3.2.2. RHN SSL Maintenance Tool Options
The RHN SSL Maintenance Tool offers a plethora of command line options for generating your Certificate Authority SSL key pair and managing your server SSL certificates and keys. The tool offers essentially three command line option help listings: `rhn-ssl-tool --help` (general), `rhn-ssl-tool --gen-ca --help` (Certificate Authority), and `rhn-ssl-tool --gen-server --help` (Web server). The manual page for rhn-ssl-tool is also quite detailed and available to assist: `man rhn-ssl-tool`.
The two tables below break down the options by their related task, either CA or Web server SSL key set generation.
This set of options must be preceded by the `--gen-ca` argument:
| Option | Description |
|---|---|
| --gen-ca | Generate a Certificate Authority (CA) key pair and public RPM. This must be issued with any of the remaining options in this table. |
| -h, --help | Display the help screen with a list of base options specific to generating and managing a Certificate Authority. |
| -f, --force | Forcibly create a new CA private key and/or public certificate. |
| -p=, --password=PASSWORD | The CA password. You will be prompted for this if it is missing. Record it in a safe manner. |
| -d=, --dir=BUILD_DIRECTORY | Required for most commands. The directory where certificates and RPMs are built. The default is ./ssl-build. |
| --ca-key=FILENAME | The CA private key filename. The default is RHN-ORG-PRIVATE-SSL-KEY. |
| --ca-cert=FILENAME | The CA public certificate filename. The default is RHN-ORG-TRUSTED-SSL-CERT. |
| --cert-expiration=CA_CERT_EXPIRE | The expiration date of the public CA certificate. The default is the number of days until one day prior to epoch rollover (01-18-2038). |
| --set-country=COUNTRY_CODE | The two-letter country code. The default is US. |
| --set-state=STATE_OR_PROVINCE | The state or province of the CA. The default is ''. |
| --set-city=CITY_OR_LOCALITY | The city or locality. The default is ''. |
| --set-org=ORGANIZATION | The company or organization, such as Red Hat. The default is Example Corp. Inc. |
| --set-org-unit=SET_ORG_UNIT | The organizational unit, such as RHN. The default is ''. |
| --set-common-name=HOSTNAME | The common name. Not typically set for the CA. |
| --set-email=EMAIL | The email address. Not typically set for the CA. |
| --rpm-packager=PACKAGER | Packager of the generated RPM, such as "RHN Admin (rhn-admin@example.com)". |
| --rpm-vendor=VENDOR | Vendor of the generated RPM, such as "IS/IT Example Corp." |
| -v, --verbose | Display verbose messaging. Cumulative: each additional "v" increases the level of detail. |
| --ca-cert-rpm=CA_CERT_RPM | Rarely changed. RPM name that houses the CA certificate (the base filename, not filename-version-release.noarch.rpm). |
| --key-only | Rarely used. Generate only a CA private key. Review `--gen-ca --key-only --help` for more information. |
| --cert-only | Rarely used. Generate only a CA public certificate. Review `--gen-ca --cert-only --help` for more information. |
| --rpm-only | Rarely used. Generate only an RPM for deployment. Review `--gen-ca --rpm-only --help` for more information. |
| --no-rpm | Rarely used. Conduct all CA-related steps except RPM generation. |
The following set of options must be preceded by the `--gen-server` argument:
| Option | Description |
|---|---|
| --gen-server | Generate the Web server's SSL key set, RPM and tar archive. This must be issued with any of the remaining options in this table. |
| -h, --help | Display the help screen with a list of base options specific to generating and managing a server key pair. |
| -p=, --password=PASSWORD | The CA password. You will be prompted for this if it is missing. Record it in a safe manner. |
| -d=, --dir=BUILD_DIRECTORY | Required for most commands. The directory where certificates and RPMs are built. The default is ./ssl-build. |
| --server-key=FILENAME | The Web server's SSL private key filename. The default is server.key. |
| --server-cert-req=FILENAME | The Web server's SSL certificate request filename. The default is server.csr. |
| --server-cert=FILENAME | The Web server's SSL certificate filename. The default is server.crt. |
| --startdate=YYMMDDHHMMSSZ | The start date for server certificate validity, in the format year, month, day, hour, minute, second (two characters per value). The trailing Z stands for Zulu (UTC) and is required. The default is one week before generation. |
| --cert-expiration=SERVER_CERT_EXPIRE | The expiration date of the server certificate. The default is the number of days until one day prior to epoch rollover (01-18-2038). |
| --set-country=COUNTRY_CODE | The two-letter country code. The default is US. |
| --set-state=STATE_OR_PROVINCE | The state or province. The default is North Carolina. |
| --set-city=CITY_OR_LOCALITY | The city or locality. The default is Raleigh. |
| --set-org=ORGANIZATION | The company or organization, such as Red Hat. The default is Example Corp. Inc. |
| --set-org-unit=SET_ORG_UNIT | The organizational unit, such as RHN. The default is unit. |
| --set-hostname=HOSTNAME | The hostname of the RHN Server to receive the key. The default is dynamically set to the build machine's hostname. |
| --set-email=EMAIL | The email address of the certificate contact. The default is admin@example.corp. |
| --rpm-packager=PACKAGER | Packager of the generated RPM, such as "RHN Admin (rhn-admin@example.com)". |
| --rpm-vendor=VENDOR | Vendor of the generated RPM, such as "IS/IT Example Corp." |
| -v, --verbose | Display verbose messaging. Cumulative: each additional "v" increases the level of detail. |
| --key-only | Rarely used. Generate only a server private key. Review `--gen-server --key-only --help` for more information. |
| --cert-req-only | Rarely used. Generate only a server certificate request. Review `--gen-server --cert-req-only --help` for more information. |
| --cert-only | Rarely used. Generate only a server certificate. Review `--gen-server --cert-only --help` for more information. |
| --rpm-only | Rarely used. Generate only an RPM for deployment. Review `--gen-server --rpm-only --help` for more information. |
| --no-rpm | Rarely used. Conduct all server-related steps except RPM generation. |
| --server-rpm=SERVER_RPM | Rarely changed. RPM name that houses the Web server's SSL key set (the base filename, not filename-version-release.noarch.rpm). |
| --server-tar=SERVER_TAR | Rarely changed. Name of the .tar archive of the Web server's SSL key set and CA public certificate, used solely by the hosted RHN Proxy Server installation routines (the base filename, not filename-version-release.tar). |
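As an added example (not part of the RHN documentation or of rhn-ssl-tool itself), the following Python helpers assemble the argument vectors for the two steps documented in the tables above, the `--gen-ca` step and the `--gen-server` step, and validate the `--startdate` value before the tool is ever invoked. The function names and the two-digit-year rule are assumptions of this example; the option names and defaults are the ones listed in the tables.

```python
import re
from datetime import datetime, timedelta, timezone

# rhn-ssl-tool's --startdate format: YYMMDDHHMMSSZ, two digits per field, trailing Z required.
_STARTDATE_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def parse_startdate(value):
    """Validate a --startdate value and return it as an aware UTC datetime."""
    m = _STARTDATE_RE.match(value)
    if not m:
        raise ValueError(f"--startdate must be YYMMDDHHMMSSZ, got {value!r}")
    yy, mo, dd, hh, mi, ss = (int(g) for g in m.groups())
    # Two-digit year resolved by the X.509 UTCTime rule (00-49 -> 20xx, 50-99 -> 19xx);
    # that rhn-ssl-tool applies the same rule is an assumption of this example.
    year = 2000 + yy if yy < 50 else 1900 + yy
    return datetime(year, mo, dd, hh, mi, ss, tzinfo=timezone.utc)


def format_startdate(when):
    """Render an aware datetime in the YYMMDDHHMMSSZ form the tool expects."""
    return when.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ")


def default_startdate(now):
    """The documented default: validity starts one week before generation."""
    return format_startdate(now - timedelta(days=7))


def gen_ca_args(build_dir="./ssl-build", country="US", org="Example Corp. Inc.",
                state="", city="", org_unit=""):
    """Argument vector for the CA step. --password is deliberately omitted so the tool
    prompts for it instead of exposing it in process listings and shell history."""
    if len(country) != 2 or not country.isalpha():
        raise ValueError("--set-country must be a two-letter country code")
    args = ["rhn-ssl-tool", "--gen-ca", f"--dir={build_dir}",
            f"--set-country={country}", f"--set-org={org}"]
    for opt, val in (("--set-state", state), ("--set-city", city), ("--set-org-unit", org_unit)):
        if val:  # the tool's own default ('') applies when a field is left empty
            args.append(f"{opt}={val}")
    return args


def gen_server_args(hostname, build_dir="./ssl-build", startdate=None,
                    email="admin@example.corp", org_unit="unit"):
    """Argument vector for the Web server step; the start date is checked before anything runs."""
    startdate = startdate or default_startdate(datetime.now(timezone.utc))
    parse_startdate(startdate)  # fail early on a malformed or Z-less value
    return ["rhn-ssl-tool", "--gen-server", f"--dir={build_dir}", f"--set-hostname={hostname}",
            f"--set-email={email}", f"--set-org-unit={org_unit}", f"--startdate={startdate}"]
```

Each list is meant to be passed to `subprocess.run(args, check=True)` as an argv list rather than a shell string, so hostnames and organization names containing spaces or shell metacharacters need no quoting.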