diff options
Diffstat (limited to 'src/openac/openac.8')
| -rw-r--r-- | src/openac/openac.8 | 165 |
1 files changed, 0 insertions, 165 deletions
diff --git a/src/openac/openac.8 b/src/openac/openac.8 deleted file mode 100644 index ed1b8ed6c..000000000 --- a/src/openac/openac.8 +++ /dev/null @@ -1,165 +0,0 @@ -.TH IPSEC_OPENAC 8 "22 September 2007" -.SH NAME -ipsec openac \- Generation of X.509 attribute certificates -.SH SYNOPSIS -.B ipsec -.B openac -[ -.B \-\-help -] [ -.B \-\-version -] [ -.B \-\-optionsfrom -\fIfilename\fP -] -.br -\ \ \ [ -.B \-\-quiet -] [ -.B \-\-debug -\fIlevel\fP -] -.br -\ \ \ [ -.B \-\-days -\fIdays\fP -] [ -.B \-\-hours -\fIhours\fP -] -.br -\ \ \ [ -.B \-\-startdate -\fIYYYYMMDDHHMMSSZ\fP -] [ -.B \-\-stopdate -\fIYYYYMMDDHHMMSSZ\fP -] -.br -.B \ \ \ \-\-cert -\fIcertfile\fP -.B \-\-key -\fIkeyfile\fP -[ -.B \-\-password -\fIpassword\fP -] -.br -.B \ \ \ \-\-usercert -\fIcertfile\fP -.B \-\-groups -\fIattr1,attr2,...\fP -.B \-\-out -\fIfilename\fP -.SH DESCRIPTION -.BR openac -is intended to be used by an Authorization Authority (AA) to generate and sign -X.509 attribute certificates. Currently only the inclusion of one ore several group -attributes is supported. An attribute certificate is linked to a holder by -including the issuer and serial number of the holder's X.509 certificate. -.SH OPTIONS -.TP -\fB\-\-help\fP -display the usage message. -.TP -\fB\-\-version\fP -display the version of \fBopenac\fP. -.TP -\fB\-\-optionsfrom\fP\ \fIfilename\fP -adds the contents of the file to the argument list. -If \fIfilename\fP is a relative path then the file is searched in the directory -\fI/etc/openac\fP. -.TP -\fB\-\-quiet\fP -By default \fBopenac\fP logs all control output both to syslog and stderr. -With the \fB\-\-quiet\fP option no output is written to stderr. -.TP -\fB\-\-days\fP\ \fIdays\fP -Validity of the X.509 attribute certificate in days. If neiter the \fB\-\-days\fP\ nor -the \fB\-\-hours\fP\ option is specified then a default validity interval of 1 day is assumed. -The \fB\-\-days\fP\ option can be combined with the \fB\-\-hours\fP\ option. -.TP -\fB\-\-hours\fP\ \fIhours\fP -Validity of the X.509 attribute certificate in hours. If neiter the \fB\-\-hours\fP\ nor -the \fB\-\-days\fP\ option is specified then a default validity interval of 24 hours is assumed. -The \fB\-\-hours\fP\ option can be combined with the \fB\-\-days\fP\ option. -.TP -\fB\-\-startdate\fP\ \fIYYYYMMDDHHMMSSZ\fP -defines the \fBnotBefore\fP date when the X.509 attribute certificate becomes valid. -The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time). -If the \fB\-\-startdate\fP option is not specified then the current date is taken as a default. - -.TP -\fB\-\-stopdate\fP\ \fIYYYYMMDDHHMMSSZ\fP -defines the \fBnotAfter\fP date when the X.509 attribute certificate will expire. -The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time). -If the \fB\-\-stopdate\fP option is not specified then the default \fBnotAfter\fP value is computed -by adding the validity interval specified by the \fB\-\-days\fP\ and/or \fB\-\-days\fP\ options -to the \fBnotBefore\fP date. -.TP -\fB\-\-cert\fP\ \fIcertfile\fP -specifies the file containing the X.509 certificate of the Authorization Authority. -The certificate is stored either in PEM or DER format. -.TP -\fB\-\-key\fP\ \fIkeyfile\fP -specifies the encrypted file containing the private RSA key of the Authoritzation -Authority. The private key is stored in PKCS#1 format. -.TP -\fB\-\-password\fP\ \fIpassword\fP -specifies the password with which the private RSA keyfile defined by the -\fB\-\-key\fP option has been protected. If the option is missing then the -password is prompted for on the command line. -.TP -\fB\-\-usercert\fP\ \fIcertfile\fP -specifies file containing the X.509 certificate of the user to which the generated attribute -certificate will apply. The certificate file is stored either in PEM or DER format. -.TP -\fB\-\-groups\fP\ \fIattr1,attr2\fP -specifies a comma-separated list of group attributes that will go into the -X.509 attribute certificate. -.TP -\fB\-\-out\fP\ \fIfilename\fP -specifies the file where the generated X.509 attribute certificate will be stored to. -.SS Debugging -.LP -\fBopenac\fP produces a prodigious amount of debugging information. To do so, -it must be compiled with \-DDEBUG. There are several classes of debugging output, -and \fBopenac\fP may be directed to produce a selection of them. All lines of -debugging output are prefixed with ``|\ '' to distinguish them from error messages. -.LP -When \fBopenac\fP is invoked, it may be given arguments to specify -which classes to output. The current options are: -.TP -\fB\-\-debug\fP\ \fIlevel\fP -sets the debug level to 0 (none), 1 (normal), 2 (more), 3 (raw), and 4 (private), -the default level being 1. -.SH EXIT STATUS -.LP -The execution of \fBopenac\fP terminates with one of the following two exit codes: -.TP -0 -means that the attribute certificate was successfully generated and stored. -.TP -1 -means that something went wrong. -.SH FILES -\fI/etc/openac/serial\fP\ \ \ serial number of latest attribute certificate -.SH SEE ALSO -.LP -The X.509 attribute certificates generated with \fBopenac\fP can be used to -enforce group policies defined by \fIipsec.conf\fP(5). Use \fIipsec_auto\fP(8) -to load and list X.509 attribute certificates. -.LP -For more information on X.509 attribute certificates, refer to the following -IETF RFC: -.IP -RFC 3281 An Internet Attribute Certificate Profile for Authorization -.SH HISTORY -The \fBopenac\fP program was originally written by Ariane Seiler and Ueli Galizzi. -The software was recoded by Andreas Steffen using strongSwan's X.509 library and -the ASN.1 code synthesis functions written by Christoph Gysin and Christoph Zwahlen. -All authors were with the Zurich University of Applied Sciences in Winterthur, -Switzerland. -.LP -.SH BUGS -Bugs should be reported to the <users@lists.strongswan.org> mailing list. |