PKI --SCEP(1)                       strongSwan                      PKI --SCEP(1)

NAME
       pki --scep - Enroll an X.509 certificate with a SCEP server

SYNOPSIS
       pki --scep --url url [--in file] [--dn distinguished-name]
                  [--san subjectAltName] [--profile profile]
                  [--password password] --cacert-enc file --cacert-sig file
                  [--cacert file] [--cert file --key file] [--cipher cipher]
                  [--digest digest] [--rsa-padding padding] [--interval time]
                  [--maxpolltime time] [--outform encoding] [--debug level]

       pki --scep --options file

       pki --scep -h | --help

DESCRIPTION
       This sub-command of pki(1) sends a PKCS#10 certificate request in an
       encrypted and signed PKCS#7 container via HTTP to a SCEP server using
       the Simple Certificate Enrollment Protocol (RFC 8894). After successful
       authorization, which with manual authentication requires periodic
       polling by the enrollment client, the SCEP server returns an X.509
       certificate signed by the CA.

       Before the expiry of the current certificate, a new client certificate
       based on a fresh RSA private key can be requested, using the old
       certificate and the old key for automatic authentication with the SCEP
       server.

OPTIONS
       -h, --help
              Print usage information with a summary of the available options.

       -v, --debug level
              Set debug level, default: 1.

       -+, --options file
              Read command line options from file.

       -u, --url url
              URL of the SCEP server.

       -i, --in file
              RSA private key. If not given, the key is read from STDIN.

       -d, --dn distinguished-name
              Subject distinguished name (DN). Required unless --cert is
              given.

       -a, --san subjectAltName
              subjectAltName extension to include in the request. Can be used
              multiple times.

       -P, --profile profile
              Certificate profile name to be included in the certificate
              request. Can be any UTF8 string. Supported e.g. by the openxpki
              SCEP server with profiles (pc-client, tls-server, etc.) that are
              translated into corresponding Extended Key Usage (EKU) flags in
              the generated X.509 certificate.

       -p, --password password
              The challengePassword to include in the certificate request.

       -e, --cacert-enc file
              CA or RA certificate for encryption.

       -s, --cacert-sig file
              CA certificate for signature verification.

       -C, --cacert file
              Additional CA certificate in the trust chain used for signature
              verification. Can be used multiple times.

       -c, --cert file
              Client certificate to be renewed.

       -k, --key file
              Client RSA private key to be replaced.

       -E, --cipher cipher
              Cipher used for symmetric encryption. Either aes (the default)
              or des3.

       -g, --digest digest
              Digest to use for signature creation. One of sha256 (the
              default), sha384, sha512, or sha1.

       -R, --rsa-padding padding
              Padding to use for RSA signatures. Either pkcs1 (the default) or
              pss.

       -t, --interval time
              Poll interval in seconds, defaults to 60s.

       -m, --maxpolltime time
              Maximum poll time in seconds, defaults to 0 which means
              unlimited polling.

       -f, --outform encoding
              Encoding of the created certificate file. Either der (ASN.1 DER)
              or pem (Base64 PEM), defaults to der.

EXAMPLES
       To save some typing work the following command line options are stored
       in a scep.opt file:

              --url http://pki.strongswan.org:8080/scep
              --cacert-enc myra.crt
              --cacert-sig myca-1.crt
              --cacert myca.crt

       With the following command, an X.509 certificate signed by the
       intermediate CA is requested from a SCEP server:

              pki --options scep.opt --in moonKey.der --san "moon.strongswan.org" \
                  --dn "C=CH, O=strongSec GmbH, CN=moon.strongswan.org" > moonCert.der

              transaction ID: 4DFCF31CB18A9B5333CCEC6F99CF230E4524E334
              using certificate "C=CH, O=strongSwan Project, CN=SCEP RA"
              using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
              using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
              reached self-signed root ca with a path length of 1
              SCEP request pending, polling indefinitely every 60 seconds
              going to sleep for 60 seconds
              transaction ID: 4DFCF31CB18A9B5333CCEC6F99CF230E4524E334
              ...
              going to sleep for 60 seconds
              Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
                serial: 1e:ff:22:7b:6e:d7:4c:c1:8a:06
              using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
              using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
              using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
              reached self-signed root ca with a path length of 1
              Issued certificate is trusted, valid from Aug 22 18:56:23 2022 until Aug 22 18:56:23 2023 (currently valid)

       A certificate about to expire can be renewed with the command:

              pki --options scep.opt --in moonNewKey.der --san "moon.strongswan.org" \
                  --dn "C=CH, O=strongSec GmbH, CN=moon.strongswan.org" \
                  --cert moonCert.der --key moonKey.der > moonNewCert.der

              transaction ID: A9A63D028CC439F68452D125C4DBA025E67DBA95
              using certificate "C=CH, O=strongSwan Project, CN=SCEP RA"
              using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
              using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
              reached self-signed root ca with a path length of 1
              Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
                serial: 1f:ff:b2:78:43:a2:9d:85:00:38
              using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
              using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
              using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
              reached self-signed root ca with a path length of 1
              Issued certificate is trusted, valid from Jul 20 15:05:33 2023 until Jul 20 15:05:33 2024 (currently valid)

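       As an added example (not part of the strongSwan man page or the pki
       tool), the POSIX shell wrapper below automates the renewal command
       above while never replacing the live key and certificate before
       pki --scep has exited successfully: the old pair is still needed to
       authenticate the renewal, and a plain "> moonNewCert.der" redirection
       would leave an empty file behind on failure. The PKI variable and the
       scep_rotate function are this example's own; the fresh key comes from
       pki --gen.

```shell
#!/bin/sh
# Added example, not strongSwan code: safe key/certificate rotation around
# "pki --scep" renewal. Assumes a scep.opt file as in EXAMPLES above.
# PKI (hypothetical knob, not a pki option) lets a caller substitute the
# binary, e.g. for dry runs.
PKI=${PKI:-pki}

# scep_rotate OPTIONS_FILE DN SAN CERT KEY
#   CERT/KEY are the live files. The renewed pair replaces them only after
#   pki --scep exits 0 and actually wrote a non-empty certificate; the
#   previous pair is kept as *.prev for rollback.
scep_rotate() {
    opts=$1; dn=$2; san=$3; cert=$4; key=$5
    newkey="$key.new"; newcert="$cert.new"

    # Fresh RSA key for the request; the old key stays untouched for now.
    "$PKI" --gen --type rsa --size 3072 --outform der > "$newkey" || return 1

    # Renewal: the old cert+key authenticate the request (no challengePassword).
    if ! "$PKI" --options "$opts" --in "$newkey" --dn "$dn" --san "$san" \
            --cert "$cert" --key "$key" > "$newcert"; then
        rm -f "$newkey" "$newcert"   # the redirection already created newcert
        return 1
    fi
    # A zero exit with no output still means no certificate was issued.
    [ -s "$newcert" ] || { rm -f "$newkey" "$newcert"; return 1; }

    # Swap in the renewed pair; keep the previous one for rollback.
    mv -f "$cert" "$cert.prev" && mv -f "$key" "$key.prev" &&
    mv -f "$newcert" "$cert" && mv -f "$newkey" "$key"
}
```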
SEE ALSO
       pki(1)

5.9.11                              2022-08-22                      PKI --SCEP(1)