source: doc/creddy.1 @ 612ca14

Last change on this file since 612ca14 was 19be896, checked in by Mike Ryan <mikeryan@…>, 14 years ago

version everything to 0.1.0

.TH creddy 1 "July 2010" "ABAC 0.1.0"

.SH NAME
creddy \- ABAC X.509 identity and attribute certificate manager (for cool kids)

.SH SYNOPSIS

.B creddy [ --<mode> ] --help

.SH DESCRIPTION

creddy is an awesome and wonderful ABAC credential management tool. It
creates, verifies, and otherwise frobnicates X.509 identity and
attribute certificates. The output of the tool is suitable for use with
ABAC. Additionally, the self-signed X.509 identity certs (with
associated private keys) can be used with OpenSSL.

.SH OPTIONS

.SS --generate
Generate an X.509 identity cert and private key pair. The certificate is saved in ${cn}_id.pem and the private key is saved in ${cn}_private.pem.
.P
Note that private key generation is slow and uses a lot of entropy. You can generate entropy by moving your mouse a lot or running large find commands on your local file systems.

.TP
.B --cn
common name used on certificate, provided as a convenience and ignored by ABAC

.TP
.B --validity
optional certificate validity in days, default is 1080

.SS --verify
verify the signature on a self-signed X.509 identity cert or an X.509 attribute cert

.TP
.B --cert
self-signed X.509 identity cert

.TP
.B --attrcert
optional X.509 attribute cert. If omitted the self-signature of the ID cert is checked

.SS --keyid
extract the subjectKeyIdentifier (SHA1 hash) from an X.509 identity cert

.TP
.B --cert
X.509 identity cert

.SS --attribute
generate an X.509 attribute cert representing an ABAC credential

.TP
.B --issuer
X.509 identity cert issuing the credential

.TP
.B --key
private key associated with issuer cert

.TP
.B --role
role in issuer's local attribute space

.TP
.B --subject-cert
X.509 identity cert representing the principal to which the role is being issued. This is mutually exclusive to --subject-id.

.TP
.B --subject-id
public key identifier (SHA1 hash) of the principal to which the role is being issued. This is mutually exclusive to --subject-cert.

.TP
.B --subject-role
optional role in subject's local attribute space. If the issuer is A, role is r1, subject is B, and subject-role is r2, the attribute issued will be A.r1 <- B.r2.

.TP
.B --validity
optional certificate validity in days, default is 365

.TP
.B --out
where to save DER-encoded attribute cert. In order to interoperate with the rest of ABAC, this name should end in _attr.der.

.SS --roles
Extract the roles from an X.509 attribute cert

.TP
.B --cert
X.509 attribute cert containing ABAC roles

.SS --version
display ABAC/creddy version

.SH EXAMPLES

.TP
Generate ID cert and private key pairs:

.B creddy --generate --cn Alice
.br
.B creddy --generate --cn Bob

.TP
Issue the credential Alice.friend <- Bob

creddy --attribute \\
       --issuer Alice_ID.pem --key Alice_private.pem \\
       --role friend --subject-cert Bob_ID.pem \\
       --out Alice_friend__Bob_attr.der

.SH AUTHOR

Written by Mike Ryan <mikeryan@ISI.EDU>. Like what you see? Buy me a beer!

.SH BUGS

None yet. Report to http://abac.deterlab.net/

.SH COPYRIGHT

Copyright (c) 2010 USC/ISI. Released under MIT license. See COPYING included with source for details.
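
The --subject-role description above writes credentials as A.r1 <- B.r2. The following shell helper is an added example, not part of creddy or of this file: it turns that notation into the matching creddy --attribute command line using only the options documented above. The function names, the <cn>_ID.pem / <cn>_private.pem file naming (taken from the EXAMPLES section) and the output name for the subject-role case are assumptions.

```sh
#!/bin/sh
# Added example, not part of creddy. File names follow the EXAMPLES section
# (<cn>_ID.pem, <cn>_private.pem); that naming is an assumption here.

# Accept only plain tokens, so nothing in the emitted command needs quoting
# and a credential string cannot smuggle shell metacharacters or paths.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) echo "bad name: '$1'" >&2; return 1 ;;
    esac
}

# creddy_attr_cmd 'A.r1 <- B'  or  'A.r1 <- B.r2'
# Prints the creddy command that would issue that credential.
creddy_attr_cmd() {
    cred=$1
    head=${cred%%" <- "*}      # issuer.role
    tail=${cred#*" <- "}       # subject, or subject.role
    issuer=${head%%.*}
    role=${head#*.}
    # No arrow, or no role on the left side: not a credential.
    if [ "$head" = "$cred" ] || [ "$issuer" = "$head" ]; then
        echo "expected 'A.role <- B[.role]': $cred" >&2; return 1
    fi
    subject=${tail%%.*}
    valid_name "$issuer" && valid_name "$role" && valid_name "$subject" || return 1

    set -- --attribute --issuer "${issuer}_ID.pem" --key "${issuer}_private.pem" \
           --role "$role" --subject-cert "${subject}_ID.pem"
    out="${issuer}_${role}__${subject}"

    # A dot on the right side means the subject is a role (A.r1 <- B.r2).
    case $tail in
        *.*) subject_role=${tail#*.}
             valid_name "$subject_role" || return 1
             set -- "$@" --subject-role "$subject_role"
             out="${out}_${subject_role}" ;;
    esac

    # --out must end in _attr.der to interoperate with the rest of ABAC.
    echo "creddy $* --out ${out}_attr.der"
}

creddy_attr_cmd 'Alice.friend <- Bob.colleague'
```

The helper only prints the command; review the output, then run it where the issuer's private key is stored.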