PKI --SCEPCA(1)                   strongSwan                   PKI --SCEPCA(1)


NAME

       pki --scepca - Get CA [and RA] certificate[s] from a SCEP server


SYNOPSIS

       pki --scepca --url url [--caout file] [--raout file]
                    [--outform encoding] [--force] [--debug level]

       pki --scepca --options file

       pki --scepca -h | --help


DESCRIPTION

       This sub-command of pki(1) fetches CA and RA certificates over HTTP
       from a SCEP server using the GetCACert operation of the Simple
       Certificate Enrollment Protocol (RFC 8894). GetCACert itself provides
       no authentication of the returned certificates, so the root CA
       certificate must be verified out of band before it is trusted (see
       EXAMPLES).


OPTIONS

       -h, --help
              Print usage information with a summary of the available options.

       -v, --debug level
              Set debug level, default: 1.

       -+, --options file
              Read command line options from file.

       -u, --url url
              URL of the SCEP server.

       -c, --caout file
              If present, path where the fetched root CA certificate is
              stored. If several CA certificates are downloaded, the value
              of --caout is used as a template to derive unique filenames
              (*-1, *-2, etc.) for the intermediate or sub CA certificates.
              If the file suffix is missing, then depending on the value of
              --outform either .der (the default) or .pem is automatically
              appended. If the --caout option is missing and --outform is
              set to pem, a PEM-encoded CA certificate bundle is written to
              stdout instead.

       -r, --raout file
              If present, path where the fetched RA certificate is stored.
              If multiple RA certificates are available, the value of
              --raout is used as a template to derive unique filenames
              (*-2, etc.). If the --raout option is missing, the value of
              --caout is used as a template to derive unique filenames
              (*-ra, *-ra-2, etc.) for the RA certificates. If the file
              suffix is missing, then depending on the value of --outform
              either .der (the default) or .pem is automatically appended.

       -f, --outform encoding
              Encoding of the created certificate files. Either der (ASN.1
              DER) or pem (Base64 PEM), defaults to der.

       -F, --force
              Force overwrite of existing files.


EXAMPLES

       A SCEP server sends a root CA and an intermediate CA certificate as
       well as an RA certificate:

       pki --scepca --url http://pki.strongswan.org:8080/scep --caout myca.crt --raout myra.crt

       Root CA cert "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         serial: 65:31:00:ca:79:da:16:6b:aa:ac:89:e2:a8:f9:49:c3:10:ab:64:54
         SHA256: 96:70:50:51:cd:b9:e7:94:6b:04:f6:15:45:80:fc:90:85:01:71:2a:f6:4f:d1:1b:2d:a1:7e:eb:bf:dd:be:86
         SHA1  : 8e:f3:78:b0:34:a6:c1:6a:7b:c6:f5:91:eb:e5:46:9b:0d:0a:a7:ba (jvN4sDSmwWp7xvWR6+VGmw0Kp7o)
       Root CA cert is untrusted, valid until Aug 12 15:51:34 2032, 'myca.crt'
       Sub CA cert "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         serial: 74:f9:7e:72:7d:b8:fd:f2:c6:e5:1b:fa:37:f9:cb:87:bf:9c:ea:e2
         SHA256: a3:5b:4b:12:d5:8f:68:7b:05:11:08:27:f5:42:62:b8:b5:01:1b:19:37:9c:28:78:5d:37:08:69:6a:8c:07:bf
         SHA1  : 8c:e6:67:67:c2:23:89:7b:d0:bc:b1:50:d2:1c:bc:8d:8d:69:15:11 (jOZnZ8IjiXvQvLFQ0hy8jY1pFRE)
         using certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         reached self-signed root ca with a path length of 0
       Sub CA cert is trusted, valid until Aug 12 15:51:34 2027, 'myca-1.crt'
       RA cert "C=CH, O=strongSwan Project, CN=SCEP RA"
         serial: 74:f9:7e:72:7d:b8:fd:f2:c6:e5:1b:fa:37:f9:cb:87:bf:9c:ea:e3
         SHA256: 57:22:f3:13:69:2f:24:82:12:59:8e:05:63:0b:f5:a8:fb:4e:78:87:8d:68:d1:4c:c1:c4:b5:85:db:bb:64:df
         SHA1  : bc:d1:46:76:55:7f:8c:d1:c5:22:31:b9:d7:b1:49:b5:95:a4:f3:ea (vNFGdlV/jNHFIjG517FJtZWk8+o)
         using certificate "C=CH, O=strongSwan Project, CN=SCEP RA"
         using untrusted intermediate certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         reached self-signed root ca with a path length of 1
       RA cert is trusted, valid until Aug 10 15:51:34 2023, 'myra.crt'

       Note that the sub CA and RA certificates are reported as trusted only
       because they chain to the root CA that was just downloaded over the
       same unauthenticated HTTP connection. The trustworthiness of the root
       CA certificate itself therefore has to be established manually, by
       comparing the SHA256 or SHA1 fingerprint of the DER-encoded
       certificate printed above with the value listed on the official PKI
       website or obtained by some other out-of-band means.
95
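       The following script is an added example, not code from strongSwan
       or the pki tool. It performs the fingerprint comparison described
       above on the root CA file that pki --scepca --caout wrote (DER or
       PEM) or on the PEM bundle it writes to stdout, normalizing the
       pinned value as it is typically copied from a web page (any case,
       with or without colons) and comparing in constant time. The
       root_ca_path helper reproduces only the suffix rule this man page
       states for --caout; the sample byte strings at the bottom are
       constructed stand-ins for DER certificates, not real ones.

```python
"""Pin-check the root CA certificate fetched by pki --scepca.

Added example, not part of strongSwan. GetCACert runs over plain HTTP, so the
root CA certificate it returns is only trustworthy after its fingerprint has
been compared with a value obtained out of band.
"""
import base64
import hashlib
import hmac
import os
import re
import sys

_PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def root_ca_path(caout: str, outform: str = "der") -> str:
    """Path of the root CA file for a given --caout value, following the rule
    in this man page: a name without a suffix gets .der or .pem appended."""
    _, ext = os.path.splitext(caout)
    return caout if ext else f"{caout}.{outform}"


def der_certs(data: bytes) -> list:
    """DER encodings of every certificate in the file content.

    PEM input may hold several certificates (a bundle); DER input is taken to
    be exactly one certificate, which is what --caout writes for the root.
    """
    blocks = _PEM_CERT.findall(data)
    if blocks:
        return [base64.b64decode(b) for b in blocks]
    return [data]


def fingerprints(data: bytes, algo: str = "sha256") -> list:
    """Digest of each DER certificate as colon-separated lowercase hex, the
    form in which pki --scepca prints its SHA256 and SHA1 lines."""
    return [":".join(f"{b:02x}" for b in hashlib.new(algo, d).digest())
            for d in der_certs(data)]


def normalize(fp: str) -> str:
    """Canonical form for a fingerprint copied from a web page or e-mail:
    strip colons and whitespace, lowercase."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def matches_pin(data: bytes, pinned: str, algo: str = "sha256") -> bool:
    """True if any certificate in the data has the pinned fingerprint.
    Comparison is constant-time; a length mismatch simply compares unequal."""
    want = normalize(pinned)
    return any(hmac.compare_digest(normalize(fp), want)
               for fp in fingerprints(data, algo))


def check_file(path: str, pinned: str, algo: str = "sha256") -> bool:
    with open(path, "rb") as f:
        return matches_pin(f.read(), pinned, algo)


# Constructed sample inputs (not real certificates): two arbitrary byte
# strings standing in for DER-encoded certificates, plus PEM forms of them.
SAMPLE_DER = bytes(range(0x30, 0x60))
SAMPLE_DER_2 = bytes(range(0x60, 0x90))


def to_pem(der: bytes) -> bytes:
    body = base64.encodebytes(der)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"


SAMPLE_PEM = to_pem(SAMPLE_DER)
SAMPLE_BUNDLE = SAMPLE_PEM + to_pem(SAMPLE_DER_2)


if __name__ == "__main__":
    # usage: scepca_pin.py <caout as given to pki> <der|pem> <pinned SHA256>
    caout, outform, pinned = sys.argv[1:4]
    path = root_ca_path(caout, outform)
    if check_file(path, pinned):
        print(f"{path}: root CA fingerprint matches the pinned value")
    else:
        print(f"{path}: fingerprint mismatch, do not trust this root CA",
              file=sys.stderr)
        sys.exit(1)
```

       Run it with the same --caout and --outform values given to pki, e.g.
       "scepca_pin.py scep/myca pem <fingerprint>" (script name and
       arguments are hypothetical). Pin only the root: the sub CA and RA
       certificates are validated by pki against that root once it is
       trusted, and pinning them would break on routine re-issuance.
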
       The stored certificate files in DER format can be overwritten by PEM-
       encoded versions with:

       pki --scepca --url http://pki.strongswan.org:8080/scep --caout myca.crt --raout myra.crt \
                    --outform pem --force

       If the --raout option is omitted and the --caout template doesn't have
       a file suffix, then with --outform pem the following filenames are
       derived:

       pki --scepca --url http://pki.strongswan.org:8080/scep --caout scep/myca --outform pem

       Root CA cert "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         ...
       Root CA cert is untrusted, valid until Aug 12 15:51:34 2032, written to 'scep/myca.pem'
       Sub CA cert "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         ...
       Sub CA cert is trusted, valid until Aug 12 15:51:34 2027, 'scep/myca-1.pem'
       RA cert "C=CH, O=strongSwan Project, CN=SCEP RA"
         ...
       RA cert is trusted, valid until Aug 10 15:51:34 2023, 'scep/myca-ra.pem'

       When --caout is omitted and --outform is pem, a CA certificate bundle
       in PEM format is written to stdout:

       pki --scepca --url http://pki.strongswan.org:8080/scep --raout myra.crt --outform pem > cacerts.pem


SEE ALSO

       pki(1)



5.9.9                             2022-08-22                   PKI --SCEPCA(1)