PKI --ESTCA(1)                    strongSwan                    PKI --ESTCA(1)


NAME

       pki --estca - Get CA certificate[s] from an EST server


SYNOPSIS

       pki --estca --url url [--label label] --cacert file [--caout file]
                   [--outform encoding] [--force] [--debug level]

       pki --estca --options file

       pki --estca -h | --help


DESCRIPTION

       This sub-command of pki(1) fetches CA certificates over HTTPS from an
       EST server using the /cacerts operation of the Enrollment over Secure
       Transport protocol (RFC 7030).


OPTIONS

       -h, --help
              Print usage information with a summary of the available options.

       -v, --debug level
              Set debug level, default: 1.

       -+, --options file
              Read command line options from file.

       -u, --url url
              URL of the EST server.

       -l, --label label
              Optional label inserted into the EST server path (the additional
              path segment RFC 7030 allows for servers that serve several CAs).

       -C, --cacert file
              CA certificate in the trust chain used to verify the EST server's
              TLS certificate.  Can be used multiple times.

       -c, --caout file
              If present, path where the fetched root CA certificate is stored.
              If several CA certificates are downloaded, the value of --caout
              is used as a template to derive unique filenames (*-1, *-2, etc.)
              for the intermediate or sub CA certificates.  If a file suffix is
              missing, then depending on the value of --outform either .der
              (the default) or .pem is automatically appended.  If the --caout
              option is missing and --outform is set to pem, a PEM-encoded CA
              certificate bundle is written to stdout.

       -f, --outform encoding
              Encoding of the created certificate file. Either der (ASN.1 DER)
              or pem (Base64 PEM), defaults to der.

       -F, --force
              Force overwrite of existing files.


EXAMPLES

       To save some typing work the following command line options are stored
       in an est.opt file:

       --url https://pki.strongswan.org:8443
       --cacert tlsca.crt
       --cacert tlsca-1.crt

       NOTE: For a successful HTTPS connection, trust must be established in
       the EST server certificate.  The TLS trust chain including the root CA
       certificate and optionally intermediate CA certificates must be given
       using multiple --cacert options.

       An EST server sends a root CA and an intermediate CA certificate:

       pki --estca --options est.opt --caout myca.crt

       negotiated TLS 1.3 using suite TLS_AES_256_GCM_SHA384
       received TLS server certificate 'C=CH, O=strongSwan Project, CN=pki.strongswan.org'
         using certificate "C=CH, O=strongSwan Project, CN=pki.strongswan.org"
         using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         reached self-signed root ca with a path length of 1
       Root CA cert "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         serial: 65:31:00:ca:79:da:16:6b:aa:ac:89:e2:a8:f9:49:c3:10:ab:64:54
         SHA256: 96:70:50:51:cd:b9:e7:94:6b:04:f6:15:45:80:fc:90:85:01:71:2a:f6:4f:d1:1b:2d:a1:7e:eb:bf:dd:be:86
         SHA1  : 8e:f3:78:b0:34:a6:c1:6a:7b:c6:f5:91:eb:e5:46:9b:0d:0a:a7:ba (jvN4sDSmwWp7xvWR6+VGmw0Kp7o)
       Root CA equals trusted TLS Root CA
       Root CA cert is trusted, valid until Aug 12 15:51:34 2032, 'myca.crt'
       Sub CA cert "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         serial: 74:f9:7e:72:7d:b8:fd:f2:c6:e5:1b:fa:37:f9:cb:87:bf:9c:ea:e2
         SHA256: a3:5b:4b:12:d5:8f:68:7b:05:11:08:27:f5:42:62:b8:b5:01:1b:19:37:9c:28:78:5d:37:08:69:6a:8c:07:bf
         SHA1  : 8c:e6:67:67:c2:23:89:7b:d0:bc:b1:50:d2:1c:bc:8d:8d:69:15:11 (jOZnZ8IjiXvQvLFQ0hy8jY1pFRE)
         using certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
         reached self-signed root ca with a path length of 0
       Sub CA cert is trusted, valid until Aug 12 15:51:34 2027, 'myca-1.crt'

       NOTE: The trustworthiness of the fetched root CA certificate is verified
       automatically only if the root CA of the TLS trust chain is the same as
       that of the issuing CA (the output then reports "Root CA equals trusted
       TLS Root CA").  Otherwise trust has to be established manually by
       comparing the SHA256 (preferably) or SHA1 fingerprint of the
       DER-encoded certificate against a value obtained out of band, e.g. one
       listed on the official PKI website, before the certificate is used.

103
       The stored certificate files in DER format can be overwritten by PEM-
       encoded versions with:

       pki --estca --options est.opt --caout myca.crt --outform pem --force

       A CA certificate bundle in PEM format is written to stdout:

       pki --estca --options est.opt --outform pem > cacerts.pem


SEE ALSO

       pki(1)



5.9.11                            2022-08-22                    PKI --ESTCA(1)