pki --scep - Enroll an X.509 certificate with a SCEP server

Description

       This  sub-command  of  pki(1)  sends  a  PKCS#10  certificate  request  in an encrypted and signed PKCS#7
       container via HTTP to a SCEP server using the Simple Certificate Enrollment Protocol  (RFC  8894).  After
       successful  authorization  which  with  manual authentication requires periodic polling by the enrollment
       client, the SCEP server returns an X.509 certificate signed by the CA.

       Before the expiry of the current certificate, a new client certificate based on a fresh RSA  private  key
       can  be  requested,  using the old certificate and the old key for automatic authentication with the SCEP
       server.

Examples

       To save some typing work the following command line options are stored in a scep.opt file:

       --url http://pki.strongswan.org:8080/scep
       --cacert-enc myra.crt
       --cacert-sig myca-1.crt
       --cacert myca.crt

       With the following command, an X.509 certificate signed by the intermediate CA is requested from  a  SCEP
       server:

       pki --options scep.opt --in moonKey.der --san "moon.strongswan.org" \
           --dn "C=CH, O=strongSec GmbH, CN=moon.strongswan.org" > moonCert.der

       transaction ID: 4DFCF31CB18A9B5333CCEC6F99CF230E4524E334
         using certificate "C=CH, O=strongSwan Project, CN=SCEP RA"
         using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         reached self-signed root ca with a path length of 1
         SCEP request pending, polling indefinitely every 60 seconds
         going to sleep for 60 seconds
       transaction ID: 4DFCF31CB18A9B5333CCEC6F99CF230E4524E334
         ...
         going to sleep for 60 seconds
       Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
         serial: 1e:ff:22:7b:6e:d7:4c:c1:8a:06
         using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
         using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         reached self-signed root ca with a path length of 1
       Issued certificate is trusted, valid from Aug 22 18:56:23 2022 until Aug 22 18:56:23 2023 (currently valid)

       A certificate about to expire can be renewed with the command:

       pki --options scep.opt --in moonNewKey.der --san "moon.strongswan.org" \
           --dn "C=CH, O=strongSec GmbH, CN=moon.strongswan.org" \
           --cert moonCert.der --key moonKey.der > moonNewCert.der

       transaction ID: A9A63D028CC439F68452D125C4DBA025E67DBA95
         using certificate "C=CH, O=strongSwan Project, CN=SCEP RA"
         using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         reached self-signed root ca with a path length of 1
       Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
         serial: 1f:ff:b2:78:43:a2:9d:85:00:38
         using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
         using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         reached self-signed root ca with a path length of 1
       Issued certificate is trusted, valid from Jul 20 15:05:33 2023 until Jul 20 15:05:33 2024 (currently valid)

Name

       pki --scep - Enroll an X.509 certificate with a SCEP server

Options

-h,--help
Print usage information with a summary of the available options.

-v,--debuglevel
Set debug level, default: 1.

-+,--optionsfile
Read command line options from file.

-u,--urlurl
URL of the SCEP server.

-i,--infile
RSA private key. If not given the key is read from STDIN.

-d,--dndistinguished-name
Subject distinguished name (DN). Required unless --cert is given.

-a,--sansubjectAltName
subjectAltName extension to include in request. Can be used multiple times.

-P,--profileprofile
Certificate profile name to be included in the certificate request. Can be any UTF8 string.
Supported e.g. by the openxpki SCEP server with profiles (pc-client, tls-server, etc.) that are
translated into corresponding Extended Key Usage (EKU) flags in the generated X.509 certificate.

-p,--passwordpassword
The challengePassword to include in the certificate request.

-e,--cacert-encfile
CA or RA certificate for encryption

-s,--cacert-sigfile
CA certificate for signature verification

-C,--cacertfile
Additional CA certificate in the trust chain used for signature verification. Can be used
multiple times.

-c,--certfile
Client certificate to be renewed.

-k,--keyfile
Client RSA private key to be replaced.

-E,--ciphercipher
Cipher used for symmetric encryption. Either aes (the default) or des3.

-g,--digestdigest
Digest to use for signature creation. One of sha256 (the default), sha384, sha512, or sha1.

-R,--rsa-paddingpadding
Padding to use for RSA signatures. Either pkcs1 (the default) or pss.

-t,--intervaltime
Poll interval in seconds, defaults to 60s.

-m,--maxpolltimetime
Maximum poll time in seconds, defaults to 0 which means unlimited polling.

-f,--outformencoding
Encoding of the created certificate file. Either der (ASN.1 DER) or pem (Base64 PEM), defaults to
der.

Synopsis

pki--scep--urlurl [--infile] [--dndistinguished-name] [--sansubjectAltName] [--profileprofile]
                  [--passwordpassword] --ca-cert-encfile--ca-cert-sigfile [--cacertfile] [--certfile--keyfile] [--ciphercipher] [--digestdigest] [--rsa-paddingpadding] [--intervaltime]
                  [--maxpolltimetime] [--outformencoding] [--debuglevel]

       pki--scep--optionsfilepki--scep-h | --help