SYNOPSISipsec openac [ --help ] [ --version ] [ --optionsfrom filename ]
[ --quiet ] [ --debug level ]
[ --days days ] [ --hours hours ]
[ --startdate YYYYMMDDHHMMSSZ ] [ --stopdate YYYYMMDDHHMMSSZ ]
--cert certfile --key keyfile [ --password password ]
--usercert certfile --groups attr1,attr2,... --out filename
DESCRIPTIONopenac is intended to be used by an Authorization Authority (AA) to generate and sign X.509 attribute certificates. Currently only the inclusion of one ore several group attributes is supported. An attribute certificate is linked to a holder by including the issuer and serial number of the holder's X.509 certificate.
- display the usage message.
- display the version of openac.
- --optionsfrom filename
- adds the contents of the file to the argument list. If filename is a relative path then the file is searched in the directory /etc/openac.
- By default openac logs all control output both to syslog and stderr. With the --quiet option no output is written to stderr.
- --days days
- Validity of the X.509 attribute certificate in days. If neiter the --days nor the --hours option is specified then a default validity interval of 1 day is assumed. The --days option can be combined with the --hours option.
- --hours hours
- Validity of the X.509 attribute certificate in hours. If neiter the --hours nor the --days option is specified then a default validity interval of 24 hours is assumed. The --hours option can be combined with the --days option.
- --startdate YYYYMMDDHHMMSSZ
defines the notBefore date when the X.509 attribute certificate becomes valid.
The date YYYYMMDDHHMMSS must be specified in UTC (Zulu time).
If the --startdate option is not specified then the current date is taken as a default.
- --stopdate YYYYMMDDHHMMSSZ
- defines the notAfter date when the X.509 attribute certificate will expire. The date YYYYMMDDHHMMSS must be specified in UTC (Zulu time). If the --stopdate option is not specified then the default notAfter value is computed by adding the validity interval specified by the --days and/or --days options to the notBefore date.
- --cert certfile
- specifies the file containing the X.509 certificate of the Authorization Authority. The certificate is stored either in PEM or DER format.
- --key keyfile
- specifies the encrypted file containing the private RSA key of the Authoritzation Authority. The private key is stored in PKCS#1 format.
- --password password
- specifies the password with which the private RSA keyfile defined by the --key option has been protected. If the option is missing then the password is prompted for on the command line.
- --usercert certfile
- specifies file containing the X.509 certificate of the user to which the generated attribute certificate will apply. The certificate file is stored either in PEM or DER format.
- --groups attr1,attr2
- specifies a comma-separated list of group attributes that will go into the X.509 attribute certificate.
- --out filename
- specifies the file where the generated X.509 attribute certificate will be stored to.
openac produces a prodigious amount of debugging information. To do so, it must be compiled with -DDEBUG. There are several classes of debugging output, and openac may be directed to produce a selection of them. All lines of debugging output are prefixed with ``| '' to distinguish them from error messages.
When openac is invoked, it may be given arguments to specify which classes to output. The current options are:
- --debug level
- sets the debug level to 0 (none), 1 (normal), 2 (more), 3 (raw), and 4 (private), the default level being 1.
The execution of openac terminates with one of the following two exit codes:
- means that the attribute certificate was successfully generated and stored.
- means that something went wrong.
FILES/etc/openac/serial serial number of latest attribute certificate
HISTORYThe openac program was originally written by Ariane Seiler and Ueli Galizzi. The software was recoded by Andreas Steffen using strongSwan's X.509 library and the ASN.1 code synthesis functions written by Christoph Gysin and Christoph Zwahlen. All authors were with the Zurich University of Applied Sciences in Winterthur, Switzerland.
BUGSBugs should be reported to the <[email protected]> mailing list.