1IPSEC_SCEPCLIENT(8)                                        IPSEC_SCEPCLIENT(8)
2
3
4

NAME

6       ipsec scepclient - Client for the SCEP protocol
7

SYNOPSIS

9       ipsec scepclient [argument ...]
10
11       ipsec scepclient --help
12       ipsec scepclient --version
13

DESCRIPTION

15       scepclient is a client implementation of Cisco System's Simple Certifi‐
16       cate  Enrollment  Protocol  (SCEP)   written   for   Linux   strongSwan
17       <http://www.strongswan.org>.   scepclient  is  designed  to be used for
18       certificate enrollment on machines using the OpenSource IPsec  solution
19       strongSwan.
20

FEATURES

22       scepclient implements the following features of SCEP:
23
24       -   Automatic enrollment of client certificate using a preshared secret
25
26       -   Manual  enrollment of client certificate. Offline fingerprint check
27           required!
28
29       -   Acquisition of CA certificate(s)
30

OPTIONS

32   Basic Startup Options
33       -v, --version
34           Display the version of ipsec scepclient.
35
36       -h, --help
37           Display usage of ipsec scepclient.
38
39
40   General Options
41       -u, --url url
42           Full HTTP URL of the SCEP server to be used for certificate enroll‐
43           ment and CA certificate acquisition.
44
45       -+, --optionsfrom filename
46           Reads additional options from filename.
47
48       -f, --force
49           Overwrite existing output file[s].
50
51       -q, --quiet
52           Do not write log output to stderr.
53
54
55   Options for CA Certificate Acquisition
56       -o, --out cacert[=filename]
57           Output  file  of  acquired CA certificate. If more then one CA cer‐
58           tificate is available, filename is used as prefix for the resulting
59           files (refer to EXAMPLES below for details).
60           The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.
61
62
63   Options For Certificate Enrollment
64       -i, --in type[=filename]
65           Input file for certificate enrollment. This option can be specified
66           multiple times to specify input files for every type.  Input  files
67           can be either DER or PEM encoded.
68
69           Supported values for type:
70
71           pkcs1       RSA  private  key in PKCS#1 file format. If no input of
72                       this type is specified, a RSA key gets generated.
73                       The   default   filename    is    $CONFDIR/ipsec.d/pri‐
74                       vate/myKey.der.
75
76           pkcs10      PKCS#10  certificate  request  to  be  used in the SCEP
77                       request. If no input  of  this  type  is  specified,  a
78                       request is generated.
79                       The default filename is $CONFDIR/ipsec.d/req/myReq.der.
80
81           cacert-enc  CA  certificate  to encrypt the SCEP request. Has to be
82                       specified for certificate enrollment.
83                       The default filename  is  $CONFDIR/ipsec.d/cacerts/caC‐
84                       ert.der.
85
86           cacert-sig  CA certificate to check signature of SCEP reply. Has to
87                       be specified for certificate enrollment.
88                       The default filename  is  $CONFDIR/ipsec.d/cacerts/caC‐
89                       ert.der.
90
91           cert-self   Certificate  to  be used in the SCEP request.  If it is
92                       not specified a self-signed  certificate  is  generated
93                       automatically.
94                       The  default  filename  is $CONFDIR/ipsec.d/certs/self‐
95                       Cert.der.
96
97       -k, --keylength bits
98           sets the key length for RSA key generation. The default length  for
99           a generated rsa key is set to 2048 bit.
100
101       -D, --days days
102           Validity  of the self-signed X.509 certificate in days. The default
103           is 1825 days (5 years).
104
105       -S, --startdate YYMMDDHHMMSSZ
106           defines the notBefore date  when  the  X.509  certificate   becomes
107           valid.   The   date has the format YYMMDDHHMMSS and  must be speci‐
108           fied in UTC (Zulu time).  If the --startdate option is  not  speci‐
109           fied then the current date is taken as a default.
110
111       -E, --enddate YYMMDDHHMMSSZ
112           defines  the  notAfter date when the X.509 certificate will expire.
113           The date has the format YYMMDDHHMMSS and must be specified  in  UTC
114           (Zulu  time).   If  the  --enddate option is not specified then the
115           default notAfter value is computed by adding the validity  interval
116           specified by the --days option to the notBefore date.
117
118       -d, --dn dn
119           Distinguished  name  as  comma  separated  list of relative distin‐
120           guished names. Use quotation marks for a  distinguished  name  con‐
121           taining  spaces.  If the --dn parameter is missing then the default
122           "C=CH, O=Linux strongSwan, CN=hostname" is used with hostname being
123           the return value of the gethostname() function.
124
125       -s, --subjectAltName type=value
126           Include  subjectAltName  in certificate request. This option can be
127           specified multiple times to  specify  a  subjectAltName  for  every
128           type.
129
130           Supported values for type:
131
132           email       subjectAltName is a email address.
133
134           dns         subjectAltName is a hostname.
135
136           ip          subjectAltName is a IP address.
137
138       -p, --password pw
139           Password  to  be  included as a challenge password in SCEP request.
140           If pw is %prompt', the password gets prompted for  on  the  command
141           line.
142
143                  -  In  automatic mode, this password corresponds to the pre‐
144                  shared secret for the given enrollment.
145
146                  - In manual mode, this password can be used to later  revoke
147                  the corresponding certificate.
148
149       -a, --algorithm [type=]algo
150           Change  the  algorithms to be used when generating and transporting
151           (PKCS#7) certificate requests (PKCS#10).
152
153           Supported values for type:
154
155           enc         symmetric encryption algorithm in PKCS#7
156
157           dgst        hash algorithm for message digest in PKCS#7
158
159           sig         hash algorithm for the signature in PKCS#10
160
161           If type is not specified enc is assumed.
162
163           Supported values for algo (enc):
164
165           des         DES-CBC encryption (key size = 56 bit). Default.
166
167           3des        Triple DES-EDE-CBC encryption (key size = 168 bit).
168
169           aes128      AES-CBC encryption (key size = 128 bit).
170
171           aes192      AES-CBC encryption (key size = 192 bit).
172
173           aes256      AES-CBC encryption (key size = 256 bit).
174
175           camellia128 Camellia-CBC encryption (key size = 128 bit).
176
177           camellia192 Camellia-CBC encryption (key size = 192 bit).
178
179           camellia256 Camellia-CBC encryption (key size = 256 bit).
180
181           Supported values for algo (dgst or sig):
182
183           md5 (default), sha1, sha256, sha384, sha512
184
185       -o, --out type[=filename]
186           Output file for certificate enrollment. This option can  be  speci‐
187           fied multiple times to specify output files for every type.
188
189           Supported values for type:
190
191           pkcs1       RSA  private  key  in PKCS#1 file format. If specified,
192                       the RSA key used for enrollment is stored in file file‐
193                       name.  If none of the types listed below are specified,
194                       scepclient will stop after outputting this file.
195                       The   default   filename    is    $CONFDIR/ipsec.d/pri‐
196                       vate/myKey.der.
197
198           pkcs10      PKCS#10  certificate request. If specified, the PKCS#10
199                       request used or certificate  enrollment  is  stored  in
200                       file  filename.   If none of the types listed below are
201                       specified, scepclient will stop after  outputting  this
202                       file.
203                       The default filename is $CONFDIR/ipsec.d/req/myReq.der.
204
205           pkcs7       PKCS#7  SCEP  request  as  it is sent using HTTP to the
206                       SCEP server. If specified, this SCEP request is  stored
207                       in file filename.  If none of types listed below is not
208                       specified, scepclient will stop after  outputting  this
209                       file.
210                       The default filename is $CONFDIR/ipsec.d/req/pkcs7.der.
211
212           cert-self   Self-signed  certificate.  If specified the self-signed
213                       certificate is stored in file filename.
214                       The default  filename  is  $CONFDIR/ipsec.d/certs/self‐
215                       Cert.der.
216
217           cert        Enrolled  certificate.  This type must be specified for
218                       certificate enrollment.  The  enrolled  certificate  is
219                       stored in file filename.
220                       The      default      filename      is      set      to
221                       $CONFDIR/ipsec.d/certs/myCert.der.
222
223       -m, --method method
224           Change HTTP request method for certificate enrollment.  Default  is
225           get.
226
227           Supported values for method:
228
229           post        Certificate  enrollment  using  HTTP POST. Must be sup‐
230                       ported by the given SCEP server.
231
232           get         Certificate enrollment using HTTP GET.
233
234       -t, --interval seconds
235           Set interval time in seconds when  polling  in  manual  mode.   The
236           default interval is set to 5 seconds.
237
238       -x, --maxpolltime seconds
239           Set  max  time  in seconds to poll in manual mode.  The default max
240           time is set to unlimited.
241
242
243   Debugging Output Options:
244       -l, --debug level
245           Changes the log level (-1..4, default: 1)
246

EXAMPLES

248       ipsec  scepclient  --out  caCert  --url  http://scepserver/cgi-bin/pki
249       client.exe -f
250           Acquire CA certificate from SCEP server and store it in the default
251           file $CONFDIR/ipsec.d/cacerts/caCert.der.  If more then one CA cer‐
252           tificate  is  returned,  store  them in files named ´caCert-1.der´,
253           ´caCert-2.der´, etc.  If an RA certificate is returned, store it in
254           a  file  named ´caCert-ra.der´.  If more than one RA certificate is
255           returned,  store  them  in  files  named  ´caCert-ra-1.der´,  ´caC‐
256           ert-ra-2.der´, etc.
257
258       ipsec scepclient --out pkcs1=joeKey.der -k 1024
259           Generate  RSA  private key with key length of 1024 bit and store it
260           in file joeKey.der.
261
262       ipsec scepclient --in pkcs1=joeKey.der --out pkcs10=joeReq.der \
263       --dn ”C=AT, CN=John Doe” -s email=john@doe.com -p mypassword
264           Generate a PKCS#10 request and store it in file joeReq.der. Use the
265           RSA   private   key   joeKey.der   created   earlier  to  sign  the
266           PKCS#10-Request. In addition to the distinguished  name  include  a
267           email-subjectAltName and a challenge password in the request.
268
269       ipsec scepclient --out pkcs1=joeKey.der --out cert==joeCert.der \
270       --dn ”C=CH, CN=John Doe” -k 512 -p 5xH2pnT7wq \
271       --url http://scep.hsr.ch/cgi-bin/pkiclient.exe \
272       --in cacert-enc=caCert.der --in cacert-sig=caCert.der
273           Generate  a new RSA key for the request and store it in joeKey.der.
274           Then enroll a certificate and store as joeCert.der.  The  challenge
275           password is '5xH2pnT7wq'. The encryption and signature check has to
276           be made with the same CA certificate caCert.der.
277
278

BUGS

280       --optionsfrom seems to have parsing problems reading option files  con‐
281       taining strings in quotation marks.
282
283
284
285strongSwan                        2012-05-11               IPSEC_SCEPCLIENT(8)
Impressum