
ipsec_scepclient - Client for the SCEP protocol

Bugs

--optionsfrom seems to have parsing problems reading option files containing strings in quotation marks.

strongSwan                                         2012-05-11                                IPSEC_SCEPCLIENT(8)

Description

       scepclient is a client implementation of Cisco Systems' Simple Certificate Enrollment Protocol (SCEP)
       written for Linux strongSwan <http://www.strongswan.org>. scepclient is designed to be used for
       certificate enrollment on machines using the open-source IPsec solution strongSwan.

Examples

       ipsec scepclient --out caCert --url http://scepserver/cgi-bin/pkiclient.exe -f
           Acquire the CA certificate from the SCEP server and store it in the default file
           $CONFDIR/ipsec.d/cacerts/caCert.der. If more than one CA certificate is returned, store them in
           files named 'caCert-1.der', 'caCert-2.der', etc. If an RA certificate is returned, store it in a
           file named 'caCert-ra.der'. If more than one RA certificate is returned, store them in files named
           'caCert-ra-1.der', 'caCert-ra-2.der', etc.

       ipsec scepclient --out pkcs1=joeKey.der -k 1024
           Generate an RSA private key with a key length of 1024 bit and store it in the file joeKey.der.

       ipsec scepclient --in pkcs1=joeKey.der --out pkcs10=joeReq.der \
           --dn "C=AT, CN=John Doe" -s email=john@doe.com -p mypassword
           Generate a PKCS#10 request and store it in the file joeReq.der. Use the RSA private key joeKey.der
           created earlier to sign the PKCS#10 request. In addition to the distinguished name, include an
           email subjectAltName and a challenge password in the request.

       ipsec scepclient --out pkcs1=joeKey.der --out cert=joeCert.der \
           --dn "C=CH, CN=John Doe" -k 512 -p 5xH2pnT7wq \
           --url http://scep.hsr.ch/cgi-bin/pkiclient.exe \
           --in cacert-enc=caCert.der --in cacert-sig=caCert.der
           Generate a new RSA key for the request and store it in joeKey.der. Then enroll a certificate and
           store it as joeCert.der. The challenge password is '5xH2pnT7wq'. The encryption of the request and
           the signature check of the reply both use the same CA certificate caCert.der.
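The enrollment steps above, wrapped into a script. This is an added example and not part of the strongSwan man page: it fetches the CA certificate, compares its fingerprint with a value obtained out of band before trusting it (the manual-mode "offline fingerprint check" the FEATURES section calls for), and then enrolls with non-default algorithm choices, since the defaults listed under --algorithm are DES and MD5. SCEP_URL, CA_FINGERPRINT, OUTDIR, the "run" argument and the use of openssl for the fingerprint are assumptions of this script, not features of scepclient.

```shell
#!/bin/sh
# Added example, not from the strongSwan man page. Wrapper around
# "ipsec scepclient" that (1) acquires the CA certificate, (2) pins it to
# an out-of-band SHA-256 fingerprint, and (3) enrolls with non-default
# algorithms. SCEP_URL, CA_FINGERPRINT, OUTDIR and openssl are assumptions.

SCEP_URL="${SCEP_URL:-http://scep.example.invalid/cgi-bin/pkiclient.exe}"  # placeholder
CA_FINGERPRINT="${CA_FINGERPRINT:-}"   # SHA-256 fingerprint, obtained out of band
OUTDIR="${OUTDIR:-./scep-out}"

# Normalise a fingerprint for comparison: strip separators, uppercase hex.
norm_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'abcdef' 'ABCDEF'
}

# Succeeds (exit 0) only when both fingerprints denote the same digest;
# an empty pinned value never matches, so an unset pin fails closed.
fp_matches() {
    [ -n "$1" ] && [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# Step 1: command that acquires the CA certificate into $OUTDIR.
fetch_ca_cmd() {
    printf 'ipsec scepclient --out cacert=%s/caCert.der --url %s -f' "$OUTDIR" "$SCEP_URL"
}

# Step 2: compare the downloaded certificate's SHA-256 fingerprint with
# the pinned one (assumes openssl is installed).
verify_ca() {
    actual=$(openssl x509 -inform der -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    fp_matches "$CA_FINGERPRINT" "$actual"
}

# Step 3: enrollment command. $1 = DN, $2 = subjectAltName e-mail.
# Non-default choices: 2048-bit key, AES-256 for the PKCS#7 envelope,
# SHA-256 digests, HTTP POST, and -p %prompt so the challenge password
# stays out of argv and shell history.
enroll_cmd() {
    printf 'ipsec scepclient --url %s --in cacert-enc=%s/caCert.der --in cacert-sig=%s/caCert.der --out pkcs1=%s/myKey.der --out cert=%s/myCert.der --dn "%s" -s email=%s -k 2048 -a enc=aes256 -a dgst=sha256 -a sig=sha256 -m post -p %%prompt' \
        "$SCEP_URL" "$OUTDIR" "$OUTDIR" "$OUTDIR" "$OUTDIR" "$1" "$2"
}

# Only "run" executes anything: ./scepenroll.sh run 'C=CH, CN=gw1' gw1@example.invalid
# Without it the functions are merely defined so the commands can be reviewed.
if [ "${1:-}" = "run" ]; then
    mkdir -p "$OUTDIR"
    sh -c "$(fetch_ca_cmd)"
    verify_ca "$OUTDIR/caCert.der" || { echo "CA fingerprint mismatch, not enrolling" >&2; exit 1; }
    sh -c "$(enroll_cmd "${2:?DN required}" "${3:?e-mail required}")"
fi
```

The fingerprint check sits between acquisition and enrollment on purpose: the same caCert.der is used both to encrypt the request (cacert-enc) and to verify the reply (cacert-sig), so a wrong CA certificate at that point compromises both directions.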

Features

scepclient implements the following features of SCEP:

       -   Automatic enrollment of client certificate using a preshared secret

       -   Manual enrollment of client certificate. Offline fingerprint check required!

       -   Acquisition of CA certificate(s)

Name

       ipsec_scepclient - Client for the SCEP protocol

Options

   Basic Startup Options

       -v, --version
           Display the version of ipsec scepclient.

       -h, --help
           Display usage of ipsec scepclient.

   General Options

       -u, --url url
           Full HTTP URL of the SCEP server to be used for certificate enrollment and CA certificate
           acquisition.

       -+, --optionsfrom filename
           Reads additional options from filename.

       -f, --force
           Overwrite existing output file[s].

       -q, --quiet
           Do not write log output to stderr.

   Options for CA Certificate Acquisition

       -o, --out cacert[=filename]
           Output file of the acquired CA certificate. If more than one CA certificate is available, filename
           is used as a prefix for the resulting files (refer to EXAMPLES for details).
           The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.

   Options for Certificate Enrollment

       -i, --in type[=filename]
           Input file for certificate enrollment. This option can be specified multiple times to specify input
           files for every type. Input files can be either DER or PEM encoded.

           Supported values for type:

           pkcs1       RSA private key in PKCS#1 file format. If no input of this type is specified, an RSA key
                       gets generated.
                       The default filename is $CONFDIR/ipsec.d/private/myKey.der.

           pkcs10      PKCS#10  certificate  request to be used in the SCEP request. If no input of this type is
                       specified, a request is generated.
                       The default filename is $CONFDIR/ipsec.d/req/myReq.der.

           cacert-enc  CA certificate to  encrypt  the  SCEP  request.  Has  to  be  specified  for  certificate
                       enrollment.
                       The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.

           cacert-sig  CA  certificate  to  check  signature  of SCEP reply. Has to be specified for certificate
                       enrollment.
                       The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.

           cert-self   Certificate to be used in the SCEP  request.   If  it  is  not  specified  a  self-signed
                       certificate is generated automatically.
                       The default filename is $CONFDIR/ipsec.d/certs/selfCert.der.

       -k, --keylength bits
           Sets the key length for RSA key generation. The default length for a generated RSA key is 2048
           bit.

       -D, --days days
           Validity of the self-signed X.509 certificate in days. The default is 1825 days (5 years).

       -S, --startdate YYMMDDHHMMSSZ
           Defines the notBefore date when the X.509 certificate becomes valid. The date has the format
           YYMMDDHHMMSS and must be specified in UTC (Zulu time). If the --startdate option is not specified
           then the current date is taken as a default.

       -E, --enddate YYMMDDHHMMSSZ
           Defines the notAfter date when the X.509 certificate will expire. The date has the format
           YYMMDDHHMMSS and must be specified in UTC (Zulu time). If the --enddate option is not specified then
           the default notAfter value is computed by adding the validity interval specified by the --days option
           to the notBefore date.

       -d, --dn dn
           Distinguished name as a comma-separated list of relative distinguished names. Use quotation marks
           for a distinguished name containing spaces. If the --dn parameter is missing then the default
           "C=CH, O=Linux strongSwan, CN=hostname" is used, with hostname being the return value of the
           gethostname() function.

       -s, --subjectAltName type=value
           Include a subjectAltName in the certificate request. This option can be specified multiple times to
           specify a subjectAltName for every type.

           Supported values for type:

           email       subjectAltName is an email address.

           dns         subjectAltName is a hostname.

           ip          subjectAltName is an IP address.

       -p, --password pw
           Password to be included as a challengePassword in the SCEP request. If pw is '%prompt', the
           password is prompted for on the command line.

                  -  In  automatic  mode,  this  password  corresponds  to  the  preshared  secret for the given
                  enrollment.

                  - In manual mode, this password can be used to later revoke the corresponding certificate.

       -a, --algorithm [type=]algo
           Change the algorithms to be used when generating (PKCS#10) and transporting (PKCS#7) certificate
           requests.

           Supported values for type:

           enc         symmetric encryption algorithm in PKCS#7

           dgst        hash algorithm for message digest in PKCS#7

           sig         hash algorithm for the signature in PKCS#10

           If type is not specified enc is assumed.

           Supported values for algo (enc):

           des         DES-CBC encryption (key size = 56 bit). Default.

           3des        Triple DES-EDE-CBC encryption (key size = 168 bit).

           aes128      AES-CBC encryption (key size = 128 bit).

           aes192      AES-CBC encryption (key size = 192 bit).

           aes256      AES-CBC encryption (key size = 256 bit).

           camellia128 Camellia-CBC encryption (key size = 128 bit).

           camellia192 Camellia-CBC encryption (key size = 192 bit).

           camellia256 Camellia-CBC encryption (key size = 256 bit).

           Supported values for algo (dgst or sig):

           md5 (default), sha1, sha256, sha384, sha512

       -o, --out type[=filename]
           Output file for certificate enrollment. This option can be specified multiple times to specify output
           files for every type.

           Supported values for type:

           pkcs1       RSA  private  key in PKCS#1 file format. If specified, the RSA key used for enrollment is
                       stored in file filename.  If none of the types listed  below  are  specified,  scepclient
                       will stop after outputting this file.
                       The default filename is $CONFDIR/ipsec.d/private/myKey.der.

           pkcs10      PKCS#10 certificate request. If specified, the PKCS#10 request used for certificate
                       enrollment is stored in file filename. If none of the types listed below are specified,
                       scepclient will stop after outputting this file.
                       The default filename is $CONFDIR/ipsec.d/req/myReq.der.

           pkcs7       PKCS#7 SCEP request as it is sent using HTTP to the SCEP server. If specified, this SCEP
                       request is stored in file filename. If none of the types listed below are specified,
                       scepclient will stop after outputting this file.
                       The default filename is $CONFDIR/ipsec.d/req/pkcs7.der.

           cert-self   Self-signed  certificate.  If  specified  the  self-signed  certificate is stored in file
                       filename.
                       The default filename is $CONFDIR/ipsec.d/certs/selfCert.der.

           cert        Enrolled certificate. This type  must  be  specified  for  certificate  enrollment.   The
                       enrolled certificate is stored in file filename.
                       The default filename is set to $CONFDIR/ipsec.d/certs/myCert.der.

       -m, --method method
           Change the HTTP request method for certificate enrollment. Default is get.

           Supported values for method:

           post        Certificate enrollment using HTTP POST. Must be supported by the given SCEP server.

           get         Certificate enrollment using HTTP GET.

       -t, --interval seconds
           Set the interval time in seconds when polling in manual mode. The default interval is 5 seconds.

       -x, --maxpolltime seconds
           Set the maximum time in seconds to poll in manual mode. The default is unlimited.

   Debugging Output Options

       -l, --debug level
           Changes the log level (-1..4, default: 1).
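Two of the options above are easy to get wrong in scripts: --startdate/--enddate require YYMMDDHHMMSSZ in UTC, and --optionsfrom files are reported under BUGS to mishandle quoted strings. The helpers below are an added example, not part of the strongSwan man page or code: they compute a validity window in the required format and write an options file that uses non-default algorithms and refuses a DN that would need quoting. They assume a GNU or BSD date command and, as an assumption about the option-file format, one option per line.

```shell
#!/bin/sh
# Added example, not from the strongSwan man page. Helpers for the
# YYMMDDHHMMSSZ date format of --startdate/--enddate and for writing an
# --optionsfrom file. Assumptions: GNU or BSD "date"; one option per line
# in the options file; the DN is checked for quotes and spaces because
# BUGS reports that quoted strings in option files parse badly.

# Epoch seconds -> YYMMDDHHMMSSZ in UTC (GNU date first, then BSD date).
scep_time() {
    date -u -d "@$1" +%y%m%d%H%M%SZ 2>/dev/null || date -u -r "$1" +%y%m%d%H%M%SZ
}

# Validity window starting at epoch $1 (default: now) and lasting $2 days
# (default: 1825, the man page's --days default). Prints both options so
# they can be spliced into a command line.
validity_opts() {
    start="${1:-$(date +%s)}"
    end=$((start + ${2:-1825} * 86400))
    printf '%s %s %s %s' --startdate "$(scep_time "$start")" --enddate "$(scep_time "$end")"
}

# A DN is safe for the options file only if it is non-empty and contains
# neither quotes nor spaces (otherwise it would have to be quoted).
dn_safe_for_options_file() {
    case "$1" in *\"*|*\'*|*\ *) return 1 ;; esac
    [ -n "$1" ]
}

# Write an options file: $1 = path, $2 = DN, $3 = SCEP URL. Uses AES-256
# and SHA-256 instead of the DES/MD5 defaults and a 2048-bit key.
write_options_file() {
    dn_safe_for_options_file "$2" || {
        echo "DN needs quoting; pass --dn on the command line instead" >&2
        return 1
    }
    {
        printf '%s\n' "--url $3"
        printf '%s\n' "--dn $2"
        printf '%s\n' "--algorithm enc=aes256"
        printf '%s\n' "--algorithm dgst=sha256"
        printf '%s\n' "--algorithm sig=sha256"
        printf '%s\n' "--keylength 2048"
        printf '%s\n' "--method post"
    } > "$1"
}

# Usage sketch (not executed here):
#   write_options_file scep.opts C=CH,CN=gw1 http://scep.example.invalid/cgi-bin/pkiclient.exe
#   ipsec scepclient --optionsfrom scep.opts $(validity_opts '' 365) --out cert=myCert.der \
#       --in cacert-enc=caCert.der --in cacert-sig=caCert.der -p %prompt
```

A DN with spaces, such as the default "C=CH, O=Linux strongSwan, CN=hostname", still works on the command line with quotation marks; the helper only keeps it out of the options file where the quoting problem applies.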

Synopsis

       ipsec scepclient [argument...]
       ipsec scepclient --help
       ipsec scepclient --version

See Also