1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
|
.\"
.TH "IPSEC_SCEPCLIENT" "8" "2012-05-11" "strongSwan" ""
.SH "NAME"
ipsec scepclient \- Client for the SCEP protocol
.SH "SYNOPSIS"
.B ipsec scepclient [argument ...]
.sp
.B ipsec scepclient
.B \-\-help
.br
.B ipsec scepclient
.B \-\-version
.SH "DESCRIPTION"
.BR scepclient
is a client implementation of Cisco System's Simple Certificate Enrollment Protocol (SCEP) written for Linux strongSwan <http://www.strongswan.org>.
.BR scepclient
is designed to be used for certificate enrollment on machines using the OpenSource IPsec solution
.I strongSwan.
.SH "FEATURES"
.BR scepclient
implements the following features of SCEP:
.br
.IP "\-" 4
Automatic enrollment of client certificate using a preshared secret
.IP "\-" 4
Manual enrollment of client certificate. Offline fingerprint check required!
.IP "\-" 4
Acquisition of CA certificate(s)
.SH "OPTIONS"
.SS Basic Startup Options
.B \-v, \-\-version
.RS 4
Display the version of ipsec scepclient.
.PP
.RE
.B \-h, \-\-help
.RS 4
Display usage of ipsec scepclient.
.RE
.SS General Options
.B \-u, \-\-url \fIurl\fP
.RS 4
Full HTTP URL of the SCEP server to be used for certificate enrollment and CA certificate acquisition.
.RE
.PP
.B \-+, \-\-optionsfrom \fIfilename\fP
.RS 4
Reads additional options from \fIfilename\fP.
.RE
.PP
.B \-f, \-\-force
.RS 4
Overwrite existing output file[s].
.RE
.PP
.B \-q, \-\-quiet
.RS 4
Do not write log output to stderr.
.RE
.SS Options for CA Certificate Acquisition
.B \-o, \-\-out cacert[=\fIfilename\fP]
.RS 4
Output file of acquired CA certificate. If more then one CA certificate is
available, \fIfilename\fP is used as prefix for the resulting files (refer to
EXAMPLES below for details).
.br
The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
.RE
.SS Options For Certificate Enrollment
.B \-i, \-\-in \fItype\fP[=\fIfilename\fP]
.RS 4
Input file for certificate enrollment. This option can be specified multiple times to specify input files for every \fItype\fP.
Input files can be either DER or PEM encoded.
.PP
Supported values for \fItype\fP:
.IP "\fBpkcs1\fP" 12
RSA private key in PKCS#1 file format. If no input of this type is specified, a RSA key gets generated.
.br
The default \fIfilename\fP is $CONFDIR/ipsec.d/private/myKey.der.
.IP "\fBpkcs10\fP" 12
PKCS#10 certificate request to be used in the SCEP request. If no input of this type is specified, a request is generated.
.br
The default \fIfilename\fP is $CONFDIR/ipsec.d/req/myReq.der.
.IP "\fBcacert\-enc\fP" 12
CA certificate to encrypt the SCEP request. Has to be specified for certificate enrollment.
.br
The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
.IP "\fBcacert\-sig\fP" 12
CA certificate to check signature of SCEP reply. Has to be specified for certificate enrollment.
.br
The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
.IP "\fBcert-self\fP" 12
Certificate to be used in the SCEP request. If it is not specified a
self-signed certificate is generated automatically.
.br
The default \fIfilename\fP is $CONFDIR/ipsec.d/certs/selfCert.der.
.RE
.PP
.B \-k, \-\-keylength \fIbits\fP
.RS 4
sets the key length for RSA key generation. The default length for a generated rsa key is set to 2048 bit.
.RE
.PP
.B \-D, \-\-days \fIdays\fP
.RS 4
Validity of the self-signed X.509 certificate in days. The default is 1825 days (5 years).
.RE
.PP
.B \-S, \-\-startdate \fIYYMMDDHHMMSS\fPZ
.RS 4
defines the \fBnotBefore\fP date when the X.509 certificate becomes valid.
The date has the format \fIYYMMDDHHMMSS\fP and must be specified in UTC (Zulu time).
If the \fB--startdate\fP option is not specified then the current date is taken as a default.
.RE
.PP
.B \-E, \-\-enddate \fIYYMMDDHHMMSS\fPZ
.RS 4
defines the \fBnotAfter\fP date when the X.509 certificate will expire.
The date has the format \fIYYMMDDHHMMSS\fP and must be specified in UTC (Zulu time).
If the \fB--enddate\fP option is not specified then the default \fBnotAfter\fP value is computed by
adding the validity interval specified by the \fB--days\fP option to the \fBnotBefore\fP date.
.RE
.PP
.B \-d, \-\-dn \fIdn\fP
.RS 4
Distinguished name as comma separated list of relative distinguished names. Use quotation marks for a distinguished name containing spaces. If the \fB\-\-dn\fP parameter is missing then the default "C=CH, O=Linux strongSwan, CN=\fIhostname\fP"
is used with \fIhostname\fP being the return value of the \fIgethostname\fP() function.
.RE
.PP
.B \-s, \-\-subjectAltName \fItype\fP=\fIvalue\fP
.RS 4
Include subjectAltName in certificate request. This option can be specified multiple times to specify a subjectAltName
for every \fItype\fP.
.PP
Supported values for \fItype\fP:
.IP "\fBemail\fP" 12
subjectAltName is a email address.
.IP "\fBdns\fP" 12
subjectAltName is a hostname.
.IP "\fBip\fP" 12
subjectAltName is a IP address.
.RE
.PP
.B \-p, \-\-password \fIpw\fP
.RS 4
Password to be included as a \fIchallenge password\fP in SCEP request.
If \fIpw\fP is \fB%prompt\fP', the password gets prompted for on the command line.
.IP
\- In automatic mode, this password corresponds to the preshared secret for the given enrollment.
.IP
\- In manual mode, this password can be used to later revoke the corresponding certificate.
.RE
.PP
.B \-a, \-\-algorithm [\fItype\fP=]\fIalgo\fP
.RS 4
Change the algorithms to be used when generating and transporting (PKCS#7)
certificate requests (PKCS#10).
.PP
Supported values for \fItype\fP:
.IP "\fBenc\fP" 12
symmetric encryption algorithm in PKCS#7
.IP "\fBdgst\fP" 12
hash algorithm for message digest in PKCS#7
.IP "\fBsig\fP" 12
hash algorithm for the signature in PKCS#10
.PP
If \fItype\fP is not specified \fBenc\fP is assumed.
.PP
Supported values for \fIalgo\fP (\fBenc\fP):
.IP "\fBdes\fP" 12
DES-CBC encryption (key size = 56 bit). Default.
.IP "\fB3des\fP" 12
Triple DES-EDE-CBC encryption (key size = 168 bit).
.IP "\fBaes128\fP" 12
AES-CBC encryption (key size = 128 bit).
.IP "\fBaes192\fP" 12
AES-CBC encryption (key size = 192 bit).
.IP "\fBaes256\fP" 12
AES-CBC encryption (key size = 256 bit).
.IP "\fBcamellia128\fP" 12
Camellia-CBC encryption (key size = 128 bit).
.IP "\fBcamellia192\fP" 12
Camelllia-CBC encryption (key size = 192 bit).
.IP "\fBcamellia256\fP" 12
Camellia-CBC encryption (key size = 256 bit).
.PP
Supported values for \fIalgo\fP (\fBdgst\fP or \fBsig\fP):
.PP
\fBmd5\fP (default), \fBsha1\fP, \fBsha256\fP, \fBsha384\fP, \fBsha512\fP
.RE
.PP
.B \-o, \-\-out \fItype\fP[=\fIfilename\fP]
.RS 4
Output file for certificate enrollment. This option can be specified multiple times to specify output files for every \fItype\fP.
.PP
Supported values for \fItype\fP:
.IP "\fBpkcs1\fP" 12
RSA private key in PKCS#1 file format. If specified, the RSA key used for enrollment is stored in file \fIfilename\fP.
If none of the \fItypes\fP listed below are specified, \fBscepclient\fP will stop after outputting this file.
.br
The default \fIfilename\fP is $CONFDIR/ipsec.d/private/myKey.der.
.IP "\fBpkcs10\fP" 12
PKCS#10 certificate request. If specified, the PKCS#10 request used or certificate enrollment is stored in file \fIfilename\fP.
If none of the \fItypes\fP listed below are specified, \fBscepclient\fP will stop after outputting this file.
.br
The default \fIfilename\fP is $CONFDIR/ipsec.d/req/myReq.der.
.IP "\fBpkcs7\fP" 12
PKCS#7 SCEP request as it is sent using HTTP to the SCEP server. If specified, this SCEP request is stored in file \fIfilename\fP.
If none of \fItypes\fP listed below is not specified, \fBscepclient\fP will stop after outputting this file.
.br
The default \fIfilename\fP is $CONFDIR/ipsec.d/req/pkcs7.der.
.IP "\fBcert-self\fP" 12
Self-signed certificate. If specified the self-signed certificate is stored in file \fIfilename\fP.
.br
The default \fIfilename\fP is $CONFDIR/ipsec.d/certs/selfCert.der.
.IP "\fBcert\fP" 12
Enrolled certificate. This \fItype\fP must be specified for certificate enrollment.
The enrolled certificate is stored in file \fIfilename\fP.
.br
The default \fIfilename\fP is set to $CONFDIR/ipsec.d/certs/myCert.der.
.RE
.PP
.B \-m, \-\-method \fImethod\fP
.RS 4
Change HTTP request method for certificate enrollment. Default is \fBget\fP.
.PP
Supported values for \fImethod\fP:
.IP "\fBpost\fP" 12
Certificate enrollment using HTTP POST. Must be supported by the given SCEP server.
.IP "\fBget\fP" 12
Certificate enrollment using HTTP GET.
.RE
.PP
.B \-t, \-\-interval \fIseconds\fP
.RS 4
Set interval time in seconds when polling in manual mode.
The default interval is set to 5 seconds.
.RE
.PP
.B \-x, \-\-maxpolltime \fIseconds\fP
.RS 4
Set max time in seconds to poll in manual mode.
The default max time is set to unlimited.
.RE
.SS Debugging Output Options:
.B \-l, \-\-debug \fIlevel\fP
.RS 4
Changes the log level (-1..4, default: 1)
.RE
.SH "EXAMPLES"
.B ipsec scepclient \-\-out caCert \-\-url http://scepserver/cgi\-bin/pkiclient.exe \-f
.RS 4
Acquire CA certificate from SCEP server and store it in the default file $CONFDIR/ipsec.d/cacerts/caCert.der.
If more then one CA certificate is returned, store them in files named
\'caCert\-1.der\', \'caCert\-2.der\', etc.
If an RA certificate is returned, store it in a file named \'caCert\-ra.der\'.
If more than one RA certificate is returned, store them in files named
\'caCert\-ra\-1.der\', \'caCert\-ra\-2.der\', etc.
.RE
.PP
.B ipsec scepclient \-\-out pkcs1=joeKey.der \-k 1024
.RS 4
Generate RSA private key with key length of 1024 bit and store it in file joeKey.der.
.RE
.PP
.B ipsec scepclient \-\-in pkcs1=joeKey.der \-\-out pkcs10=joeReq.der \e
.br
.B \-\-dn \*(rqC=AT, CN=John Doe\*(rq \-s email=john@doe.com \-p mypassword
.RS 4
Generate a PKCS#10 request and store it in file joeReq.der. Use the RSA private key joeKey.der
created earlier to sign the PKCS#10\-Request. In addition to the distinguished name include a
email\-subjectAltName and a challenge password in the request.
.RE
.PP
.B ipsec scepclient \-\-out pkcs1=joeKey.der \-\-out cert==joeCert.der \e
.br
.B \-\-dn \*(rqC=CH, CN=John Doe\*(rq \-k 512 \-p 5xH2pnT7wq \e
.br
.B \-\-url http://scep.hsr.ch/cgi\-bin/pkiclient.exe \e
.br
.B \-\-in cacert\-enc=caCert.der \-\-in cacert\-sig=caCert.der
.RS 4
Generate a new RSA key for the request and store it in joeKey.der. Then enroll a certificate and store as joeCert.der.
The challenge password is '5xH2pnT7wq'. The encryption and signature check has to be made with the same CA certificate
caCert.der.
.RE
.SH "BUGS"
\fB\-\-optionsfrom\fP seems to have parsing problems reading option files containing strings in quotation marks.
|