
FreeBSD Manual Pages


PKI --ACERT(1)			  strongSwan			PKI --ACERT(1)

       pki --acert - Issue an attribute	certificate

       pki --acert [--in file] [--group	membership]
		   --issuerkey file|--issuerkeyid hex --issuercert file
		   [--lifetime hours] [--not-before datetime]
		   [--not-after datetime] [--serial hex] [--digest digest]
		   [--rsa-padding padding] [--outform encoding]
		   [--debug level]

       pki --acert --options file

       pki --acert -h |	--help

       This sub-command	of pki(1) is used to issue  an	attribute  certificate
       using  an  issuer  certificate with its private key and the holder cer-

       -h, --help
	      Print usage information with a summary of	the available options.

       -v, --debug level
	      Set debug	level, default:	1.

       -+, --options file
	      Read command line	options	from file.

       -i, --in	file
	      Holder certificate to issue an attribute certificate for.	If not
	      given the	certificate is read from STDIN.

       -m, --group membership
	      Group  membership	 the  attribute	certificate shall certify. The
	      specified	group is included as a	string.	 To  include  multiple
	      groups, the option can be	repeated.

       -k, --issuerkey file
	      Issuer  private  key  file.  Either this or --issuerkeyid	is re-

       -x, --issuerkeyid hex
	      Smartcard	or TPM issuer private key object handle	in hex	format
	      with  an	optional 0x prefix. Either this or --issuerkey	is re-

       -c, --issuercert	file
	      Issuer certificate file. Required.

       -l, --lifetime hours
	      Hours the	attribute certificate is valid,	default:  24.  Ignored
	      if both an absolute start	and end	time are given.

       -F, --not-before	datetime
	      Absolute	time  when the validity	of the AC begins. The datetime
	      format is	defined	by the --dateform option.

       -T, --not-after datetime
	      Absolute time when the validity of the  AC  ends.	 The  datetime
	      format is	defined	by the --dateform option.

       -D, --dateform form
	      strptime(3) format for the --not-before and --not-after options,
	      default: %d.%m.%y	%T

       -s, --serial hex
	      Serial number in hex. It is randomly allocated by	default.

       -g, --digest digest
	      Digest to	use for	signature creation. One	of md5,	sha1,  sha224,
	      sha256,  sha384,	or  sha512. The	default	is determined based on
	      the type and size	of the signature key.

       -R, --rsa-padding padding
	      Padding to use for RSA signatures. Either	pkcs1 or pss, defaults
	      to pkcs1.

       -f, --outform encoding
	      Encoding of the created certificate file.	Either der (ASN.1 DER)
	      or pem (Base64 PEM), defaults to der.

       To save repetitive typing, command line options can be stored in	files.
       Let's assume acert.opt contains the following contents:

	 --issuercert aacert.der --issuerkey aakey.der --digest	sha256 --lifetime 4

       Then the following command can be used to issue an attribute certificate
       based on a holder certificate and the options above:

	 pki --acert --options acert.opt --in holder.der --group sales --group finance -f pem
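
Added example (not part of the strongSwan manual page): a POSIX sh wrapper that checks its arguments before calling pki --acert with the options documented above. The function names acert_args and issue_acert, the refusal of md5 and sha1, the 1 to 24 hour lifetime window and the output file name are assumptions of this example, not pki behaviour.

```shell
#!/bin/sh
# Added example: argument checks in front of `pki --acert`.
# The policy below (no md5/sha1, lifetime 1..24 hours) is an assumption of this
# example; pki itself accepts every digest listed in the manual page.

# Print the pki argument list, one argument per line; status 2 on refusal.
# usage: acert_args ISSUERCERT ISSUERKEY DIGEST HOURS HOLDER GROUP...
acert_args() {
    [ "$#" -ge 6 ] || { echo "need at least one group" >&2; return 2; }
    cert=$1 key=$2 digest=$3 hours=$4 holder=$5
    shift 5
    case $digest in
        sha224|sha256|sha384|sha512) ;;
        md5|sha1) echo "digest $digest refused: collision-prone" >&2; return 2 ;;
        *) echo "unknown digest: $digest" >&2; return 2 ;;
    esac
    case $hours in
        [1-9]|1[0-9]|2[0-4]) ;;
        *) echo "lifetime must be 1..24 whole hours" >&2; return 2 ;;
    esac
    for g in "$@"; do
        [ -n "$g" ] || { echo "empty group name" >&2; return 2; }
    done
    printf '%s\n' --acert --issuercert "$cert" --issuerkey "$key" \
        --digest "$digest" --lifetime "$hours" --in "$holder" --outform pem
    for g in "$@"; do printf '%s\n' --group "$g"; done
}

# Issue the attribute certificate into OUTFILE (PEM).
# usage: issue_acert OUTFILE ISSUERCERT ISSUERKEY DIGEST HOURS HOLDER GROUP...
issue_acert() {
    out=$1; shift
    args=$(acert_args "$@") || return
    old_ifs=$IFS
    # Split on newlines only, so file names may contain spaces (not newlines).
    IFS='
'
    set -f; set -- $args; set +f
    IFS=$old_ifs
    pki "$@" > "$out"
}

# Example call with the constructed file names used on this page:
# issue_acert holder-ac.pem aacert.der aakey.der sha256 4 holder.der sales finance
```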


5.8.4				  2014-02-05			PKI --ACERT(1)

