
NAME

       ipsec openac - Generation of X.509 attribute certificates

SYNOPSIS

       ipsec openac [ --help ] [ --version ] [ --optionsfrom filename ]
          [ --quiet ] [ --debug level ]
          [ --days days ] [ --hours hours ]
          [ --startdate YYYYMMDDHHMMSSZ ] [ --stopdate YYYYMMDDHHMMSSZ ]
          --cert certfile --key keyfile [ --password password ]
          --usercert certfile --groups attr1,attr2,...  --out filename

DESCRIPTION

       openac  is  intended  to  be used by an Authorization Authority (AA) to
       generate and sign X.509  attribute  certificates.  Currently  only  the
       inclusion  of  one  or  several  group  attributes  is  supported.  An
       attribute certificate is linked to a holder by including the issuer and
       serial number of the holder’s X.509 certificate.

OPTIONS

       --help display the usage message.

       --version
              display the version of openac.

       --optionsfrom filename
              adds the contents of the file to the argument list.  If filename
              is a relative path then the file is searched  in  the  directory
              /etc/openac.

       --quiet
              By  default  openac  logs  all control output both to syslog and
              stderr.  With the --quiet option no output is written to stderr.

       --days days
              Validity of the X.509 attribute certificate in days. If neither
              the --days nor the --hours option is specified  then  a  default
              validity interval of 1 day is assumed.  The --days option can be
              combined with the --hours option.

       --hours hours
              Validity of the X.509 attribute certificate in hours. If neither
              the  --hours nor  the  --days option is specified then a default
              validity interval of 24 hours is  assumed.   The  --hours option
              can be combined with the --days option.

       --startdate YYYYMMDDHHMMSSZ
              defines  the notBefore date when the X.509 attribute certificate
              becomes valid.  The date YYYYMMDDHHMMSS must be specified in UTC
              (Zulu  time).   If  the --startdate option is not specified then
              the current date is taken as a default.

       --stopdate YYYYMMDDHHMMSSZ
              defines the notAfter date when the X.509  attribute  certificate
              will  expire.   The date YYYYMMDDHHMMSS must be specified in UTC
              (Zulu time).  If the --stopdate option is not specified then the
              default  notAfter  value  is  computed  by  adding  the validity
              interval specified by the --days and/or --hours options  to  the
              notBefore date.

       --cert certfile
              specifies  the  file  containing  the  X.509  certificate of the
              Authorization Authority.  The certificate is  stored  either  in
              PEM or DER format.

       --key keyfile
              specifies  the  encrypted file containing the private RSA key of
              the Authorization Authority.  The  private  key  is  stored  in
              PKCS#1 format.

       --password password
              specifies  the  password  with  which  the  private  RSA keyfile
              defined by the --key option has been protected. If the option is
              missing then the password is prompted for on the command line.

       --usercert certfile
              specifies the file containing the X.509 certificate of the user to
              which  the  generated  attribute  certificate  will  apply.  The
              certificate file is stored either in PEM or DER format.

       --groups attr1,attr2
              specifies  a  comma-separated list of group attributes that will
              go into the X.509 attribute certificate.

       --out filename
              specifies  the  file  where  the   generated   X.509   attribute
              certificate will be stored to.
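       The validity rules above (notBefore defaulting to now, notAfter taken
       from --stopdate or computed from --days and/or --hours, with 1 day as
       the fallback) are easy to get wrong when scripting openac.  The
       following helper is an added example, not part of openac or strongSwan;
       it encodes those rules, emits dates in the YYYYMMDDHHMMSSZ form openac
       expects, and builds the command line.  File names and group names in
       the usage call are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

ZULU = "%Y%m%d%H%M%SZ"  # the UTC form openac wants for --startdate/--stopdate


def parse_zulu(s):
    """Parse YYYYMMDDHHMMSSZ into an aware UTC datetime; reject anything else."""
    if len(s) != 15 or not s.endswith("Z"):
        raise ValueError("expected YYYYMMDDHHMMSSZ, got %r" % s)
    return datetime.strptime(s, ZULU).replace(tzinfo=timezone.utc)


def validity_window(startdate=None, stopdate=None, days=None, hours=None, now=None):
    """Apply openac's documented rules and return (notBefore, notAfter) strings.
    notBefore is --startdate or the current UTC time; notAfter is --stopdate if
    given, otherwise notBefore plus --days and/or --hours, or plus 1 day when
    neither is given.  A window that ends before it starts is rejected here,
    since an AA should never sign such a certificate."""
    now = now or datetime.now(timezone.utc)
    not_before = parse_zulu(startdate) if startdate else now.replace(microsecond=0)
    if stopdate:
        not_after = parse_zulu(stopdate)
    elif days is None and hours is None:
        not_after = not_before + timedelta(days=1)
    else:
        not_after = not_before + timedelta(days=days or 0, hours=hours or 0)
    if not_after <= not_before:
        raise ValueError("notAfter %s is not later than notBefore %s" % (not_after, not_before))
    return not_before.strftime(ZULU), not_after.strftime(ZULU)


def openac_argv(cert, key, usercert, groups, out, **window):
    """Build the openac command line with an explicit, pinned validity window.
    --password is deliberately left out so openac prompts for it instead of
    exposing the AA key password in the process list or shell history."""
    if not groups:
        raise ValueError("at least one group attribute is required")
    not_before, not_after = validity_window(**window)
    return ["ipsec", "openac", "--cert", cert, "--key", key, "--usercert", usercert,
            "--groups", ",".join(groups), "--startdate", not_before,
            "--stopdate", not_after, "--out", out]


if __name__ == "__main__":
    # Constructed placeholder paths and groups; run with subprocess.run(argv) on a real AA host.
    print(" ".join(openac_argv("/etc/openac/aaCert.pem", "/etc/openac/aaKey.pem",
                               "/tmp/aliceCert.pem", ["sales", "vpn-users"],
                               "/tmp/aliceAC.der", days=1, hours=12)))
```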

   Debugging
       openac  produces  a  prodigious amount of debugging information.  To do
       so, it must be compiled with -DDEBUG.  There  are  several  classes  of
       debugging  output, and openac may be directed to produce a selection of
       them.  All lines of  debugging  output  are  prefixed  with  "| "  to
       distinguish them from error messages.

       When  openac  is  invoked,  it  may be given arguments to specify which
       classes to output.  The current options are:

       --debug level
              sets the debug level to 0 (none), 1 (normal), 2 (more), 3 (raw),
              and 4 (private), the default level being 1.

EXIT STATUS

       The  execution  of openac terminates with one of the following two exit
       codes:

       0      means that the attribute certificate was successfully  generated
              and stored.

       1      means that something went wrong.

FILES

       /etc/openac/serial   serial number of latest attribute certificate

SEE ALSO

       The  X.509  attribute certificates generated with openac can be used to
       enforce group policies defined by ipsec.conf(5). Use  ipsec_auto(8)  to
       load and list X.509 attribute certificates.

       For  more  information  on  X.509  attribute certificates, refer to the
       following IETF RFC:

              RFC  3281  An  Internet  Attribute   Certificate   Profile   for
              Authorization

HISTORY

       The  openac  program  was  originally written by Ariane Seiler and Ueli
       Galizzi.   The  software  was  recoded   by   Andreas   Steffen   using
       strongSwan’s  X.509  library  and  the  ASN.1  code synthesis functions
       written by Christoph Gysin and Christoph  Zwahlen.   All  authors  were
       with   the   Zurich  University  of  Applied  Sciences  in  Winterthur,
       Switzerland.

BUGS

       Bugs should be reported  to  the  <users@lists.strongswan.org>  mailing
       list.

                               22 September 2007               IPSEC_OPENAC(8)