PKI --ACERT(1)                    strongSwan                    PKI --ACERT(1)

NAME

       pki --acert - Issue an attribute certificate

SYNOPSIS

       pki --acert [--in file] [--group membership]
                   --issuerkey file|--issuerkeyid hex --issuercert file
                   [--lifetime hours] [--not-before datetime]
                   [--not-after datetime] [--serial hex] [--digest digest]
                   [--outform encoding] [--debug level]

       pki --acert --options file

       pki --acert -h | --help

DESCRIPTION

       This sub-command of pki(1) is used to issue an attribute certificate
       using an issuer certificate with its private key and the holder
       certificate.

OPTIONS

       -h, --help
              Print usage information with a summary of the available options.

       -v, --debug level
              Set debug level, default: 1.

       -+, --options file
              Read command line options from file.

       -i, --in file
              Holder certificate to issue an attribute certificate for. If not
              given the certificate is read from STDIN.

       -m, --group membership
              Group membership the attribute certificate shall certify. The
              specified group is included as a string. To include multiple
              groups, the option can be repeated.

       -k, --issuerkey file
              Issuer private key file. Either this or --issuerkeyid is
              required.

       -x, --issuerkeyid hex
              Key ID of an issuer private key on a smartcard. Either this or
              --issuerkey is required.

       -c, --issuercert file
              Issuer certificate file. Required.

       -l, --lifetime hours
              Hours the attribute certificate is valid, default: 24. Ignored
              if both an absolute start and end time are given.

       -F, --not-before datetime
              Absolute time when the validity of the AC begins. The datetime
              format is defined by the --dateform option.

       -T, --not-after datetime
              Absolute time when the validity of the AC ends. The datetime
              format is defined by the --dateform option.

       -D, --dateform form
              strptime(3) format for the --not-before and --not-after options,
              default: %d.%m.%y %T

       -s, --serial hex
              Serial number in hex. It is randomly allocated by default.

       -g, --digest digest
              Digest to use for signature creation. One of md5, sha1, sha224,
              sha256, sha384, or sha512. Defaults to sha1.

       -f, --outform encoding
              Encoding of the created certificate file. Either der (ASN.1 DER)
              or pem (Base64 PEM), defaults to der.

EXAMPLES

       To save repetitive typing, command line options can be stored in files.
       Let's assume acert.opt contains the following contents:

         --issuercert aacert.der --issuerkey aakey.der --digest sha256 --lifetime 4

       Then the following command can be used to issue an attribute
       certificate based on a holder certificate and the options above:

         pki --acert --options acert.opt --in holder.der --group sales --group finance -f pem

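       The wrapper below is an added example, not part of the strongSwan
       manual or distribution. It pins an absolute validity window with
       --not-before and --not-after in the default --dateform, and refuses
       md5 and sha1 because --digest defaults to sha1. The function name
       issue_acert, the PKI_CMD, AA_CERT and AA_KEY variables and the sample
       times are assumptions; by default it only prints the command line.

```shell
#!/bin/sh
# Added example, not from the strongSwan distribution. Uses only options
# documented on this page; names and sample values are assumptions.

PKI_CMD=${PKI_CMD:-echo pki}        # dry run by default; PKI_CMD=pki issues
AA_CERT=${AA_CERT:-aacert.der}      # issuer certificate (placeholder path)
AA_KEY=${AA_KEY:-aakey.der}         # issuer private key (placeholder path)

# usage: issue_acert HOLDER DIGEST NOT_BEFORE NOT_AFTER [GROUP...]
issue_acert() {
    [ "$#" -ge 4 ] || { echo "missing arguments" >&2; return 2; }
    holder=$1 digest=$2 nb=$3 na=$4
    shift 4

    # --digest accepts md5 and sha1 and defaults to sha1; this wrapper's
    # policy (an assumption, not a pki rule) is to allow SHA-2 only.
    case $digest in
        sha224|sha256|sha384|sha512) ;;
        *) echo "refusing digest '$digest'" >&2; return 1 ;;
    esac

    # Check both times against the default --dateform "%d.%m.%y %T",
    # i.e. DD.MM.YY HH:MM:SS (shape check only, not a calendar check).
    for t in "$nb" "$na"; do
        case $t in
            [0-9][0-9].[0-9][0-9].[0-9][0-9]\ [0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ;;
            *) echo "bad datetime '$t'" >&2; return 1 ;;
        esac
    done

    # Rewrite the remaining arguments (group names) as repeated --group options.
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" --group "$1"
        shift
        n=$((n - 1))
    done

    # PKI_CMD is split on purpose so "echo pki" works as a dry run.
    $PKI_CMD --acert --in "$holder" --issuercert "$AA_CERT" \
        --issuerkey "$AA_KEY" --digest "$digest" \
        --not-before "$nb" --not-after "$na" --outform pem "$@"
}

# Constructed sample call: a four-hour window for two groups.
issue_acert holder.der sha256 '05.02.14 08:00:00' '05.02.14 12:00:00' \
    sales finance
```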

SEE ALSO

       pki(1)

5.2.0                             2014-02-05                    PKI --ACERT(1)