pki --scep
Synopsis
pki --scep --url url [--in file] [--dn distinguished-name] [--san subjectAltName]+ [--profile profile] [--password password] --cacert-enc file --cacert-sig file [--cacert file]+ [--cert file --key file] [--cipher aes|des3] [--digest sha256|sha384|sha512|sha224|sha1] [--rsa-padding pss|pkcs1] [--interval time] [--maxpolltime time] [--outform der|pem]

pki --scep --help
Description
This pki subcommand sends a PKCS#10 certificate request, wrapped in an encrypted and signed PKCS#7 container, via HTTP to a SCEP server using the Simple Certificate Enrollment Protocol (RFC 8894). With manual authentication the request is granted only after an operator has authorized it on the CA or RA, so the enrollment client has to poll the SCEP server periodically until the X.509 certificate signed by the CA is returned.

Before the current certificate expires, a new client certificate based on a fresh RSA private key can be requested; the old certificate and the old key are then used for automatic authentication of the renewal request with the SCEP server, so no manual authorization is needed.

SCEP protects the exchange with the PKCS#7 wrapping rather than with the transport, which is why the server URL is usually plain http://. The authenticity of the server's replies therefore rests entirely on the certificates given with --cacert-sig and --cacert, which must be obtained and checked out of band, and --cacert-enc must be the certificate of the RA or CA that is meant to decrypt the request.

Supported since strongSwan version 5.9.8.
Options
--help
    Prints usage information and a short summary of the available options
--debug level
    Set debug level, default:
--options file
    Read command line options from file
--url url
    URL of the SCEP server. According to RFC 8894, the URL should be of the form
--in file
    RSA private key. If not given, the key is read from
--dn distinguished-name
    Subject distinguished name (DN). Required unless
--san subjectAltName
    subjectAltName to be included in the certificate request. Can be used multiple times
--profile profile
    Certificate profile name to be included in the certificate request. Can be any UTF8 string. Supported e.g. by the
--password password
    The challengePassword to be included in the certificate request
--cacert-enc file
    CA or RA certificate for encryption
--cacert-sig file
    CA certificate for signature verification
--cacert file
    Additional CA certificate in the trust chain used for signature verification. Can be used multiple times
--cert file
    Client certificate to be renewed
--key file
    Client RSA private key to be replaced
--cipher aes|des3
    Cipher used for symmetric encryption. Either aes or des3; des3 is only useful for interoperability with legacy servers
--digest sha256|sha384|sha512|sha224|sha1
    Digest to use for signature creation. One of sha256, sha384, sha512, sha224 or sha1; sha1 is only useful for interoperability with legacy servers
--rsa-padding pss|pkcs1
    Padding to use for RSA signatures. Either pss or pkcs1; not every SCEP server accepts PSS signatures
--interval time
    Poll interval in seconds, defaults to 60
--maxpolltime time
    Maximum poll time in seconds, defaults to unlimited polling (the "polling indefinitely" message in the example output below)
--outform der|pem
    Encoding of the created certificate file. Either der or pem
Examples
- To save some typing work the following command line options are stored in a scep.opt file:

--url http://pki.strongswan.org:8080/scep
--cacert-enc myra.crt
--cacert-sig myca-1.crt
--cacert myca.crt

- With the following command, an X.509 certificate signed by the intermediate CA is requested from a SCEP server:

pki --options scep.opt --in moonKey.der --san "moon.strongswan.org" --dn "C=CH, O=strongSwan Project, CN=moon.strongswan.org" > moonCert.der

transaction ID: 4DFCF31CB18A9B5333CCEC6F99CF230E4524E334
using certificate "C=CH, O=strongSwan Project, CN=SCEP RA"
using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
reached self-signed root ca with a path length of 1
SCEP request pending, polling indefinitely every 60 seconds
going to sleep for 60 seconds
transaction ID: 4DFCF31CB18A9B5333CCEC6F99CF230E4524E334
...
going to sleep for 60 seconds
Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
serial: 1e:ff:22:7b:6e:d7:4c:c1:8a:06
using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
reached self-signed root ca with a path length of 1
Issued certificate is trusted, valid from Aug 22 18:56:23 2022 until Aug 22 18:56:23 2023 (currently valid)

- A certificate about to expire can be renewed with the command:

pki --options scep.opt --in moonNewKey.der --san "moon.strongswan.org" --dn "C=CH, O=strongSwan Project, CN=moon.strongswan.org" --cert moonCert.der --key moonKey.der > moonNewCert.der

transaction ID: A9A63D028CC439F68452D125C4DBA025E67DBA95
using certificate "C=CH, O=strongSwan Project, CN=SCEP RA"
using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
reached self-signed root ca with a path length of 1
Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
serial: 1f:ff:b2:78:43:a2:9d:85:00:38
using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
reached self-signed root ca with a path length of 1
Issued certificate is trusted, valid from Jul 20 15:05:33 2023 until Jul 20 15:05:33 2024 (currently valid)
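The enrollment and renewal steps above, scripted end to end so that a host keeps a valid certificate without an operator watching expiry dates. This is an added example, not a script from the strongSwan project. It assumes the scep.opt file from the examples (so pki --options scep.opt ... selects the SCEP subcommand exactly as the examples do), the CA files myca.crt and myca-1.crt in the working directory, and openssl plus GNU date for reading the certificate's notAfter time. The renewal_due helper, the 30-day lead time and the file naming are this example's own choices.

```shell
#!/bin/sh
# Added example (not strongSwan code): enroll a host certificate with
# pki --scep, verify the result against the CA chain, and renew it with a
# fresh RSA key before it expires. Assumes scep.opt from the examples above,
# myca.crt and myca-1.crt in the working directory, openssl and GNU date.
set -eu
umask 077                                   # private keys are created 0600

SCEP_OPTS=${SCEP_OPTS:-scep.opt}
CA_CHAIN="--cacert myca.crt --cacert myca-1.crt"   # root and issuing CA
LEAD_DAYS=${LEAD_DAYS:-30}                  # renew this many days before expiry

# Pure decision helper (testable without a CA): exit 0 when fewer than $3 days
# remain between now ($2) and notAfter ($1), both in seconds since the epoch.
# An already expired certificate is always due, whatever the lead time.
renewal_due() {
    not_after=$1; now=$2; lead_days=$3
    [ "$not_after" -le "$now" ] && return 0
    remaining=$(( (not_after - now) / 86400 ))
    [ "$remaining" -lt "$lead_days" ]
}

# notAfter of a DER certificate as seconds since the epoch.
cert_not_after() {
    end=$(openssl x509 -inform DER -in "$1" -noout -enddate | sed 's/^notAfter=//')
    date -u -d "$end" +%s
}

# Initial enrollment: fresh RSA key, request carrying the SAN and DN.
# With manual authentication the RA side approves the request, so pki --scep
# polls until the certificate is issued. The explicit pki --verify makes the
# chain check independent of the "Issued certificate is trusted" message.
enroll() {
    host=$1; key=$2; cert=$3
    pki --gen --type rsa --size 3072 --outform der > "$key"
    pki --options "$SCEP_OPTS" --in "$key" --san "$host" \
        --dn "C=CH, O=strongSwan Project, CN=$host" > "$cert"
    pki --verify --in "$cert" $CA_CHAIN
}

# Renewal: new key, request authenticated with the old certificate and key
# (--cert/--key), then swap the files only after the new chain verifies, so a
# rejected or tampered reply never replaces a still valid credential.
renew() {
    host=$1; key=$2; cert=$3
    pki --gen --type rsa --size 3072 --outform der > "$key.new"
    pki --options "$SCEP_OPTS" --in "$key.new" --san "$host" \
        --dn "C=CH, O=strongSwan Project, CN=$host" \
        --cert "$cert" --key "$key" > "$cert.new"
    pki --verify --in "$cert.new" $CA_CHAIN
    mv "$key.new" "$key"
    mv "$cert.new" "$cert"
}

# Enroll if no certificate exists, otherwise renew only when due.
# Suitable for a daily cron job.
maintain() {
    host=$1; key=$2; cert=$3
    if [ ! -f "$cert" ]; then
        enroll "$host" "$key" "$cert"
    elif renewal_due "$(cert_not_after "$cert")" "$(date -u +%s)" "$LEAD_DAYS"; then
        renew "$host" "$key" "$cert"
    fi
}

# Usage: ./scep-maintain.sh moon.strongswan.org moonKey.der moonCert.der
if [ $# -eq 3 ]; then
    maintain "$@"
fi
```

Run it once by hand to go through the manual authorization and polling phase, then from cron; every later run either does nothing or performs the automatically authenticated renewal with a new key, which is the point of the --cert/--key options. Keep LEAD_DAYS larger than the longest time an operator might need to notice a failed renewal.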