scepclient man page on SuSE


IPSEC_SCEPCLIENT(8)					   IPSEC_SCEPCLIENT(8)

NAME
       ipsec scepclient - Client for the SCEP protocol

SYNOPSIS
       ipsec scepclient [argument ...]

       ipsec scepclient --help
       ipsec scepclient --version

DESCRIPTION
       scepclient is a client implementation of Cisco Systems' Simple
       Certificate Enrollment Protocol (SCEP) written for Linux strongSwan
       <http://www.strongswan.org>. scepclient is designed to be used for
       certificate enrollment on machines using the open source IPsec
       solution strongSwan.

FEATURES
       scepclient implements the following features of SCEP:

       -   Automatic enrollment of a client certificate using a preshared
           secret

       -   Manual enrollment of a client certificate. An offline fingerprint
           check of the CA certificate is required!

       -   Acquisition of CA certificate(s)

OPTIONS
   Basic Startup Options
       -v, --version
	   Display the version of ipsec scepclient.

       -h, --help
	   Display usage of ipsec scepclient.

   General Options
       -u, --url url
           Full HTTP URL of the SCEP server to be used for certificate
           enrollment and CA certificate acquisition.

       -+, --optionsfrom filename
	   Reads additional options from filename.

       -f, --force
	   Overwrite existing output file[s].

       -q, --quiet
	   Do not write log output to stderr.

   Options for CA Certificate Acquisition
       -o, --out cacert[=filename]
           Output file of the acquired CA certificate. If more than one CA
           certificate is available, filename is used as a prefix for the
           resulting files.
           The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.

   Options For Certificate Enrollment
       -i, --in type[=filename]
           Input file for certificate enrollment. This option can be specified
           multiple times to specify input files for every type. Input files
           can be either DER or PEM encoded.

           Supported values for type:

           pkcs1       RSA private key in PKCS#1 file format. If no input of
                       this type is specified, an RSA key gets generated.
                       The default filename is $CONFDIR/ipsec.d/private/myKey.der.

           cacert-enc  CA certificate to encrypt the SCEP request. Has to be
                       specified for certificate enrollment.
                       The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.

           cacert-sig  CA certificate to check the signature of the SCEP reply.
                       Has to be specified for certificate enrollment.
                       The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.

       -k, --keylength bits
           Sets the key length for RSA key generation. The default length for
           a generated RSA key is 2048 bits.

       -D, --days days
           Validity of the self-signed X.509 certificate in days. The default
           is 1825 days (5 years).

       -S, --startdate YYMMDDHHMMSSZ
           Defines the notBefore date when the X.509 certificate becomes
           valid. The date has the format YYMMDDHHMMSS and must be specified
           in UTC (Zulu time). If the --startdate option is not specified,
           the current date is taken as the default.

       -E, --enddate YYMMDDHHMMSSZ
           Defines the notAfter date when the X.509 certificate will expire.
           The date has the format YYMMDDHHMMSS and must be specified in UTC
           (Zulu time). If the --enddate option is not specified, the default
           notAfter value is computed by adding the validity interval
           specified by the --days option to the notBefore date.

       -d, --dn dn
           Distinguished name as a comma separated list of relative
           distinguished names. Use quotation marks for a distinguished name
           containing spaces. If the --dn parameter is missing, the default
           "C=CH, O=Linux strongSwan, CN=hostname" is used, with hostname
           being the return value of the gethostname() function.

       -s, --subjectAltName type=value
           Include a subjectAltName in the certificate request. This option
           can be specified multiple times to specify a subjectAltName for
           every type.

           Supported values for type:

           email       subjectAltName is an email address.

           dns         subjectAltName is a hostname.

           ip          subjectAltName is an IP address.

       -p, --password pw
           Password to be included as a challenge password in the SCEP
           request. If pw is '%prompt', the password is prompted for on the
           command line.

                  - In automatic mode, this password corresponds to the
                  preshared secret for the given enrollment.

                  - In manual mode, this password can be used to later revoke
                  the corresponding certificate.

       -a, --algorithm algo
           Change the symmetric algorithm used for encryption of the
           certificate request. The default is 3des-cbc.

	   Supported values for algo:

	   des	       DES-CBC encryption (key size = 56 bit).

	   3des	       Triple DES-EDE-CBC encryption (key size = 168 bit).

	   aes128      AES-CBC encryption (key size = 128 bit).

	   aes192      AES-CBC encryption (key size = 192 bit).

	   aes256      AES-CBC encryption (key size = 256 bit).

	   camellia128 Camellia-CBC encryption (key size = 128 bit).

           camellia192 Camellia-CBC encryption (key size = 192 bit).

	   camellia256 Camellia-CBC encryption (key size = 256 bit).

       -o, --out type[=filename]
           Output file for certificate enrollment. This option can be
           specified multiple times to specify output files for every type.

           Supported values for type:

           pkcs1       RSA private key in PKCS#1 file format. If specified,
                       the RSA key used for enrollment is stored in file
                       filename. If none of the types listed below are
                       specified, scepclient will stop after outputting this
                       file.
                       The default filename is $CONFDIR/ipsec.d/private/myKey.der.

           pkcs10      PKCS#10 certificate request. If specified, the PKCS#10
                       request used for certificate enrollment is stored in
                       file filename. If none of the types listed below are
                       specified, scepclient will stop after outputting this
                       file.
                       The default filename is $CONFDIR/ipsec.d/req/myReq.der.

           pkcs7       PKCS#7 SCEP request as it is sent using HTTP to the
                       SCEP server. If specified, this SCEP request is stored
                       in file filename. If none of the types listed below are
                       specified, scepclient will stop after outputting this
                       file.
                       The default filename is $CONFDIR/ipsec.d/req/pkcs7.der.

           cert-self   Self-signed certificate. If specified, the self-signed
                       certificate is stored in file filename.
                       The default filename is $CONFDIR/ipsec.d/certs/selfCert.der.

           cert        Enrolled certificate. This type must be specified for
                       certificate enrollment. The enrolled certificate is
                       stored in file filename.
                       The default filename is $CONFDIR/ipsec.d/certs/myCert.der.

       -m, --method method
           Change the HTTP request method for certificate enrollment. The
           default is get.

           Supported values for method:

           post        Certificate enrollment using HTTP POST. Must be
                       supported by the given SCEP server.

           get         Certificate enrollment using HTTP GET.

	   get	       Certificate enrollment using HTTP GET.

       -t, --interval seconds
           Set the interval in seconds between polls in manual mode. The
           default interval is 5 seconds.

       -x, --maxpolltime seconds
           Set the maximum time in seconds to poll in manual mode. The default
           is unlimited.

   Debugging Output Options
       -A, --debug-all
           Log everything except private data.

       -P, --debug-parsing
           Log parsing-related information.

       -R, --debug-raw
           Log raw hex dumps.

       -C, --debug-control
           Log information about control flow.

       -M, --debug-controlmore
           Log more detailed information about control flow.

       -X, --debug-private
           Log sensitive data (e.g. private keys).

EXAMPLES
       ipsec scepclient --out caCert --url http://scepserver/cgi-bin/pkiclient.exe -f
           Acquire the CA certificate from the SCEP server and store it in the
           default file $CONFDIR/ipsec.d/cacerts/caCert.der. If more than one
           CA certificate is returned, store them in files named
           'caCert.der-1', 'caCert.der-2', etc. Existing files are
           overwritten.

       ipsec scepclient --out pkcs1=joeKey.der -k 1024
           Generate an RSA private key with a key length of 1024 bits and
           store it in file joeKey.der.

       ipsec scepclient --in pkcs1=joeKey.der --out pkcs10=joeReq.der \
       --dn "C=AT, CN=John Doe" -s email=john@doe.com -p mypassword
           Generate a PKCS#10 request and store it in file joeReq.der. Use the
           RSA private key joeKey.der created earlier to sign the PKCS#10
           request. In addition to the distinguished name, include an email
           subjectAltName and a challenge password in the request.

       ipsec scepclient --out pkcs1=joeKey.der --out cert=joeCert.der \
       --dn "C=CH, CN=John Doe" -k 512 -p 5xH2pnT7wq \
       --url http://scep.hsr.ch/cgi-bin/pkiclient.exe \
       --in cacert-enc=caCert.der --in cacert-sig=caCert.der
           Generate a new RSA key for the request and store it in joeKey.der.
           Then enroll a certificate and store it as joeCert.der. The
           challenge password is '5xH2pnT7wq'. The encryption and the
           signature check have to be made with the same CA certificate
           caCert.der.
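       The manual enrollment workflow shown in the examples above, as an added
       POSIX shell script that is not part of the man page or of strongSwan: it
       fetches the CA certificate, refuses to continue unless that certificate's
       fingerprint matches a value obtained out of band (the offline check the
       FEATURES section requires), and only then enrolls using the verified
       certificate for both cacert-enc and cacert-sig. The server URL, the
       expected fingerprint, its digest algorithm and the file names are
       placeholders.

```shell
#!/bin/sh
# Manual SCEP enrollment with an offline CA fingerprint check.
# Added example, not part of the man page or of strongSwan. Assumptions:
# strongSwan's "ipsec scepclient" is installed, and the CA's fingerprint
# was obtained out of band (phone, printed sheet) and pasted into EXPECTED_FP.
set -eu

SCEP_URL="http://scepserver.example/cgi-bin/pkiclient.exe"   # placeholder
EXPECTED_FP="PLACEHOLDER-paste-out-of-band-fingerprint-here"  # placeholder
FP_ALGO="sha256"   # must match the digest the CA operator published (md5, sha1, sha256)

# Lowercase hex digest of a DER file: fingerprint_der FILE ALGO
fingerprint_der() {
    "${2}sum" "$1" | awk '{print tolower($1)}'
}

# Compare a file's fingerprint with the expected value, accepting "AB:CD:.."
# or plain hex in either case: check_fingerprint FILE EXPECTED ALGO
check_fingerprint() {
    actual=$(fingerprint_der "$1" "$3")
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ "$actual" = "$want" ]
}

main() {
    # 1. Fetch the CA certificate, overwriting any previous copy.
    ipsec scepclient --out cacert=caCert.der --url "$SCEP_URL" -f

    # 2. Stop unless the fetched CA matches the out-of-band fingerprint;
    #    otherwise an attacker-supplied CA would both encrypt the request
    #    and "verify" the reply.
    if ! check_fingerprint caCert.der "$EXPECTED_FP" "$FP_ALGO"; then
        echo "CA fingerprint mismatch: $(fingerprint_der caCert.der "$FP_ALGO")" >&2
        exit 1
    fi

    # 3. Generate a 2048-bit key (the man page's default) and enroll, using the
    #    verified CA for both request encryption and reply signature check.
    #    Poll every 10 s for at most 10 minutes while the request is pending.
    ipsec scepclient --out pkcs1=joeKey.der --out cert=joeCert.der \
        --dn "C=CH, CN=John Doe" -k 2048 -p %prompt \
        --url "$SCEP_URL" \
        --in cacert-enc=caCert.der --in cacert-sig=caCert.der \
        -t 10 -x 600
}

# Run the workflow only when explicitly requested: SCEP_RUN=1 ./enroll.sh
if [ "${SCEP_RUN:-0}" = 1 ]; then main; fi
```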

BUGS
       --optionsfrom seems to have parsing problems reading option files
       containing strings in quotation marks.

COPYRIGHT
       Copyright (C) 2005 Jan Hutter, Martin Willi
       Hochschule fuer Technik Rapperswil

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
       Public License for more details.

Jan Hutter, Martin Willi       29 September 2005	   IPSEC_SCEPCLIENT(8)