.TH "keyclient" "8" "" "" .SH "NAME" keyclient \- generate and distribute keys on behalf of Pubcookie. .SH "SYNOPSIS" .IP "\fBkeyclient [options]\fP" Download host key from the keyserver\&. .IP "\fBkeyclient -P <host> [options]\fP" Allow <host> to also access the keyserver\&. .IP "\fBkeyclient -U <cert file> [options]\fP" Upload <cert file> to the keyserver\&. .IP "\fBkeyclient -G <gcert file> [options]\fP" Download granting certificate from the keyserver, and write it to <gcert file>\&. .SH "DESCRIPTION" \fBkeyclient\fP is used by participating Pubcookie application servers to securely request keys from the login server's keyserver component\&. .SH "OPTIONS" .IP "\fB\-f <config file>\fP" Use alternate configuration file\&. .IP "\fB\-K <URI>\fP" URI of key management server (running keyserver)\&. .IP "\fB\-k <key file>\fP" Key to use for TLS authentication\&. .IP "\fB\-a\fP" Expect key file in ASN.1 format\&. .IP "\fB\-p\fP" Expect key file in PEM format (default)\&. .IP "\fB\-c <cert file>\fP" Certificate to use for TLS authentication\&. .IP "\fB\-C <cert file>\fP" CA certificate to use for client verification\&. .IP "\fB\-D <CA directory>\fP" Directory of trusted CAs, hashed OpenSSL-style\&. .IP "\fB\-H <host name>\fP" Specify requesting host name. Useful when the application server uses a wildcard certificate (CN is *.subdomain.example.edu), or if the application server host name is one of several in the certificate's Subject Alt Name field\&. .IP "\fB\-K <URI>\fP" Directory of trusted CAs, hashed OpenSSL-style\&. .IP "\fB\-d\fP" Download existing, rather than generating new host key\&. .IP "\fB\-u\fP" Upload local host key to keyserver\&. .IP "\fB\-n\fP" Just show what would be done\&. .IP "\fB\-q\fP" Quiet mode\&. .PP .SH "FILES" .nf /etc/pubcookie/config .fi .PP .SH "SEE ALSO" .nf .I keyserver (8) .I xinetd (8) .I openssl (1) /usr/share/doc/mod_pubcookie*/doc/*.html .fi