IPSEC_SCEPCLIENT(8)                                        IPSEC_SCEPCLIENT(8)

NAME
       ipsec scepclient - Client for the SCEP protocol

SYNOPSIS
       ipsec scepclient [argument ...]

       ipsec scepclient --help
       ipsec scepclient --version

DESCRIPTION
       scepclient is a client implementation of Cisco Systems' Simple
       Certificate Enrollment Protocol (SCEP) written for Linux strongSwan
       <http://www.strongswan.org>. scepclient is designed to be used for
       certificate enrollment on machines using the open-source IPsec
       solution strongSwan.

       scepclient implements the following features of SCEP:

       - Automatic enrollment of client certificate using a preshared secret

       - Manual enrollment of client certificate. Offline fingerprint check
         required!

       - Acquisition of CA certificate(s)

OPTIONS
   Basic Startup Options
       -v, --version
              Display the version of ipsec scepclient.

       -h, --help
              Display usage of ipsec scepclient.


   General Options
       -u, --url url
              Full HTTP URL of the SCEP server to be used for certificate
              enrollment and CA certificate acquisition.

       -+, --optionsfrom filename
              Reads additional options from filename.

       -f, --force
              Overwrite existing output file[s].

       -q, --quiet
              Do not write log output to stderr.


   Options for CA Certificate Acquisition
       -o, --out cacert[=filename]
              Output file of acquired CA certificate. If more than one CA
              certificate is available, filename is used as prefix for the
              resulting files (refer to EXAMPLES below for details).
              The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.


   Options For Certificate Enrollment
       -i, --in type[=filename]
              Input file for certificate enrollment. This option can be
              specified multiple times to specify input files for every
              type. Input files can be either DER or PEM encoded.

              Supported values for type:

              pkcs1       RSA private key in PKCS#1 file format. If no input
                          of this type is specified, an RSA key gets
                          generated.
                          The default filename is
                          $CONFDIR/ipsec.d/private/myKey.der.

              pkcs10      PKCS#10 certificate request to be used in the SCEP
                          request. If no input of this type is specified, a
                          request is generated.
                          The default filename is
                          $CONFDIR/ipsec.d/req/myReq.der.

              cacert-enc  CA certificate to encrypt the SCEP request. Has to
                          be specified for certificate enrollment.
                          The default filename is
                          $CONFDIR/ipsec.d/cacerts/caCert.der.

              cacert-sig  CA certificate to check signature of SCEP reply.
                          Has to be specified for certificate enrollment.
                          The default filename is
                          $CONFDIR/ipsec.d/cacerts/caCert.der.

              cert-self   Certificate to be used in the SCEP request. If it
                          is not specified, a self-signed certificate is
                          generated automatically.
                          The default filename is
                          $CONFDIR/ipsec.d/certs/selfCert.der.

       -k, --keylength bits
              Sets the key length for RSA key generation. The default length
              for a generated RSA key is set to 2048 bit.

       -D, --days days
              Validity of the self-signed X.509 certificate in days. The
              default is 1825 days (5 years).

       -S, --startdate YYMMDDHHMMSSZ
              Defines the notBefore date when the X.509 certificate becomes
              valid. The date has the format YYMMDDHHMMSS and must be
              specified in UTC (Zulu time). If the --startdate option is not
              specified then the current date is taken as a default.

       -E, --enddate YYMMDDHHMMSSZ
              Defines the notAfter date when the X.509 certificate will
              expire. The date has the format YYMMDDHHMMSS and must be
              specified in UTC (Zulu time). If the --enddate option is not
              specified then the default notAfter value is computed by
              adding the validity interval specified by the --days option to
              the notBefore date.

       -d, --dn dn
              Distinguished name as comma separated list of relative
              distinguished names. Use quotation marks for a distinguished
              name containing spaces. If the --dn parameter is missing then
              the default "C=CH, O=Linux strongSwan, CN=hostname" is used
              with hostname being the return value of the gethostname()
              function.

       -s, --subjectAltName type=value
              Include subjectAltName in certificate request. This option can
              be specified multiple times to specify a subjectAltName for
              every type.

              Supported values for type:

              email       subjectAltName is an email address.

              dns         subjectAltName is a hostname.

              ip          subjectAltName is an IP address.

       -p, --password pw
              Password to be included as a challenge password in SCEP
              request. If pw is %prompt, the password gets prompted for on
              the command line.

              - In automatic mode, this password corresponds to the
                preshared secret for the given enrollment.

              - In manual mode, this password can be used to later revoke
                the corresponding certificate.

       -a, --algorithm [type=]algo
              Change the algorithms to be used when generating and
              transporting (PKCS#7) certificate requests (PKCS#10).

              Supported values for type:

              enc         symmetric encryption algorithm in PKCS#7

              dgst        hash algorithm for message digest in PKCS#7

              sig         hash algorithm for the signature in PKCS#10

              If type is not specified enc is assumed.

              Supported values for algo (enc):

              des         DES-CBC encryption (key size = 56 bit). Default.

              3des        Triple DES-EDE-CBC encryption (key size = 168 bit).

              aes128      AES-CBC encryption (key size = 128 bit).

              aes192      AES-CBC encryption (key size = 192 bit).

              aes256      AES-CBC encryption (key size = 256 bit).

              camellia128 Camellia-CBC encryption (key size = 128 bit).

              camellia192 Camellia-CBC encryption (key size = 192 bit).

              camellia256 Camellia-CBC encryption (key size = 256 bit).

              Supported values for algo (dgst or sig):

              md5 (default), sha1, sha256, sha384, sha512

       -o, --out type[=filename]
              Output file for certificate enrollment. This option can be
              specified multiple times to specify output files for every
              type.

              Supported values for type:

              pkcs1       RSA private key in PKCS#1 file format. If
                          specified, the RSA key used for enrollment is
                          stored in file filename. If none of the types
                          listed below are specified, scepclient will stop
                          after outputting this file.
                          The default filename is
                          $CONFDIR/ipsec.d/private/myKey.der.

              pkcs10      PKCS#10 certificate request. If specified, the
                          PKCS#10 request used for certificate enrollment is
                          stored in file filename. If none of the types
                          listed below are specified, scepclient will stop
                          after outputting this file.
                          The default filename is
                          $CONFDIR/ipsec.d/req/myReq.der.

              pkcs7       PKCS#7 SCEP request as it is sent using HTTP to
                          the SCEP server. If specified, this SCEP request
                          is stored in file filename. If none of the types
                          listed below are specified, scepclient will stop
                          after outputting this file.
                          The default filename is
                          $CONFDIR/ipsec.d/req/pkcs7.der.

              cert-self   Self-signed certificate. If specified, the
                          self-signed certificate is stored in file
                          filename.
                          The default filename is
                          $CONFDIR/ipsec.d/certs/selfCert.der.

              cert        Enrolled certificate. This type must be specified
                          for certificate enrollment. The enrolled
                          certificate is stored in file filename.
                          The default filename is set to
                          $CONFDIR/ipsec.d/certs/myCert.der.

       -m, --method method
              Change HTTP request method for certificate enrollment. Default
              is get.

              Supported values for method:

              post        Certificate enrollment using HTTP POST. Must be
                          supported by the given SCEP server.

              get         Certificate enrollment using HTTP GET.

       -t, --interval seconds
              Set interval time in seconds when polling in manual mode. The
              default interval is set to 5 seconds.

       -x, --maxpolltime seconds
              Set max time in seconds to poll in manual mode. The default
              max time is set to unlimited.


   Debugging Output Options:
       -l, --debug level
              Changes the log level (-1..4, default: 1)

EXAMPLES
       ipsec scepclient --out caCert --url http://scepserver/cgi-bin/pkiclient.exe -f
              Acquire CA certificate from SCEP server and store it in the
              default file $CONFDIR/ipsec.d/cacerts/caCert.der. If more than
              one CA certificate is returned, store them in files named
              'caCert-1.der', 'caCert-2.der', etc. If an RA certificate is
              returned, store it in a file named 'caCert-ra.der'. If more
              than one RA certificate is returned, store them in files named
              'caCert-ra-1.der', 'caCert-ra-2.der', etc.

       ipsec scepclient --out pkcs1=joeKey.der -k 1024
              Generate RSA private key with key length of 1024 bit and store
              it in file joeKey.der.

       ipsec scepclient --in pkcs1=joeKey.der --out pkcs10=joeReq.der \
             --dn "C=AT, CN=John Doe" -s email=john@doe.com -p mypassword
              Generate a PKCS#10 request and store it in file joeReq.der.
              Use the RSA private key joeKey.der created earlier to sign the
              PKCS#10 request. In addition to the distinguished name,
              include an email subjectAltName and a challenge password in
              the request.

       ipsec scepclient --out pkcs1=joeKey.der --out cert=joeCert.der \
             --dn "C=CH, CN=John Doe" -k 512 -p 5xH2pnT7wq \
             --url http://scep.hsr.ch/cgi-bin/pkiclient.exe \
             --in cacert-enc=caCert.der --in cacert-sig=caCert.der
              Generate a new RSA key for the request and store it in
              joeKey.der. Then enroll a certificate and store it as
              joeCert.der. The challenge password is '5xH2pnT7wq'. The
              encryption and signature check have to be made with the same
              CA certificate caCert.der.
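
The documented defaults (des for enc, md5 for dgst and sig), the 512 and 1024 bit keys and the literal -p values used in the examples can be caught before a command is run. The following is an added example, not part of the strongSwan man page or code: a POSIX shell function that audits a scepclient argument list. The name scep_audit and its thresholds (des/3des, md5/sha1, RSA below 2048 bit) are assumptions of this example, and it only understands the space-separated "option value" form.

```sh
#!/bin/sh
# Added example (not from strongSwan): audit scepclient arguments for weak
# settings. The name scep_audit and the thresholds are assumptions.
scep_audit() {
    # Defaults as documented in the man page: des, md5, md5, 2048 bit.
    enc=des dgst=md5 sig=md5 bits=2048 pw=''
    while [ $# -gt 0 ]; do
        opt=$1; shift
        case $opt in
            -a|--algorithm|-k|--keylength|-p|--password)
                [ $# -gt 0 ] || break        # option without a value
                val=$1; shift ;;
            *)  continue ;;                  # not relevant to this audit
        esac
        case $opt in
            -a|--algorithm)
                case $val in
                    enc=*)  enc=${val#enc=} ;;
                    dgst=*) dgst=${val#dgst=} ;;
                    sig=*)  sig=${val#sig=} ;;
                    *)      enc=$val ;;      # no type given: enc is assumed
                esac ;;
            -k|--keylength) bits=$val ;;
            -p|--password)  pw=$val ;;
        esac
    done
    case $enc in des|3des)
        echo "enc=$enc: weak PKCS#7 encryption, use -a enc=aes256" ;;
    esac
    case $dgst in md5|sha1)
        echo "dgst=$dgst: weak PKCS#7 digest, use -a dgst=sha256" ;;
    esac
    case $sig in md5|sha1)
        echo "sig=$sig: weak PKCS#10 signature hash, use -a sig=sha256" ;;
    esac
    [ "$bits" -ge 2048 ] || echo "keylength=$bits: RSA key shorter than 2048 bit"
    case $pw in
        ''|%prompt) ;;
        *) echo "password: literal value on the command line, use -p %prompt" ;;
    esac
    return 0
}

# Constructed input: the options of the last enrollment example above.
scep_audit --out pkcs1=joeKey.der --out cert=joeCert.der \
    --dn "C=CH, CN=John Doe" -k 512 -p 5xH2pnT7wq \
    --url http://scep.hsr.ch/cgi-bin/pkiclient.exe \
    --in cacert-enc=caCert.der --in cacert-sig=caCert.der
```

An empty result means no finding; each printed line names the option to change.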

BUGS
       --optionsfrom seems to have parsing problems reading option files
       containing strings in quotation marks.



strongSwan                        2012-05-11               IPSEC_SCEPCLIENT(8)