.TH "keyclient" "8" "" ""

.SH "NAME"
keyclient \- generate and distribute keys on behalf of Pubcookie.

.SH "SYNOPSIS"
.IP "\fBkeyclient [options]\fP"
Download host key from the keyserver\&.
.IP "\fBkeyclient -P <host> [options]\fP"
Allow <host> to also access the keyserver\&.
.IP "\fBkeyclient -U <cert file> [options]\fP"
Upload <cert file> to the keyserver\&.
.IP "\fBkeyclient -G <gcert file> [options]\fP"
Download granting certificate from the keyserver, and write it to <gcert file>\&.

.SH "DESCRIPTION"
\fBkeyclient\fP is used by participating Pubcookie application servers to securely request keys from the login server's keyserver component\&.

.SH "OPTIONS"
.IP "\fB\-f <config file>\fP"
Use alternate configuration file\&.
.IP "\fB\-K <URI>\fP"
URI of key management server (running keyserver)\&.
.IP "\fB\-k <key file>\fP"
Key to use for TLS authentication\&.
.IP "\fB\-a\fP"
Expect key file in ASN.1 format\&.
.IP "\fB\-p\fP"
Expect key file in PEM format (default)\&.
.IP "\fB\-c <cert file>\fP"
Certificate to use for TLS authentication\&.
.IP "\fB\-C <cert file>\fP"
CA certificate to use for client verification\&.
.IP "\fB\-D <CA directory>\fP"
Directory of trusted CAs, hashed OpenSSL-style\&.
.IP "\fB\-H <host name>\fP"
Specify requesting host name. Useful when the application server uses a wildcard certificate (CN is *.subdomain.example.edu), or if the application server host name is one of several in the certificate's Subject Alt Name field\&.
.IP "\fB\-K <URI>\fP"
Directory of trusted CAs, hashed OpenSSL-style\&.
.IP "\fB\-d\fP"
Download existing, rather than generating new host key\&.
.IP "\fB\-u\fP"
Upload local host key to keyserver\&.
.IP "\fB\-n\fP"
Just show what would be done\&.
.IP "\fB\-q\fP"
Quiet mode\&.


.PP
.SH "FILES"
.nf
/etc/pubcookie/config
.fi

.PP
.SH "SEE ALSO"
.nf
.I keyserver (8)
.I xinetd (8)
.I openssl (1)
/usr/share/doc/mod_pubcookie*/doc/*.html
.fi