ipsec_scepclient(8)
NAME
ipsec scepclient - Client for the SCEP protocol
SYNOPSIS
ipsec scepclient [argument ...]
ipsec scepclient --help
ipsec scepclient --version
DESCRIPTION
scepclient is a client implementation of Cisco System's Simple Certificate
Enrollment Protocol (SCEP) written for Linux strongSwan
<http://www.strongswan.org>. scepclient is designed to be used for
certificate enrollment on machines using the Open Source IPsec solution
strongSwan.
FEATURES
scepclient implements the following features of SCEP:

   - Automatic enrollment of client certificate using a preshared secret
   - Manual enrollment of client certificate. Offline fingerprint check
     required!
   - Acquisition of CA certificate(s)
OPTIONS
Basic Startup Options

   -v, --version
       Display the version of ipsec scepclient.

   -h, --help
       Display usage of ipsec scepclient.

General Options

   -u, --url url
       Full HTTP URL of the SCEP server to be used for certificate
       enrollment and CA certificate acquisition.

   -+, --optionsfrom filename
       Reads additional options from filename.

   -f, --force
       Overwrite existing output file[s].

   -q, --quiet
       Do not write log output to stderr.

Options for CA Certificate Acquisition

   -o, --out cacert[=filename]
       Output file of the acquired CA certificate. If more than one CA
       certificate is available, filename is used as a prefix for the
       resulting files.
       The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.

Options for Certificate Enrollment

   -i, --in type[=filename]
       Input file for certificate enrollment. This option can be
       specified multiple times to specify input files for every type.
       Input files can be either DER or PEM encoded.
       Supported values for type:

       pkcs1       RSA private key in PKCS#1 file format. If no input of
                   this type is specified, an RSA key gets generated.
                   The default filename is
                   $CONFDIR/ipsec.d/private/myKey.der.

       cacert-enc  CA certificate to encrypt the SCEP request. Has to be
                   specified for certificate enrollment.
                   The default filename is
                   $CONFDIR/ipsec.d/cacerts/caCert.der.

       cacert-sig  CA certificate to check the signature of the SCEP
                   reply. Has to be specified for certificate enrollment.
                   The default filename is
                   $CONFDIR/ipsec.d/cacerts/caCert.der.

   -k, --keylength bits
       Sets the key length for RSA key generation. The default length
       for a generated RSA key is 2048 bit.

   -D, --days days
       Validity of the self-signed X.509 certificate in days. The
       default is 1825 days (5 years).

   -S, --startdate YYMMDDHHMMSSZ
       Defines the notBefore date when the X.509 certificate becomes
       valid. The date has the format YYMMDDHHMMSS and must be specified
       in UTC (Zulu time). If the --startdate option is not specified,
       the current date is taken as the default.

   -E, --enddate YYMMDDHHMMSSZ
       Defines the notAfter date when the X.509 certificate will expire.
       The date has the format YYMMDDHHMMSS and must be specified in UTC
       (Zulu time). If the --enddate option is not specified, the
       default notAfter value is computed by adding the validity
       interval specified by the --days option to the notBefore date.

   -d, --dn dn
       Distinguished name as a comma-separated list of relative
       distinguished names. Use quotation marks for a distinguished name
       containing spaces. If the --dn parameter is missing, the default
       "C=CH, O=Linux strongSwan, CN=hostname" is used, with hostname
       being the return value of the gethostname() function.

   -s, --subjectAltName type=value
       Include a subjectAltName in the certificate request. This option
       can be specified multiple times to specify a subjectAltName for
       every type.
       Supported values for type:

       email       subjectAltName is an email address.
       dns         subjectAltName is a hostname.
       ip          subjectAltName is an IP address.

   -p, --password pw
       Password to be included as a challenge password in the SCEP
       request. If pw is '%prompt', the password is prompted for on the
       command line.
       In automatic mode, this password corresponds to the preshared
       secret for the given enrollment.
       In manual mode, this password can be used to later revoke the
       corresponding certificate.

   -a, --algorithm algo
       Change the symmetric algorithm used for encryption of the
       certificate request. The default is 3des-cbc.
       Supported values for algo:

       des-cbc     DES CBC encryption (key size = 56 bit).
       3des-cbc    Triple DES CBC encryption (key size = 168 bit).

   -o, --out type[=filename]
       Output file for certificate enrollment. This option can be
       specified multiple times to specify output files for every type.
       Supported values for type:

       pkcs1       RSA private key in PKCS#1 file format. If specified,
                   the RSA key used for enrollment is stored in file
                   filename. If none of the types listed below are
                   specified, scepclient will stop after outputting this
                   file.
                   The default filename is
                   $CONFDIR/ipsec.d/private/myKey.der.

       pkcs10      PKCS#10 certificate request. If specified, the PKCS#10
                   request used for certificate enrollment is stored in
                   file filename. If none of the types listed below are
                   specified, scepclient will stop after outputting this
                   file.
                   The default filename is
                   $CONFDIR/ipsec.d/req/myReq.der.

       pkcs7       PKCS#7 SCEP request as it is sent using HTTP to the
                   SCEP server. If specified, this SCEP request is stored
                   in file filename. If none of the types listed below
                   are specified, scepclient will stop after outputting
                   this file.
                   The default filename is
                   $CONFDIR/ipsec.d/req/pkcs7.der.

       cert-self   Self-signed certificate. If specified, the self-signed
                   certificate is stored in file filename.
                   The default filename is
                   $CONFDIR/ipsec.d/certs/selfCert.der.

       cert        Enrolled certificate. This type must be specified for
                   certificate enrollment. The enrolled certificate is
                   stored in file filename.
                   The default filename is
                   $CONFDIR/ipsec.d/certs/myCert.der.

   -m, --method method
       Change the HTTP request method for certificate enrollment. The
       default is get.
       Supported values for method:

       post        Certificate enrollment using HTTP POST. Must be
                   supported by the given SCEP server.
       get         Certificate enrollment using HTTP GET.

   -t, --interval seconds
       Set the interval time in seconds when polling in manual mode. The
       default interval is 5 seconds.

   -x, --maxpolltime seconds
       Set the maximum time in seconds to poll in manual mode. The
       default maximum time is unlimited.

Debugging Output Options

   -A, --debug-all
       Log everything except private data.

   -P, --debug-parsing
       Log parsing-relevant information.

   -R, --debug-raw
       Log raw hex dumps.

   -C, --debug-control
       Log information about control flow.

   -M, --debug-controlmore
       Log more detailed information about control flow.

   -X, --debug-private
       Log sensitive data (e.g. private keys).
EXAMPLES
ipsec scepclient --out caCert --url http://scepserver/cgi-bin/pkiclient.exe -f
    Acquire the CA certificate from the SCEP server and store it in the
    default file $CONFDIR/ipsec.d/cacerts/caCert.der. If more than one
    CA certificate is returned, store them in files named
    'caCert.der-1', 'caCert.der-2', etc. Existing files are overwritten.

ipsec scepclient --out pkcs1=joeKey.der -k 1024
    Generate an RSA private key with a key length of 1024 bit and store
    it in file joeKey.der.

ipsec scepclient --in pkcs1=joeKey.der --out pkcs10=joeReq.der \
    --dn "C=AT, CN=John Doe" -s email=john@doe.com -p mypassword
    Generate a PKCS#10 request and store it in file joeReq.der. Use the
    RSA private key joeKey.der created earlier to sign the PKCS#10
    request. In addition to the distinguished name, include an email
    subjectAltName and a challenge password in the request.

ipsec scepclient --out pkcs1=joeKey.der --out cert=joeCert.der \
    --dn "C=CH, CN=John Doe" -k 512 -p 5xH2pnT7wq \
    --url http://scep.hsr.ch/cgi-bin/pkiclient.exe \
    --in cacert-enc=caCert.der --in cacert-sig=caCert.der
    Generate a new RSA key for the request and store it in joeKey.der.
    Then enroll a certificate and store it as joeCert.der. The challenge
    password is '5xH2pnT7wq'. The encryption and signature check have to
    be made with the same CA certificate caCert.der.
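The FEATURES section notes that manual enrollment requires an offline fingerprint check, and the options above show that the CA certificate fetched with --out cacert is later trusted for both encrypting the request (cacert-enc) and verifying the reply (cacert-sig). The following wrapper script is an added example and is not part of the strongSwan man page: it chains the acquisition and enrollment examples above, but refuses to enroll until the fetched CA certificate's SHA-256 fingerprint matches one the operator obtained out of band. The SCEP URL, subject DN and expected fingerprint are placeholders supplied through environment variables; the use of openssl to compute the fingerprint is an assumption of this example, as is the SHA-256 choice. The challenge password is passed as '%prompt' so it never appears in the process list.

```shell
#!/bin/sh
# Added example wrapper around ipsec scepclient (not from the man page).
# Assumptions: ipsec scepclient and openssl are on PATH; SCEP_URL,
# SUBJECT_DN and EXPECTED_FP are operator-supplied placeholders.

SCEP_URL="${SCEP_URL:-http://scepserver.example/cgi-bin/pkiclient.exe}"  # placeholder
SUBJECT_DN="${SUBJECT_DN:-C=CH, O=Linux strongSwan, CN=gateway.example}"  # placeholder
CONFDIR="${CONFDIR:-/etc}"
CACERT="$CONFDIR/ipsec.d/cacerts/caCert.der"
EXPECTED_FP="${EXPECTED_FP:-}"   # SHA-256 fingerprint obtained out of band (placeholder)

# Normalize a fingerprint for comparison: strip colons and spaces, uppercase hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# Compare an expected and an actual fingerprint after normalization.
# An empty expected value never matches, so a missing EXPECTED_FP fails closed.
fingerprints_match() {
    [ -n "$1" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# SHA-256 fingerprint of a DER-encoded certificate (assumes openssl).
cert_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Step 1 from the EXAMPLES section: fetch the CA certificate, overwriting any old copy.
acquire_ca_cert() {
    ipsec scepclient --url "$SCEP_URL" --out cacert -f
}

# Step 2: generate a key and enroll, using the verified CA certificate for
# both request encryption and reply signature checking.
enroll() {
    ipsec scepclient --url "$SCEP_URL" \
        --in cacert-enc="$CACERT" --in cacert-sig="$CACERT" \
        --out pkcs1 --out cert \
        --dn "$SUBJECT_DN" -p %prompt
}

main() {
    acquire_ca_cert
    actual=$(cert_fingerprint "$CACERT")
    if ! fingerprints_match "$EXPECTED_FP" "$actual"; then
        echo "CA certificate fingerprint mismatch (got $actual); not enrolling" >&2
        exit 1
    fi
    echo "CA certificate fingerprint verified; proceeding with enrollment"
    enroll
}

# Run only when explicitly requested, so the functions can be sourced or tested.
if [ "${SCEP_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as `SCEP_RUN=1 EXPECTED_FP='AB:CD:...' ./scep-enroll.sh` after reading the fingerprint from the CA operator over a channel other than the SCEP server itself. If the server returns more than one CA certificate, the additional files (caCert.der-1, caCert.der-2, ...) need the same check before any of them is passed as cacert-enc or cacert-sig.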
BUGS
--optionsfrom seems to have parsing problems reading option files
containing strings in quotation marks.
COPYRIGHT
Copyright (C) 2005 Jan Hutter, Martin Willi
Hochschule fuer Technik Rapperswil
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.
Jan Hutter, Martin Willi                                29 September 2005