sq-pki-vouch-authorize - Man Page

--add-userid

Use the given user ID even if it isn't a self-signed user ID.

Because certifying a user ID that is not self-signed is often a mistake, you need to use this option to explicitly opt in.  That said, certifying a user ID that is not self-signed is useful.  For instance, you can associate an alternate email address with a certificate, or you can add a petname, i.e., a memorable, personal name like "mom".

--amount=AMOUNT

Set the amount of trust.  Values between 1 and 120 are meaningful. 120 means fully trusted.  Values less than 120 indicate the degree of trust.  60 is usually used for partially trusted.

[default: full]

--binary

Emit binary data

--cert=FINGERPRINT|KEYID

Use certificates with the specified fingerprint or key ID

--cert-file=PATH

Read certificates from PATH

--certifier=FINGERPRINT|KEYID

Create the certification using the key with the specified fingerprint or key ID

--certifier-email=EMAIL

Create the certification using the key where a user ID includes the specified email address

--certifier-file=PATH

Create the certification using the key read from PATH

--certifier-userid=USERID

Create the certification using the key with the specified user ID

--depth=TRUST_DEPTH

Set the trust depth (sometimes referred to as the trust level).  1 means CERTIFICATE is a trusted introducer (default), 2 means CERTIFICATE is a meta-trusted introducer and can authorize another trusted introducer, etc.

[default: 1]

--domain=DOMAIN

Add a domain constraint to the introducer.

Add a domain to constrain what certifications are respected.  A certification made by the certificate is only respected if it is over a user ID with an email address in the specified domain.  Multiple domains may be specified.  In that case, one must match.

--email=EMAIL

Use the specified email address

--expiration=EXPIRATION

Sets the expiration time.

EXPIRATION is either an ISO 8601 formatted string or a custom duration, which takes the form `N[ymwds]`, where the letters stand for years, months, weeks, days, and seconds, respectively.  Alternatively, the keyword `never` does not set an expiration time.

[default: 5y]

--local

Make the certification a local certification.  Normally, local certifications are not exported.

--non-revocable

Mark the certification as being non-revocable. That is, you cannot later revoke this certification.  This should normally only be used with an expiration.

--notation NAME VALUE

Add a notation to the certification.  A user-defined notation's name must be of the form `name@a.domain.you.control.org`. If the notation's name starts with a !, then the notation is marked as being critical.  If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature.  The notation is marked as being human readable.

--output=FILE

Write to FILE or stdout if omitted

--regex=REGEX

Add a regular expression to constrain the introducer.

Add a regular expression to constrain what certifications are respected.  A certification made by the certificate is only respected if it is over a user ID that matches one of the specified regular expression.  Multiple regular expressions may be specified.  In that case, at least one must match.

--unconstrained

Don't constrain the introducer.

Normally an introducer is constrained so that only certain user IDs are respected, e.g., those that have an email address for a certain domain name.  This option authorizes an introducer without constraining it in this way.  Because this grants the introducer a lot of power, you have to opt in to this behavior explicitly.

--userid=USERID

Use the specified user ID

See sq(1) for a description of the global options.