.ds VE LPRng-3.9.0
.TH LPRNG_CERTS 1 \*(VE "LPRng"
.ig
lpbanner.1,v 3.33 1998/03/29 18:37:49 papowell Exp
..
.SH NAME
lprng_certs \- lprng SSL certificate management
.SH SYNOPSIS
.B
.nf
lprng_certs option
 Options:
  init     - make directory structure
  newca    - make new root CA
  defaults - set new default values for certs
  gen      - generate user, server, or signing cert
  index [dir] - index cert files
  verify [cert] - verify cert file
  encrypt keyfile
           - set or change keyfile password
.fi
.SH DESCRIPTION
.PP
The
.B lprng_certs
program is used to manage SSL certificates for the LPRng software.
The SSL certificate structure consists of a hierarchy of
certificates.
The LPRng software assumes that the following types of certificates
will be used:
.IP "CA or root"
A top level or self-signed certificate.
.IP "signing"
A certificate that can be used to sign other certificates.
This is signed by the root CA or another signing certificate.
.IP "user"
A certificate used by a user to identify themselves to the
lpd server.
.IP "server"
A certificate used by the
.I lpd
server to identify itself to the
user or other
.I lpd
servers.
.SH "Signing Certificates"
.PP
All of the signing certificates,
including the root certificate (root CA),
_SSL_CA_FILE_,
are in the same directory as the root CA file.
Alternately,
all of the signing certs can be concatenated and put into a single file,
which by convention is assumed to have the same name as the root CA
file,
_SSL_CA_FILE_.
The
.BR ssl_ca_file ,
.BR ssl_ca_path ,
and
.BR ssl_ca_key
printcap and configuration options can be used to specify
the locations of the root CA files,
a directory containing the signing certificate files,
and the private key file for the root CA file respectively.
.PP
The root certificate (root CA file)
_SSL_CA_FILE_
has a private key file
_SSL_CA_KEY_
as well.
By convention,
the private keys for the other signing certificate files are stored in the
certificate file.
.PP
The OpenSSL software requires that this directory
also contain a set of hash files which are,
in effect,
links to these files.
.PP
By default, all signing certificates are assumed to be
in the same directory as the root certificate.
.SH "Server Certificates"
.PP
The certificates used by the
.I lpd
server are kept in another
directory.
These files do not need to have hash links to them.
By convention,
the private keys for these certificate files are stored in the
certificate file.
The server certificate file
is specified by the
.B ssl_server_cert
option and has the default value
_SSL_SERVER_CERT_.
This file contains the cert and private key.
The server certificate password file is specified by the
.B ssl_server_password
option with the default value
_SSL_SERVER_PASSWORD_
and
contains the password used to decrypt the server's private key and use it
for authentication.
This key file should be readable only by the
.I lpd
server.
.SH "User Certificates"
.PP
The certificates used by users are kept in a separate directory
in the user's home directory.
By convention,
the private keys for these certificate files are stored in the
certificate file.
.PP
The user certificate file is specified by the
.B LPR_SSL_FILE
environment variable,
otherwise the
.B "${HOME}/.lpr/client.crt"
file is used.
The password is taken from the file specified by the
.B LPR_SSL_PASSWORD
environment variable,
otherwise the
.B "${HOME}/.lpr/client.pwd"
file is read.
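.PP
The lookup order above, combined with a permission check, as an added shell example (not part of LPRng or of lprng_certs).
It assumes an empty variable is treated like an unset one and that, because the certificate file also holds the private key, both client files should be accessible to their owner only; the function names are made up for the illustration.
.nf
```sh
#!/bin/sh
# Added example: resolve the client files as described above and flag
# any that are missing or readable by group/other.

# Client certificate: LPR_SSL_FILE if set, else ${HOME}/.lpr/client.crt.
lpr_ssl_cert() {
    echo "${LPR_SSL_FILE:-${HOME}/.lpr/client.crt}"
}

# Password file: LPR_SSL_PASSWORD if set, else ${HOME}/.lpr/client.pwd.
lpr_ssl_pwd() {
    echo "${LPR_SSL_PASSWORD:-${HOME}/.lpr/client.pwd}"
}

# Return 0 if $1 is a regular file with no group/other permission bits,
# 1 if it is too permissive, 2 if it does not exist.
is_private() {
    [ -f "$1" ] || return 2
    # First 10 characters of the ls mode string, e.g. -rw-------
    mode=$(ls -ldL -- "$1" | cut -c1-10)
    case $mode in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Check both client files; print one line per file and return non-zero
# if either is missing or exposed.
audit_lpr_ssl() {
    rc=0
    for f in "$(lpr_ssl_cert)" "$(lpr_ssl_pwd)"; do
        is_private "$f" && st=0 || st=$?
        case $st in
            0) echo "ok       $f" ;;
            2) echo "missing  $f"; rc=1 ;;
            *) echo "exposed  $f (suggested fix: chmod 600)"; rc=1 ;;
        esac
    done
    return $rc
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then audit_lpr_ssl; fi
```
.fi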
.PP
.SH "USING LPRNG_CERTS"
.PP
The organization of the SSL certificates used by LPRng is
similar to that used by other programs such as the
.B Apache
.B mod_ssl
support.
The
.B lprng_certs
program is used to create the directory structure,
create certificates for the root CA,
signing,
user and servers.
In order to make management simple,
the following support is provided.
.SH "lprng_certs init"
.PP
This command creates the directories used by the
lpd
server.
It is useful when setting up a new
.B lpd
server.
.SH "lprng_certs newca"
.PP
This command creates a self-signed certificate,
suitable for use as a root CA certificate.
It also sets up a set of default values for other certificate creation.
.SH "lprng_certs defaults"
.PP
This command is used to modify the set of default values.
.PP
The default values are listed and should be self-explanatory,
except for the value of the
.B signer
certificate.
By default,
the root CA can be used to sign certificates.
However,
a signing certificate can be used as well.
This allows delegation of signing authority without
compromising the security of the root CA.
.SH "lprng_certs gen"
.PP
This is used to generate a user, server, or signing certificate.
.SH "lprng_certs index"
.PP
This is used to create the indexes for the signing certificates.
.SH "lprng_certs verify [cert]"
.PP
This checks the certificate file using the OpenSSL
.B "openssl verify"
command.
.SH "lprng_certs encrypt keyfile"
.PP
This removes all key information from the key file,
reencrypts the key information,
and then puts the encrypted key information in the file.
.SH "LPRng OPTIONS"
.nf
.ta \w'${HOME}/.lpr/client.crt  'u
Option	Purpose
ssl_ca_path	directory holding the SSL signing certs
ssl_ca_file	file holding the root CA or all SSL signing certs
ssl_server_cert	cert file for the server
ssl_server_password	file containing password for server private key
${HOME}/.lpr/client.crt	client certificate file
${HOME}/.lpr/client.pwd	client certificate private key password
.SH "ENVIRONMENT VARIABLES"
.nf
.ta \w'${HOME}/.lpr/client.crt  'u
LPR_SSL_FILE	client certificate file
LPR_SSL_PASSWORD	client certificate private key password

.SH "EXIT STATUS"
.PP
The following exit values are returned:
.TP 15
.B "zero (0)"
Successful completion.
.TP
.B "non-zero (!=0)"
An error occurred.
.SH "SEE ALSO"
.LP
lpd.conf(5),
lpc(8),
lpd(8),
checkpc(8),
lpr(1),
lpq(1),
lprm(1),
printcap(5),
pr(1), lprng_certs(1), lprng_index_certs(1).
.SH "HISTORY"
LPRng is an enhanced printer spooler system
with functionality similar to the Berkeley LPR software.
The LPRng mailing list is lprng@lprng.com;
subscribe by sending mail to lprng-request@lprng.com with
the word subscribe in the body.
The software is available from ftp://ftp.lprng.com/pub/LPRng.
.SH "AUTHOR"
Patrick Powell <papowell@lprng.com>.
