openac » History » Version 6
Version 5 (Tobias Brunner, 05.05.2009 18:41) → Version 6/7 (Tobias Brunner, 04.08.2011 11:05)
h1. openac
*openac* is intended to be used by an _Authorization Authority (AA)_ to generate and sign X.509 attribute
certificates. Currently only the inclusion of _group attributes_ is supported. An attribute certificate is linked
to a holder by including the issuer and serial number of the holder's X.509 certificate, so it applies to exactly
that certificate: if the holder's certificate is reissued under a new serial number, a new attribute certificate
has to be generated as well.
h3. Parameters
The following command line options are supported:
_--help_
p(. display the usage message.
_--version_
p(. display the version of _openac_.
_--optionsfrom <filename>_
p(. adds the contents of the file to the argument list. If _<filename>_ is a relative path then the
file is searched for in the _/etc/openac_ directory.
_--debug <level>_
p(. sets the debug level to 0 (none), 1 (normal), 2 (more), 3 (raw), or 4 (private), the default level being 1.
_--quiet_
p(. By default _openac_ logs all control output both to syslog and stderr. With the --quiet option no
output is written to stderr.
_--days <days>_
p(. Validity of the X.509 attribute certificate in days. If neither the --days nor the --hours option
is specified then a default validity interval of 1 day is assumed. The --days option can be
combined with the --hours option.
_--hours <hours>_
p(. Validity of the X.509 attribute certificate in hours. If neither the --hours nor the --days option
is specified then a default validity interval of 24 hours is assumed. The --hours option can be
combined with the --days option; the two intervals add up.
_--startdate YYYYMMDDHHMMSSZ_
p(. defines the _notBefore_ date when the X.509 attribute certificate becomes valid. The date _YYYYMMDDHHMMSS_
must be specified in UTC (Zulu time). If the --startdate option is not specified then
the current time is taken as the default.
_--stopdate YYYYMMDDHHMMSSZ_
p(. defines the _notAfter_ date when the X.509 attribute certificate expires. The date _YYYYMMDDHHMMSS_
must be specified in UTC (Zulu time). If the --stopdate option is not specified then the default
_notAfter_ value is computed by adding the validity interval specified by the --days and/or
--hours options to the _notBefore_ date.
_--cert <certfile>_
p(. specifies the file containing the X.509 certificate of the Authorization Authority.
Thanks to the automatic format recognition the certificate can be stored either in PEM or DER format.
_--key <keyfile>_
p(. specifies the encrypted file containing the private RSA key of the Authorization Authority.
The private key is stored in PKCS#1 format.
_--password <password>_
p(. specifies the password with which the private RSA keyfile defined by the --key option has been
protected. If the option is missing then the password is prompted for on the command line. Prompting
is preferable on a shared host: a password passed as a command line argument is visible to other users
in the process list and may end up in the shell history.
_--usercert <certfile>_
p(. specifies the file containing the X.509 certificate of the user to which the generated attribute
certificate will apply. Thanks to the automatic format recognition the certificate file can be
stored either in PEM or DER format.
_--groups <attr1>,<attr2>_
p(. specifies a comma-separated list of _group attributes_ that will go into the X.509 attribute
certificate. Quote the list if it contains spaces, as in the examples below.
_--out <filename>_
p(. specifies the file where the generated X.509 attribute certificate will be stored, in binary
DER format regardless of the file name extension (the examples below use .pem).
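The interaction of --startdate, --stopdate, --days and --hours is easy to get wrong when scripting issuance. The following Python function is an added example, not part of strongSwan or of this page: it reproduces the validity rules stated above (default of 24 hours, --days and --hours adding up, --stopdate taking precedence) and parses the timestamps strictly so that a local-time or Z-less value is rejected instead of silently shifted. The final check that _notAfter_ lies after _notBefore_ is the example's own sanity check; the page does not say that openac enforces it.

```python
"""Work out the notBefore/notAfter pair openac puts into an attribute certificate
from --startdate, --stopdate, --days and --hours, following the rules on this page.
Added example; the notAfter > notBefore check at the end is the example's own."""
from datetime import datetime, timedelta, timezone

ZULU = "%Y%m%d%H%M%SZ"      # YYYYMMDDHHMMSSZ, UTC only


def parse_zulu(s):
    """Strictly parse YYYYMMDDHHMMSSZ; a local-time or Z-less value is rejected, not guessed."""
    if len(s) != 15 or s[14] != "Z" or not s[:14].isdigit():
        raise ValueError(f"not a YYYYMMDDHHMMSSZ timestamp: {s!r}")
    return datetime.strptime(s, ZULU).replace(tzinfo=timezone.utc)


def format_zulu(dt):
    return dt.astimezone(timezone.utc).strftime(ZULU)


def validity_window(startdate=None, stopdate=None, days=None, hours=None, now=None):
    """Return (notBefore, notAfter) as timezone-aware UTC datetimes.
    now: injectable clock used when --startdate is absent (defaults to the current UTC time)."""
    not_before = parse_zulu(startdate) if startdate else (now or datetime.now(timezone.utc))
    if stopdate:
        not_after = parse_zulu(stopdate)               # --stopdate overrides any interval
    elif days is None and hours is None:
        not_after = not_before + timedelta(hours=24)   # default validity: 1 day
    else:
        not_after = not_before + timedelta(days=days or 0, hours=hours or 0)  # intervals add up
    if not_after <= not_before:
        raise ValueError("notAfter %s is not later than notBefore %s"
                         % (format_zulu(not_after), format_zulu(not_before)))
    return not_before, not_after


if __name__ == "__main__":
    # --hours 8 with an explicit start, the interval used in the page's default.conf
    nb, na = validity_window(startdate="20110804110500Z", hours=8)
    print(format_zulu(nb), format_zulu(na))
```

Passing `now` makes the default _notBefore_ reproducible in tests; in production leave it unset so the current time is used, as openac does.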
h3. Examples
Common options can be stored in a file and loaded via the --optionsfrom parameter (a relative file name is
looked up in the _/etc/openac_ directory, which is why the commands below pass just default.conf):
<pre>
moon# cat /etc/openac/default.conf
--cert /etc/ipsec.d/aacerts/aaCert.pem
--key /etc/openac/aaKey.pem
--hours 8
</pre>
First the attribute certificate for _carol_ is generated. She is a member of the
_Research_ group.
<pre>
moon# ipsec openac --optionsfrom default.conf --usercert /etc/openac/carolCert.pem \
--groups Research --out /etc/ipsec.d/acerts/carolAC.pem
loaded private key file '/etc/openac/aaKey.pem' (1675 bytes)
loaded signer cert file '/etc/ipsec.d/aacerts/aaCert.pem' (1505 bytes)
loaded user cert file '/etc/openac/carolCert.pem' (1493 bytes)
file '/etc/openac/serial' does not exist yet - serial number set to 01
written attribute cert file '/etc/ipsec.d/acerts/carolAC.pem' (784 bytes)
serial number is 01
</pre>
The second attribute certificate is issued to _dave_ who belongs to the _Sales_
and _Accounting_ groups.
<pre>
moon# ipsec openac --optionsfrom default.conf --usercert /etc/openac/daveCert.pem \
--groups "Sales, Accounting" --out /etc/ipsec.d/acerts/daveAC.pem
loaded private key file '/etc/openac/aaKey.pem' (1675 bytes)
loaded signer cert file '/etc/ipsec.d/aacerts/aaCert.pem' (1505 bytes)
loaded user cert file '/etc/openac/daveCert.pem' (1493 bytes)
written attribute cert file '/etc/ipsec.d/acerts/daveAC.pem' (787 bytes)
serial number is 02
</pre>
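The attribute certificates written by the two commands above are binary DER. The following Python script is an added example, not part of strongSwan or of this page: it decodes such a file and shows what the introduction describes, namely the holder binding by issuer and serial number, the validity period and the group attributes, and it provides the binding check a relying party has to perform before honouring the groups. It assumes the RFC 5755 layout (holder as baseCertificateID, issuer as v2Form, groups as the id-aca-group attribute 1.3.6.1.5.5.7.10.4 carrying IetfAttrSyntax UTF8String values) and that openac follows it; the names strongSwan CA and strongSwan AA, the serial numbers and the sample certificate are constructed for the example, and the sample is unsigned, so no signature is verified.

```python
"""Decode an attribute certificate as openac writes it (binary DER) and report the
holder certificate it is bound to (issuer + serial), the validity period and the groups.
Added example.  Assumes the RFC 5755 layout: holder as baseCertificateID, issuer as
v2Form, groups as id-aca-group (1.3.6.1.5.5.7.10.4) with IetfAttrSyntax UTF8Strings.
The sample AC built by sample_ac() is constructed here and unsigned (no signature check)."""
from datetime import datetime, timezone

OID_CN = bytes([0x55, 0x04, 0x03])                                      # 2.5.4.3 commonName
OID_GROUP = bytes([0x2B, 6, 1, 5, 5, 7, 10, 4])                         # 1.3.6.1.5.5.7.10.4
OID_SHA256_RSA = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 1, 1, 11])  # sha256WithRSAEncryption

# --- minimal DER encoder, only needed to build the constructed sample --------------
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):            # non-negative INTEGER; extra 0x00 byte when the top bit is set
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def cn_name(cn):           # Name ::= SEQUENCE OF SET OF { commonName, PrintableString }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x13, cn.encode()))))

def general_names(name):   # GeneralNames with one directoryName [4] EXPLICIT Name
    return tlv(0x30, tlv(0xA4, name))

def sample_ac(holder_issuer_cn, holder_serial, aa_cn, ac_serial, not_before, not_after, groups):
    """Constructed, unsigned AttributeCertificate (signatureValue is an empty BIT STRING)."""
    holder = tlv(0x30, tlv(0xA0, general_names(cn_name(holder_issuer_cn)) + der_int(holder_serial)))
    issuer = tlv(0xA0, general_names(cn_name(aa_cn)))                  # AttCertIssuer v2Form [0]
    alg = tlv(0x30, tlv(0x06, OID_SHA256_RSA) + b"\x05\x00")
    validity = tlv(0x30, tlv(0x18, not_before.encode()) + tlv(0x18, not_after.encode()))
    ietf = tlv(0x30, tlv(0x30, b"".join(tlv(0x0C, g.encode()) for g in groups)))  # IetfAttrSyntax
    attrs = tlv(0x30, tlv(0x30, tlv(0x06, OID_GROUP) + tlv(0x31, ietf)))
    acinfo = tlv(0x30, der_int(1) + holder + issuer + alg + der_int(ac_serial) + validity + attrs)
    return tlv(0x30, acinfo + alg + tlv(0x03, b"\x00"))

# --- minimal DER reader -------------------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) of the element at pos (single-byte tags only)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + ln], pos + ln

def children(content):
    """Split the content of a constructed element into a list of (tag, content)."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def common_name(name_tlv):
    """First commonName of a Name; a real relying party compares the complete DN."""
    for _, rdn in children(read_tlv(name_tlv)[1]):
        for _, ava in children(rdn):
            oid, value = children(ava)
            if oid[1] == OID_CN:
                return value[1].decode()
    return None

def gen_time(b):
    return datetime.strptime(b.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def inspect_ac(der):
    acinfo, _alg, _sig = children(read_tlv(der)[1])
    version, holder, issuer, _, serial, validity, attributes = children(acinfo[1])[:7]
    base_id = children(holder[1])[0]
    if base_id[0] != 0xA0:                          # only baseCertificateID binding is handled
        raise ValueError("holder is not identified by issuer and serial number")
    issuer_gn, holder_serial = children(base_id[1])[:2]
    aa_gn = children(issuer[1])[0]                  # V2Form.issuerName
    groups = []
    for _, attr in children(attributes[1]):
        oid, values = children(attr)
        if oid[1] == OID_GROUP:
            for _, ietf in children(values[1]):     # SET OF IetfAttrSyntax
                vals = children(ietf)[-1]           # values SEQUENCE; policyAuthority [0] optional
                groups += [v.decode() for t, v in children(vals[1]) if t == 0x0C]
    nb, na = children(validity[1])
    return {"version": int.from_bytes(version[1], "big"),
            "holder_issuer_cn": common_name(children(issuer_gn[1])[0][1]),
            "holder_serial": int.from_bytes(holder_serial[1], "big"),
            "aa_cn": common_name(children(aa_gn[1])[0][1]),
            "ac_serial": int.from_bytes(serial[1], "big"),
            "not_before": gen_time(nb[1]), "not_after": gen_time(na[1]), "groups": groups}

def bound_to(info, cert_issuer_cn, cert_serial):
    """The groups apply only to the certificate the AC names; check this before trusting them."""
    return info["holder_issuer_cn"] == cert_issuer_cn and info["holder_serial"] == cert_serial

if __name__ == "__main__":
    der = sample_ac("strongSwan CA", 4, "strongSwan AA", 2,
                    "20110804110500Z", "20110804190500Z", ["Sales", "Accounting"])
    print(inspect_ac(der))
```

To look at an issued certificate, call inspect_ac() on the bytes of the --out file (for example /etc/ipsec.d/acerts/daveAC.pem, which is DER despite the extension) and then bound_to() with the issuer and serial number of the user certificate that presents it. A relying party that skips the binding check would grant the groups to any certificate, which is exactly what the holder field exists to prevent; a complete check additionally verifies the AA's signature and the validity period, which this example leaves out.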