self-signed X.509 certificate for a Shibboleth SP. By default, the certificate will be for the local fully-qualified (as returned by "hostname −−fqdn") hostname. An entity ID can be specified with the −e flag. The openssl command-line client is used to generate the key pair. By default, the public certificate will be created in /etc/shibboleth/sp−cert.pem and the private key in /etc/shibboleth/sp−key.pem.
−b |
Batch mode: exit successfully without doing anything if sp−key.pem or sp−cert.pem already exists, unless −f was also specified. Suppress standard error output from openssl when creating the certificate. |
−e entity-id
Add entity-id (which should be a URI ) as an alternative name for the certificate.
−f |
Remove sp−cert.pem and sp−key.pem before generating a new certificate. Without this option, if those files already exist, shib-keygen prints an error and exits rather than overwriting them. |
−g group
After generating the key and certificate, change the group ownership of the key file to this group. By default, the group used is "_shibd".
−h hostname
Specify the fully-qualified domain name for which to generate a certificate. If this option isn’t given, the hostname defaults to the result of "hostname −−fqdn".
−o output-dir
Store sp−cert.pem and sp−key.pem in the directory output-dir rather than the default of /etc/shibboleth.
−n prefix
Use prefix instead of sp in the name of the generated certificate and private key file.
−u user
After generating the key and certificate, change the ownership of the key file to this user. This is used to allow the key to be read by a non-root user so that shibd can be run as a non-root user. By default, the key is owned by "_shibd".
−y years
The number of years for which the certificate should be valid. The default expiration time is ten years into the future.
/etc/shibboleth/sp−cert.cnf
The OpenSSL configuration file used for generating the self-signed certificate. This configuration file is generated when the script is run and deleted afterwards.
/etc/shibboelth/sp−cert.pem
The default location of the public certificate created by this script.
/etc/shibboleth/sp−key.pem
The default location of the private key for the certificate created by this script.
These three files are stored in the directory given with −o instead, if that option is given.
This manual page was written by Russ Allbery for Debian GNU/Linux.
Copyright 2008, 2011 Russ Allbery. This manual page is hereby placed into the public domain by its author.