166 lines
5.4 KiB
Groff
166 lines
5.4 KiB
Groff
.TH IPSEC_OPENAC 8 "22 September 2007"
|
|
.SH NAME
|
|
ipsec openac \- Generation of X.509 attribute certificates
|
|
.SH SYNOPSIS
|
|
.B ipsec
|
|
.B openac
|
|
[
|
|
.B \-\-help
|
|
] [
|
|
.B \-\-version
|
|
] [
|
|
.B \-\-optionsfrom
|
|
\fIfilename\fP
|
|
]
|
|
.br
|
|
\ \ \ [
|
|
.B \-\-quiet
|
|
] [
|
|
.B \-\-debug
|
|
\fIlevel\fP
|
|
]
|
|
.br
|
|
\ \ \ [
|
|
.B \-\-days
|
|
\fIdays\fP
|
|
] [
|
|
.B \-\-hours
|
|
\fIhours\fP
|
|
]
|
|
.br
|
|
\ \ \ [
|
|
.B \-\-startdate
|
|
\fIYYYYMMDDHHMMSSZ\fP
|
|
] [
|
|
.B \-\-stopdate
|
|
\fIYYYYMMDDHHMMSSZ\fP
|
|
]
|
|
.br
|
|
.B \ \ \ \-\-cert
|
|
\fIcertfile\fP
|
|
.B \-\-key
|
|
\fIkeyfile\fP
|
|
[
|
|
.B \-\-password
|
|
\fIpassword\fP
|
|
]
|
|
.br
|
|
.B \ \ \ \-\-usercert
|
|
\fIcertfile\fP
|
|
.B \-\-groups
|
|
\fIattr1,attr2,...\fP
|
|
.B \-\-out
|
|
\fIfilename\fP
|
|
.SH DESCRIPTION
|
|
.BR openac
|
|
is intended to be used by an Authorization Authority (AA) to generate and sign
|
|
X.509 attribute certificates. Currently only the inclusion of one ore several group
|
|
attributes is supported. An attribute certificate is linked to a holder by
|
|
including the issuer and serial number of the holder's X.509 certificate.
|
|
.SH OPTIONS
|
|
.TP
|
|
\fB\-\-help\fP
|
|
display the usage message.
|
|
.TP
|
|
\fB\-\-version\fP
|
|
display the version of \fBopenac\fP.
|
|
.TP
|
|
\fB\-\-optionsfrom\fP\ \fIfilename\fP
|
|
adds the contents of the file to the argument list.
|
|
If \fIfilename\fP is a relative path then the file is searched in the directory
|
|
\fI/etc/openac\fP.
|
|
.TP
|
|
\fB\-\-quiet\fP
|
|
By default \fBopenac\fP logs all control output both to syslog and stderr.
|
|
With the \fB\-\-quiet\fP option no output is written to stderr.
|
|
.TP
|
|
\fB\-\-days\fP\ \fIdays\fP
|
|
Validity of the X.509 attribute certificate in days. If neiter the \fB\-\-days\fP\ nor
|
|
the \fB\-\-hours\fP\ option is specified then a default validity interval of 1 day is assumed.
|
|
The \fB\-\-days\fP\ option can be combined with the \fB\-\-hours\fP\ option.
|
|
.TP
|
|
\fB\-\-hours\fP\ \fIhours\fP
|
|
Validity of the X.509 attribute certificate in hours. If neiter the \fB\-\-hours\fP\ nor
|
|
the \fB\-\-days\fP\ option is specified then a default validity interval of 24 hours is assumed.
|
|
The \fB\-\-hours\fP\ option can be combined with the \fB\-\-days\fP\ option.
|
|
.TP
|
|
\fB\-\-startdate\fP\ \fIYYYYMMDDHHMMSSZ\fP
|
|
defines the \fBnotBefore\fP date when the X.509 attribute certificate becomes valid.
|
|
The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time).
|
|
If the \fB\-\-startdate\fP option is not specified then the current date is taken as a default.
|
|
|
|
.TP
|
|
\fB\-\-stopdate\fP\ \fIYYYYMMDDHHMMSSZ\fP
|
|
defines the \fBnotAfter\fP date when the X.509 attribute certificate will expire.
|
|
The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time).
|
|
If the \fB\-\-stopdate\fP option is not specified then the default \fBnotAfter\fP value is computed
|
|
by adding the validity interval specified by the \fB\-\-days\fP\ and/or \fB\-\-days\fP\ options
|
|
to the \fBnotBefore\fP date.
|
|
.TP
|
|
\fB\-\-cert\fP\ \fIcertfile\fP
|
|
specifies the file containing the X.509 certificate of the Authorization Authority.
|
|
The certificate is stored either in PEM or DER format.
|
|
.TP
|
|
\fB\-\-key\fP\ \fIkeyfile\fP
|
|
specifies the encrypted file containing the private RSA key of the Authoritzation
|
|
Authority. The private key is stored in PKCS#1 format.
|
|
.TP
|
|
\fB\-\-password\fP\ \fIpassword\fP
|
|
specifies the password with which the private RSA keyfile defined by the
|
|
\fB\-\-key\fP option has been protected. If the option is missing then the
|
|
password is prompted for on the command line.
|
|
.TP
|
|
\fB\-\-usercert\fP\ \fIcertfile\fP
|
|
specifies file containing the X.509 certificate of the user to which the generated attribute
|
|
certificate will apply. The certificate file is stored either in PEM or DER format.
|
|
.TP
|
|
\fB\-\-groups\fP\ \fIattr1,attr2\fP
|
|
specifies a comma-separated list of group attributes that will go into the
|
|
X.509 attribute certificate.
|
|
.TP
|
|
\fB\-\-out\fP\ \fIfilename\fP
|
|
specifies the file where the generated X.509 attribute certificate will be stored to.
|
|
.SS Debugging
|
|
.LP
|
|
\fBopenac\fP produces a prodigious amount of debugging information. To do so,
|
|
it must be compiled with \-DDEBUG. There are several classes of debugging output,
|
|
and \fBopenac\fP may be directed to produce a selection of them. All lines of
|
|
debugging output are prefixed with ``|\ '' to distinguish them from error messages.
|
|
.LP
|
|
When \fBopenac\fP is invoked, it may be given arguments to specify
|
|
which classes to output. The current options are:
|
|
.TP
|
|
\fB\-\-debug\fP\ \fIlevel\fP
|
|
sets the debug level to 0 (none), 1 (normal), 2 (more), 3 (raw), and 4 (private),
|
|
the default level being 1.
|
|
.SH EXIT STATUS
|
|
.LP
|
|
The execution of \fBopenac\fP terminates with one of the following two exit codes:
|
|
.TP
|
|
0
|
|
means that the attribute certificate was successfully generated and stored.
|
|
.TP
|
|
1
|
|
means that something went wrong.
|
|
.SH FILES
|
|
\fI/etc/openac/serial\fP\ \ \ serial number of latest attribute certificate
|
|
.SH SEE ALSO
|
|
.LP
|
|
The X.509 attribute certificates generated with \fBopenac\fP can be used to
|
|
enforce group policies defined by \fIipsec.conf\fP(5). Use \fIipsec_auto\fP(8)
|
|
to load and list X.509 attribute certificates.
|
|
.LP
|
|
For more information on X.509 attribute certificates, refer to the following
|
|
IETF RFC:
|
|
.IP
|
|
RFC 3281 An Internet Attribute Certificate Profile for Authorization
|
|
.SH HISTORY
|
|
The \fBopenac\fP program was originally written by Ariane Seiler and Ueli Galizzi.
|
|
The software was recoded by Andreas Steffen using strongSwan's X.509 library and
|
|
the ASN.1 code synthesis functions written by Christoph Gysin and Christoph Zwahlen.
|
|
All authors were with the Zurich University of Applied Sciences in Winterthur,
|
|
Switzerland.
|
|
.LP
|
|
.SH BUGS
|
|
Bugs should be reported to the <users@lists.strongswan.org> mailing list.
|