Provided by: libcharon-extra-plugins_5.6.2-1ubuntu2.9_amd64 
NAME
pt-tls-client - Simple client using PT-TLS to collect integrity information
SYNOPSIS
pt-tls-client --connect hostname|address [--port hex] [--certid hex|--cert file]+ [--keyid
hex|--key file] [--key-type rsa|ecdsa] [--client client-id]
[--secret password] [--mutual] [--options filename] [--quiet]
[--debug level]
pt-tls-client -h | --help
DESCRIPTION
pt-tls-client is a simple client using the PT-TLS (RFC 6876) transport protocol to collect
integrity measurements on the client platform. PT-TLS does an initial TLS handshake with
certificate-based server authentication and optional certificate-based client
authentication. Alternatively simple password-based SASL client authentication protected
by TLS can be used.
Attribute requests and integrity measurements are exchanged via the PA-TNC (RFC 5792)
message protocol between any number of Integrity Measurement Verifiers (IMVs) residing on
the remote PT-TLS server and multiple Integrity Measurement Collectors (IMCs) loaded
dynamically by the PT-TLS client according to a list defined by /etc/tnc_config. PA-TNC
messages that contain one or several PA-TNC attributes are multiplexed into PB-TNC (RFC
5793) client or server data batches which in turn are transported via PT-TLS.
OPTIONS
-h, --help
Prints usage information and a short summary of the available commands.
-c, --connect hostname|address
Set the hostname or IP address of the PT-TLS server.
-p, --port port
Set the port of the PT-TLS server, default: 271.
-x, --cert file
Set the path to an X.509 certificate file. This option can be repeated to load
multiple client and CA certificates.
-X, --certid hex
Set the handle of the certificate stored in a smartcard or a TPM 2.0 Trusted
Platform Module.
-k, --key file
Set the path to the client's PKCS#1 or PKCS#8 private key file
-t, --key-type type
Define the type of the private key if stored in PKCS#1 format. Can be omitted with
PKCS#8 keys.
-K, --keyid hex
Set the keyid of the private key stored in a smartcard or a TPM 2.0 Trusted
Platform Module.
-i, --client client-id
Set the username or client ID of the client required for password-based SASL
authentication.
-s, --secret password
Set the preshared secret or client password required for password-based SASL
authentication.
-q, --mutual
Enable mutual attestation between PT-TLS client and PT-TLS server.
-v, --debug level
Set debug level, default: 1.
-q, --quiet
Disable debug output to stderr.
-+, --options file
Read command line options from file.
EXAMPLES
Connect to a PT-TLS server using certificate-based authentication, storing the private
ECDSA key in a file:
pt-tls-client --connect pdp.example.com --cert ca.crt \
--cert client.crt --key client.key --key-type ecdsa
Connect to a PT-TLS server using certificate-based authentication, storing the private key
in a smartcard or a TPM 2.0 Trusted Platform Module:
pt-tls-client --connect pdp.example.com --cert ca.crt \
--cert client.crt --keyid 0x81010002
Connect to a PT-TLS server listening on port 443, using SASL password-based
authentication:
pt-tls-client --connect pdp.example.com --port 443 --cert ca.crt \
--client jane --password p2Nl9trKlb
FILES
/etc/tnc_config
SEE ALSO
strongswan.conf(5)