Note: this was converted from the man page. Do not edit this document directly.
creddy
creddy - ABAC X.509 identity and attribute certificate manager (for cool kids)
SYNOPSIS
creddy [ --<mode> ] --help
DESCRIPTION
creddy is the ABAC credential management tool. It creates, verifies, and inspects X.509 identity and attribute certificates. The output of the tool is suitable for use with ABAC. Additionally, the self-signed X.509 identity certs (with their associated private keys) can be used directly with OpenSSL.
OPTIONS
--generate
Generate an X.509 identity cert and private key pair. The certificate is saved in ${cn}_ID.pem and the private key is saved in ${cn}_private.pem. Note that private key generation is slow and uses a lot of entropy. You can generate entropy by moving your mouse a lot or running large find commands on your local file systems.
- --cn: common name used on the certificate, provided as a convenience and ignored by ABAC (ABAC identifies principals by the key hash, see --keyid)
- --validity: optional certificate validity in days, default is 1080
--verify
Verify the signature on a self-signed X.509 identity cert or an X.509 attribute cert.
- --cert: self-signed X.509 identity cert
- --attrcert: optional X.509 attribute cert. If omitted, the self-signature of the ID cert is checked; if given, the attribute cert's signature is checked against --cert
--keyid
Extract the subjectKeyIdentifier (SHA1 hash of the public key) from an X.509 identity cert.
- --cert: X.509 identity cert
--attribute
Generate an X.509 attribute cert representing an ABAC credential.
- --issuer: X.509 identity cert issuing the credential
- --key: private key associated with the issuer cert
- --role: role in the issuer's local attribute space. Must start with a letter and be alphanumeric thereafter.
- --subject-cert: X.509 identity cert representing the principal to which the role is being issued. Mutually exclusive with --subject-id.
- --subject-id: public key identifier (SHA1 hash) of the principal to which the role is being issued. Mutually exclusive with --subject-cert.
- --subject-role: optional role in the subject's local attribute space. Must start with a letter and be alphanumeric thereafter. If the issuer is A, role is r1, subject is B, and subject-role is r2, the attribute issued will be A.r1 <- B.r2.
- --validity: optional certificate validity in days, default is 365
- --out: where to save the DER-encoded attribute cert. In order to interoperate with the rest of ABAC, this name should end in _attr.der.
--roles
Extract the roles from an X.509 attribute cert.
- --cert: X.509 attribute cert containing ABAC roles
--version
Display the ABAC/creddy version.
EXAMPLES
- Generate ID cert and private key pairs:

      creddy --generate --cn Alice
      creddy --generate --cn Bob

- Issue the credential Alice.friend <- Bob:

      creddy --attribute \
          --issuer Alice_ID.pem --key Alice_private.pem \
          --role friend --subject-cert Bob_ID.pem \
          --out Alice_friend__Bob_attr.der
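The following script is an added example and is not part of the creddy man page or the ABAC project: it chains the modes above into one workflow (generate both identities, check their self-signatures, issue Alice.friend <- Bob, verify the attribute cert before handing it to ABAC, then read back the key id and roles). It assumes creddy is on PATH; the principal names, the role, the delegated "Alice.friend <- Bob.friend" credential and its output file name are made up for the example, and the use of the --keyid output as a --subject-id value follows the man page's description of both as the SHA1 public key hash.

```shell
#!/bin/sh
# Added example: end-to-end creddy workflow with the verification steps the
# EXAMPLES section skips. Assumes creddy is installed; names are invented.

# File name the man page convention yields for an issued credential:
# <issuer>_<role>__<subject>_attr.der (the trailing _attr.der is what the
# rest of ABAC expects).
attr_filename() {
    printf '%s_%s__%s_attr.der\n' "$1" "$2" "$3"
}

# Issue issuer.role <- subject from the subject's ID cert, then verify the
# new attribute cert against the issuer's ID cert. Fails if either step fails.
issue_and_verify() {
    issuer=$1; role=$2; subject=$3
    out=$(attr_filename "$issuer" "$role" "$subject")
    creddy --attribute \
        --issuer "${issuer}_ID.pem" --key "${issuer}_private.pem" \
        --role "$role" --subject-cert "${subject}_ID.pem" \
        --out "$out" || return 1
    # Never pass an unverified attribute cert on to ABAC.
    creddy --verify --cert "${issuer}_ID.pem" --attrcert "$out"
}

demo() {
    # Skip cleanly where creddy is not available (e.g. on a CI box).
    command -v creddy >/dev/null 2>&1 || {
        echo "creddy not installed; skipping demo" >&2
        return 0
    }
    workdir=$(mktemp -d) && cd "$workdir" || return 1

    # Identity certs and keys (slow: key generation needs entropy).
    creddy --generate --cn Alice || return 1
    creddy --generate --cn Bob   || return 1

    # Self-signature check on each identity cert.
    creddy --verify --cert Alice_ID.pem || return 1
    creddy --verify --cert Bob_ID.pem   || return 1

    # Alice.friend <- Bob, verified before use.
    issue_and_verify Alice friend Bob || return 1

    # ABAC names principals by key hash, not CN; --keyid gives that hash.
    bob_id=$(creddy --keyid --cert Bob_ID.pem) || return 1
    echo "Bob's principal id: $bob_id"

    # Delegation Alice.friend <- Bob.friend, addressing Bob by key id instead
    # of by cert (assumption: --keyid output is the form --subject-id takes).
    creddy --attribute \
        --issuer Alice_ID.pem --key Alice_private.pem \
        --role friend --subject-id "$bob_id" --subject-role friend \
        --out Alice_friend__Bob_friend_attr.der || return 1
    creddy --verify --cert Alice_ID.pem \
        --attrcert Alice_friend__Bob_friend_attr.der || return 1

    # Read back what was actually encoded in each credential.
    creddy --roles --cert Alice_friend__Bob_attr.der
    creddy --roles --cert Alice_friend__Bob_friend_attr.der
}

demo
```

Run it as a plain sh script; it works in a fresh temporary directory so repeated runs do not overwrite an existing ${cn}_ID.pem and ${cn}_private.pem pair. The verify step after every --attribute call is the habit worth keeping: creddy will happily write an attribute cert signed with the wrong key if --issuer and --key are mismatched, and the failure only surfaces when ABAC rejects the credential later.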