ipsec_scepclient - Client for the SCEP protocol
SYNOPSIS
    ipsec scepclient [argument ...]
    ipsec scepclient --help
    ipsec scepclient --version
DESCRIPTION
    scepclient is a client implementation of Cisco Systems' Simple Certificate Enrollment Protocol (SCEP) written for Linux strongSwan <http://www.strongswan.org>. scepclient is designed to be used for certificate enrollment on machines using the open-source IPsec solution strongSwan.
    scepclient implements the following features of SCEP:
    - Automatic enrollment of a client certificate using a preshared secret
    - Manual enrollment of a client certificate. Offline fingerprint check required!
    - Acquisition of CA certificate(s)
OPTIONS
  Basic Startup Options
    -v, --version
        Display the version of ipsec scepclient.
    -h, --help
        Display usage of ipsec scepclient.

  General Options
    -u, --url url
        Full HTTP URL of the SCEP server to be used for certificate enrollment and CA certificate acquisition.
    -+, --optionsfrom filename
        Reads additional options from filename.
    -f, --force
        Overwrite existing output file[s].
    -q, --quiet
        Do not write log output to stderr.

  Options for CA Certificate Acquisition
    -o, --out cacert[=filename]
        Output file of the acquired CA certificate. If more than one CA certificate is available, filename is used as a prefix for the resulting files (refer to EXAMPLES below for details). The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.

  Options for Certificate Enrollment
    -i, --in type[=filename]
        Input file for certificate enrollment. This option can be specified multiple times to specify input files for every type. Input files can be either DER or PEM encoded. Supported values for type:
        pkcs1       RSA private key in PKCS#1 file format. If no input of this type is specified, an RSA key gets generated. The default filename is $CONFDIR/ipsec.d/private/myKey.der.
        pkcs10      PKCS#10 certificate request to be used in the SCEP request. If no input of this type is specified, a request is generated. The default filename is $CONFDIR/ipsec.d/req/myReq.der.
        cacert-enc  CA certificate to encrypt the SCEP request. Has to be specified for certificate enrollment. The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.
        cacert-sig  CA certificate to check the signature of the SCEP reply. Has to be specified for certificate enrollment. The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.
        cert-self   Certificate to be used in the SCEP request. If it is not specified, a self-signed certificate is generated automatically. The default filename is $CONFDIR/ipsec.d/certs/selfCert.der.
    -k, --keylength bits
        Sets the key length for RSA key generation. The default length for a generated RSA key is 2048 bit.
    -D, --days days
        Validity of the self-signed X.509 certificate in days. The default is 1825 days (5 years).
    -S, --startdate YYMMDDHHMMSSZ
        Defines the notBefore date when the X.509 certificate becomes valid. The date has the format YYMMDDHHMMSS and must be specified in UTC (Zulu time). If the --startdate option is not specified, the current date is taken as the default.
    -E, --enddate YYMMDDHHMMSSZ
        Defines the notAfter date when the X.509 certificate will expire. The date has the format YYMMDDHHMMSS and must be specified in UTC (Zulu time). If the --enddate option is not specified, the default notAfter value is computed by adding the validity interval specified by the --days option to the notBefore date.
    -d, --dn dn
        Distinguished name as a comma-separated list of relative distinguished names. Use quotation marks for a distinguished name containing spaces. If the --dn parameter is missing, the default "C=CH, O=Linux strongSwan, CN=hostname" is used, with hostname being the return value of the gethostname() function.
    -s, --subjectAltName type=value
        Include a subjectAltName in the certificate request. This option can be specified multiple times to specify a subjectAltName for every type. Supported values for type:
        email   subjectAltName is an email address.
        dns     subjectAltName is a hostname.
        ip      subjectAltName is an IP address.
    -p, --password pw
        Password to be included as a challenge password in the SCEP request. If pw is '%prompt', the password gets prompted for on the command line.
        - In automatic mode, this password corresponds to the preshared secret for the given enrollment.
        - In manual mode, this password can be used to later revoke the corresponding certificate.
    -a, --algorithm [type=]algo
        Change the algorithms to be used when generating (PKCS#10) and transporting (PKCS#7) certificate requests. Supported values for type:
        enc     symmetric encryption algorithm in PKCS#7
        dgst    hash algorithm for the message digest in PKCS#7
        sig     hash algorithm for the signature in PKCS#10
        If type is not specified, enc is assumed. Supported values for algo (enc):
        des          DES-CBC encryption (key size = 56 bit). Default.
        3des         Triple DES-EDE-CBC encryption (key size = 168 bit).
        aes128       AES-CBC encryption (key size = 128 bit).
        aes192       AES-CBC encryption (key size = 192 bit).
        aes256       AES-CBC encryption (key size = 256 bit).
        camellia128  Camellia-CBC encryption (key size = 128 bit).
        camellia192  Camellia-CBC encryption (key size = 192 bit).
        camellia256  Camellia-CBC encryption (key size = 256 bit).
        Supported values for algo (dgst or sig): md5 (default), sha1, sha256, sha384, sha512
    -o, --out type[=filename]
        Output file for certificate enrollment. This option can be specified multiple times to specify output files for every type. Supported values for type:
        pkcs1      RSA private key in PKCS#1 file format. If specified, the RSA key used for enrollment is stored in file filename. If none of the types listed below is specified, scepclient will stop after outputting this file. The default filename is $CONFDIR/ipsec.d/private/myKey.der.
        pkcs10     PKCS#10 certificate request. If specified, the PKCS#10 request used for certificate enrollment is stored in file filename. If none of the types listed below is specified, scepclient will stop after outputting this file. The default filename is $CONFDIR/ipsec.d/req/myReq.der.
        pkcs7      PKCS#7 SCEP request as it is sent using HTTP to the SCEP server. If specified, this SCEP request is stored in file filename. If none of the types listed below is specified, scepclient will stop after outputting this file. The default filename is $CONFDIR/ipsec.d/req/pkcs7.der.
        cert-self  Self-signed certificate. If specified, the self-signed certificate is stored in file filename. The default filename is $CONFDIR/ipsec.d/certs/selfCert.der.
        cert       Enrolled certificate. This type must be specified for certificate enrollment. The enrolled certificate is stored in file filename. The default filename is $CONFDIR/ipsec.d/certs/myCert.der.
    -m, --method method
        Change the HTTP request method for certificate enrollment. Default is get. Supported values for method:
        post    Certificate enrollment using HTTP POST. Must be supported by the given SCEP server.
        get     Certificate enrollment using HTTP GET.
    -t, --interval seconds
        Set the interval time in seconds when polling in manual mode. The default interval is 5 seconds.
    -x, --maxpolltime seconds
        Set the maximum time in seconds to poll in manual mode. The default maximum time is unlimited.

  Debugging Output Options
    -l, --debug level
        Changes the log level (-1..4, default: 1).
EXAMPLES
    ipsec scepclient --out caCert --url http://scepserver/cgi-bin/pkiclient.exe -f
        Acquire the CA certificate from the SCEP server and store it in the default file $CONFDIR/ipsec.d/cacerts/caCert.der. If more than one CA certificate is returned, store them in files named caCert-1.der, caCert-2.der, etc. If an RA certificate is returned, store it in a file named caCert-ra.der. If more than one RA certificate is returned, store them in files named caCert-ra-1.der, caCert-ra-2.der, etc.

    ipsec scepclient --out pkcs1=joeKey.der -k 1024
        Generate an RSA private key with a key length of 1024 bit and store it in the file joeKey.der.

    ipsec scepclient --in pkcs1=joeKey.der --out pkcs10=joeReq.der \
        --dn "C=AT, CN=John Doe" -s email=john@doe.com -p mypassword
        Generate a PKCS#10 request and store it in the file joeReq.der. Use the RSA private key joeKey.der created earlier to sign the PKCS#10 request. In addition to the distinguished name, include an email subjectAltName and a challenge password in the request.

    ipsec scepclient --out pkcs1=joeKey.der --out cert=joeCert.der \
        --dn "C=CH, CN=John Doe" -k 512 -p 5xH2pnT7wq \
        --url http://scep.hsr.ch/cgi-bin/pkiclient.exe \
        --in cacert-enc=caCert.der --in cacert-sig=caCert.der
        Generate a new RSA key for the request and store it in joeKey.der. Then enroll a certificate and store it as joeCert.der. The challenge password is '5xH2pnT7wq'. The encryption and the signature check have to be made with the same CA certificate caCert.der.
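The following shell script is an added example, not part of the strongSwan man page: it chains the steps above for manual enrollment, fetching the CA certificate over plain HTTP but refusing to use it as cacert-enc/cacert-sig until its SHA-256 fingerprint matches one obtained out of band (the "offline fingerprint check" the DESCRIPTION requires), and then enrolling with the aes256/sha256 algorithms listed under --algorithm rather than the des/md5 defaults. The URL, expected fingerprint, DN and output directory are placeholders, and the fingerprint helpers assume a Linux host with sha256sum.

```shell
#!/bin/sh
# Added example (not from the strongSwan man page): manual SCEP enrollment
# gated on an out-of-band CA fingerprint. SCEP_URL / CA_FINGERPRINT below
# are placeholders; assumes Linux with sha256sum available.

# Normalise a fingerprint as an operator would paste it: drop colons and
# whitespace, lower-case the hex. Accepts "AB:CD:..." and "abcd..." forms.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \t\n' | tr 'A-F' 'a-f'
}

# SHA-256 over the DER certificate file: the same digest that
# "openssl x509 -fingerprint -sha256" prints, just without the colons.
der_sha256() {
  sha256sum "$1" | cut -d' ' -f1
}

# Exit 0 only when the fetched certificate matches the expected fingerprint.
# An empty expected value never matches, so a forgotten out-of-band value
# cannot silently pass the check.
verify_ca_fingerprint() {
  actual=$(der_sha256 "$1")
  expected=$(normalize_fp "$2")
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Full flow: fetch the CA certificate, verify it, then enroll. Uses the
# non-default aes256/sha256 algorithms from the man page instead of des/md5
# and bounds manual-mode polling with -t/-x so an unapproved request does
# not poll forever. The DN and directory are placeholders.
enroll() {
  url=$1; ca_fp=$2; dir=${3:-.}
  ipsec scepclient --url "$url" --out cacert="$dir/caCert.der" -f || return 1
  if ! verify_ca_fingerprint "$dir/caCert.der" "$ca_fp"; then
    echo "CA certificate fingerprint mismatch, refusing to enroll" >&2
    rm -f "$dir/caCert.der"
    return 2
  fi
  ipsec scepclient --url "$url" \
    --in cacert-enc="$dir/caCert.der" --in cacert-sig="$dir/caCert.der" \
    --out pkcs1="$dir/myKey.der" --out cert="$dir/myCert.der" \
    --dn "C=CH, O=Example Org, CN=$(hostname)" -k 2048 \
    --algorithm enc=aes256 --algorithm dgst=sha256 --algorithm sig=sha256 \
    -p '%prompt' -t 10 -x 600
}

# Usage with placeholder values:
# enroll "http://scep.example.net/cgi-bin/pkiclient.exe" "$CA_FINGERPRINT" /etc/ipsec.d
```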
BUGS
    --optionsfrom seems to have parsing problems reading option files containing strings in quotation marks.