.TH "PKI \-\-ACERT" 1 "2014-02-05" "@PACKAGE_VERSION@" "strongSwan"
.
.SH "NAME"
.
pki \-\-acert \- Issue an attribute certificate
.
.SH "SYNOPSIS"
.
.SY pki\ \-\-acert
.OP \-\-in file
.OP \-\-group membership
.BI \-\-issuerkey\~ file |\-\-issuerkeyid\~ hex
.BI \-\-issuercert\~ file
.OP \-\-lifetime hours
.OP \-\-not-before datetime
.OP \-\-not-after datetime
.OP \-\-serial hex
.OP \-\-digest digest
.OP \-\-outform encoding
.OP \-\-debug level
.YS
.
.SY pki\ \-\-acert
.BI \-\-options\~ file
.YS
.
.SY "pki \-\-acert"
.B \-h
|
.B \-\-help
.YS
.
.SH "DESCRIPTION"
.
This sub-command of
.BR pki (1)
is used to issue an attribute certificate using an issuer certificate with its
private key and the holder certificate.
.
.SH "OPTIONS"
.
.TP
.B "\-h, \-\-help"
Print usage information with a summary of the available options.
.TP
.BI "\-v, \-\-debug " level
Set debug level, default: 1.
.TP
.BI "\-+, \-\-options " file
Read command line options from \fIfile\fR.
.TP
.BI "\-i, \-\-in " file
Holder certificate to issue an attribute certificate for. If not given, the
certificate is read from \fISTDIN\fR.
.TP
.BI "\-m, \-\-group " membership
Group membership the attribute certificate shall certify. The specified group
is included as a string. To include multiple groups, the option can be repeated.
.TP
.BI "\-k, \-\-issuerkey " file
Issuer private key file. Either this or
.B \-\-issuerkeyid
is required.
.TP
.BI "\-x, \-\-issuerkeyid " hex
Key ID of an issuer private key on a smartcard. Either this or
.B \-\-issuerkey
is required.
.TP
.BI "\-c, \-\-issuercert " file
Issuer certificate file. Required.
.TP
.BI "\-l, \-\-lifetime " hours
Hours the attribute certificate is valid, default: 24. Ignored if both
an absolute start and end time are given.
.TP
.BI "\-F, \-\-not-before " datetime
Absolute time when the validity of the AC begins. The datetime format is
defined by the
.B \-\-dateform
option.
.TP
.BI "\-T, \-\-not-after " datetime
Absolute time when the validity of the AC ends. The datetime format is
defined by the
.B \-\-dateform
option.
.TP
.BI "\-D, \-\-dateform " form
strptime(3) format for the
.B \-\-not\-before
and
.B \-\-not\-after
options, default:
.B %d.%m.%y %T
.TP
.BI "\-s, \-\-serial " hex
Serial number in hex. It is randomly allocated by default.
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
determined based on the type and size of the signature key.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
.
.SH "EXAMPLES"
.
To save repetitive typing, command line options can be stored in files.
Let's assume
.I acert.opt
contains the following contents:
.PP
.EX
--issuercert aacert.der --issuerkey aakey.der --digest sha256 --lifetime 4
.EE
.PP
Then the following command can be used to issue an attribute certificate based
on a holder certificate and the options above:
.PP
.EX
pki --acert --options acert.opt --in holder.der --group sales --group finance -f pem
.EE
.PP
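The rules stated in the OPTIONS section can be checked before
.B pki
is ever run against real key material. The following script is an added
example written for this page; it is not part of strongSwan or of the
.B pki
tool. It parses the same option syntax, expands an \-\-options file supplied
as an in-memory string, reports violations of the documented rules
(\-\-issuercert required, exactly one of \-\-issuerkey or \-\-issuerkeyid,
the listed \-\-digest and \-\-outform values, \-\-group as the only repeatable
option) and derives the validity window, ignoring \-\-lifetime when both
absolute times are given. How
.B pki
anchors the window when only one absolute time is given is not specified
above; placing the other end \-\-lifetime hours away is this example's
assumption. The options-file contents and command line are constructed here
and mirror the example above.
.PP
```python
"""Check a pki --acert option set and derive the validity window it produces.

Added example, not strongSwan code: it encodes the rules stated in the OPTIONS
section so a bad options file is rejected before any key is touched.
"""
from __future__ import annotations

import shlex
from datetime import datetime, timedelta

DEFAULT_DATEFORM = "%d.%m.%y %T"   # --dateform default from the man page
DEFAULT_LIFETIME_HOURS = 24        # --lifetime default from the man page
DIGESTS = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}
OUTFORMS = {"der", "pem"}
REPEATABLE = {"group"}             # the only option the page says may be repeated
LONG = {"in", "group", "issuerkey", "issuerkeyid", "issuercert", "lifetime",
        "not-before", "not-after", "dateform", "serial", "digest", "outform",
        "debug", "options"}
SHORT = {"i": "in", "m": "group", "k": "issuerkey", "x": "issuerkeyid",
         "c": "issuercert", "l": "lifetime", "F": "not-before", "T": "not-after",
         "D": "dateform", "s": "serial", "g": "digest", "f": "outform",
         "v": "debug", "+": "options", "h": "help"}


def parse_options(text: str) -> dict[str, list[str]]:
    """Parse option tokens from a command line or an --options file.

    Values containing spaces (a --not-before time in the default dateform)
    must be quoted; shlex splits them the way a shell would.
    """
    tokens = shlex.split(text)
    found: dict[str, list[str]] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            name = tok[2:]
        elif len(tok) == 2 and tok[0] == "-":
            name = SHORT.get(tok[1], tok[1])
        else:
            raise ValueError(f"unexpected token {tok!r}")
        if name == "help":          # the one option that takes no value
            found.setdefault(name, []).append("")
            i += 1
            continue
        if name not in LONG:
            raise ValueError(f"unknown option --{name}")
        if i + 1 >= len(tokens):
            raise ValueError(f"--{name} needs a value")
        found.setdefault(name, []).append(tokens[i + 1])
        i += 2
    return found


def effective_options(cmdline: str, option_files: dict[str, str]) -> dict[str, list[str]]:
    """Expand --options references; option_files stands in for the filesystem."""
    opts = parse_options(cmdline)
    for path in opts.pop("options", []):
        for name, values in parse_options(option_files[path]).items():
            opts.setdefault(name, []).extend(values)
    return opts


def validity_window(opts: dict[str, list[str]], now: datetime | None = None):
    """Return (not_before, not_after) as the options imply.

    Per the man page, --lifetime is ignored when both absolute times are given.
    Anchoring the missing end --lifetime hours away when only one is given is
    this example's assumption, not documented pki behaviour.
    """
    now = now or datetime.now()
    # Python's strptime has no %T; expand it as strptime(3) defines it.
    form = opts.get("dateform", [DEFAULT_DATEFORM])[0].replace("%T", "%H:%M:%S")
    lifetime = timedelta(hours=int(opts.get("lifetime", [str(DEFAULT_LIFETIME_HOURS)])[0]))
    nb = datetime.strptime(opts["not-before"][0], form) if "not-before" in opts else None
    na = datetime.strptime(opts["not-after"][0], form) if "not-after" in opts else None
    if nb and na:
        return nb, na
    if nb:
        return nb, nb + lifetime
    if na:
        return na - lifetime, na
    return now, now + lifetime


def validate(opts: dict[str, list[str]]) -> list[str]:
    """Return the problems found; an empty list means the set satisfies OPTIONS."""
    problems = []
    for name, values in opts.items():
        if len(values) > 1 and name not in REPEATABLE:
            problems.append(f"--{name} given more than once")
    if "issuercert" not in opts:
        problems.append("--issuercert is required")
    if ("issuerkey" in opts) + ("issuerkeyid" in opts) != 1:
        problems.append("exactly one of --issuerkey or --issuerkeyid is required")
    if "digest" in opts and opts["digest"][0] not in DIGESTS:
        problems.append(f"unknown --digest {opts['digest'][0]!r}")
    if "outform" in opts and opts["outform"][0] not in OUTFORMS:
        problems.append(f"unknown --outform {opts['outform'][0]!r}")
    if "serial" in opts:
        try:
            int(opts["serial"][0], 16)
        except ValueError:
            problems.append("--serial is not hex")
    try:
        nb, na = validity_window(opts)
        if na <= nb:
            problems.append("--not-after does not lie after --not-before")
    except ValueError as exc:        # bad --lifetime or an unparsable datetime
        problems.append(f"validity: {exc}")
    return problems


def weak_digest(opts: dict[str, list[str]]) -> bool:
    """True when md5 or sha1 is requested; both are listed but unsuitable for new signatures."""
    return opts.get("digest", [""])[0] in {"md5", "sha1"}


# Constructed inputs mirroring the man page's EXAMPLES section.
ACERT_OPT = "--issuercert aacert.der --issuerkey aakey.der --digest sha256 --lifetime 4"
CMDLINE = "--options acert.opt --in holder.der --group sales --group finance -f pem"

if __name__ == "__main__":
    opts = effective_options(CMDLINE, {"acert.opt": ACERT_OPT})
    print("problems:", validate(opts) or "none")
    print("window:", validity_window(opts))
```
.PP
Run the script directly to see the result for the option set above, or import
it and call validate() on any parsed option set; an empty list means the set
meets the documented requirements, while weak_digest() separately flags a
request for md5 or sha1.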
.
.SH "SEE ALSO"
.
.BR pki (1)