PKI --SCEP(1)                     strongSwan                     PKI --SCEP(1)



NAME

       pki --scep - Enroll an X.509 certificate with a SCEP server


SYNOPSIS

       pki --scep --url url [--in file] --dn distinguished-name
                  [--san subjectAltName] [--profile profile]
                  [--password password] --cacert-enc file --cacert-sig file
                  [--cacert file] [--cert file --key file] [--cipher cipher]
                  [--digest digest] [--rsa-padding padding] [--interval time]
                  [--maxpolltime time] [--outform encoding] [--debug level]

       pki --scep --options file

       pki --scep -h | --help


DESCRIPTION

       This sub-command of pki(1) sends a PKCS#10 certificate request in an
       encrypted and signed PKCS#7 container via HTTP to a SCEP server using
       the Simple Certificate Enrollment Protocol (RFC 8894). After successful
       authorization, which in the case of manual authentication requires
       periodic polling by the enrollment client, the SCEP server returns an
       X.509 certificate signed by the CA.

       Before the expiry of the current certificate, a new client certificate
       based on a fresh RSA private key can be requested, using the old
       certificate and the old key for automatic authentication with the SCEP
       server.


OPTIONS

       -h, --help
              Print usage information with a summary of the available options.

       -v, --debug level
              Set the debug level, default: 1.

       -+, --options file
              Read command line options from file.

       -u, --url url
              URL of the SCEP server.

       -i, --in file
              RSA private key. If not given, the key is read from STDIN.

       -d, --dn distinguished-name
              Subject distinguished name (DN). Required.

       -a, --san subjectAltName
              subjectAltName extension to include in the request. Can be used
              multiple times.

       -P, --profile profile
              Certificate profile name to be included in the certificate
              request. Can be any UTF8 string. Supported e.g. by the openxpki
              SCEP server with profiles (pc-client, tls-server, etc.) that are
              translated into corresponding Extended Key Usage (EKU) flags in
              the generated X.509 certificate.

       -p, --password password
              The challengePassword to include in the certificate request.

       -e, --cacert-enc file
              CA or RA certificate for encryption.

       -s, --cacert-sig file
              CA certificate for signature verification.

       -C, --cacert file
              Additional CA certificate in the trust chain used for signature
              verification. Can be used multiple times.

       -c, --cert file
              Client certificate to be renewed.

       -k, --key file
              Client RSA private key to be replaced.

       -E, --cipher cipher
              Cipher used for symmetric encryption. Either aes (the default)
              or des3.

       -g, --digest digest
              Digest to use for signature creation. One of sha256 (the
              default), sha384, sha512, or sha1.

       -R, --rsa-padding padding
              Padding to use for RSA signatures. Either pkcs1 (the default) or
              pss.

       -t, --interval time
              Poll interval in seconds, defaults to 60s.

       -m, --maxpolltime time
              Maximum poll time in seconds, defaults to 0 which means
              unlimited polling.

       -f, --outform encoding
              Encoding of the created certificate file. Either der (ASN.1 DER)
              or pem (Base64 PEM), defaults to der.

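       The pending/polling behaviour described above, and the way --interval
       and --maxpolltime bound it, can be seen in the following simulation.
       It is an added example and not strongSwan code: the SCEP server is a
       stand-in callable, no HTTP request is sent and no PKCS#7 container is
       built. The messageType, pkiStatus and failInfo numbers are taken from
       RFC 8894; the exact cut-off rule for the maximum poll time and the
       transaction ID strings are assumptions of the example.

```python
"""Simulated SCEP enrollment poll loop (RFC 8894) with the interval and
maxpolltime semantics of pki --scep. Added example, not strongSwan code:
the "transport" is a stand-in callable, so no HTTP request is sent and no
PKCS#7 container is built."""
import time
from dataclasses import dataclass
from typing import Callable, Optional

# messageType, pkiStatus and failInfo values from RFC 8894, section 3.2.1
CERTREP, RENEWALREQ, PKCSREQ, CERTPOLL = 3, 17, 19, 20   # CertPoll was GetCertInitial in old drafts
SUCCESS, FAILURE, PENDING = 0, 2, 3
FAILINFO = {0: "badAlg", 1: "badMessageCheck", 2: "badRequest", 3: "badTime", 4: "badCertId"}


@dataclass
class CertRep:
    """The CA's reply (messageType CertRep); which fields are set follows pkiStatus."""
    pki_status: int
    transaction_id: str
    cert_pem: Optional[str] = None      # set on SUCCESS
    fail_info: Optional[int] = None     # set on FAILURE


@dataclass
class EnrollResult:
    status: str                 # "issued", "failed" or "timeout"
    polls: int                  # CertPoll messages sent after the initial request
    elapsed: float              # seconds spent waiting for a decision
    cert_pem: Optional[str] = None
    reason: Optional[str] = None


def enroll(transport: Callable[[int, str], CertRep], transaction_id: str,
           interval: float = 60, maxpolltime: float = 0, *, renewal: bool = False,
           clock=time.monotonic, sleep=time.sleep) -> EnrollResult:
    """Send PKCSReq (or RenewalReq when renewing with the old cert and key) and
    poll with CertPoll while the CA answers PENDING, i.e. while an operator has
    not yet approved the request. maxpolltime == 0 polls indefinitely, as the
    --maxpolltime default does; a bounded value turns a stalled approval into a
    clean "timeout" result instead of a hung job. The cut-off timing below is
    an assumption of this example, not pki's code."""
    start = clock()
    polls = 0
    rep = transport(RENEWALREQ if renewal else PKCSREQ, transaction_id)
    while True:
        elapsed = clock() - start
        # Every reply must echo our transactionID; a mismatch means the reply
        # belongs to some other request and must not be accepted.
        if rep.transaction_id != transaction_id:
            return EnrollResult("failed", polls, elapsed, reason="transactionID mismatch")
        if rep.pki_status == SUCCESS:
            return EnrollResult("issued", polls, elapsed, cert_pem=rep.cert_pem)
        if rep.pki_status == FAILURE:
            return EnrollResult("failed", polls, elapsed,
                                reason=FAILINFO.get(rep.fail_info, "unknown failInfo"))
        if rep.pki_status != PENDING:
            return EnrollResult("failed", polls, elapsed,
                                reason=f"unexpected pkiStatus {rep.pki_status}")
        if maxpolltime and elapsed >= maxpolltime:
            return EnrollResult("timeout", polls, elapsed,
                                reason=f"still pending after {maxpolltime:g}s")
        sleep(interval)                              # "going to sleep for 60 seconds"
        polls += 1
        rep = transport(CERTPOLL, transaction_id)    # same transactionID on every poll


class ManualApprovalCA:
    """Constructed stand-in for a SCEP server with manual authorization: it
    answers PENDING to the first `pending_rounds` messages, then SUCCESS."""
    def __init__(self, pending_rounds: int):
        self.pending_rounds = pending_rounds
        self.seen: list[tuple[int, str]] = []

    def __call__(self, msg_type: int, transaction_id: str) -> CertRep:
        self.seen.append((msg_type, transaction_id))
        if len(self.seen) <= self.pending_rounds:
            return CertRep(PENDING, transaction_id)
        return CertRep(SUCCESS, transaction_id,
                       cert_pem="-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----")


class RejectingCA:
    """Constructed stand-in that rejects every request, e.g. because the
    challengePassword did not verify (failInfo badMessageCheck)."""
    def __call__(self, msg_type: int, transaction_id: str) -> CertRep:
        return CertRep(FAILURE, transaction_id, fail_info=1)


class FakeClock:
    """Virtual time so the loop can be exercised without really sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    print(enroll(ManualApprovalCA(pending_rounds=2), "TID-CONSTRUCTED-1", 60, 0,
                 clock=clock, sleep=clock.sleep))
    clock = FakeClock()
    print(enroll(ManualApprovalCA(pending_rounds=10), "TID-CONSTRUCTED-2", 60, 300,
                 clock=clock, sleep=clock.sleep))
    print(enroll(RejectingCA(), "TID-CONSTRUCTED-3", clock=FakeClock(), sleep=lambda s: None))
```

       With two pending rounds and the 60 second default interval the request
       is issued after two polls and 120 virtual seconds; with a request that
       stays pending and --maxpolltime 300 the loop stops after five polls
       instead of waiting forever, which is the setting an unattended job
       should use.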

EXAMPLES

       To save some typing, the following command line options are stored in
       a scep.opt file:

       --url http://pki.strongswan.org:8080/scep
       --cacert-enc myra.crt
       --cacert-sig myca-1.crt
       --cacert myca.crt

       With the following command, an X.509 certificate signed by the
       intermediate CA is requested from a SCEP server:

       pki --options scep.opt --in moonKey.der --san "moon.strongswan.org" \
           --dn "C=CH, O=strongSec GmbH, CN=moon.strongswan.org" > moonCert.der

       transaction ID: 4DFCF31CB18A9B5333CCEC6F99CF230E4524E334
         using certificate "C=CH, O=strongSwan Project, CN=SCEP RA"
         using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         reached self-signed root ca with a path length of 1
         SCEP request pending, polling indefinitely every 60 seconds
         going to sleep for 60 seconds
       transaction ID: 4DFCF31CB18A9B5333CCEC6F99CF230E4524E334
         ...
         going to sleep for 60 seconds
       Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
         serial: 1e:ff:22:7b:6e:d7:4c:c1:8a:06
         using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
         using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         reached self-signed root ca with a path length of 1
       Issued certificate is trusted, valid from Aug 22 18:56:23 2022 until Aug 22 18:56:23 2023 (currently valid)

       A certificate about to expire can be renewed with the command:

       pki --options scep.opt --in moonNewKey.der --san "moon.strongswan.org" \
           --dn "C=CH, O=strongSec GmbH, CN=moon.strongswan.org" \
           --cert moonCert.der --key moonKey.der > moonNewCert.der

       transaction ID: A9A63D028CC439F68452D125C4DBA025E67DBA95
         using certificate "C=CH, O=strongSwan Project, CN=SCEP RA"
         using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         reached self-signed root ca with a path length of 1
       Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
         serial: 1f:ff:b2:78:43:a2:9d:85:00:38
         using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
         using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         reached self-signed root ca with a path length of 1
       Issued certificate is trusted, valid from Jul 20 15:05:33 2023 until Jul 20 15:05:33 2024 (currently valid)

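       The renewal step lends itself to an unattended job. The following
       script is an added example and not part of strongSwan; it assumes the
       scep.opt file and file names from the examples above and that pki(1),
       openssl(1) and GNU date(1) are on the PATH. It renews only when fewer
       than RENEW_DAYS days of validity remain, bounds the wait for manual
       approval with --maxpolltime so the job cannot hang on a request left
       pending, and replaces the live key and certificate only after the
       issued certificate has been checked against the new key.

```sh
#!/bin/sh
# Unattended renewal wrapper around "pki --scep" (added example, not strongSwan code).
# Assumes: scep.opt as in EXAMPLES; pki(1), openssl(1) and GNU date(1) in PATH.
set -eu

RENEW_DAYS=30   # renew when fewer than this many days remain (constructed policy value)
MAX_POLL=3600   # seconds to wait for manual approval before giving up (--maxpolltime)

# needs_renewal NOT_AFTER_EPOCH NOW_EPOCH DAYS
# Returns 0 (true) when the certificate expires within DAYS of NOW_EPOCH.
# Pure arithmetic, so it can be exercised without any certificate files.
needs_renewal() {
    [ $(( $1 - $2 )) -lt $(( $3 * 86400 )) ]
}

# cert_not_after CERT.der -> notAfter of the certificate as a Unix epoch
cert_not_after() {
    end=$(openssl x509 -inform der -in "$1" -noout -enddate | sed 's/^notAfter=//')
    date -u -d "$end" +%s
}

# cert_matches_key CERT.der KEY.der -> true when the certificate carries
# the public part of KEY (guards against writing a certificate for the wrong key)
cert_matches_key() {
    [ "$(openssl x509 -inform der -in "$1" -noout -pubkey)" = \
      "$(openssl rsa -inform der -in "$2" -pubout 2>/dev/null)" ]
}

# renew_cert OLDCERT OLDKEY NEWKEY NEWCERT SAN DN
# Generates a fresh RSA key and authenticates the renewal with the old
# certificate and key, as the man page describes. The output goes to
# temporary files that are moved into place only after pki succeeded and
# the certificate matches the new key, so a failed or timed-out request
# never clobbers the key and certificate still in use.
renew_cert() {
    oldcert=$1; oldkey=$2; newkey=$3; newcert=$4; san=$5; dn=$6
    umask 077
    pki --gen --type rsa --size 3072 --outform der > "$newkey.tmp"
    pki --options scep.opt --in "$newkey.tmp" --san "$san" --dn "$dn" \
        --cert "$oldcert" --key "$oldkey" \
        --interval 60 --maxpolltime "$MAX_POLL" > "$newcert.tmp"
    cert_matches_key "$newcert.tmp" "$newkey.tmp"
    mv "$newkey.tmp" "$newkey"
    mv "$newcert.tmp" "$newcert"
    echo "renewed: $newcert"
}

# renew_if_needed OLDCERT OLDKEY NEWKEY NEWCERT SAN DN
renew_if_needed() {
    if needs_renewal "$(cert_not_after "$1")" "$(date -u +%s)" "$RENEW_DAYS"; then
        renew_cert "$@"
    else
        echo "$1 is valid for more than $RENEW_DAYS days, nothing to do"
    fi
}

# With six arguments the check runs; with none only the functions are defined.
if [ $# -eq 6 ]; then
    renew_if_needed "$@"
fi
```

       Run from cron as, for instance,
       ./scep-renew.sh moonCert.der moonKey.der moonNewKey.der moonNewCert.der
       "moon.strongswan.org" "C=CH, O=strongSec GmbH, CN=moon.strongswan.org".
       Because set -e is in effect, a non-zero exit from pki (request failed
       or the poll limit was reached) aborts the script before the mv steps,
       leaving the current certificate untouched.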

SEE ALSO

       pki(1)



5.9.9                             2022-08-22                     PKI --SCEP(1)