| | 1 | Note: this was converted from the man page. Do not edit this document directly. |
| | 2 | |
| | 3 | {{{ |
| | 4 | #!html |
| | 5 | <H1>creddy</H1> |
| | 6 | creddy - ABAC X.509 identity and attribute certificate manager (for cool kids) |
| | 7 | <P> |
| | 8 | <A NAME="lbAC"> </A> |
| | 9 | <H2>SYNOPSIS</H2> |
| | 10 | |
| | 11 | <P> |
| | 12 | <B>creddy [ --<mode> ] --help</B> |
| | 13 | |
| | 14 | <P> |
| | 15 | <A NAME="lbAD"> </A> |
| | 16 | <H2>DESCRIPTION</H2> |
| | 17 | |
| | 18 | <P> |
| | 19 | creddy is an awesome and wonderful ABAC credential management tool. It |
| | 20 | creates, verifies, and otherwise frobnicates X.509 identity and |
| | 21 | attribute certificates. The output of the tool is suitable for use with |
| | 22 | ABAC. Additionally, the self-signed X.509 identity certs (with |
| | 23 | associated private keys) can be used with OpenSSL. |
| | 24 | <P> |
| | 25 | <A NAME="lbAE"> </A> |
| | 26 | <H2>OPTIONS</H2> |
| | 27 | |
| | 28 | <P> |
| | 29 | <A NAME="lbAF"> </A> |
| | 30 | <H3>--generate</H3> |
| | 31 | |
| | 32 | Generate an X.509 identity cert and private key pair. The certificate is saved in ${cn}_id.pem and the private key is saved in ${cn}_private.pem. |
| | 33 | <P> |
| | 34 | |
| | 35 | Note that private key generation is slow and uses a lot of entropy. You can generate entropy by moving your mouse a lot or running large find commands on your local file systems. |
| | 36 | <P> |
| | 37 | <DL COMPACT> |
| | 38 | <DT><B>--cn</B> |
| | 39 | |
| | 40 | <DD> |
| | 41 | common name used on certificate, provided as a convenience and ignored by ABAC |
| | 42 | <P> |
| | 43 | <DT><B>--validity</B> |
| | 44 | |
| | 45 | <DD> |
| | 46 | optional certificate validity in days, default is 1080 |
| | 47 | <P> |
| | 48 | </DL> |
| | 49 | <A NAME="lbAG"> </A> |
| | 50 | <H3>--verify</H3> |
| | 51 | |
| | 52 | verify the signature on a self-signed X.509 identity cert or an X.509 attribute cert |
| | 53 | <P> |
| | 54 | <DL COMPACT> |
| | 55 | <DT><B>--cert</B> |
| | 56 | |
| | 57 | <DD> |
| | 58 | self-signed X.509 identity cert |
| | 59 | <P> |
| | 60 | <DT><B>--attrcert</B> |
| | 61 | |
| | 62 | <DD> |
| | 63 | optional X.509 attribute cert. If omitted the self-signature of the ID cert is checked |
| | 64 | <P> |
| | 65 | </DL> |
| | 66 | <A NAME="lbAH"> </A> |
| | 67 | <H3>--keyid</H3> |
| | 68 | |
| | 69 | extract the subjectKeyIdentifier (SHA1 hash) from an X.509 identity cert |
| | 70 | <P> |
| | 71 | <DL COMPACT> |
| | 72 | <DT><B>--cert</B> |
| | 73 | |
| | 74 | <DD> |
| | 75 | X.509 identity cert |
| | 76 | <P> |
| | 77 | </DL> |
| | 78 | <A NAME="lbAI"> </A> |
| | 79 | <H3>--attribute</H3> |
| | 80 | |
| | 81 | generate an X.509 attribute cert representing an ABAC credential |
| | 82 | <P> |
| | 83 | <DL COMPACT> |
| | 84 | <DT><B>--issuer</B> |
| | 85 | |
| | 86 | <DD> |
| | 87 | X.509 identity cert issuing the credential |
| | 88 | <P> |
| | 89 | <DT><B>--key</B> |
| | 90 | |
| | 91 | <DD> |
| | 92 | private key associated with issuer cert |
| | 93 | <P> |
| | 94 | <DT><B>--role</B> |
| | 95 | |
| | 96 | <DD> |
| | 97 | role in issuer's local attribute space |
| | 98 | <P> |
| | 99 | <DT><B>--subject-cert</B> |
| | 100 | |
| | 101 | <DD> |
| | 102 | X.509 identity cert representing the principal to which the role is being issued. This is mutually exclusive to --subject-id. |
| | 103 | <P> |
| | 104 | <DT><B>--subject-id</B> |
| | 105 | |
| | 106 | <DD> |
| | 107 | public key identifier (SHA1 hash) of the principal to which the role is being issued. This is mutually exclusive to --subject-cert. |
| | 108 | <P> |
| | 109 | <DT><B>--subject-role</B> |
| | 110 | |
| | 111 | <DD> |
| | 112 | optional role in subject's local attribute space. If the issuer is A, role is r1, subject is B, and subject-role is r2, the attribute issued will be A.r1 <- B.r2. |
| | 113 | <P> |
| | 114 | <DT><B>--validity</B> |
| | 115 | |
| | 116 | <DD> |
| | 117 | optional certificate validity in days, default is 365 |
| | 118 | <P> |
| | 119 | <DT><B>--out</B> |
| | 120 | |
| | 121 | <DD> |
| | 122 | where to save DER-encoded attribute cert. In order to interoperate with the rest of ABAC, this name should end in _attr.der. |
| | 123 | <P> |
| | 124 | </DL> |
| | 125 | <A NAME="lbAJ"> </A> |
| | 126 | <H3>--roles</H3> |
| | 127 | |
| | 128 | Extract the roles from an X.509 attribute cert |
| | 129 | <P> |
| | 130 | <DL COMPACT> |
| | 131 | <DT><B>--cert</B> |
| | 132 | |
| | 133 | <DD> |
| | 134 | X.509 attribute cert containing ABAC roles |
| | 135 | <P> |
| | 136 | </DL> |
| | 137 | <A NAME="lbAK"> </A> |
| | 138 | <H3>--version</H3> |
| | 139 | |
| | 140 | display ABAC/creddy version |
| | 141 | <P> |
| | 142 | <A NAME="lbAL"> </A> |
| | 143 | <H2>EXAMPLES</H2> |
| | 144 | |
| | 145 | <P> |
| | 146 | <DL COMPACT> |
| | 147 | <DT>Generate ID cert and private key pairs:<DD> |
| | 148 | <P> |
| | 149 | <B>creddy --generate --cn Alice</B> |
| | 150 | |
| | 151 | <BR> |
| | 152 | |
| | 153 | <B>creddy --generate --cn Bob</B> |
| | 154 | |
| | 155 | <P> |
| | 156 | <DT>Issue the credential Alice.friend <- Bob<DD> |
| | 157 | <P> |
| | 158 | creddy --attribute \ |
| | 159 | <BR> --issuer Alice_ID.pem --key Alice_private.pem \ |
| | 160 | <BR> --role friend --subject-cert Bob_ID.pem \ |
| | 161 | <BR> --out Alice_friend__Bob_attr.der |
| | 162 | <P> |
| | 163 | </DL> |
| | 164 | }}} |
