1PT-TLS-CLIENT(1) strongSwan PT-TLS-CLIENT(1)
2
6 pt-tls-client - Simple client using PT-TLS to collect integrity infor‐
7 mation
8
10 pt-tls-client --connect hostname|address [--port port] [--certid
11 hex|--cert file]+ [--keyid hex|--key file] [--key-type
12 rsa|ecdsa] [--client client-id] [--secret password]
13 [--mutual] [--options filename] [--quiet] [--debug level]
14 pt-tls-client -h | --help
16
18 pt-tls-client is a simple client using the PT-TLS (RFC 6876) transport
19 protocol to collect integrity measurements on the client platform. PT-
20 TLS does an initial TLS handshake with certificate-based server authen‐
21 tication and optional certificate-based client authentication. Alter‐
22 natively simple password-based SASL client authentication protected by
23 TLS can be used.
24 Attribute requests and integrity measurements are exchanged via the PA-
26 TNC (RFC 5792) message protocol between any number of Integrity Mea‐
27 surement Verifiers (IMVs) residing on the remote PT-TLS server and mul‐
28 tiple Integrity Measurement Collectors (IMCs) loaded dynamically by the
29 PT-TLS client according to a list defined by /etc/tnc_config. PA-TNC
30 messages that contain one or several PA-TNC attributes are multiplexed
31 into PB-TNC (RFC 5793) client or server data batches which in turn are
32 transported via PT-TLS.
33
35 -h, --help
36 Prints usage information and a short summary of the available
37 commands.
38 -c, --connect hostname|address
40 Set the hostname or IP address of the PT-TLS server.
41 -p, --port port
43 Set the port of the PT-TLS server, default: 271.
44 -x, --cert file
46 Set the path to an X.509 certificate file. This option can be
47 repeated to load multiple client and CA certificates.
48 -X, --certid hex
50 Set the handle of the certificate stored in a smartcard or a TPM
51 2.0 Trusted Platform Module.
52 -k, --key file
54 Set the path to the client's PKCS#1 or PKCS#8 private key file
55 -t, --key-type type
57 Define the type of the private key if stored in PKCS#1 format.
58 Can be omitted with PKCS#8 keys.
59 -K, --keyid hex
61 Set the keyid of the private key stored in a smartcard or a TPM
62 2.0 Trusted Platform Module.
63 -i, --client client-id
65 Set the username or client ID of the client required for pass‐
66 word-based SASL authentication.
67 -s, --secret password
69 Set the preshared secret or client password required for pass‐
70 word-based SASL authentication.
71 -q, --mutual
73 Enable mutual attestation between PT-TLS client and PT-TLS
74 server.
75 -v, --debug level
77 Set debug level, default: 1.
78 -q, --quiet
80 Disable debug output to stderr.
81 -+, --options file
83 Read command line options from file.
84
86 Connect to a PT-TLS server using certificate-based authentication,
87 storing the private ECDSA key in a file:
88 pt-tls-client --connect pdp.example.com --cert ca.crt \
90 --cert client.crt --key client.key --key-type ecdsa
91 Connect to a PT-TLS server using certificate-based authentication,
93 storing the private key in a smartcard or a TPM 2.0 Trusted Platform
94 Module:
95 pt-tls-client --connect pdp.example.com --cert ca.crt \
97 --cert client.crt --keyid 0x81010002
98 Connect to a PT-TLS server listening on port 443, using SASL password-
100 based authentication:
101 pt-tls-client --connect pdp.example.com --port 443 --cert ca.crt \
103 --client jane --password p2Nl9trKlb
104
106 /etc/tnc_config
107
109 strongswan.conf(5)
1105.9.1 2018-11-20 PT-TLS-CLIENT(1)