Provided by: strongswan-starter_5.1.2-0ubuntu2.11_amd64

NAME

       ipsec_openac - Generation of X.509 attribute certificates

SYNOPSIS

       ipsec openac [ --help ] [ --version ] [ --optionsfrom filename ]
          [ --quiet ] [ --debug level ]
          [ --days days ] [ --hours hours ]
          [ --startdate YYYYMMDDHHMMSSZ ] [ --stopdate YYYYMMDDHHMMSSZ ]
          --cert certfile --key keyfile [ --password password ]
          --usercert certfile --groups attr1,attr2,...  --out filename

DESCRIPTION

       openac is intended to be used by an Authorization Authority (AA) to generate and sign X.509 attribute
       certificates. Currently only the inclusion of one or several group attributes is supported. An attribute
       certificate is linked to a holder by including the issuer and serial number of the holder's X.509
       certificate.

OPTIONS

       --help display the usage message.

       --version
              display the version of openac.

       --optionsfrom filename
              adds  the contents of the file to the argument list.  If filename is a relative path then the file
              is searched in the directory /etc/openac.

       --quiet
              By default openac logs all control output both to syslog and stderr.  With the --quiet  option  no
              output is written to stderr.

       --days days
              Validity of the X.509 attribute certificate in days. If neither the --days nor the --hours option
              is specified then a default validity interval of 1 day is assumed.  The --days option can be
              combined with the --hours option.

       --hours hours
              Validity of the X.509 attribute certificate in hours. If neither the --hours nor the --days option
              is specified then a default validity interval of 24 hours is assumed.  The --hours option can be
              combined with the --days option.

       --startdate YYYYMMDDHHMMSSZ
              defines  the  notBefore  date  when  the  X.509  attribute  certificate  becomes  valid.  The date
              YYYYMMDDHHMMSS must be specified in UTC (Zulu time).  If the --startdate option is  not  specified
              then the current date is taken as a default.

       --stopdate YYYYMMDDHHMMSSZ
              defines the notAfter date when the X.509 attribute certificate will expire.  The date
              YYYYMMDDHHMMSS must be specified in UTC (Zulu time).  If the --stopdate option is not specified
              then the default notAfter value is computed by adding the validity interval specified by the
              --days and/or --hours options to the notBefore date.

       --cert certfile
              specifies the  file  containing  the  X.509  certificate  of  the  Authorization  Authority.   The
              certificate is stored either in PEM or DER format.

       --key keyfile
              specifies the encrypted file containing the private RSA key of the Authorization Authority. The
              private key is stored in PKCS#1 format.

       --password password
              specifies the password with which the private RSA keyfile defined by the  --key  option  has  been
              protected. If the option is missing then the password is prompted for on the command line.

       --usercert certfile
              specifies the file containing the X.509 certificate of the user to which the generated attribute
              certificate will apply. The certificate file is stored either in PEM or DER format.

       --groups attr1,attr2
              specifies a comma-separated list of group  attributes  that  will  go  into  the  X.509  attribute
              certificate.

       --out filename
              specifies the file in which the generated X.509 attribute certificate will be stored.

   Debugging
       openac produces a prodigious amount of debugging information.  To do so, it must be compiled with
       -DDEBUG.  There are several classes of debugging output, and openac may be directed to produce a
       selection of them.  All lines of debugging output are prefixed with "| " to distinguish them from error
       messages.

       When  openac  is  invoked,  it  may  be  given arguments to specify which classes to output.  The current
       options are:

       --debug level
              sets the debug level to 0 (none), 1 (normal), 2 (more), 3 (raw),  and  4  (private),  the  default
              level being 1.

EXIT STATUS

       The execution of openac terminates with one of the following two exit codes:

       0      means that the attribute certificate was successfully generated and stored.

       1      means that something went wrong.
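       The following wrapper script is an added example, not part of the strongSwan man page or the openac
       sources. It ties the OPTIONS and EXIT STATUS sections together: it formats an explicit UTC validity
       window in the YYYYMMDDHHMMSSZ form that --startdate and --stopdate expect, validates the comma-separated
       --groups list before calling openac, and checks the documented exit codes (0 = stored, 1 = error) plus
       the existence of the --out file. It assumes GNU date (for "date -u -d @<epoch>") and that "ipsec openac"
       is on PATH; the certificate, key and output file names used when calling issue_ac are placeholders.

```shell
#!/bin/sh
# Added example wrapper around "ipsec openac" (not the project's own code).
# Assumes GNU date and an "ipsec openac" binary on PATH; file names are placeholders.

# Format a Unix epoch as YYYYMMDDHHMMSSZ, the UTC (Zulu) form --startdate/--stopdate take.
zulu_date() {
    date -u -d "@$1" +%Y%m%d%H%M%SZ
}

# Check that a date string has the documented YYYYMMDDHHMMSSZ shape (14 digits plus Z).
validate_zulu() {
    printf '%s' "$1" | grep -Eq '^[0-9]{14}Z$'
}

# Accept only the "attr1,attr2,..." form described under --groups:
# no empty items and no whitespace. Returns 0 if valid, 1 otherwise.
validate_groups() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]+(,[A-Za-z0-9_.-]+)*$'
}

# issue_ac AA_CERT AA_KEY USER_CERT GROUPS OUT [VALIDITY_SECONDS]
# Generates an attribute certificate for USER_CERT signed by the AA key,
# valid from now for VALIDITY_SECONDS (default 86400, matching openac's 1-day default).
issue_ac() {
    aa_cert=$1; aa_key=$2; user_cert=$3; groups=$4; out=$5
    validity=${6:-86400}

    validate_groups "$groups" || { echo "bad --groups list: $groups" >&2; return 1; }

    now=$(date -u +%s)
    start=$(zulu_date "$now")
    stop=$(zulu_date $((now + validity)))
    validate_zulu "$start" && validate_zulu "$stop" || { echo "bad date format" >&2; return 1; }

    # --password is deliberately omitted: openac then prompts for the key passphrase,
    # so it never appears in the process list or shell history.
    ipsec openac \
        --cert "$aa_cert" --key "$aa_key" \
        --usercert "$user_cert" --groups "$groups" \
        --startdate "$start" --stopdate "$stop" \
        --out "$out"
    rc=$?

    # openac documents exactly two exit codes: 0 (stored) and 1 (something went wrong).
    case $rc in
        0) [ -s "$out" ] || { echo "openac reported success but $out is missing or empty" >&2; return 1; } ;;
        *) echo "openac failed with exit status $rc" >&2 ;;
    esac
    return $rc
}

# Usage (placeholder file names, assumed to exist):
# issue_ac /etc/openac/aaCert.pem /etc/openac/aaKey.pem userCert.pem "admin,vpn-users" userAC.der 3600
```

       Computing both dates explicitly rather than relying on the --days/--hours defaults makes the validity
       window visible in the script's own logs, and validating the group list first avoids a failed openac run
       that would otherwise consume a serial number from /etc/openac/serial.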

FILES

       /etc/openac/serial   serial number of latest attribute certificate

SEE ALSO

       The  X.509  attribute certificates generated with openac can be used to enforce group policies defined by
       ipsec.conf(5). Use ipsec_auto(8) to load and list X.509 attribute certificates.

       For more information on X.509 attribute certificates, refer to the following IETF RFC:

              RFC 3281 An Internet Attribute Certificate Profile for Authorization

HISTORY

       The openac program was originally written by Ariane Seiler and Ueli Galizzi.  The software was recoded by
       Andreas Steffen using strongSwan's X.509 library and  the  ASN.1  code  synthesis  functions  written  by
       Christoph  Gysin  and Christoph Zwahlen.  All authors were with the Zurich University of Applied Sciences
       in Winterthur, Switzerland.

BUGS

       Bugs should be reported to the <users@lists.strongswan.org> mailing list.

                                                22 September 2007                                IPSEC_OPENAC(8)