Provided by: strongswan-scepclient_5.9.5-2ubuntu2.3_amd64 bug

NAME

       ipsec_scepclient - Client for the SCEP protocol

SYNOPSIS

       ipsec scepclient [argument ...]

       ipsec scepclient --help
       ipsec scepclient --version

DESCRIPTION

       scepclient  is  a  client  implementation  of Cisco System's Simple Certificate Enrollment
       Protocol (SCEP) written for Linux strongSwan <http://www.strongswan.org>.   scepclient  is
       designed  to  be  used  for  certificate enrollment on machines using the OpenSource IPsec
       solution strongSwan.

FEATURES

       scepclient implements the following features of SCEP:

       -   Automatic enrollment of client certificate using a preshared secret

       -   Manual enrollment of client certificate. Offline fingerprint check required!

       -   Acquisition of CA certificate(s)

OPTIONS

   Basic Startup Options
       -v, --version
           Display the version of ipsec scepclient.

       -h, --help
           Display usage of ipsec scepclient.

   General Options
       -u, --url url
           Full HTTP URL of the SCEP  server  to  be  used  for  certificate  enrollment  and  CA
           certificate acquisition.

       -+, --optionsfrom filename
           Reads additional options from filename.

       -f, --force
           Overwrite existing output file[s].

       -q, --quiet
           Do not write log output to stderr.

   Options for CA Certificate Acquisition
       -o, --out cacert[=filename]
           Output  file of acquired CA certificate. If more then one CA certificate is available,
           filename is used as prefix for the  resulting  files  (refer  to  EXAMPLES  below  for
           details).
           The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.

   Options For Certificate Enrollment
       -i, --in type[=filename]
           Input  file for certificate enrollment. This option can be specified multiple times to
           specify input files for every type.  Input files can be either DER or PEM encoded.

           Supported values for type:

           pkcs1       RSA private key in PKCS#1 file  format.  If  no  input  of  this  type  is
                       specified, a RSA key gets generated.
                       The default filename is $CONFDIR/ipsec.d/private/myKey.der.

           pkcs10      PKCS#10 certificate request to be used in the SCEP request. If no input of
                       this type is specified, a request is generated.
                       The default filename is $CONFDIR/ipsec.d/req/myReq.der.

           cacert-enc  CA certificate to encrypt the  SCEP  request.  Has  to  be  specified  for
                       certificate enrollment.
                       The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.

           cacert-sig  CA  certificate  to check signature of SCEP reply. Has to be specified for
                       certificate enrollment.
                       The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.

           cert-self   Certificate to be used in the SCEP request.  If  it  is  not  specified  a
                       self-signed certificate is generated automatically.
                       The default filename is $CONFDIR/ipsec.d/certs/selfCert.der.

       -k, --keylength bits
           sets the key length for RSA key generation. The default length for a generated rsa key
           is set to 2048 bit.

       -D, --days days
           Validity of the self-signed X.509 certificate in days. The default  is  1825  days  (5
           years).

       -S, --startdate YYMMDDHHMMSSZ
           defines  the notBefore date when the X.509 certificate  becomes  valid.  The  date has
           the format YYMMDDHHMMSS and  must be specified in UTC (Zulu time).  If the --startdate
           option is not specified then the current date is taken as a default.

       -E, --enddate YYMMDDHHMMSSZ
           defines  the  notAfter  date when the X.509 certificate will expire.  The date has the
           format YYMMDDHHMMSS and must be specified in UTC (Zulu time).  If the --enddate option
           is  not  specified  then the default notAfter value is computed by adding the validity
           interval specified by the --days option to the notBefore date.

       -d, --dn dn
           Distinguished name as comma  separated  list  of  relative  distinguished  names.  Use
           quotation  marks  for a distinguished name containing spaces. If the --dn parameter is
           missing then the default "C=CH, O=Linux strongSwan, CN=hostname" is used with hostname
           being the return value of the gethostname() function.

       -s, --subjectAltName type=value
           Include  subjectAltName  in certificate request. This option can be specified multiple
           times to specify a subjectAltName for every type.

           Supported values for type:

           email       subjectAltName is a email address.

           dns         subjectAltName is a hostname.

           ip          subjectAltName is a IP address.

       -p, --password pw
           Password to be included as a challenge password in SCEP request.  If pw  is  %prompt',
           the password gets prompted for on the command line.

                  -  In automatic mode, this password corresponds to the preshared secret for the
                  given enrollment.

                  - In manual mode, this password can be used to later revoke  the  corresponding
                  certificate.

       -a, --algorithm [type=]algo
           Change the algorithms to be used when generating and transporting (PKCS#7) certificate
           requests (PKCS#10).

           Supported values for type:

           enc         symmetric encryption algorithm in PKCS#7

           dgst        hash algorithm for message digest in PKCS#7

           sig         hash algorithm for the signature in PKCS#10

           If type is not specified enc is assumed.

           Supported values for algo (enc):

           des         DES-CBC encryption (key size = 56 bit). Default.

           3des        Triple DES-EDE-CBC encryption (key size = 168 bit).

           aes128      AES-CBC encryption (key size = 128 bit).

           aes192      AES-CBC encryption (key size = 192 bit).

           aes256      AES-CBC encryption (key size = 256 bit).

           camellia128 Camellia-CBC encryption (key size = 128 bit).

           camellia192 Camellia-CBC encryption (key size = 192 bit).

           camellia256 Camellia-CBC encryption (key size = 256 bit).

           Supported values for algo (dgst or sig):

           md5 (default), sha1, sha256, sha384, sha512

       -o, --out type[=filename]
           Output file for certificate enrollment. This option can be specified multiple times to
           specify output files for every type.

           Supported values for type:

           pkcs1       RSA  private key in PKCS#1 file format. If specified, the RSA key used for
                       enrollment is stored in file filename.  If none of the types listed  below
                       are specified, scepclient will stop after outputting this file.
                       The default filename is $CONFDIR/ipsec.d/private/myKey.der.

           pkcs10      PKCS#10  certificate  request.  If  specified, the PKCS#10 request used or
                       certificate enrollment is stored in file filename.  If none of  the  types
                       listed  below  are  specified,  scepclient will stop after outputting this
                       file.
                       The default filename is $CONFDIR/ipsec.d/req/myReq.der.

           pkcs7       PKCS#7 SCEP request as it is sent  using  HTTP  to  the  SCEP  server.  If
                       specified, this SCEP request is stored in file filename.  If none of types
                       listed below is not specified, scepclient will stop after outputting  this
                       file.
                       The default filename is $CONFDIR/ipsec.d/req/pkcs7.der.

           cert-self   Self-signed  certificate.  If  specified  the  self-signed  certificate is
                       stored in file filename.
                       The default filename is $CONFDIR/ipsec.d/certs/selfCert.der.

           cert        Enrolled  certificate.  This  type  must  be  specified  for   certificate
                       enrollment.  The enrolled certificate is stored in file filename.
                       The default filename is set to $CONFDIR/ipsec.d/certs/myCert.der.

       -m, --method method
           Change HTTP request method for certificate enrollment. Default is get.

           Supported values for method:

           post        Certificate  enrollment  using  HTTP  POST. Must be supported by the given
                       SCEP server.

           get         Certificate enrollment using HTTP GET.

       -t, --interval seconds
           Set interval time in seconds when polling in manual mode.  The default interval is set
           to 5 seconds.

       -x, --maxpolltime seconds
           Set  max  time  in  seconds  to  poll  in manual mode.  The default max time is set to
           unlimited.

   Debugging Output Options:
       -l, --debug level
           Changes the log level (-1..4, default: 1)

EXAMPLES

       ipsec scepclient --out caCert --url http://scepserver/cgi-bin/pkiclient.exe -f
           Acquire  CA  certificate  from  SCEP  server  and  store  it  in  the   default   file
           $CONFDIR/ipsec.d/cacerts/caCert.der.   If  more  then  one CA certificate is returned,
           store them in files named ´caCert-1.der´, ´caCert-2.der´, etc.  If an  RA  certificate
           is  returned,  store  it  in  a  file  named  ´caCert-ra.der´.   If  more  than one RA
           certificate   is   returned,   store   them   in   files   named    ´caCert-ra-1.der´,
           ´caCert-ra-2.der´, etc.

       ipsec scepclient --out pkcs1=joeKey.der -k 1024
           Generate RSA private key with key length of 1024 bit and store it in file joeKey.der.

       ipsec scepclient --in pkcs1=joeKey.der --out pkcs10=joeReq.der \
       --dn ”C=AT, CN=John Doe” -s email=john@doe.com -p mypassword
           Generate  a  PKCS#10  request and store it in file joeReq.der. Use the RSA private key
           joeKey.der  created  earlier  to  sign  the  PKCS#10-Request.  In  addition   to   the
           distinguished  name  include  a  email-subjectAltName  and a challenge password in the
           request.

       ipsec scepclient --out pkcs1=joeKey.der --out cert==joeCert.der \
       --dn ”C=CH, CN=John Doe” -k 512 -p 5xH2pnT7wq \
       --url http://scep.hsr.ch/cgi-bin/pkiclient.exe \
       --in cacert-enc=caCert.der --in cacert-sig=caCert.der
           Generate a new RSA key for the request and store  it  in  joeKey.der.  Then  enroll  a
           certificate  and  store  as  joeCert.der.  The challenge password is '5xH2pnT7wq'. The
           encryption and signature check has to be made with the same CA certificate caCert.der.

BUGS

       --optionsfrom seems to have parsing problems reading option files  containing  strings  in
       quotation marks.