PKI --ACERT(1)                    strongSwan                    PKI --ACERT(1)

NAME
       pki --acert - Issue an attribute certificate

SYNOPSIS
       pki --acert [--in file] [--group membership]
                   --issuerkey file|--issuerkeyid hex --issuercert file
                   [--lifetime hours] [--not-before datetime]
                   [--not-after datetime] [--serial hex] [--digest digest]
                   [--rsa-padding padding] [--outform encoding]
                   [--debug level]

       pki --acert --options file

       pki --acert -h | --help

DESCRIPTION
       This sub-command of pki(1) is used to issue an attribute certificate
       using an issuer certificate with its private key and the holder
       certificate.

OPTIONS
       -h, --help
              Print usage information with a summary of the available options.

       -v, --debug level
              Set debug level, default: 1.

       -+, --options file
              Read command line options from file.

       -i, --in file
              Holder certificate to issue an attribute certificate for. If not
              given the certificate is read from STDIN.

       -m, --group membership
              Group membership the attribute certificate shall certify. The
              specified group is included as a string. To include multiple
              groups, the option can be repeated.

       -k, --issuerkey file
              Issuer private key file. Either this or --issuerkeyid is
              required.

       -x, --issuerkeyid hex
              Smartcard or TPM issuer private key object handle in hex format
              with an optional 0x prefix. Either this or --issuerkey is
              required.

       -c, --issuercert file
              Issuer certificate file. Required.

       -l, --lifetime hours
              Hours the attribute certificate is valid, default: 24. Ignored
              if both an absolute start and end time are given.

       -F, --not-before datetime
              Absolute time when the validity of the AC begins. The datetime
              format is defined by the --dateform option.

       -T, --not-after datetime
              Absolute time when the validity of the AC ends. The datetime
              format is defined by the --dateform option.

       -D, --dateform form
              strptime(3) format for the --not-before and --not-after options,
              default: %d.%m.%y %T

       -s, --serial hex
              Serial number in hex. It is randomly allocated by default.

       -g, --digest digest
              Digest to use for signature creation. One of md5, sha1, sha224,
              sha256, sha384, or sha512. The default is determined based on
              the type and size of the signature key.

       -R, --rsa-padding padding
              Padding to use for RSA signatures. Either pkcs1 or pss, defaults
              to pkcs1.

       -f, --outform encoding
              Encoding of the created certificate file. Either der (ASN.1 DER)
              or pem (Base64 PEM), defaults to der.

EXAMPLES
       To save repetitive typing, command line options can be stored in files.
       Let's assume acert.opt contains the following contents:

              --issuercert aacert.der --issuerkey aakey.der --digest sha256 --lifetime 4

       Then the following command can be used to issue an attribute
       certificate based on a holder certificate and the options above:

              pki --acert --options acert.opt --in holder.der --group sales --group finance -f pem
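       As an added example (not strongSwan code) of driving the same request from
       a script, the following builds the pki --acert argument list while enforcing
       the option rules above: exactly one of --issuerkey/--issuerkeyid, one --group
       per membership, absolute times in the default --dateform, and --lifetime
       omitted when both absolute times are set, since pki ignores it then. The
       file names and the key handle are placeholders.

```python
"""Build and run a pki --acert command line (added example, not strongSwan code).

Encodes the option rules of pki --acert(1): exactly one of --issuerkey or
--issuerkeyid, --issuercert required, --group repeated per membership, and
--lifetime dropped when both absolute times are given (pki ignores it then).
Absolute times use the default --dateform "%d.%m.%y %T".
"""
import subprocess

# "%T" is not portable in Python's strftime; this is the equivalent explicit form.
PY_DATEFORM = "%d.%m.%y %H:%M:%S"


def acert_args(holder, issuer_cert, groups=(), *, issuer_key=None,
               issuer_keyid=None, lifetime_hours=None, not_before=None,
               not_after=None, serial=None, digest=None, rsa_padding=None,
               outform=None):
    """Return the argv list for pki --acert, enforcing the man page's rules."""
    if (issuer_key is None) == (issuer_keyid is None):
        raise ValueError("exactly one of issuer_key or issuer_keyid is required")
    args = ["pki", "--acert", "--in", holder, "--issuercert", issuer_cert]
    if issuer_key is not None:
        args += ["--issuerkey", issuer_key]
    else:
        args += ["--issuerkeyid", issuer_keyid]  # hex object handle, 0x optional
    for group in groups:                          # one --group per membership
        args += ["--group", group]
    if not_before is not None:
        args += ["--not-before", not_before.strftime(PY_DATEFORM)]
    if not_after is not None:
        args += ["--not-after", not_after.strftime(PY_DATEFORM)]
    # pki ignores --lifetime when both absolute times are set, so omit it there.
    if lifetime_hours is not None and (not_before is None or not_after is None):
        args += ["--lifetime", str(lifetime_hours)]
    for opt, val in (("--serial", serial), ("--digest", digest),
                     ("--rsa-padding", rsa_padding), ("--outform", outform)):
        if val is not None:
            args += [opt, val]
    return args


def issue_acert(args, out_path):
    """Run pki and store the attribute certificate it writes to stdout."""
    with open(out_path, "wb") as out:
        subprocess.run(args, stdout=out, check=True)
```

       The request from the example above is
       `issue_acert(acert_args("holder.der", "aacert.der", ["sales", "finance"], issuer_key="aakey.der", lifetime_hours=4, digest="sha256", outform="pem"), "acert.pem")`.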

SEE ALSO
       pki(1)

5.9.4                             2014-02-05                      PKI --ACERT(1)