3.2.2. RHN SSL Maintenance Tool Options

The RHN SSL Maintenance Tool offers a plethora of command line options for generating your Certificate Authority SSL key pair and managing your server SSL certificates and keys. The tool offers essentially three command line option help listings: rhn-ssl-tool --help (general), rhn-ssl-tool --gen-ca --help (Certificate Authority), and rhn-ssl-tool --gen-server --help (Web server). The manual page for rhn-ssl-tool is also quite detailed and available to assist: man rhn-ssl-tool.
The two tables below break down the options by their related task, either CA or Web server SSL key set generation.
This set of options must be preceded by the --gen-ca argument:

Table 3.1. SSL Certificate Authority (CA) Options (rhn-ssl-tool --gen-ca --help)

Option Description
--gen-ca Generate a Certificate Authority (CA) key pair and public RPM. This must be issued with any of the remaining options in this table.
-h, --help Display the help screen with a list of base options specific to generating and managing a Certificate Authority.
-f, --force Forcibly create a new CA private key and/or public certificate.
-p=, --password=PASSWORD The CA password. You will be prompted for this if it's missing. Record it in a safe manner.
-d=, --dir=BUILD_DIRECTORY Required for most commands - The directory where certificates and RPMs are built. The default is ./ssl-build.
--ca-key=FILENAME The CA private key filename. The default is RHN-ORG-PRIVATE-SSL-KEY.
--ca-cert=FILENAME The CA public certificate filename. The default is RHN-ORG-TRUSTED-SSL-CERT.
--cert-expiration=CA_CERT_EXPIRE The expiration date of the public CA certificate. The default is the number of days until one day prior to epoch rollover (or 01-18-2038).
--set-country=COUNTRY_CODE The two-letter country code. The default is US.
--set-state=STATE_OR_PROVINCE The state or province of the CA. The default is ''.
--set-city=CITY_OR_LOCALITY The city or locality. The default is ''.
--set-org=ORGANIZATION The company or organization, such as Red Hat. The default is Example Corp. Inc.
--set-org-unit=SET_ORG_UNIT The organizational unit, such as RHN. The default is ''.
--set-common-name=HOSTNAME Not typically set for the CA. - The common name.
--set-email=EMAIL Not typically set for the CA. - The email address.
--rpm-packager=PACKAGER Packager of the generated RPM, such as "RHN Admin (rhn-admin@example.com)."
--rpm-vendor=VENDOR Vendor of the generated RPM, such as "IS/IT Example Corp."
-v, --verbose Display verbose messaging. Accumulative - added "v"s result in increasing detail.
--ca-cert-rpm=CA_CERT_RPM Rarely changed - RPM name that houses the CA certificate (the base filename, not filename-version-release.noarch.rpm).
--key-only Rarely used - Generate only a CA private key. Review --gen-ca --key-only --help for more information.
--cert-only Rarely used - Generate only a CA public certificate. Review --gen-ca --cert-only --help for more information.
--rpm-only Rarely used - Generate only an RPM for deployment. Review --gen-ca --rpm-only --help for more information.
--no-rpm Rarely used - Conduct all CA-related steps except RPM generation.
The following set of options must be preceded by the --gen-server argument:

Table 3.2. SSL Web Server Options (rhn-ssl-tool --gen-server --help)

Option Description
--gen-server Generate the Web server's SSL key set, RPM and tar archive. This must be issued with any of the remaining options in this table.
-h, --help Display the help screen with a list of base options specific to generating and managing a server key-pair.
-p=, --password=PASSWORD The CA password. You will be prompted for this if it's missing. Record it in a safe manner.
-d=, --dir=BUILD_DIRECTORY Required for most commands - The directory where certificates and RPMs are built. The default is ./ssl-build.
--server-key=FILENAME The Web server's SSL private key filename. The default is server.key.
--server-cert-req=FILENAME The Web server's SSL certificate request filename. The default is server.csr.
--server-cert=FILENAME The Web server's SSL certificate filename. The default is server.crt.
--startdate=YYMMDDHHMMSSZ The start date for server certificate validity in the example format: year, month, date, hour, minute, second (two characters per value). Z stands for Zulu and is required. The default is one week before generation.
--cert-expiration=SERVER_CERT_EXPIRE The expiration date of the server certificate. The default is the number of days until one day prior to epoch rollover (or 01-18-2038).
--set-country=COUNTRY_CODE The two-letter country code. The default is US.
--set-state=STATE_OR_PROVINCE The state or province. The default is North Carolina.
--set-city=CITY_OR_LOCALITY The city or locality. The default is Raleigh.
--set-org=ORGANIZATION The company or organization, such as Red Hat. The default is Example Corp. Inc.
--set-org-unit=SET_ORG_UNIT The organizational unit, such as RHN. The default is unit.
--set-hostname=HOSTNAME The hostname of the RHN Server to receive the key. The default is dynamically set to the build machine's hostname.
--set-email=EMAIL The email address of the certificate contact. The default is admin@example.corp.
--rpm-packager=PACKAGER Packager of the generated RPM, such as "RHN Admin (rhn-admin@example.com)."
--rpm-vendor=VENDOR Vendor of the generated RPM, such as "IS/IT Example Corp."
-v, --verbose Display verbose messaging. Accumulative - added "v"s result in increasing detail.
--key-only Rarely used - Generate only a server private key. Review --gen-server --key-only --help for more information.
--cert-req-only Rarely used - Generate only a server certificate request. Review --gen-server --cert-req-only --help for more information.
--cert-only Rarely used - Generate only a server certificate. Review --gen-server --cert-only --help for more information.
--rpm-only Rarely used - Generate only an RPM for deployment. Review --gen-server --rpm-only --help for more information.
--no-rpm Rarely used - Conduct all server-related steps except RPM generation.
--server-rpm=SERVER_RPM Rarely changed - RPM name that houses the Web server's SSL key set (the base filename, not filename-version-release.noarch.rpm).
--server-tar=SERVER_TAR Rarely changed - Name of .tar archive of the Web server's SSL key set and CA public certificate that is used solely by the hosted RHN Proxy Server installation routines (the base filename, not filename-version-release.tar).