1PKI --SCEPCA(1)                   strongSwan                   PKI --SCEPCA(1)
2
3
4

NAME

6       pki --scepca - Get CA [and RA] certificate[s] from a SCEP server
7

SYNOPSIS

9       pki --scepca --url url [--caout file] [--raout file]
10                    [--outform encoding] [--force] [--debug level]
11
12       pki --scepca --options file
13
14       pki --scepca -h | --help
15

DESCRIPTION

17       This sub-command of pki(1) gets CA and RA certificates via http from  a
18       SCEP  server  using the GetCACert command of the Simple Certificate En‐
19       rollment Protocol (RFC 8894).
20

OPTIONS

22       -h, --help
23              Print usage information with a summary of the available options.
24
25       -v, --debug level
26              Set debug level, default: 1.
27
28       -+, --options file
29              Read command line options from file.
30
31       -u, --url url
32              URL of the SCEP server.
33
34       -c, --caout file
35              If present, path where the fetched root CA certificate  file  is
36              stored  to.  If several CA certificates are downloaded, then the
37              value of --caout is used as a template to  derive  unique  file‐
38              names  (*-1,  *-2, etc.) for the intermediate or sub CA certifi‐
39              cates.  If a file suffix is missing, then depending on the value
40              of  --outform either .der (the default) or .pem is automatically
41              appended.  If the --caout option is missing and --outform is set
42              to  pem  then  a PEM-encoded CA certificate bundle is written to
43              stdout.
44
45       -r, --raout file
46              If present, path where the fetched RA certificate file is stored
47              to.   If  multiple RA certificates are available, then the value
48              of --raout is used as a  template  to  derive  unique  filenames
49              (*-2, etc.). If the --raout option is missing, then the value of
50              --caout is used as a template to derive unique filenames  (*-ra,
51              *-ra-2, etc.) for the RA certificates. If a file suffix is miss‐
52              ing, then depending on the value of --outform either  .der  (the
53              default) or .pem is automatically appended.
54
55       -f, --outform encoding
56              Encoding of the created certificate file. Either der (ASN.1 DER)
57              or pem (Base64 PEM), defaults to der.
58
59       -F, --force
60              Force overwrite of existing files.
61

EXAMPLES

63       A SCEP server sends a root CA and an  intermediate  CA  certificate  as
64       well as an RA certificate:
65
66       pki --scepca --url http://pki.strongswan.org:8080/scep --caout myca.crt --raout myra.crt
67
68       Root CA cert "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
69         serial: 65:31:00:ca:79:da:16:6b:aa:ac:89:e2:a8:f9:49:c3:10:ab:64:54
70         SHA256: 96:70:50:51:cd:b9:e7:94:6b:04:f6:15:45:80:fc:90:85:01:71:2a:f6:4f:d1:1b:2d:a1:7e:eb:bf:dd:be:86
71         SHA1  : 8e:f3:78:b0:34:a6:c1:6a:7b:c6:f5:91:eb:e5:46:9b:0d:0a:a7:ba (jvN4sDSmwWp7xvWR6+VGmw0Kp7o)
72       Root CA cert is untrusted, valid until Aug 12 15:51:34 2032, 'myca.crt'
73       Sub CA cert "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
74         serial: 74:f9:7e:72:7d:b8:fd:f2:c6:e5:1b:fa:37:f9:cb:87:bf:9c:ea:e2
75         SHA256: a3:5b:4b:12:d5:8f:68:7b:05:11:08:27:f5:42:62:b8:b5:01:1b:19:37:9c:28:78:5d:37:08:69:6a:8c:07:bf
76         SHA1  : 8c:e6:67:67:c2:23:89:7b:d0:bc:b1:50:d2:1c:bc:8d:8d:69:15:11 (jOZnZ8IjiXvQvLFQ0hy8jY1pFRE)
77         using certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
78         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
79         reached self-signed root ca with a path length of 0
80       Sub CA cert is trusted, valid until Aug 12 15:51:34 2027, 'myca-1.crt'
81       RA cert "C=CH, O=strongSwan Project, CN=SCEP RA"
82         serial: 74:f9:7e:72:7d:b8:fd:f2:c6:e5:1b:fa:37:f9:cb:87:bf:9c:ea:e3
83         SHA256: 57:22:f3:13:69:2f:24:82:12:59:8e:05:63:0b:f5:a8:fb:4e:78:87:8d:68:d1:4c:c1:c4:b5:85:db:bb:64:df
84         SHA1  : bc:d1:46:76:55:7f:8c:d1:c5:22:31:b9:d7:b1:49:b5:95:a4:f3:ea (vNFGdlV/jNHFIjG517FJtZWk8+o)
85         using certificate "C=CH, O=strongSwan Project, CN=SCEP RA"
86         using untrusted intermediate certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
87         using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
88         reached self-signed root ca with a path length of 1
89       RA cert is trusted, valid until Aug 10 15:51:34 2023, 'myra.crt'
90
91       The  trusthworthiness  of the root CA certificate has to be established
92       manually by verifying the SHA256 or SHA1 fingerprint of the DER-encoded
93       certificate  that is e.g. listed on the official PKI website or by some
94       other means.
95
96       The stored certificate files in DER format can be overwritten  by  PEM-
97       encoded versions with:
98
99       pki --scepca --url http://pki.strongswan.org:8080/scep --caout myca.crt --raout myra.crt \
100                    --outform pem --force
101
102       If  the --raout option is omitted and the --caout template doesn't have
103       a file suffix, then with --outform pem the following filenames are  de‐
104       rived:
105
106       pki --scepca --url http://pki.strongswan.org:8080/scep --caout scep/myca --outform pem
107
108       Root CA cert "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
109         ...
110       Root CA cert is untrusted, valid until Aug 12 15:51:34 2032, written to 'scep/myca.pem'
111       Sub CA cert "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
112         ...
113       Sub CA cert is trusted, valid until Aug 12 15:51:34 2027, 'scep/myca-1.pem'
114       RA cert "C=CH, O=strongSwan Project, CN=SCEP RA"
115         ...
116       RA cert is trusted, valid until Aug 10 15:51:34 2023, 'scep/myca-ra.pem'
117
118       A CA certificate bundle in PEM format is written to stdout:
119
120       pki --scepca --url http://pki.strongswan.org:8080/scep --raout myra.crt --outform pem > cacerts.pem
121

SEE ALSO

123       pki(1)
124
125
126
1275.9.11                            2022-08-22                   PKI --SCEPCA(1)
Impressum