Diffstat (limited to 'programs/scepclient/scepclient.8')
-rw-r--r-- | programs/scepclient/scepclient.8 | 288 |
1 files changed, 0 insertions, 288 deletions
diff --git a/programs/scepclient/scepclient.8 b/programs/scepclient/scepclient.8 deleted file mode 100644 index 0d6364ef2..000000000 --- a/programs/scepclient/scepclient.8 +++ /dev/null 
@@ -1,288 +0,0 @@ -.\" -.TH "IPSEC_SCEPCLIENT" "8" "29 September 2005" "Jan Hutter, Martin Willi" "" -.SH "NAME" -ipsec scepclient \- Client for the SCEP protocol -.SH "SYNOPSIS" -.B ipsec scepclient [argument ...] -.sp -.B ipsec scepclient -.B \-\-help -.br -.B ipsec scepclient -.B \-\-version -.SH "DESCRIPTION" -.BR scepclient -is a client implementation of Cisco System's Simple Certificate Enrollment Protocol (SCEP) written for Linux strongSwan <http://www.strongswan.org>. -.BR scepclient -is designed to be used for certificate enrollment on machines using the OpenSource IPsec solution -.I strongSwan. -.SH "FEATURES" -.BR scepclient -implements the following features of SCEP: -.br -.IP "\-" 4 -Automatic enrollment of client certificate using a preshared secret -.IP "\-" 4 -Manual enrollment of client certificate. Offline fingerprint check required! -.IP "\-" 4 -Acquisition of CA certificate(s) -.SH "OPTIONS" -.SS Basic Startup Options -.B \-v, \-\-version -.RS 4 -Display the version of ipsec scepclient. -.PP -.RE -.B \-h, \-\-help -.RS 4 -Display usage of ipsec scepclient. -.RE - -.SS General Options -.B \-u, \-\-url \fIurl\fP -.RS 4 -Full HTTP URL of the SCEP server to be used for certificate enrollment and CA certificate acquisition. -.RE -.PP -.B \-+, \-\-optionsfrom \fIfilename\fP -.RS 4 -Reads additional options from \fIfilename\fP. -.RE -.PP -.B \-f, \-\-force -.RS 4 -Overwrite existing output file[s]. -.RE -.PP -.B \-q, \-\-quiet -.RS 4 -Do not write log output to stderr. -.RE - -.SS Options for CA Certificate Acquisition -.B \-o, \-\-out cacert[=\fIfilename\fP] -.RS 4 -Output file of acquired CA certificate. If more then one CA certificate is available, \fIfilename\fP is used as prefix for the resulting files. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der. -.RE - -.SS Options For Certificate Enrollment -.B \-i, \-\-in \fItype\fP[=\fIfilename\fP] -.RS 4 -Input file for certificate enrollment. 
This option can be specified multiple times to specify input files for every \fItype\fP. -Input files can bei either DER or PEM encoded. -.PP -Supported values for \fItype\fP: -.IP "\fBpkcs1\fP" 12 -RSA private key in PKCS#1 file format. If no input of this type is specified, a RSA key gets generated. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/private/myKey.der. -.IP "\fBcacert\-enc\fP" 12 -CA certificate to encrypt the SCEP request. Has to be specified for certificate enrollment. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der. -.IP "\fBcacert\-sig\fP" 12 -CA certificate to check signature of SCEP reply. Has to be specified for certificate enrollment. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der. -.RE -.PP -.B \-k, \-\-keylength \fIbits\fP -.RS 4 -sets the key length for RSA key generation. The default length for a generated rsa key is set to 2048 bit. -.RE -.PP -.B \-D, \-\-days \fIdays\fP -.RS 4 -Validity of the self-signed X.509 certificate in days. The default is 1825 days (5 years). -.RE -.PP -.B \-S, \-\-startdate \fIYYMMDDHHMMSS\fPZ -.RS 4 -defines the \fBnotBefore\fP date when the X.509 certificate becomes valid. -The date has the format \fIYYMMDDHHMMSS\fP and must be specified in UTC (Zulu time). -If the \fB--startdate\fP option is not specified then the current date is taken as a default. -.RE -.PP -.B \-E, \-\-enddate \fIYYMMDDHHMMSS\fPZ -.RS 4 -defines the \fBnotAfter\fP date when the X.509 certificate will expire. -The date has the format \fIYYMMDDHHMMSS\fP and must be specified in UTC (Zulu time). -If the \fB--enddate\fP option is not specified then the default \fBnotAfter\fP value is computed by -adding the validity interval specified by the \fB--days\fP option to the \fBnotBefore\fP date. -.RE -.PP -.B \-d, \-\-dn \fIdn\fP -.RS 4 -Distinguished name as comma separated list of relative distinguished names. Use quotation marks for a distinguished name containing spaces. 
If the \fB\-\-dn\fP parameter is missing then the default "C=CH, O=Linux strongSwan, CN=\fIhostname\fP" -is used with \fIhostname\fP being the return value of the \fIgethostname\fP() function. -.RE -.PP -.B \-s, \-\-subjectAltName \fItype\fP=\fIvalue\fP -.RS 4 -Include subjectAltName in certificate request. This option can be specified multiple times to specify a subjectAltName -for every \fItype\fP. -.PP -Supported values for \fItype\fP: -.IP "\fBemail\fP" 12 -subjectAltName is a email address. -.IP "\fBdns\fP" 12 -subjectAltName is a hostname. -.IP "\fBip\fP" 12 -subjectAltName is a IP address. -.RE -.PP -.B \-p, \-\-password \fIpw\fP -.RS 4 -Password to be included as a \fIchallenge password\fP in SCEP request. -If \fIpw\fP is \fB%prompt\fP', the password gets prompted for on the command line. -.IP -\- In automatic mode, this password corresponds to the preshared secret for the given enrollment. -.IP -\- In manual mode, this password can be used to later revoke the corresponding certificate. -.RE -.PP -.B \-a, \-\-algorithm \fIalgo\fP -.RS 4 -Change symmetric algorithm to use for encryption of certificate Request. -The default is \fB3des\-cbc\fP. -.PP -Supported values for \fIalgo\fP: -.IP "\fBdes\-cbc\fP" 12 -DES CBC encryption (key size = 56 bit). -.IP "\fB3des\-cbc\fP" 12 -Triple DES CBC encryption (key size = 168 bit). -.RE -.PP -.B \-o, \-\-out \fItype\fP[=\fIfilename\fP] -.RS 4 -Output file for certificate enrollment. This option can be specified multiple times to specify output files for every \fItype\fP. -.PP -Supported values for \fItype\fP: -.IP "\fBpkcs1\fP" 12 -RSA private key in PKCS#1 file format. If specified, the RSA key used for enrollment is stored in file \fIfilename\fP. -If none of the \fItypes\fP listed below are specified, \fBscepclient\fP will stop after outputting this file. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/private/myKey.der. -.IP "\fBpkcs10\fP" 12 -PKCS#10 certificate request. 
If specified, the PKCS#10 request used or certificate enrollment is stored in file \fIfilename\fP. -If none of the \fItypes\fP listed below are specified, \fBscepclient\fP will stop after outputting this file. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/req/myReq.der. -.IP "\fBpkcs7\fP" 12 -PKCS#7 SCEP request as it is sent using HTTP to the SCEP server. If specified, this SCEP request is stored in file \fIfilename\fP. -If none of \fItypes\fP listed below is not specified, \fBscepclient\fP will stop after outputting this file. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/req/pkcs7.der. -.IP "\fBcert-self\fP" 12 -Self-signed certificate. If specified the self-signed certificate is stored in file \fIfilename\fP. -.br -The default \fIfilename\fP is $CONFDIR/ipsec.d/certs/selfCert.der. -.IP "\fBcert\fP" 12 -Enrolled certificate. This \fItype\fP must be specified for certificate enrollment. -The enrolled certificate is stored in file \fIfilename\fP. -.br -The default \fIfilename\fP is set to $CONFDIR/ipsec.d/certs/myCert.der. -.RE -.PP -.B \-m, \-\-method \fImethod\fP -.RS 4 -Change HTTP request method for certificate enrollment. Default is \fBget\fP. -.PP -Supported values for \fImethod\fP: -.IP "\fBpost\fP" 12 -Certificate enrollment using HTTP POST. Must be supported by the given SCEP server. -.IP "\fBget\fP" 12 -Certificate enrollment using HTTP GET. -.RE -.PP -.B \-t, \-\-interval \fIseconds\fP -.RS 4 -Set interval time in seconds when polling in manual mode. -The default interval is set to 5 seconds. -.RE -.PP -.B \-x, \-\-maxpolltime \fIseconds\fP -.RS 4 -Set max time in seconds to poll in manual mode. -The default max time is set to unlimited. -.RE - -.SS Debugging Output Options: -.B \-A, \-\-debug\-all -.RS 4 -Log everything except private data. -.RE -.PP -.B \-P, \-\-debug\-parsing -.RS 4 -Log parsing relevant stuff. -.RE -.PP -.B \-R, \-\-debug\-raw -.RS 4 -Log raw hex dumps. 
-.RE -.PP -.B \-C, \-\-debug\-control -.RS 4 -Log informations about control flow. -.RE -.PP -.B \-M, \-\-debug\-controlmore -.RS 4 -Log more detailed informations about control flow. -.RE -.PP -.B \-X, \-\-debug\-private -.RS 4 -Log sensitive data (e.g. private keys). -.RE -.SH "EXAMPLES" -.B ipsec scepclient \-\-out caCert \-\-url http://scepserver/cgi\-bin/pkiclient.exe \-f -.RS 4 -Acquire CA certificate from SCEP server and store it in the default file $CONFDIR/ipsec.d/cacerts/caCert.der. -If more then one CA certificate is returned, store them in files named caCert.der\-1', caCert.der\-2', etc. -.br -Existing files are overwritten. -.RE -.PP -.B ipsec scepclient \-\-out pkcs1=joeKey.der \-k 1024 -.RS 4 -Generate RSA private key with key length of 1024 bit and store it in file joeKey.der. -.RE -.PP -.B ipsec scepclient \-\-in pkcs1=joeKey.der \-\-out pkcs10=joeReq.der \e -.br -.B \-\-dn \*(rqC=AT, CN=John Doe\*(rq \-s email=john@doe.com \-p mypassword -.RS 4 -Generate a PKCS#10 request and store it in file joeReq.der. Use the RSA private key joeKey.der -created earlier to sign the PKCS#10\-Request. In addition to the distinguished name include a -email\-subjectAltName and a challenge password in the request. -.RE -.PP -.B ipsec scepclient \-\-out pkcs1=joeKey.der \-\-out cert==joeCert.der \e -.br -.B \-\-dn \*(rqC=CH, CN=John Doe\*(rq \-k 512 \-p 5xH2pnT7wq \e -.br -.B \-\-url http://scep.hsr.ch/cgi\-bin/pkiclient.exe \e -.br -.B \-\-in cacert\-enc=caCert.der \-\-in cacert\-sig=caCert.der -.RS 4 -Generate a new RSA key for the request and store it in joeKey.der. Then enroll a certificate and store as joeCert.der. -The challenge password is '5xH2pnT7wq'. The encryption and signature check has to be made with the same CA certificate -caCert.der. -.RE - - -.SH "BUGS" -\fB\-\-optionsfrom\fP seems to have parsing problems reading option files containing strings in quotation marks. 
-.SH "COPYRIGHT" -Copyright (C) 2005 Jan Hutter, Martin Willi -.br -Hochschule fuer Technik Rapperswil -.PP -This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -.PP -This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. |
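Review bot: the man page is removed outright (`+++ /dev/null`, 288 deletions) and nothing in this diff points to a replacement or new location; if ipsec scepclient itself is being dropped, this deletion belongs in the same change as the removal of the binary and its build rules, and if the page is only being relocated or converted to another format, the new file should appear alongside the deletion so the documentation does not go missing in between. The deleted text also recorded details an operator may still need from whichever document supersedes it: the default request encryption of `3des-cbc` under `--algorithm`, the fact that `--debug-private` logs sensitive data such as private keys, and the `--optionsfrom` quoting problem listed under BUGS, which should be tracked elsewhere if the tool remains.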