diff options
Diffstat (limited to 'programs/openac/openac.8')
| -rw-r--r-- | programs/openac/openac.8 | 180 |
1 files changed, 180 insertions, 0 deletions
diff --git a/programs/openac/openac.8 b/programs/openac/openac.8 new file mode 100644 index 000000000..8e609a1b1 --- /dev/null +++ b/programs/openac/openac.8 @@ -0,0 +1,180 @@ +.TH IPSEC_OPENAC 8 "29 September 2005" +.SH NAME +ipsec openac \- Generation of X.509 attribute certificates +.SH SYNOPSIS +.B ipsec +.B openac +[ +.B \-\-help +] [ +.B \-\-version +] [ +.B \-\-optionsfrom +\fIfilename\fP +] [ +.B \-\-quiet +] +.br +\ \ \ [ +.B \-\-debug\(hyall +] [ +.B \-\-debug\(hyparsing +] [ +.B \-\-debug\(hyraw +] [ +.B \-\-debug\(hyprivate +] +.br +\ \ \ [ +.B \-\-days +\fIdays\fP +] [ +.B \-\-hours +\fIhours\fP +] +.br +\ \ \ [ +.B \-\-startdate +\fIYYYYMMDDHHMMSSZ\fP +] [ +.B \-\-stopdate +\fIYYYYMMDDHHMMSSZ\fP +] +.br +.B \ \ \ \-\-cert +\fIcertfile\fP +.B \-\-key +\fIkeyfile\fP +[ +.B \-\-password +\fIpassword\fP +] +.br +.B \ \ \ \-\-usercert +\fIcertfile\fP +.B \-\-groups +\fIattr1,attr2,...\fP +.B \-\-out +\fIfilename\fP +.SH DESCRIPTION +.BR openac +is intended to be used by an Authorization Authority (AA) to generate and sign +X.509 attribute certificates. Currently only the inclusion of one ore several group +attributes is supported. An attribute certificate is linked to a holder by +including the issuer and serial number of the holder's X.509 certificate. +.SH OPTIONS +.TP +\fB\-\-help\fP +display the usage message. +.TP +\fB\-\-version\fP +display the version of \fBopenac\fP. +.TP +\fB\-\-optionsfrom\fP\ \fIfilename\fP +adds the contents of the file to the argument list. +If \fIfilename\fP is a relative path then the file is searched in the directory +\fI/etc/openac\fP. +.TP +\fB\-\-quiet\fP +By default \fBopenac\fP logs all control output both to syslog and stderr. +With the \fB\-\-quiet\fP option no output is written to stderr. +.TP +\fB\-\-days\fP\ \fIdays\fP +Validity of the X.509 attribute certificate in days. If neiter the \fB\-\-days\fP\ nor +the \fB\-\-hours\fP\ option is specified then a default validity interval of 1 day is assumed. +The \fB\-\-days\fP\ option can be combined with the \fB\-\-hours\fP\ option. +.TP +\fB\-\-hours\fP\ \fIhours\fP +Validity of the X.509 attribute certificate in hours. If neiter the \fB\-\-hours\fP\ nor +the \fB\-\-days\fP\ option is specified then a default validity interval of 24 hours is assumed. +The \fB\-\-hours\fP\ option can be combined with the \fB\-\-days\fP\ option. +.TP +\fB\-\-startdate\fP\ \fIYYYYMMDDHHMMSSZ\fP +defines the \fBnotBefore\fP date when the X.509 attribute certificate becomes valid. +The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time). +If the \fB\-\-startdate\fP option is not specified then the current date is taken as a default. + +.TP +\fB\-\-stopdate\fP\ \fIYYYYMMDDHHMMSSZ\fP +defines the \fBnotAfter\fP date when the X.509 attribute certificate will expire. +The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time). +If the \fB\-\-stopdate\fP option is not specified then the default \fBnotAfter\fP value is computed +by adding the validity interval specified by the \fB\-\-days\fP\ and/or \fB\-\-days\fP\ options +to the \fBnotBefore\fP date. +.TP +\fB\-\-cert\fP\ \fIcertfile\fP +specifies the file containing the X.509 certificate of the Authorization Authority. +The certificate is stored either in PEM or DER format. +.TP +\fB\-\-key\fP\ \fIkeyfile\fP +specifies the encrypted file containing the private RSA key of the Authoritzation +Authority. The private key is stored in PKCS#1 format. +.TP +\fB\-\-password\fP\ \fIpassword\fP +specifies the password with which the private RSA keyfile defined by the +\fB\-\-key\fP option has been protected. If the option is missing then the +password is prompted for on the command line. +.TP +\fB\-\-usercert\fP\ \fIcertfile\fP +specifies file containing the X.509 certificate of the user to which the generated attribute +certificate will apply. The certificate file is stored either in PEM or DER format. +.TP +\fB\-\-groups\fP\ \fIattr1,attr2\fP +specifies a comma-separated list of group attributes that will go into the +X.509 attribute certificate. +.TP +\fB\-\-out\fP\ \fIfilename\fP +specifies the file where the generated X.509 attribute certificate will be stored to. +.SS Debugging +.LP +\fBopenac\fP produces a prodigious amount of debugging information. To do so, +it must be compiled with \-DDEBUG. There are several classes of debugging output, +and \fBopenac\fP may be directed to produce a selection of them. All lines of +debugging output are prefixed with ``|\ '' to distinguish them from error messages. +.LP +When \fBopenac\fP is invoked, it may be given arguments to specify +which classes to output. The current options are: +.TP +\fB\-\-debug-raw\fP +show the raw bytes of the parsed user and authorization authority certificates +as well as of the generated X.509 attribute certificate. +.TP +\fB\-\-debug-parsing\fP +show the parsed structure of user and authorization authority certificats +as well as of the generated X.509 attribute certificate. +.TP +\fB\-\-debug-all\fP +all of the above. +.TP +\fB\-\-debug-private\fP +enables debugging output of the authorization authority's private key. +.SH EXIT STATUS +.LP +The execution of \fBopenac\fP terminates with one of the following two exit codes: +.TP +0 +means that the attribute certificate was successfully generated and stored. +.TP +1 +means that something went wrong. +.SH FILES +\fI/etc/openac/serial\fP\ \ \ serial number of latest attribute certificate +.SH SEE ALSO +.LP +The X.509 attribute certificates generated with \fBopenac\fP can be used to +enforce group policies defined by \fIipsec.conf\fP(5). Use \fIipsec_auto\fP(8) +to load and list X.509 attribute certificates. +.LP +For more information on X.509 attribute certificates, refer to the following +IETF RFC: +.IP +RFC 3281 An Internet Attribute Certificate Profile for Authorization +.SH HISTORY +The \fBopenac\fP program was originally written by Ariane Seiler and Ueli Galizzi. +The software was recoded by Andreas Steffen using strongSwan's X.509 library and +the ASN.1 code synthesis functions written by Christoph Gysin and Christoph Zwahlen. +All authors were with the Zurich University of Applied Sciences in Winterthur, +Switzerland. +.LP +.SH BUGS +Bugs should be reported to the <users@lists.strongswan.org> mailing list. |