openac » History » Version 1
Martin Willi, 22.09.2007 22:03
created openac page
| 1 | 1 | Martin Willi | = openac = |
|---|---|---|---|
| 2 | 1 | Martin Willi | |
| 3 | 1 | Martin Willi | '''openac''' is intended to be used by an ''Authorization Authority (AA)'' to generate and sign X.509 attribute |
| 4 | 1 | Martin Willi | certificates. Currently only the inclusion of ''group attributes'' is supported. An attribute certificate is linked |
| 5 | 1 | Martin Willi | to a holder by including the issuer and serial number of the holder's X.509 certificate. |
| 6 | 1 | Martin Willi | |
| 7 | 1 | Martin Willi | The following command line options are supported: |
| 8 | 1 | Martin Willi | |
| 9 | 1 | Martin Willi | ''--help'' |
| 10 | 1 | Martin Willi | display the usage message. |
| 11 | 1 | Martin Willi | |
| 12 | 1 | Martin Willi | ''--version'' |
| 13 | 1 | Martin Willi | display the version of ''openac''. |
| 14 | 1 | Martin Willi | |
| 15 | 1 | Martin Willi | ''--optionsfrom <filename>'' |
| 16 | 1 | Martin Willi | adds the contents of the file to the argument list. If ''<filename>'' is a relative path then the |
| 17 | 1 | Martin Willi | file is searched in the ''/etc/openac'' directory. |
| 18 | 1 | Martin Willi | |
| 19 | 1 | Martin Willi | ''--quiet'' |
| 20 | 1 | Martin Willi | By default ''openac'' logs all control output both to syslog and stderr. With the ''--quiet'' option no |
| 21 | 1 | Martin Willi | output is written to stderr. |
| 22 | 1 | Martin Willi | |
| 23 | 1 | Martin Willi | ''--days <days>'' |
| 24 | 1 | Martin Willi | Validity of the X.509 attribute certificate in days. If neither the ''--days'' nor the ''--hours'' option |
| 25 | 1 | Martin Willi | is specified then a default validity interval of 1 day is assumed. The ''--days'' option can be |
| 26 | 1 | Martin Willi | combined with the ''--hours'' option. |
| 27 | 1 | Martin Willi | |
| 28 | 1 | Martin Willi | ''--hours <hours>'' |
| 29 | 1 | Martin Willi | Validity of the X.509 attribute certificate in hours. If neither the ''--hours'' nor the ''--days'' option |
| 30 | 1 | Martin Willi | is specified then a default validity interval of 24 hours is assumed. The ''--hours'' option can be |
| 31 | 1 | Martin Willi | combined with the ''--days'' option. |
| 32 | 1 | Martin Willi | |
| 33 | 1 | Martin Willi | ''--startdate YYYYMMDDHHMMSSZ'' |
| 34 | 1 | Martin Willi | defines the ''notBefore'' date when the X.509 attribute certificate becomes valid. The date ''YYYYMMDDHHMMSS'' |
| 35 | 1 | Martin Willi | must be specified in UTC (Zulu time). If the ''--startdate'' option is not specified then |
| 36 | 1 | Martin Willi | the current time is taken as a default. |
| 37 | 1 | Martin Willi | |
| 38 | 1 | Martin Willi | ''--stopdate YYYYMMDDHHMMSSZ'' |
| 39 | 1 | Martin Willi | defines the ''notAfter'' date when the X.509 attribute certificate will expire. The date ''YYYYMMDDHHMMSS'' |
| 40 | 1 | Martin Willi | must be specified in UTC (Zulu time). If the ''--stopdate'' option is not specified then the default |
| 41 | 1 | Martin Willi | ''notAfter'' value is computed by adding the validity interval specified by the ''--days'' and/or |
| 42 | 1 | Martin Willi | ''--days'' options to the ''notBefore'' date. |
| 43 | 1 | Martin Willi | |
| 44 | 1 | Martin Willi | ''--cert <certfile>'' |
| 45 | 1 | Martin Willi | specifies the file containing the X.509 certificate of the Authorization Authority. |
| 46 | 1 | Martin Willi | Thanks to the automatic format recognition the certificate can be stored either in PEM or DER format. |
| 47 | 1 | Martin Willi | |
| 48 | 1 | Martin Willi | ''--key <keyfile>'' |
| 49 | 1 | Martin Willi | specifies the encrypted file containing the private RSA key of the Authoritzation Authority. |
| 50 | 1 | Martin Willi | The private key is stored in PKCS#1 format. |
| 51 | 1 | Martin Willi | |
| 52 | 1 | Martin Willi | ''--password <password>'' |
| 53 | 1 | Martin Willi | specifies the password with which the private RSA keyfile defined by the ''--key'' option has been |
| 54 | 1 | Martin Willi | protected. If the option is missing then the password is prompted for on the command line. |
| 55 | 1 | Martin Willi | |
| 56 | 1 | Martin Willi | ''--usercert <certfile>'' |
| 57 | 1 | Martin Willi | specifies file containing the X.509 certificate of the user to which the generated attribute |
| 58 | 1 | Martin Willi | certificate will apply. Thanks to the automatic format recognition the certificate file can be |
| 59 | 1 | Martin Willi | stored either in PEM or DER format. |
| 60 | 1 | Martin Willi | |
| 61 | 1 | Martin Willi | ''--groups <attr1>,<attr2>'' |
| 62 | 1 | Martin Willi | specifies a comma-separated list of ''group attributes'' that will go into the X.509 attribute |
| 63 | 1 | Martin Willi | certificate. |
| 64 | 1 | Martin Willi | |
| 65 | 1 | Martin Willi | ''--out <filename> |
| 66 | 1 | Martin Willi | specifies the file where the generated X.509 attribute certificate will be stored to in binary |
| 67 | 1 | Martin Willi | DER format. |