strongSwan

= openac =

'''openac''' is intended to be used by an ''Authorization Authority (AA)'' to generate and sign X.509 attribute

certificates. Currently only the inclusion of ''group attributes'' is supported. An attribute certificate is linked

to a holder by including the issuer and serial number of the holder's X.509 certificate.

=== Parameters ===

The following command line options are supported:

''--help''

    display the usage message.

''--version''

    display the version of ''openac''.

''--optionsfrom <filename>''

    adds the contents of the file to the argument list. If ''<filename>'' is a relative path then the

    file is searched in the ''/etc/openac'' directory.

''--debug <level>''

    sets the debug level to 0 (none), 1 (normal), 2 (more), 3 (raw), and 4 (private), the default level being 1.

''--quiet''

    By default ''openac'' logs all control output both to syslog and stderr. With the ''--quiet'' option no

    output is written to stderr.

''--days <days>''

    Validity of the X.509 attribute certificate in days. If neither the ''--days'' nor the ''--hours'' option

    is specified then a default validity interval of 1 day is assumed. The ''--days'' option can be

    combined with the ''--hours'' option.

''--hours <hours>''

    Validity of the X.509 attribute certificate in hours. If neither the ''--hours'' nor the ''--days'' option

    is specified then a default validity interval of 24 hours is assumed. The ''--hours'' option can be

    combined with the ''--days'' option.

''--startdate YYYYMMDDHHMMSSZ''

    defines the ''notBefore'' date when the X.509 attribute certificate becomes valid. The date ''YYYYMMDDHHMMSS''

    must be specified in UTC (Zulu time).  If the ''--startdate'' option is not specified then

    the current time is taken as a default.

''--stopdate YYYYMMDDHHMMSSZ''

    defines the ''notAfter'' date when the X.509 attribute certificate will expire. The date ''YYYYMMDDHHMMSS''

    must be specified in UTC (Zulu time). If the ''--stopdate'' option is not specified then the default

    ''notAfter'' value is computed by adding the validity interval specified by the ''--days'' and/or

    ''--days'' options to the ''notBefore'' date.

''--cert <certfile>''

    specifies  the  file  containing the X.509 certificate of the Authorization Authority.

    Thanks to the automatic format recognition the certificate can be stored either in PEM or DER format.

''--key <keyfile>''

    specifies the encrypted file containing the private RSA key of the Authoritzation Authority.

    The private key is stored in PKCS#1 format.

''--password <password>''

    specifies the password with which the private RSA keyfile defined by the ''--key'' option has been

    protected. If the option is missing then the password is prompted for on the command line.

''--usercert <certfile>''

    specifies file containing the X.509 certificate of the user to which the generated attribute

    certificate will apply. Thanks to the automatic format recognition the certificate file can be

    stored either in PEM or DER format.

''--groups <attr1>,<attr2>''

    specifies a comma-separated list of ''group attributes'' that will go into the X.509 attribute

    certificate.

''--out <filename>

    specifies the file where the generated X.509 attribute certificate will be stored to in binary

    DER format.

=== Examples ===

Common options can be stored in a file and be loaded via the ''--optionsfrom'' parameter:

{{{

moon# cat /etc/openac/default.conf

--cert /etc/ipsec.d/aacerts/aaCert.pem

--key /etc/openac/aaKey.pem

--hours 8

}}}

First the attribute certificate for ''carol'' is generated. She is member of the

''Research'' group.

{{{

moon# ipsec openac --optionsfrom default.conf --usercert /etc/openac/carolCert.pem \

                   --groups Research --out /etc/ipsec.d/acerts/carolAC.pem

  loaded private key file '/etc/openac/aaKey.pem' (1675 bytes)

  loaded signer cert file '/etc/ipsec.d/aacerts/aaCert.pem' (1505 bytes)

  loaded user cert file '/etc/openac/carolCert.pem' (1493 bytes)

  file '/etc/openac/serial' does not exist yet - serial number set to 01

  written attribute cert file '/etc/ipsec.d/acerts/carolAC.pem' (784 bytes)

  serial number is 01

}}}

The second attribute certificate is issued to ''dave'' who belongs to the ''Sales''

and ''Accounting'' groups.

{{{

moon# ipsec openac --optionsfrom default.conf --usercert /etc/openac/daveCert.pem \

                   --groups "Sales, Accounting" --out /etc/ipsec.d/acerts/daveAC.pem

  loaded private key file '/etc/openac/aaKey.pem' (1675 bytes)

  loaded signer cert file '/etc/ipsec.d/aacerts/aaCert.pem' (1505 bytes)

  loaded user cert file '/etc/openac/daveCert.pem' (1493 bytes)

  written attribute cert file '/etc/ipsec.d/acerts/daveAC.pem' (787 bytes)

  serial number is 02

}}}