.ds VE LPRng-3.9.0
.TH LPRNG_CERTS 1 \*(VE "LPRng"
.ig
lpbanner.1,v 3.33 1998/03/29 18:37:49 papowell Exp
..
.SH NAME
lprng_certs \- lprng SSL certificate management
.SH SYNOPSIS
.B
.nf
lprng_certs option
  Options:
    init            - make directory structure
    newca           - make new root CA
    defaults        - set new default values for certs
    gen             - generate user, server, or signing cert
    index [dir]     - index cert files
    verify [cert]   - verify cert file
    encrypt keyfile
                    - set or change keyfile password
.nf
.SH DESCRIPTION
.PP
The
.B lprng_certs
program is used to manage SSL certificates for the LPRng software.
The SSL certificate structure consists of a hierarchy of
certificates.
The LPRng software assumes that the following types of certificates
will be used:
.IP "CA or root"
A top level or self-signed certificate.
.IP "signing"
A certificate that can be used to sign other certificates.
This is signed by the root CA or another signing certificate.
.IP "user"
A certificate used by a user to identify themselves to the
lpd server.
.IP "server"
A certificate used by the
.I lpd
server to identify itself to the
user or other
.I lpd
servers.
.SH "Signing Certificates"
.PP
All of the signing certificates,
including the root certificate (root CA),
_SSL_CA_FILE_,
are in the same directory as the root CA file.
Alternately,
all of the signing certs can be concatenated and put into a single file,
which by convention is assumed to have the same name as the root CA
file,
_SSL_CA_FILE_.
The
.BR ssl_ca_file ,
.BR ssl_ca_path ,
and
.BR ssl_ca_key
printcap and configuration options can be used to specify
the locations of the root CA files,
a directory containing the signing certificate files,
and the private key file for the root CA file respectively.
.PP
The root certificate (root CA file)
_SSL_CA_FILE_
has a private key file
_SSL_CA_KEY_
as well.
By convention,
the private keys for the other signing certificate files are stored in the
certificate file.
.PP
The OpenSSL software requires that this directory
also contain a set of hash files which are,
in effect,
links to these files.
.PP
By default, all signing certificates are assumed to be
in the same directory as the root certificate.
.SH "Server Certificates"
.PP
The certificates used by the
.I lpd
server are kept in another
directory.
These files do not need to have hash links to them.
By convention,
the private keys for these certificate files are stored in the
certificate file.
The server certificate file
is specified by the
.B ssl_server_cert
option and has the default value
_SSL_SERVER_CERT_.
This file contains the cert and private key.
The server certificate password file is specified by the
.B ssl_server_password
option with the default value
_SSL_SERVER_PASSWORD_
and
contains the password used to decrypt the server's private key and use it
for authentication.
This key file should be readable only by the
.I lpd
server.
.SH "User Certificates"
.PP
The certificates used by users are kept in a separate directory
in the user's home directory.
By convention,
the private keys for these certificate files are stored in the
certificate file.
.PP
The user certificate file is specified by the
.B LPR_SSL_FILE
environment variable,
otherwise the
.B "${HOME}/.lpr/client.crt"
file is used.
The password is taken from the file specified by the
.B LPR_SSL_PASSWORD
environment variable,
otherwise the
.B "${HOME}/.lpr/client.pwd"
file is read.
.PP
.SH "USING LPRNG_CERTS"
.PP
The organization of the SSL certificates used by LPRng is
similar to that used by other programs such as the
.B Apache
.B mod_ssl
support.
The
.B lprng_certs
program is used to create the directory structure
and to create root CA,
signing,
user, and server certificates.
In order to make management simple,
the following support is provided.
.SH "lprng_certs init"
.PP
This command creates the directories used by the
lpd
server.
It is useful when setting up a new
.B lpd
server.
.SH "lprng_certs newca"
.PP
This command creates a self-signed certificate,
suitable for use as a root CA certificate.
It also sets up a set of default values for other certificate creation.
.SH "lprng_certs defaults"
.PP
This command is used to modify the set of default values.
.PP
The default values are listed and should be self-explanatory,
except for the value of the
.B signer
certificate.
By default,
the root CA can be used to sign certificates.
However,
a signing certificate can be used as well.
This allows delegation of signing authority without
compromising the security of the root CA.
.SH "lprng_certs gen"
.PP
This is used to generate a user, server, or signing certificate.
.SH "lprng_certs index"
.PP
This is used to create the indexes for the signing certificates.
.SH "lprng_certs verify [cert]"
.PP
This checks the certificate file using the OpenSSL
.B "openssl verify"
command.
.SH "lprng_certs encrypt keyfile"
.PP
This removes all key information from the key file,
reencrypts the key information,
and then puts the encrypted key information in the file.
.SH "LPRng OPTIONS"
.nf
.ta \w'${HOME}/.lpr/client.crt 'u
Option	Purpose
ssl_ca_path	directory holding the SSL signing certs
ssl_ca_file	file holding the root CA or all SSL signing certs
ssl_server_cert	cert file for the server
ssl_server_password	file containing password for server
${HOME}/.lpr/client.crt	client certificate file
${HOME}/.lpr/client.pwd	client certificate private key password
.SH "ENVIRONMENT VARIABLES"
.nf
.ta \w'${HOME}/.lpr/client.crt 'u
LPR_SSL_FILE	client certificate file
LPR_SSL_PASSWORD	client certificate private key password

.SH "EXIT STATUS"
.PP
The following exit values are returned:
.TP 15
.B "zero (0)"
Successful completion.
.TP
.B "non-zero (!=0)"
An error occurred.
.SH "SEE ALSO"
.LP
lpd.conf(5),
lpc(8),
lpd(8),
checkpc(8),
lpr(1),
lpq(1),
lprm(1),
printcap(5),
pr(1), lprng_certs(1), lprng_index_certs(1).
.SH "HISTORY"
LPRng is an enhanced printer spooler system
with functionality similar to the Berkeley LPR software.
The LPRng mailing list is lprng@lprng.com;
subscribe by sending mail to lprng-request@lprng.com with
the word subscribe in the body.
The software is available from ftp://ftp.lprng.com/pub/LPRng.
.SH "AUTHOR"
Patrick Powell <papowell@lprng.com>.