| 1 | Note: this was converted from the man page. Do not edit this document directly. |
| 2 | |
| 3 | {{{ |
| 4 | #!html |
| 5 | <H1>creddy</H1> |
| 6 | creddy - ABAC X.509 identity and attribute certificate manager (for cool kids) |
| 7 | <P> |
| 8 | <A NAME="lbAC"> </A> |
| 9 | <H2>SYNOPSIS</H2> |
| 10 | |
| 11 | <P> |
| 12 | <B>creddy [ --&lt;mode&gt; ] --help</B> |
| 13 | |
| 14 | <P> |
| 15 | <A NAME="lbAD"> </A> |
| 16 | <H2>DESCRIPTION</H2> |
| 17 | |
| 18 | <P> |
| 19 | creddy is an awesome and wonderful ABAC credential management tool. It |
| 20 | creates, verifies, and otherwise frobnicates X.509 identity and |
| 21 | attribute certificates. The output of the tool is suitable for use with |
| 22 | ABAC. Additionally, the self-signed X.509 identity certs (with |
| 23 | associated private keys) can be used with OpenSSL. |
| 24 | <P> |
| 25 | <A NAME="lbAE"> </A> |
| 26 | <H2>OPTIONS</H2> |
| 27 | |
| 28 | <P> |
| 29 | <A NAME="lbAF"> </A> |
| 30 | <H3>--generate</H3> |
| 31 | |
| 32 | Generate an X.509 identity cert and private key pair. The certificate is saved in ${cn}_id.pem and the private key is saved in ${cn}_private.pem. |
| 33 | <P> |
| 34 | |
| 35 | Note that private key generation is slow and uses a lot of entropy. You can generate entropy by moving your mouse a lot or running large find commands on your local file systems. |
| 36 | <P> |
| 37 | <DL COMPACT> |
| 38 | <DT><B>--cn</B> |
| 39 | |
| 40 | <DD> |
| 41 | common name used on certificate, provided as a convenience and ignored by ABAC |
| 42 | <P> |
| 43 | <DT><B>--validity</B> |
| 44 | |
| 45 | <DD> |
| 46 | optional certificate validity in days, default is 1080 |
| 47 | <P> |
| 48 | </DL> |
| 49 | <A NAME="lbAG"> </A> |
| 50 | <H3>--verify</H3> |
| 51 | |
| 52 | verify the signature on a self-signed X.509 identity cert or an X.509 attribute cert |
| 53 | <P> |
| 54 | <DL COMPACT> |
| 55 | <DT><B>--cert</B> |
| 56 | |
| 57 | <DD> |
| 58 | self-signed X.509 identity cert |
| 59 | <P> |
| 60 | <DT><B>--attrcert</B> |
| 61 | |
| 62 | <DD> |
| 63 | optional X.509 attribute cert. If omitted the self-signature of the ID cert is checked |
| 64 | <P> |
| 65 | </DL> |
| 66 | <A NAME="lbAH"> </A> |
| 67 | <H3>--keyid</H3> |
| 68 | |
| 69 | extract the subjectKeyIdentifier (SHA1 hash) from an X.509 identity cert |
| 70 | <P> |
| 71 | <DL COMPACT> |
| 72 | <DT><B>--cert</B> |
| 73 | |
| 74 | <DD> |
| 75 | X.509 identity cert |
| 76 | <P> |
| 77 | </DL> |
| 78 | <A NAME="lbAI"> </A> |
| 79 | <H3>--attribute</H3> |
| 80 | |
| 81 | generate an X.509 attribute cert representing an ABAC credential |
| 82 | <P> |
| 83 | <DL COMPACT> |
| 84 | <DT><B>--issuer</B> |
| 85 | |
| 86 | <DD> |
| 87 | X.509 identity cert issuing the credential |
| 88 | <P> |
| 89 | <DT><B>--key</B> |
| 90 | |
| 91 | <DD> |
| 92 | private key associated with issuer cert |
| 93 | <P> |
| 94 | <DT><B>--role</B> |
| 95 | |
| 96 | <DD> |
| 97 | role in issuer's local attribute space |
| 98 | <P> |
| 99 | <DT><B>--subject-cert</B> |
| 100 | |
| 101 | <DD> |
| 102 | X.509 identity cert representing the principal to which the role is being issued. This is mutually exclusive with --subject-id. |
| 103 | <P> |
| 104 | <DT><B>--subject-id</B> |
| 105 | |
| 106 | <DD> |
| 107 | public key identifier (SHA1 hash) of the principal to which the role is being issued. This is mutually exclusive with --subject-cert. |
| 108 | <P> |
| 109 | <DT><B>--subject-role</B> |
| 110 | |
| 111 | <DD> |
| 112 | optional role in subject's local attribute space. If the issuer is A, role is r1, subject is B, and subject-role is r2, the attribute issued will be A.r1 &lt;- B.r2. |
| 113 | <P> |
| 114 | <DT><B>--validity</B> |
| 115 | |
| 116 | <DD> |
| 117 | optional certificate validity in days, default is 365 |
| 118 | <P> |
| 119 | <DT><B>--out</B> |
| 120 | |
| 121 | <DD> |
| 122 | where to save DER-encoded attribute cert. In order to interoperate with the rest of ABAC, this name should end in _attr.der. |
| 123 | <P> |
| 124 | </DL> |
| 125 | <A NAME="lbAJ"> </A> |
| 126 | <H3>--roles</H3> |
| 127 | |
| 128 | Extract the roles from an X.509 attribute cert |
| 129 | <P> |
| 130 | <DL COMPACT> |
| 131 | <DT><B>--cert</B> |
| 132 | |
| 133 | <DD> |
| 134 | X.509 attribute cert containing ABAC roles |
| 135 | <P> |
| 136 | </DL> |
| 137 | <A NAME="lbAK"> </A> |
| 138 | <H3>--version</H3> |
| 139 | |
| 140 | display ABAC/creddy version |
| 141 | <P> |
| 142 | <A NAME="lbAL"> </A> |
| 143 | <H2>EXAMPLES</H2> |
| 144 | |
| 145 | <P> |
| 146 | <DL COMPACT> |
| 147 | <DT>Generate ID cert and private key pairs:<DD> |
| 148 | <P> |
| 149 | <B>creddy --generate --cn Alice</B> |
| 150 | |
| 151 | <BR> |
| 152 | |
| 153 | <B>creddy --generate --cn Bob</B> |
| 154 | |
| 155 | <P> |
| 156 | <DT>Issue the credential Alice.friend &lt;- Bob<DD> |
| 157 | <P> |
| 158 | creddy --attribute \ |
| 159 | <BR> --issuer Alice_ID.pem --key Alice_private.pem \ |
| 160 | <BR> --role friend --subject-cert Bob_ID.pem \ |
| 161 | <BR> --out Alice_friend__Bob_attr.der |
| 162 | <P> |
| 163 | </DL> |
| 164 | }}} |
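
A guard for the `--attribute` options documented above, as an added example that is not part of creddy: it rejects argument lists that break the documented rules (`--subject-cert` and `--subject-id` together, an `--out` name that does not end in `_attr.der`) before the issuer's private key is used to sign. The function names and the `CREDDY` variable are hypothetical, and the 40-hex-digit form of the SHA1 key identifier is an assumption.

```sh
# Added example, not part of creddy. Function names and the CREDDY variable are
# hypothetical; only the --attribute options are taken from the man page.

# Assumption: the SHA1 key identifier is written as 40 hexadecimal digits.
is_keyid() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Check a "creddy --attribute" argument list against the documented rules.
# Options the page does not mark "optional" are treated as required.
check_attr_args() {
    issuer='' key='' role='' scert='' sid='' out=''
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 2; }
        case "$1" in
            --issuer) issuer=$2 ;;
            --key) key=$2 ;;
            --role) role=$2 ;;
            --subject-cert) scert=$2 ;;
            --subject-id) sid=$2 ;;
            --out) out=$2 ;;
            --subject-role|--validity) ;;
            *) echo "unknown option: $1" >&2; return 2 ;;
        esac
        shift 2
    done
    [ -n "$issuer" ] && [ -n "$key" ] && [ -n "$role" ] ||
        { echo "--issuer, --key and --role are required" >&2; return 2; }
    if [ -n "$scert" ] && [ -n "$sid" ]; then
        echo "--subject-cert and --subject-id are mutually exclusive" >&2; return 2
    elif [ -z "$scert" ] && [ -z "$sid" ]; then
        echo "one of --subject-cert or --subject-id is required" >&2; return 2
    fi
    if [ -n "$sid" ] && ! is_keyid "$sid"; then
        echo "--subject-id is not a SHA1 key identifier" >&2; return 2
    fi
    case "$out" in
        ?*_attr.der) ;;
        *) echo "--out should end in _attr.der" >&2; return 2 ;;
    esac
}

# Validate, then sign. Set CREDDY=echo for a dry run that prints the arguments.
issue_attr() {
    check_attr_args "$@" || return
    "${CREDDY:-creddy}" --attribute "$@"
}
```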