PKI --ACERT(1)                    strongSwan                    PKI --ACERT(1)

NAME

       pki --acert - Issue an attribute certificate

SYNOPSIS

       pki --acert [--in file] [--group membership]
                   --issuerkey file|--issuerkeyid hex --issuercert file
                   [--lifetime hours] [--not-before datetime]
                   [--not-after datetime] [--serial hex] [--digest digest]
                   [--rsa-padding padding] [--outform encoding]
                   [--debug level]

       pki --acert --options file

       pki --acert -h | --help

DESCRIPTION

       This sub-command of pki(1) is used to issue an attribute certificate
       using an issuer certificate with its private key and the holder
       certificate.

OPTIONS

       -h, --help
              Print usage information with a summary of the available options.

       -v, --debug level
              Set debug level, default: 1.

       -+, --options file
              Read command line options from file.

       -i, --in file
              Holder certificate to issue an attribute certificate for. If not
              given the certificate is read from STDIN.

       -m, --group membership
              Group membership the attribute certificate shall certify. The
              specified group is included as a string. To include multiple
              groups, the option can be repeated.

       -k, --issuerkey file
              Issuer private key file. Either this or --issuerkeyid is
              required.

       -x, --issuerkeyid hex
              Smartcard or TPM issuer private key object handle in hex format
              with an optional 0x prefix. Either this or --issuerkey is
              required.

       -c, --issuercert file
              Issuer certificate file. Required.

       -l, --lifetime hours
              Hours the attribute certificate is valid, default: 24. Ignored
              if both an absolute start and end time are given.

       -F, --not-before datetime
              Absolute time when the validity of the AC begins. The datetime
              format is defined by the --dateform option.

       -T, --not-after datetime
              Absolute time when the validity of the AC ends. The datetime
              format is defined by the --dateform option.

       -D, --dateform form
              strptime(3) format for the --not-before and --not-after options,
              default: %d.%m.%y %T

       -s, --serial hex
              Serial number in hex. It is randomly allocated by default.

       -g, --digest digest
              Digest to use for signature creation. One of md5, sha1, sha224,
              sha256, sha384, or sha512. The default is determined based on
              the type and size of the signature key.

       -R, --rsa-padding padding
              Padding to use for RSA signatures. Either pkcs1 or pss, defaults
              to pkcs1.

       -f, --outform encoding
              Encoding of the created certificate file. Either der (ASN.1 DER)
              or pem (Base64 PEM), defaults to der.

EXAMPLES

       To save repetitive typing, command line options can be stored in files.
       Let's assume acert.opt contains the following contents:

         --issuercert aacert.der --issuerkey aakey.der --digest sha256 --lifetime 4

       Then the following command can be used to issue an attribute
       certificate based on a holder certificate and the options above:

         pki --acert --options acert.opt --in holder.der --group sales --group finance -f pem
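
       The options file above can also be generated by a script that checks
       the values first. The following is an added example, not part of the
       strongSwan documentation or code: make_acert_opts and its policy
       (digest allow-list, 24 hour lifetime cap) are assumptions.

```shell
#!/bin/sh
# Added example, not strongSwan code: build the one-line options file read by
# `pki --acert --options FILE`, using only options documented on this page.
# make_acert_opts and its policy (digest allow-list, 24 h cap) are assumptions.

# make_acert_opts ISSUERCERT ISSUERKEY DIGEST LIFETIME_HOURS [PADDING]
# Prints the options line on stdout; returns 1 and explains on stderr otherwise.
make_acert_opts() {
    cert=$1 key=$2 digest=$3 hours=$4 padding=${5:-pkcs1}

    # --digest also accepts md5, sha1 and sha224; this policy refuses them.
    case $digest in
        sha256|sha384|sha512) ;;
        *) echo "rejected digest: $digest" >&2; return 1 ;;
    esac

    # --rsa-padding accepts pkcs1 or pss only.
    case $padding in
        pkcs1|pss) ;;
        *) echo "rejected padding: $padding" >&2; return 1 ;;
    esac

    # --lifetime: one or two digits, capped here at the documented default of 24.
    case $hours in
        ''|*[!0-9]*|???*) echo "lifetime is not a 1-2 digit integer: $hours" >&2; return 1 ;;
    esac
    if [ "$hours" -lt 1 ] || [ "$hours" -gt 24 ]; then
        echo "lifetime out of range 1-24: $hours" >&2; return 1
    fi

    # As in the page's acert.opt, the file is a flat run of space-separated
    # tokens, so a path containing whitespace is refused rather than guessed at.
    case "$cert$key" in
        *[[:space:]]*) echo "whitespace in file name" >&2; return 1 ;;
    esac

    printf '%s\n' "--issuercert $cert --issuerkey $key --digest $digest --rsa-padding $padding --lifetime $hours"
}

# Demo with the file names from the page's example (the files need not exist):
make_acert_opts aacert.der aakey.der sha256 4 pss
# Typical use:
#   make_acert_opts aacert.der aakey.der sha256 4 pss > acert.opt
#   pki --acert --options acert.opt --in holder.der --group sales -f pem
```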

SEE ALSO

       pki(1)

5.9.11                            2014-02-05                    PKI --ACERT(1)