ipsec openac - Generation of X.509 attribute certificates
ipsec openac [ --help ] [ --version ] [ --optionsfrom filename ]
[ --quiet ] [ --debug level ]
[ --days days ] [ --hours hours ]
[ --startdate YYYYMMDDHHMMSSZ ] [ --stopdate YYYYMMDDHHMMSSZ ]
--cert certfile --key keyfile [ --password password ]
--usercert certfile --groups attr1,attr2,... --out filename
openac is intended to be used by an Authorization Authority (AA) to
generate and sign X.509 attribute certificates. Currently only the
inclusion of one or several group attributes is supported. An
attribute certificate is linked to its holder by including the issuer
name and serial number of the holder's X.509 certificate, so the
attribute certificate stays bound to exactly that certificate and
cannot be transferred to another one.
--help display the usage message.
--version
display the version of openac.
--optionsfrom filename
adds the contents of the file to the argument list. If filename
is a relative path then the file is searched in the directory
--quiet
By default openac logs all control output both to syslog and
stderr. With the --quiet option no output is written to stderr.
--days days
Validity of the X.509 attribute certificate in days. If neither
the --days nor the --hours option is specified then a default
validity interval of 1 day is assumed. The --days option can be
combined with the --hours option.
--hours hours
Validity of the X.509 attribute certificate in hours. If neither
the --hours nor the --days option is specified then a default
validity interval of 24 hours is assumed. The --hours option
can be combined with the --days option.
--startdate YYYYMMDDHHMMSSZ
defines the notBefore date from which the X.509 attribute
certificate is valid. The date YYYYMMDDHHMMSSZ must be specified
in UTC (Zulu time, trailing Z). If the --startdate option is not
specified then the current date and time are taken as a default.
--stopdate YYYYMMDDHHMMSSZ
defines the notAfter date at which the X.509 attribute certificate
expires. The date YYYYMMDDHHMMSSZ must be specified in UTC
(Zulu time, trailing Z). If the --stopdate option is not specified
then the default notAfter value is computed by adding the validity
interval specified by the --days and/or --hours options to the
--cert certfile
specifies the file containing the X.509 certificate of the
Authorization Authority. The certificate is stored either in
PEM or DER format.
--key keyfile
specifies the encrypted file containing the private RSA key of
the Authorization Authority. The private key is stored in
--password password
specifies the password with which the private RSA keyfile
defined by the --key option has been protected. If the option is
missing then the password is prompted for on the command line.
Note that a password given as a command-line argument is visible
to other local users in the process list and may end up in the
shell history, so prompting is preferable on shared systems.
--usercert certfile
specifies the file containing the X.509 certificate of the user
(holder) to which the generated attribute certificate will apply.
The certificate file is stored either in PEM or DER format.
--groups attr1,attr2,...
specifies a comma-separated list of group attributes that will
go into the X.509 attribute certificate.
--out filename
specifies the file in which the generated X.509 attribute
certificate will be stored.
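The validity rules and required options above, as an added example that is not part of strongSwan or the openac sources: a small Python helper that computes notBefore/notAfter exactly as the --startdate, --stopdate, --days and --hours options describe (explicit --stopdate wins; otherwise notBefore plus days and hours, 24 hours if neither is given; all timestamps in YYYYMMDDHHMMSSZ form) and assembles the resulting `ipsec openac` command line. The file and group names in the usage are made up, and the `now` parameter is a testing hook of this helper, not an openac option.

```python
"""Compute an attribute-certificate validity window and build an
`ipsec openac` argv, following the option semantics of the man page.
Added example; not strongSwan code."""
import re
import shlex
from datetime import datetime, timedelta, timezone

ZULU = "%Y%m%d%H%M%SZ"          # the YYYYMMDDHHMMSSZ form openac expects
_ZULU_RE = re.compile(r"^\d{14}Z$")


def parse_zulu(text):
    """Parse YYYYMMDDHHMMSSZ; reject anything that is not explicitly UTC."""
    if not _ZULU_RE.match(text):
        raise ValueError(f"not a YYYYMMDDHHMMSSZ timestamp: {text!r}")
    return datetime.strptime(text, ZULU).replace(tzinfo=timezone.utc)


def format_zulu(moment):
    return moment.astimezone(timezone.utc).strftime(ZULU)


def validity_window(startdate=None, stopdate=None, days=None, hours=None, now=None):
    """Return (notBefore, notAfter) as Zulu strings.

    --startdate defaults to the current time; an explicit --stopdate wins;
    otherwise notAfter = notBefore + days + hours, with 24 hours as the
    default when neither --days nor --hours is given.
    `now` (a Zulu string) replaces the real clock for reproducible tests."""
    clock = parse_zulu(now) if now else datetime.now(timezone.utc).replace(microsecond=0)
    not_before = parse_zulu(startdate) if startdate else clock
    if stopdate:
        not_after = parse_zulu(stopdate)
    else:
        if days is None and hours is None:
            interval = timedelta(hours=24)
        else:
            interval = timedelta(days=days or 0, hours=hours or 0)
        if interval <= timedelta(0):
            raise ValueError("validity interval must be positive")
        not_after = not_before + interval
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    return format_zulu(not_before), format_zulu(not_after)


def openac_argv(cert, key, usercert, groups, out, password=None,
                startdate=None, stopdate=None, days=None, hours=None,
                quiet=False, debug=None, now=None):
    """Build the argv for `ipsec openac`. The window is always passed as
    explicit --startdate/--stopdate so the exact validity is recorded in
    the command and does not depend on when the command actually runs."""
    if not groups:
        raise ValueError("--groups needs at least one group attribute")
    for group in groups:
        # the list is comma-separated on the command line, so a comma
        # inside a name would silently become two groups
        if "," in group or not group.strip():
            raise ValueError(f"invalid group attribute: {group!r}")
    not_before, not_after = validity_window(startdate, stopdate, days, hours, now)
    argv = ["ipsec", "openac"]
    if quiet:
        argv.append("--quiet")
    if debug is not None:
        if debug not in range(0, 5):          # 0 none .. 4 private
            raise ValueError("--debug level must be 0..4")
        argv += ["--debug", str(debug)]
    argv += ["--startdate", not_before, "--stopdate", not_after,
             "--cert", cert, "--key", key]
    if password is not None:
        # Only on request: a password in argv is visible in the process
        # list. Leaving it out makes openac prompt for it instead.
        argv += ["--password", password]
    argv += ["--usercert", usercert, "--groups", ",".join(groups), "--out", out]
    return argv


if __name__ == "__main__":
    # Constructed file and group names; nothing is signed here, the
    # command is only printed so it can be reviewed before running it.
    cmd = openac_argv("aaCert.pem", "aaKey.pem", "userCert.pem",
                      ["Research", "Sales"], "userAC.pem", days=30)
    print(shlex.join(cmd))
```

Run the module to print a reviewable command line, or import it and call `openac_argv()` from a provisioning script; inverted or zero-length windows and malformed timestamps are rejected before openac is ever invoked.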
openac produces a prodigious amount of debugging information. To do
so, it must be compiled with -DDEBUG. There are several classes of
debugging output, and openac may be directed to produce a selection of
them. All lines of debugging output are prefixed with "| " to
distinguish them from error messages.
When openac is invoked, it may be given arguments to specify which
classes to output. The current options are:
--debug level
sets the debug level to 0 (none), 1 (normal), 2 (more), 3 (raw),
or 4 (private), the default level being 1.
The execution of openac terminates with one of the following two exit
0 means that the attribute certificate was successfully generated
1 means that something went wrong.
/etc/openac/serial serial number of latest attribute certificate
The X.509 attribute certificates generated with openac can be used to
enforce group policies defined by ipsec.conf(5). Use ipsec_auto(8) to
load and list X.509 attribute certificates.
For more information on X.509 attribute certificates, refer to the
following IETF RFC (since obsoleted by RFC 5755):
RFC 3281 An Internet Attribute Certificate Profile for
The openac program was originally written by Ariane Seiler and Ueli
Galizzi. The software was recoded by Andreas Steffen using
strongSwan’s X.509 library and the ASN.1 code synthesis functions
written by Christoph Gysin and Christoph Zwahlen. All authors were
with the Zurich University of Applied Sciences in Winterthur,
Bugs should be reported to the <email@example.com> mailing
22 September 2007 IPSEC_OPENAC(8)