Provided by: strongswan-starter_4.5.2-1.2_amd64

NAME

       ipsec scepclient - Client for the SCEP protocol

SYNOPSIS

       ipsec scepclient [argument ...]

       ipsec scepclient --help
       ipsec scepclient --version

DESCRIPTION

       scepclient is a client implementation of Cisco Systems' Simple Certificate  Enrollment
       Protocol (SCEP) written for Linux strongSwan <http://www.strongswan.org>.  scepclient  is
       designed to be used for certificate enrollment on machines running the open-source IPsec
       solution strongSwan.

FEATURES

       scepclient implements the following features of SCEP:

       -   Automatic enrollment of a client certificate using a preshared secret

       -   Manual enrollment of a client certificate. The CA certificate is fetched unauthenticated,
           so an offline fingerprint check of it is required!

       -   Acquisition of CA certificate(s)

OPTIONS

   Basic Startup Options
       -v, --version
           Display the version of ipsec scepclient.

       -h, --help
           Display usage of ipsec scepclient.

   General Options
       -u, --url url
           Full HTTP URL of the SCEP  server  to  be  used  for  certificate  enrollment  and  CA
           certificate acquisition.

       -+, --optionsfrom filename
           Reads additional options from filename.

       -f, --force
           Overwrite existing output file[s].

       -q, --quiet
           Do not write log output to stderr.

   Options for CA Certificate Acquisition
        -o, --out cacert[=filename]
            Output file of the acquired CA certificate. If more than one CA certificate is
            available, filename is used as a prefix for the resulting files.
            The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.

   Options For Certificate Enrollment
        -i, --in type[=filename]
            Input file for certificate enrollment. This option can be specified multiple times  to
            specify input files for every type.  Input files can be either DER or PEM encoded.

           Supported values for type:

            pkcs1       RSA private key in PKCS#1 file format. If no input of this type is
                        specified, an RSA key is generated.
                        The default filename is $CONFDIR/ipsec.d/private/myKey.der.

            cacert-enc  CA certificate used to encrypt the SCEP request. Must be specified for
                        certificate enrollment.
                        The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.

            cacert-sig  CA certificate used to check the signature of the SCEP reply. Must be
                        specified for certificate enrollment.
                        The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.

        -k, --keylength bits
            Sets the key length for RSA key generation. The default length of a generated RSA key
            is 2048 bits.

       -D, --days days
           Validity  of  the  self-signed  X.509 certificate in days. The default is 1825 days (5
           years).

        -S, --startdate YYMMDDHHMMSSZ
            Defines the notBefore date from which the X.509 certificate is valid. The date has the
            format YYMMDDHHMMSSZ (two-digit year) and must be given in UTC (Zulu time), hence  the
            trailing Z.  If the --startdate option is not specified, the current date is used.

        -E, --enddate YYMMDDHHMMSSZ
            Defines the notAfter date at which the X.509 certificate expires. The date has the same
            YYMMDDHHMMSSZ format and must be given in UTC (Zulu time).  If the --enddate option is
            not specified, the notAfter value is computed by adding the validity interval given by
            the --days option to the notBefore date.

       -d, --dn dn
           Distinguished  name  as  comma  separated  list  of  relative distinguished names. Use
           quotation marks for a distinguished name containing spaces. If the --dn  parameter  is
           missing then the default "C=CH, O=Linux strongSwan, CN=hostname" is used with hostname
           being the return value of the gethostname() function.

       -s, --subjectAltName type=value
           Include subjectAltName in certificate request. This option can be  specified  multiple
           times to specify a subjectAltName for every type.

           Supported values for type:

            email       subjectAltName is an email address.

            dns         subjectAltName is a hostname.

            ip          subjectAltName is an IP address.

        -p, --password pw
            Password to be included as a challenge password in the SCEP request. If pw is '%prompt',
            the password is prompted for on the command line.

                  - In automatic mode, this password corresponds to the preshared secret for  the
                  given enrollment.

                  -  In  manual mode, this password can be used to later revoke the corresponding
                  certificate.

        -a, --algorithm algo
            Change the symmetric algorithm used to encrypt the certificate request. The default is
            3des-cbc. des is obsolete and 3des is legacy; prefer an AES variant where the SCEP
            server supports it.

           Supported values for algo:

           des         DES-CBC encryption (key size = 56 bit).

           3des        Triple DES-EDE-CBC encryption (key size = 168 bit).

           aes128      AES-CBC encryption (key size = 128 bit).

           aes192      AES-CBC encryption (key size = 192 bit).

           aes256      AES-CBC encryption (key size = 256 bit).

           camellia128 Camellia-CBC encryption (key size = 128 bit).

            camellia192 Camellia-CBC encryption (key size = 192 bit).

           camellia256 Camellia-CBC encryption (key size = 256 bit).

       -o, --out type[=filename]
           Output file for certificate enrollment. This option can be specified multiple times to
           specify output files for every type.

           Supported values for type:

           pkcs1       RSA private key in PKCS#1 file format. If specified, the RSA key used  for
                       enrollment  is stored in file filename.  If none of the types listed below
                       are specified, scepclient will stop after outputting this file.
                       The default filename is $CONFDIR/ipsec.d/private/myKey.der.

            pkcs10      PKCS#10 certificate request. If specified, the PKCS#10 request used for
                        certificate enrollment is stored in file filename.  If none of the types
                        listed below are specified, scepclient will  stop  after  outputting  this
                        file.
                        The default filename is $CONFDIR/ipsec.d/req/myReq.der.

            pkcs7       PKCS#7 SCEP request as it is sent over HTTP to the SCEP server. If
                        specified, this SCEP request is stored in file filename.  If none of the
                        types listed below are specified, scepclient will stop after outputting
                        this file.
                        The default filename is $CONFDIR/ipsec.d/req/pkcs7.der.

           cert-self   Self-signed certificate.  If  specified  the  self-signed  certificate  is
                       stored in file filename.
                       The default filename is $CONFDIR/ipsec.d/certs/selfCert.der.

           cert        Enrolled   certificate.  This  type  must  be  specified  for  certificate
                       enrollment.  The enrolled certificate is stored in file filename.
                       The default filename is set to $CONFDIR/ipsec.d/certs/myCert.der.

       -m, --method method
           Change HTTP request method for certificate enrollment. Default is get.

           Supported values for method:

           post        Certificate enrollment using HTTP POST. Must be  supported  by  the  given
                       SCEP server.

           get         Certificate enrollment using HTTP GET.

        -t, --interval seconds
            Set the interval in seconds between polls for the certificate in manual mode, i.e.
            while the request is pending approval by the CA operator. The default interval is 5
            seconds.

        -x, --maxpolltime seconds
            Set the maximum time in seconds to keep polling in manual mode. The default is
            unlimited.

    Debugging Output Options
       -A, --debug-all
           Log everything except private data.

       -P, --debug-parsing
           Log parsing relevant stuff.

       -R, --debug-raw
           Log raw hex dumps.

       -C, --debug-control
           Log information about control flow.

       -M, --debug-controlmore
           Log more detailed information about control flow.

        -X, --debug-private
            Log sensitive data (e.g. private keys). Output produced with this option must be
            handled like key material; do not enable it on production systems.

EXAMPLES

       ipsec scepclient --out caCert --url http://scepserver/cgi-bin/pkiclient.exe -f
           Acquire the CA certificate from the SCEP server and store it in the default file
           $CONFDIR/ipsec.d/cacerts/caCert.der.  If more than one CA certificate is returned,
           store them in files named caCert.der-1, caCert.der-2, etc.
           Existing files are overwritten.

       ipsec scepclient --out pkcs1=joeKey.der -k 1024
           Generate an RSA private key with a key length of 1024 bits and store it in file
           joeKey.der. (1024-bit RSA is below current minimum key-size recommendations; use the
           2048-bit default or larger in practice.)

       ipsec scepclient --in pkcs1=joeKey.der --out pkcs10=joeReq.der \
       --dn "C=AT, CN=John Doe" -s email=john@doe.com -p mypassword
           Generate a PKCS#10 request and store it in file joeReq.der. Use the RSA private key
           joeKey.der created earlier to sign the PKCS#10 request. In addition to the
           distinguished name, include an email subjectAltName and a challenge password in the
           request.

       ipsec scepclient --out pkcs1=joeKey.der --out cert=joeCert.der \
       --dn "C=CH, CN=John Doe" -k 512 -p 5xH2pnT7wq \
       --url http://scep.hsr.ch/cgi-bin/pkiclient.exe \
       --in cacert-enc=caCert.der --in cacert-sig=caCert.der
           Generate a new RSA key for the request and store it in joeKey.der, then enroll a
           certificate and store it as joeCert.der. The challenge password is '5xH2pnT7wq'. The
           same CA certificate caCert.der is used both to encrypt the request and to verify the
           signature on the reply. (A 512-bit key as shown here is trivially factorable today; use
           the 2048-bit default or larger.)
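       The invocations above are the steps of one enrollment: fetch the CA certificate, then
       request a certificate encrypted to and verified against it. The script below ties them
       together and inserts the offline fingerprint check that the FEATURES section calls for
       between the two steps, since the CA certificate arrives over plain HTTP. It is an added
       example, not part of strongSwan or of this man page. The server URL defaults to the one
       used in the examples; PINNED_FP is a value you must obtain out of band (the script refuses
       to run without it); the output file names and the DN are placeholders; fingerprints are
       computed with openssl and dates with GNU date, neither of which scepclient documents.

```shell
#!/bin/sh
# Added example (not strongSwan code): SCEP enrollment with an out-of-band
# check of the CA certificate fingerprint before the CA certificate is used.
# Assumptions: openssl and GNU date are installed; SCEP_URL, CACERT and
# PINNED_FP are supplied by the operator (placeholders below).
set -eu

SCEP_URL="${SCEP_URL:-http://scepserver/cgi-bin/pkiclient.exe}"
CACERT="${CACERT:-caCert.der}"
# SHA-256 fingerprint of the CA certificate, obtained out of band. Must be set.
PINNED_FP="${PINNED_FP:-}"

# Normalise a fingerprint for comparison: drop any "SHA256 Fingerprint="
# prefix, colons and spaces, and upper-case the hex digits, so openssl output
# and a hand-typed value compare equal.
norm_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/[: ]//g' | tr 'a-f' 'A-F'
}

# Succeed only if both fingerprints are identical after normalisation.
fp_matches() {
    [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# SHA-256 fingerprint of a DER-encoded certificate file.
cert_fp_sha256() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256
}

# Format epoch seconds as YYMMDDHHMMSSZ in UTC, the form --startdate and
# --enddate expect. Note the two-digit year.
scep_utctime() {
    date -u -d "@$1" +%y%m%d%H%M%SZ
}

# notAfter for a notBefore (epoch seconds) plus N days; this is what
# scepclient computes itself when --days is given without --enddate.
enddate_from_days() {
    scep_utctime "$(( $1 + $2 * 86400 ))"
}

scep_enroll() {
    if [ -z "$PINNED_FP" ]; then
        echo "PINNED_FP is not set; obtain the CA fingerprint out of band first" >&2
        return 1
    fi

    # 1. Acquire the CA certificate. It arrives over plain HTTP, unauthenticated.
    ipsec scepclient --url "$SCEP_URL" --out cacert="$CACERT" --force

    # 2. Refuse to continue unless its fingerprint matches the pinned value.
    actual="$(cert_fp_sha256 "$CACERT")"
    if ! fp_matches "$actual" "$PINNED_FP"; then
        echo "CA certificate fingerprint mismatch: $actual" >&2
        rm -f "$CACERT"
        return 1
    fi

    # 3. Generate a key (2048-bit default), build the request and enroll.
    #    The verified CA certificate both encrypts the request and checks the
    #    signature on the reply. Poll every 10 s for at most 10 minutes while
    #    the request awaits approval; prompt for the challenge password.
    now="$(date +%s)"
    ipsec scepclient --url "$SCEP_URL" \
        --in cacert-enc="$CACERT" --in cacert-sig="$CACERT" \
        --out pkcs1=myKey.der --out cert=myCert.der \
        --dn "C=CH, O=Example, CN=$(hostname)" -s dns="$(hostname)" \
        --startdate "$(scep_utctime "$now")" \
        --enddate "$(enddate_from_days "$now" 1825)" \
        --interval 10 --maxpolltime 600 \
        --password %prompt
}

# Enroll only when asked, so the helpers can be sourced without network access.
if [ "${1:-}" = "enroll" ]; then
    scep_enroll
fi
```

       Run it as `PINNED_FP='AB:CD:...' sh enroll.sh enroll`. Deleting the CA certificate on a
       fingerprint mismatch matters because both --in cacert-enc and --in cacert-sig default to
       $CONFDIR/ipsec.d/cacerts/caCert.der: a stale or substituted file left in place would be
       picked up silently by the next enrollment.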

BUGS

       --optionsfrom seems to have parsing problems reading option files  containing  strings  in
       quotation marks.

COPYRIGHT

       Copyright (C) 2005 Jan Hutter, Martin Willi
       Hochschule fuer Technik Rapperswil

       This program is free software; you can redistribute it and/or modify it under the terms of
       the GNU General Public License as  published  by  the  Free  Software  Foundation;  either
       version   2   of   the   License,   or   (at   your   option)   any  later  version.   See
       <http://www.fsf.org/copyleft/gpl.txt>.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY  WARRANTY;
       without  even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
       See the GNU General Public License for more details.