Diffstat (limited to 'src/pki/man')
-rw-r--r-- | src/pki/man/Makefile.am | 1 | ||||
-rw-r--r-- | src/pki/man/Makefile.in | 8 | ||||
-rw-r--r-- | src/pki/man/pki---acert.1.in | 130 | ||||
-rw-r--r-- | src/pki/man/pki---issue.1.in | 27 | ||||
-rw-r--r-- | src/pki/man/pki---print.1.in | 5 | ||||
-rw-r--r-- | src/pki/man/pki---self.1.in | 27 | ||||
-rw-r--r-- | src/pki/man/pki---signcrl.1.in | 27 | ||||
-rw-r--r-- | src/pki/man/pki.1.in | 4 |
8 files changed, 218 insertions, 11 deletions
diff --git a/src/pki/man/Makefile.am b/src/pki/man/Makefile.am
index 618bd4093..4c901ae3c 100644
--- a/src/pki/man/Makefile.am
+++ b/src/pki/man/Makefile.am
@@ -4,6 +4,7 @@ man1_MANS = \
 pki---self.1 \
 pki---issue.1 \
 pki---signcrl.1 \
+ pki---acert.1 \
 pki---req.1 \
 pki---pkcs7.1 \
 pki---keyid.1 \
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in
index edbde85b5..5d901a87e 100644
--- a/src/pki/man/Makefile.in
+++ b/src/pki/man/Makefile.in
@@ -84,7 +84,7 @@ DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
 $(srcdir)/pki---pkcs7.1.in $(srcdir)/pki---print.1.in \
 $(srcdir)/pki---pub.1.in $(srcdir)/pki---req.1.in \
 $(srcdir)/pki---self.1.in $(srcdir)/pki---signcrl.1.in \
- $(srcdir)/pki---verify.1.in
+ $(srcdir)/pki---acert.1.in $(srcdir)/pki---verify.1.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
 $(top_srcdir)/m4/config/ltoptions.m4 \
@@ -102,7 +102,7 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES = pki.1 pki---gen.1 pki---issue.1 pki---keyid.1 \
 pki---pkcs7.1 pki---print.1 pki---pub.1 pki---req.1 \
- pki---self.1 pki---signcrl.1 pki---verify.1
+ pki---self.1 pki---signcrl.1 pki---acert.1 pki---verify.1
 CONFIG_CLEAN_VPATH_FILES =
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@@ -325,7 +325,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -371,6 +370,7 @@ man1_MANS = \
 pki---self.1 \
 pki---issue.1 \
 pki---signcrl.1 \
+ pki---acert.1 \
 pki---req.1 \
 pki---pkcs7.1 \
 pki---keyid.1 \
@@ -432,6 +432,8 @@ pki---self.1: $(top_builddir)/config.status $(srcdir)/pki---self.1.in
 cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 pki---signcrl.1: $(top_builddir)/config.status $(srcdir)/pki---signcrl.1.in
 cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---acert.1: $(top_builddir)/config.status $(srcdir)/pki---acert.1.in
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
 pki---verify.1: $(top_builddir)/config.status $(srcdir)/pki---verify.1.in
 cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
diff --git a/src/pki/man/pki---acert.1.in b/src/pki/man/pki---acert.1.in
new file mode 100644
index 000000000..ec1d8be6e
--- /dev/null
+++ b/src/pki/man/pki---acert.1.in
@@ -0,0 +1,130 @@
+.TH "PKI \-\-ACERT" 1 "2014-02-05" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-acert \- Issue an attribute certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-acert
+.OP \-\-in file
+.OP \-\-group membership
+.BI \-\-issuerkey\~ file |\-\-issuerkeyid\~ hex
+.BI \-\-issuercert\~ file
+.OP \-\-lifetime hours
+.OP \-\-not-before datetime
+.OP \-\-not-after datetime
+.OP \-\-serial hex
+.OP \-\-digest digest
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-acert
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-acert"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to issue an attribute certificate using an issuer certificate with its
+private key and the holder certificate.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Holder certificate to issue an attribute certificate for. If not given the
+certificate is read from \fISTDIN\fR.
+.TP
+.BI "\-m, \-\-group " membership
+Group membership the attribute certificate shall certify. The specified group
+is included as a string. To include multiple groups, the option can be repeated.
+.TP
+.BI "\-k, \-\-issuerkey " file
+Issuer private key file. Either this or
+.B \-\-issuerkeyid
+is required.
+.TP
+.BI "\-x, \-\-issuerkeyid " hex
+Key ID of a issuer private key on a smartcard. Either this or
+.B \-\-issuerkey
+is required.
+.TP
+.BI "\-c, \-\-issuercert " file
+Issuer certificate file. Required.
+.TP
+.BI "\-l, \-\-lifetime " hours
+Hours the attribute certificate is valid, default: 24. Ignored if both
+an absolute start and end time are given.
+.TP
+.BI "\-F, \-\-not-before " datetime
+Absolute time when the validity of the AC begins. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-T, \-\-not-after " datetime
+Absolute time when the validity of the AC ends. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-D, \-\-dateform " form
+strptime(3) format for the
+.B \-\-not\-before
+and
+.B \-\-not\-after
+options, default:
+.B %d.%m.%y %T
+.TP
+.BI "\-s, \-\-serial " hex
+Serial number in hex. It is randomly allocated by default.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.
+.SH "EXAMPLES"
+.
+To save repetitive typing, command line options can be stored in files.
+Lets assume
+.I acert.opt
+contains the following contents:
+.PP
+.EX
+ --issuercert aacert.der --issuerkey aakey.der --digest sha256 --lifetime 4
+.EE
+.PP
+Then the following command can be used to issue an attribute certificate based
+on a holder certificate and the options above:
+.PP
+.EX
+ pki --acert --options acert.opt --in holder.der --group sales --group finance -f pem
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index 3fad1ae8a..375cb2fe4 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -14,6 +14,8 @@ pki \-\-issue \- Issue a certificate using a CA certificate and key
 .OP \-\-dn subject-dn
 .OP \-\-san subjectAltName
 .OP \-\-lifetime days
+.OP \-\-not-before datetime
+.OP \-\-not-after datetime
 .OP \-\-serial hex
 .OP \-\-flag flag
 .OP \-\-digest digest
@@ -88,7 +90,28 @@ Subject distinguished name (DN) of the issued certificate.
 subjectAltName extension to include in certificate. Can be used multiple times.
 .TP
 .BI "\-l, \-\-lifetime " days
-Days the certificate is valid, default: 1095.
+Days the certificate is valid, default: 1095. Ignored if both
+an absolute start and end time are given.
+.TP
+.BI "\-F, \-\-not-before " datetime
+Absolute time when the validity of the certificate begins. The datetime format
+is defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-T, \-\-not-after " datetime
+Absolute time when the validity of the certificate ends. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-D, \-\-dateform " form
+strptime(3) format for the
+.B \-\-not\-before
+and
+.B \-\-not\-after
+options, default:
+.B %d.%m.%y %T
 .TP
 .BI "\-s, \-\-serial " hex
 Serial number in hex. It is randomly allocated by default.
@@ -176,4 +199,4 @@ given PKCS#10 certificate request and the options above:
 .
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in
index 8d3345edc..434d4ea16 100644
--- a/src/pki/man/pki---print.1.in
+++ b/src/pki/man/pki---print.1.in
@@ -46,8 +46,9 @@ Input file. If not given the input is read from \fISTDIN\fR.
 .BI "\-t, \-\-type " type
 Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
 private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR
-(Certificate Revocation List, CRL), defaults to \fIx509\fR.
+(Certificate Revocation List, CRL), \fIac\fR (Attribute Certificate),
+defaults to \fIx509\fR.
 .
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
index ee42cf9a0..5e6e78bd0 100644
--- a/src/pki/man/pki---self.1.in
+++ b/src/pki/man/pki---self.1.in
@@ -14,6 +14,8 @@ pki \-\-self \- Create a self-signed certificate
 .BI \-\-dn\~ distinguished-name
 .OP \-\-san subjectAltName
 .OP \-\-lifetime days
+.OP \-\-not-before datetime
+.OP \-\-not-after datetime
 .OP \-\-serial hex
 .OP \-\-flag flag
 .OP \-\-digest digest
@@ -75,7 +77,28 @@ Subject and issuer distinguished name (DN). Required.
 subjectAltName extension to include in certificate. Can be used multiple times.
 .TP
 .BI "\-l, \-\-lifetime " days
-Days the certificate is valid, default: 1095.
+Days the certificate is valid, default: 1095. Ignored if both
+an absolute start and end time are given.
+.TP
+.BI "\-F, \-\-not-before " datetime
+Absolute time when the validity of the certificate begins. The datetime format
+is defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-T, \-\-not-after " datetime
+Absolute time when the validity of the certificate ends. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-D, \-\-dateform " form
+strptime(3) format for the
+.B \-\-not\-before
+and
+.B \-\-not\-after
+options, default:
+.B %d.%m.%y %T
 .TP
 .BI "\-s, \-\-serial " hex
 Serial number in hex. It is randomly allocated by default.
@@ -145,4 +168,4 @@ Generate a self-signed certificate using the given RSA key:
 .
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in
index 6ba96f6bc..bd6cba547 100644
--- a/src/pki/man/pki---signcrl.1.in
+++ b/src/pki/man/pki---signcrl.1.in
@@ -10,6 +10,8 @@ pki \-\-signcrl \- Issue a Certificate Revocation List (CRL) using a CA certific
 .BI \-\-cakey\~ file |\-\-cakeyid\~ hex
 .BI \-\-cacert\~ file
 .OP \-\-lifetime days
+.OP \-\-this-update datetime
+.OP \-\-next-update datetime
 .OP \-\-lastcrl crl
 .OP \-\-basecrl crl
 .OP \-\-crluri uri
@@ -62,7 +64,28 @@ is required.
 CA certificate file. Required.
 .TP
 .BI "\-l, \-\-lifetime " days
-Days until the CRL gets a nextUpdate, default: 15.
+Days until the CRL gets a nextUpdate, default: 15. Ignored if both
+an absolute start and end time are given.
+.TP
+.BI "\-F, \-\-this-update " datetime
+Absolute time when the validity of the CRL begins. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-T, \-\-next-update " datetime
+Absolute time when the validity of the CRL end. The datetime format is
+defined by the
+.B \-\-dateform
+option.
+.TP
+.BI "\-D, \-\-dateform " form
+strptime(3) format for the
+.B \-\-this\-update
+and
+.B \-\-next\-update
+options, default:
+.B %d.%m.%y %T
 .TP
 .BI "\-a, \-\-lastcrl " crl
 CRL of lastUpdate to copy revocations from.
@@ -121,4 +144,4 @@ number, but no reason:
 .PP
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki.1.in b/src/pki/man/pki.1.in
index 8dfc53af3..f347031b4 100644
--- a/src/pki/man/pki.1.in
+++ b/src/pki/man/pki.1.in
@@ -49,6 +49,9 @@ Issue a certificate using a CA certificate and key.
 .B "\-c, \-\-signcrl"
 Issue a CRL using a CA certificate and key.
 .TP
+.B "\-z, \-\-acert"
+Issue an attribute certificate.
+.TP
 .B "\-r, \-\-req"
 Create a PKCS#10 certificate request.
 .TP
@@ -148,6 +151,7 @@ certificates with the \-\-crl option.
 .BR pki\ \-\-self (1),
 .BR pki\ \-\-issue (1),
 .BR pki\ \-\-signcrl (1),
+.BR pki\ \-\-acert (1),
 .BR pki\ \-\-req (1),
 .BR pki\ \-\-pkcs7 (1),
 .BR pki\ \-\-keyid (1), |