303 lines
11 KiB
Groff
303 lines
11 KiB
Groff
.\"
|
|
.TH "IPSEC_SCEPCLIENT" "8" "2012-05-11" "strongSwan" ""
|
|
.SH "NAME"
|
|
ipsec scepclient \- Client for the SCEP protocol
|
|
.SH "SYNOPSIS"
|
|
.B ipsec scepclient [argument ...]
|
|
.sp
|
|
.B ipsec scepclient
|
|
.B \-\-help
|
|
.br
|
|
.B ipsec scepclient
|
|
.B \-\-version
|
|
.SH "DESCRIPTION"
|
|
.BR scepclient
|
|
is a client implementation of Cisco System's Simple Certificate Enrollment Protocol (SCEP) written for Linux strongSwan <http://www.strongswan.org>.
|
|
.BR scepclient
|
|
is designed to be used for certificate enrollment on machines using the OpenSource IPsec solution
|
|
.I strongSwan.
|
|
.SH "FEATURES"
|
|
.BR scepclient
|
|
implements the following features of SCEP:
|
|
.br
|
|
.IP "\-" 4
|
|
Automatic enrollment of client certificate using a preshared secret
|
|
.IP "\-" 4
|
|
Manual enrollment of client certificate. Offline fingerprint check required!
|
|
.IP "\-" 4
|
|
Acquisition of CA certificate(s)
|
|
.SH "OPTIONS"
|
|
.SS Basic Startup Options
|
|
.B \-v, \-\-version
|
|
.RS 4
|
|
Display the version of ipsec scepclient.
|
|
.PP
|
|
.RE
|
|
.B \-h, \-\-help
|
|
.RS 4
|
|
Display usage of ipsec scepclient.
|
|
.RE
|
|
|
|
.SS General Options
|
|
.B \-u, \-\-url \fIurl\fP
|
|
.RS 4
|
|
Full HTTP URL of the SCEP server to be used for certificate enrollment and CA certificate acquisition.
|
|
.RE
|
|
.PP
|
|
.B \-+, \-\-optionsfrom \fIfilename\fP
|
|
.RS 4
|
|
Reads additional options from \fIfilename\fP.
|
|
.RE
|
|
.PP
|
|
.B \-f, \-\-force
|
|
.RS 4
|
|
Overwrite existing output file[s].
|
|
.RE
|
|
.PP
|
|
.B \-q, \-\-quiet
|
|
.RS 4
|
|
Do not write log output to stderr.
|
|
.RE
|
|
|
|
.SS Options for CA Certificate Acquisition
|
|
.B \-o, \-\-out cacert[=\fIfilename\fP]
|
|
.RS 4
|
|
Output file of acquired CA certificate. If more then one CA certificate is
|
|
available, \fIfilename\fP is used as prefix for the resulting files (refer to
|
|
EXAMPLES below for details).
|
|
.br
|
|
The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
|
|
.RE
|
|
|
|
.SS Options For Certificate Enrollment
|
|
.B \-i, \-\-in \fItype\fP[=\fIfilename\fP]
|
|
.RS 4
|
|
Input file for certificate enrollment. This option can be specified multiple times to specify input files for every \fItype\fP.
|
|
Input files can be either DER or PEM encoded.
|
|
.PP
|
|
Supported values for \fItype\fP:
|
|
.IP "\fBpkcs1\fP" 12
|
|
RSA private key in PKCS#1 file format. If no input of this type is specified, a RSA key gets generated.
|
|
.br
|
|
The default \fIfilename\fP is $CONFDIR/ipsec.d/private/myKey.der.
|
|
.IP "\fBpkcs10\fP" 12
|
|
PKCS#10 certificate request to be used in the SCEP request. If no input of this type is specified, a request is generated.
|
|
.br
|
|
The default \fIfilename\fP is $CONFDIR/ipsec.d/req/myReq.der.
|
|
.IP "\fBcacert\-enc\fP" 12
|
|
CA certificate to encrypt the SCEP request. Has to be specified for certificate enrollment.
|
|
.br
|
|
The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
|
|
.IP "\fBcacert\-sig\fP" 12
|
|
CA certificate to check signature of SCEP reply. Has to be specified for certificate enrollment.
|
|
.br
|
|
The default \fIfilename\fP is $CONFDIR/ipsec.d/cacerts/caCert.der.
|
|
.IP "\fBcert-self\fP" 12
|
|
Certificate to be used in the SCEP request. If it is not specified a
|
|
self-signed certificate is generated automatically.
|
|
.br
|
|
The default \fIfilename\fP is $CONFDIR/ipsec.d/certs/selfCert.der.
|
|
.RE
|
|
.PP
|
|
.B \-k, \-\-keylength \fIbits\fP
|
|
.RS 4
|
|
sets the key length for RSA key generation. The default length for a generated rsa key is set to 2048 bit.
|
|
.RE
|
|
.PP
|
|
.B \-D, \-\-days \fIdays\fP
|
|
.RS 4
|
|
Validity of the self-signed X.509 certificate in days. The default is 1825 days (5 years).
|
|
.RE
|
|
.PP
|
|
.B \-S, \-\-startdate \fIYYMMDDHHMMSS\fPZ
|
|
.RS 4
|
|
defines the \fBnotBefore\fP date when the X.509 certificate becomes valid.
|
|
The date has the format \fIYYMMDDHHMMSS\fP and must be specified in UTC (Zulu time).
|
|
If the \fB--startdate\fP option is not specified then the current date is taken as a default.
|
|
.RE
|
|
.PP
|
|
.B \-E, \-\-enddate \fIYYMMDDHHMMSS\fPZ
|
|
.RS 4
|
|
defines the \fBnotAfter\fP date when the X.509 certificate will expire.
|
|
The date has the format \fIYYMMDDHHMMSS\fP and must be specified in UTC (Zulu time).
|
|
If the \fB--enddate\fP option is not specified then the default \fBnotAfter\fP value is computed by
|
|
adding the validity interval specified by the \fB--days\fP option to the \fBnotBefore\fP date.
|
|
.RE
|
|
.PP
|
|
.B \-d, \-\-dn \fIdn\fP
|
|
.RS 4
|
|
Distinguished name as comma separated list of relative distinguished names. Use quotation marks for a distinguished name containing spaces. If the \fB\-\-dn\fP parameter is missing then the default "C=CH, O=Linux strongSwan, CN=\fIhostname\fP"
|
|
is used with \fIhostname\fP being the return value of the \fIgethostname\fP() function.
|
|
.RE
|
|
.PP
|
|
.B \-s, \-\-subjectAltName \fItype\fP=\fIvalue\fP
|
|
.RS 4
|
|
Include subjectAltName in certificate request. This option can be specified multiple times to specify a subjectAltName
|
|
for every \fItype\fP.
|
|
.PP
|
|
Supported values for \fItype\fP:
|
|
.IP "\fBemail\fP" 12
|
|
subjectAltName is a email address.
|
|
.IP "\fBdns\fP" 12
|
|
subjectAltName is a hostname.
|
|
.IP "\fBip\fP" 12
|
|
subjectAltName is a IP address.
|
|
.RE
|
|
.PP
|
|
.B \-p, \-\-password \fIpw\fP
|
|
.RS 4
|
|
Password to be included as a \fIchallenge password\fP in SCEP request.
|
|
If \fIpw\fP is \fB%prompt\fP', the password gets prompted for on the command line.
|
|
.IP
|
|
\- In automatic mode, this password corresponds to the preshared secret for the given enrollment.
|
|
.IP
|
|
\- In manual mode, this password can be used to later revoke the corresponding certificate.
|
|
.RE
|
|
.PP
|
|
.B \-a, \-\-algorithm [\fItype\fP=]\fIalgo\fP
|
|
.RS 4
|
|
Change the algorithms to be used when generating and transporting (PKCS#7)
|
|
certificate requests (PKCS#10).
|
|
.PP
|
|
Supported values for \fItype\fP:
|
|
.IP "\fBenc\fP" 12
|
|
symmetric encryption algorithm in PKCS#7
|
|
.IP "\fBdgst\fP" 12
|
|
hash algorithm for message digest in PKCS#7
|
|
.IP "\fBsig\fP" 12
|
|
hash algorithm for the signature in PKCS#10
|
|
.PP
|
|
If \fItype\fP is not specified \fBenc\fP is assumed.
|
|
.PP
|
|
Supported values for \fIalgo\fP (\fBenc\fP):
|
|
.IP "\fBdes\fP" 12
|
|
DES-CBC encryption (key size = 56 bit). Default.
|
|
.IP "\fB3des\fP" 12
|
|
Triple DES-EDE-CBC encryption (key size = 168 bit).
|
|
.IP "\fBaes128\fP" 12
|
|
AES-CBC encryption (key size = 128 bit).
|
|
.IP "\fBaes192\fP" 12
|
|
AES-CBC encryption (key size = 192 bit).
|
|
.IP "\fBaes256\fP" 12
|
|
AES-CBC encryption (key size = 256 bit).
|
|
.IP "\fBcamellia128\fP" 12
|
|
Camellia-CBC encryption (key size = 128 bit).
|
|
.IP "\fBcamellia192\fP" 12
|
|
Camelllia-CBC encryption (key size = 192 bit).
|
|
.IP "\fBcamellia256\fP" 12
|
|
Camellia-CBC encryption (key size = 256 bit).
|
|
.PP
|
|
Supported values for \fIalgo\fP (\fBdgst\fP or \fBsig\fP):
|
|
.PP
|
|
\fBmd5\fP (default), \fBsha1\fP, \fBsha256\fP, \fBsha384\fP, \fBsha512\fP
|
|
.RE
|
|
.PP
|
|
.B \-o, \-\-out \fItype\fP[=\fIfilename\fP]
|
|
.RS 4
|
|
Output file for certificate enrollment. This option can be specified multiple times to specify output files for every \fItype\fP.
|
|
.PP
|
|
Supported values for \fItype\fP:
|
|
.IP "\fBpkcs1\fP" 12
|
|
RSA private key in PKCS#1 file format. If specified, the RSA key used for enrollment is stored in file \fIfilename\fP.
|
|
If none of the \fItypes\fP listed below are specified, \fBscepclient\fP will stop after outputting this file.
|
|
.br
|
|
The default \fIfilename\fP is $CONFDIR/ipsec.d/private/myKey.der.
|
|
.IP "\fBpkcs10\fP" 12
|
|
PKCS#10 certificate request. If specified, the PKCS#10 request used or certificate enrollment is stored in file \fIfilename\fP.
|
|
If none of the \fItypes\fP listed below are specified, \fBscepclient\fP will stop after outputting this file.
|
|
.br
|
|
The default \fIfilename\fP is $CONFDIR/ipsec.d/req/myReq.der.
|
|
.IP "\fBpkcs7\fP" 12
|
|
PKCS#7 SCEP request as it is sent using HTTP to the SCEP server. If specified, this SCEP request is stored in file \fIfilename\fP.
|
|
If none of \fItypes\fP listed below is not specified, \fBscepclient\fP will stop after outputting this file.
|
|
.br
|
|
The default \fIfilename\fP is $CONFDIR/ipsec.d/req/pkcs7.der.
|
|
.IP "\fBcert-self\fP" 12
|
|
Self-signed certificate. If specified the self-signed certificate is stored in file \fIfilename\fP.
|
|
.br
|
|
The default \fIfilename\fP is $CONFDIR/ipsec.d/certs/selfCert.der.
|
|
.IP "\fBcert\fP" 12
|
|
Enrolled certificate. This \fItype\fP must be specified for certificate enrollment.
|
|
The enrolled certificate is stored in file \fIfilename\fP.
|
|
.br
|
|
The default \fIfilename\fP is set to $CONFDIR/ipsec.d/certs/myCert.der.
|
|
.RE
|
|
.PP
|
|
.B \-m, \-\-method \fImethod\fP
|
|
.RS 4
|
|
Change HTTP request method for certificate enrollment. Default is \fBget\fP.
|
|
.PP
|
|
Supported values for \fImethod\fP:
|
|
.IP "\fBpost\fP" 12
|
|
Certificate enrollment using HTTP POST. Must be supported by the given SCEP server.
|
|
.IP "\fBget\fP" 12
|
|
Certificate enrollment using HTTP GET.
|
|
.RE
|
|
.PP
|
|
.B \-t, \-\-interval \fIseconds\fP
|
|
.RS 4
|
|
Set interval time in seconds when polling in manual mode.
|
|
The default interval is set to 5 seconds.
|
|
.RE
|
|
.PP
|
|
.B \-x, \-\-maxpolltime \fIseconds\fP
|
|
.RS 4
|
|
Set max time in seconds to poll in manual mode.
|
|
The default max time is set to unlimited.
|
|
.RE
|
|
|
|
.SS Debugging Output Options:
|
|
.B \-l, \-\-debug \fIlevel\fP
|
|
.RS 4
|
|
Changes the log level (-1..4, default: 1)
|
|
.RE
|
|
.SH "EXAMPLES"
|
|
.B ipsec scepclient \-\-out caCert \-\-url http://scepserver/cgi\-bin/pkiclient.exe \-f
|
|
.RS 4
|
|
Acquire CA certificate from SCEP server and store it in the default file $CONFDIR/ipsec.d/cacerts/caCert.der.
|
|
If more then one CA certificate is returned, store them in files named
|
|
\'caCert\-1.der\', \'caCert\-2.der\', etc.
|
|
If an RA certificate is returned, store it in a file named \'caCert\-ra.der\'.
|
|
If more than one RA certificate is returned, store them in files named
|
|
\'caCert\-ra\-1.der\', \'caCert\-ra\-2.der\', etc.
|
|
.RE
|
|
.PP
|
|
.B ipsec scepclient \-\-out pkcs1=joeKey.der \-k 1024
|
|
.RS 4
|
|
Generate RSA private key with key length of 1024 bit and store it in file joeKey.der.
|
|
.RE
|
|
.PP
|
|
.B ipsec scepclient \-\-in pkcs1=joeKey.der \-\-out pkcs10=joeReq.der \e
|
|
.br
|
|
.B \-\-dn \*(rqC=AT, CN=John Doe\*(rq \-s email=john@doe.com \-p mypassword
|
|
.RS 4
|
|
Generate a PKCS#10 request and store it in file joeReq.der. Use the RSA private key joeKey.der
|
|
created earlier to sign the PKCS#10\-Request. In addition to the distinguished name include a
|
|
email\-subjectAltName and a challenge password in the request.
|
|
.RE
|
|
.PP
|
|
.B ipsec scepclient \-\-out pkcs1=joeKey.der \-\-out cert==joeCert.der \e
|
|
.br
|
|
.B \-\-dn \*(rqC=CH, CN=John Doe\*(rq \-k 512 \-p 5xH2pnT7wq \e
|
|
.br
|
|
.B \-\-url http://scep.hsr.ch/cgi\-bin/pkiclient.exe \e
|
|
.br
|
|
.B \-\-in cacert\-enc=caCert.der \-\-in cacert\-sig=caCert.der
|
|
.RS 4
|
|
Generate a new RSA key for the request and store it in joeKey.der. Then enroll a certificate and store as joeCert.der.
|
|
The challenge password is '5xH2pnT7wq'. The encryption and signature check has to be made with the same CA certificate
|
|
caCert.der.
|
|
.RE
|
|
|
|
|
|
.SH "BUGS"
|
|
\fB\-\-optionsfrom\fP seems to have parsing problems reading option files containing strings in quotation marks.
|
|
.SH "COPYRIGHT"
|
|
Copyright (C) 2005 Jan Hutter, Martin Willi
|
|
.br
|
|
Hochschule fuer Technik Rapperswil
|
|
.PP
|
|
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
.PP
|
|
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|