ecp-get-cert

Create an X.509 certificate using ECP authentication.

ecp-get-cert enables you to authenticate using SAML/ECP against any identity provider registered with CILogon, and create an X.509 credential for use in querying services under the same identity and access management domain.

Usage: ecp-get-cert [-i IDENTITY_PROVIDER] [-k] [-u USERNAME] [-h] [-l] [-V]
                    [-d] [-f FILE] [-H HOURS] [-p] [-r [HOURS]] [-v] [-X]

Authentication options

-i, --identity-provider

name of institution providing the identity (e.g. ‘Cardiff University’), or domain name of IdP host (e.g. idp.cf.ac.uk); see --list-idps for a list of Identity Providers (IdPs) and their IdP URLs. Shortened institution names (e.g. ‘Cardiff’) can be given as long as they uniquely match a full institution name known by CILogon

-k, --kerberos

enable kerberos negotiation

Default: False

-u, --username

authentication username, will be prompted for if not given and not using --kerberos

Other options

-d, --debug

write debug output (uses both stderr and stdout, implies --verbose)

Default: False

-f, --file

certificate file to create/reuse/destroy

Default: "/tmp/x509up_u1005"

-H, --hours

lifetime of the certificate

Default: 277

-p, --proxy

create RFC 3820 compliant impersonation proxy

Default: False

-r, --reuse

reuse an existing certificate if it is valid for more than 1.0 hours; pass a number of hours to set a different threshold

Default: False

-v, --verbose

write verbose output to stdout

Default: False

-X, --destroy

destroy existing certificate

Default: False

Helper arguments

-l, --list-idps

show IdP names and URLs and exit

-V, --version

show program’s version number and exit

Examples:

$ ecp-get-cert -i 'My Institution'

to authenticate with a username and password prompt, or

$ ecp-get-cert -u user.name -i 'My Institution'

to authenticate with only a password prompt, or

$ ecp-get-cert -i 'My Institution' -k

to reuse an existing kerberos (kinit) credential.

The identity provider name can be given in a number of ways, so long as the argument uniquely identifies a provider. For example, the following are all equivalent:

$ ecp-get-cert -i 'Cardiff University'
$ ecp-get-cert -i Cardiff
$ ecp-get-cert -i idp.cf.ac.uk
$ ECP_IDP="Cardiff" ecp-get-cert
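
The unique-match rule above, sketched as an added example (not ecp-get-cert's own code): an argument resolves only when it identifies exactly one provider, and an ambiguous short name is rejected rather than guessed. The IdP list, the URLs, the function and exception names, and the case-insensitive substring matching with exact matches taking precedence are all assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed sample of an IdP list (name -> ECP endpoint URL); the real list
# is whatever `ecp-get-cert --list-idps` prints.
SAMPLE_IDPS = {
    "Cardiff University": "https://idp.cf.ac.uk/idp/profile/SAML2/SOAP/ECP",
    "Example University": "https://idp.example.edu/idp/profile/SAML2/SOAP/ECP",
    "Example University Hospital":
        "https://idp.hospital.example.org/idp/profile/SAML2/SOAP/ECP",
}


class IdpMatchError(ValueError):
    """Raised when an argument matches no IdP or more than one."""


def resolve_idp(arg, idps=SAMPLE_IDPS):
    """Return (name, url) for the single IdP that `arg` identifies."""
    needle = arg.strip().casefold()
    if not needle:
        raise IdpMatchError("empty identity provider argument")
    # 1. Exact institution name or exact IdP hostname (assumed to win
    #    over any partial match).
    exact = [
        (name, url) for name, url in idps.items()
        if needle in (name.casefold(), (urlparse(url).hostname or "").casefold())
    ]
    if len(exact) == 1:
        return exact[0]
    # 2. Shortened institution name: must match exactly one full name.
    partial = [(n, u) for n, u in idps.items() if needle in n.casefold()]
    if len(partial) == 1:
        return partial[0]
    if not partial:
        raise IdpMatchError(f"no identity provider matches {arg!r}")
    names = ", ".join(sorted(n for n, _ in partial))
    # Refuse to guess: the credentials entered next are sent to this host.
    raise IdpMatchError(f"{arg!r} is ambiguous, matches: {names}")
```
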

Environment:

X509_USER_PROXY:

the default path for the credential file

ECP_IDP:

the name/URL of the default Identity Provider (--institution)