-i, --in type[=filename]
    Input file for certificate enrollment. This option can be specified
    multiple times to specify an input file for every type. Input files
    can be either DER or PEM encoded.
    Supported values for type:
    - pkcs1: RSA private key in PKCS#1 file format. If no input of this
      type is specified, an RSA key gets generated.
      The default filename is $CONFDIR/ipsec.d/private/myKey.der.
    - pkcs10: PKCS#10 certificate request to be used in the SCEP request.
      If no input of this type is specified, a request is generated.
      The default filename is $CONFDIR/ipsec.d/req/myReq.der.
    - cacert-enc: CA certificate used to encrypt the SCEP request. Has to
      be specified for certificate enrollment.
      The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.
    - cacert-sig: CA certificate used to check the signature of the SCEP
      reply. Has to be specified for certificate enrollment.
      The default filename is $CONFDIR/ipsec.d/cacerts/caCert.der.
    - cert-self: Certificate to be used in the SCEP request. If it is not
      specified, a self-signed certificate is generated automatically.
      The default filename is $CONFDIR/ipsec.d/certs/selfCert.der.
-k, --keylength bits
    Sets the key length for RSA key generation. The default length for a
    generated RSA key is 2048 bit.
-D, --days days
    Validity of the self-signed X.509 certificate in days. The default is
    1825 days (5 years).
-S, --startdate YYMMDDHHMMSSZ
    Defines the notBefore date from which the X.509 certificate is valid.
    The date has the format YYMMDDHHMMSS and must be specified in UTC
    (Zulu time). If the --startdate option is not specified, the current
    date is taken as the default.
-E, --enddate YYMMDDHHMMSSZ
    Defines the notAfter date at which the X.509 certificate expires. The
    date has the format YYMMDDHHMMSS and must be specified in UTC (Zulu
    time). If the --enddate option is not specified, the default notAfter
    value is computed by adding the validity interval given by the --days
    option to the notBefore date.
-d, --dn dn
    Distinguished name as a comma-separated list of relative distinguished
    names. Use quotation marks for a distinguished name containing spaces.
    If the --dn parameter is missing, the default "C=CH, O=Linux strongSwan,
    CN=hostname" is used, with hostname being the return value of the
    gethostname() function.
-s, --subjectAltName type=value
    Include a subjectAltName in the certificate request. This option can be
    specified multiple times to specify a subjectAltName for every type.
    Supported values for type:
    - email: subjectAltName is an email address.
    - dns: subjectAltName is a hostname.
    - ip: subjectAltName is an IP address.
-p, --password pw
    Password to be included as a challenge password in the SCEP request.
    If pw is %prompt, the password is prompted for on the command line.
    - In automatic mode, this password corresponds to the preshared secret
      for the given enrollment.
    - In manual mode, this password can be used to later revoke the
      corresponding certificate.
-a, --algorithm [type=]algo
    Change the algorithms to be used when generating and transporting
    (PKCS#7) certificate requests (PKCS#10).
    Supported values for type:
    - enc: symmetric encryption algorithm in PKCS#7
    - dgst: hash algorithm for the message digest in PKCS#7
    - sig: hash algorithm for the signature in PKCS#10
    If type is not specified, enc is assumed.
    Supported values for algo (enc):
    - des: DES-CBC encryption (key size = 56 bit). Default.
    - 3des: Triple DES-EDE-CBC encryption (key size = 168 bit).
    - aes128: AES-CBC encryption (key size = 128 bit).
    - aes192: AES-CBC encryption (key size = 192 bit).
    - aes256: AES-CBC encryption (key size = 256 bit).
    - camellia128: Camellia-CBC encryption (key size = 128 bit).
    - camellia192: Camellia-CBC encryption (key size = 192 bit).
    - camellia256: Camellia-CBC encryption (key size = 256 bit).
    Supported values for algo (dgst or sig):
    md5 (default), sha1, sha256, sha384, sha512
-o, --out type[=filename]
    Output file for certificate enrollment. This option can be specified
    multiple times to specify an output file for every type.
    Supported values for type:
    - pkcs1: RSA private key in PKCS#1 file format. If specified, the RSA
      key used for enrollment is stored in file filename. If none of the
      types listed below are specified, scepclient will stop after
      outputting this file.
      The default filename is $CONFDIR/ipsec.d/private/myKey.der.
    - pkcs10: PKCS#10 certificate request. If specified, the PKCS#10
      request used for certificate enrollment is stored in file filename.
      If none of the types listed below are specified, scepclient will
      stop after outputting this file.
      The default filename is $CONFDIR/ipsec.d/req/myReq.der.
    - pkcs7: PKCS#7 SCEP request as it is sent over HTTP to the SCEP
      server. If specified, this SCEP request is stored in file filename.
      If none of the types listed below are specified, scepclient will
      stop after outputting this file.
      The default filename is $CONFDIR/ipsec.d/req/pkcs7.der.
    - cert-self: Self-signed certificate. If specified, the self-signed
      certificate is stored in file filename.
      The default filename is $CONFDIR/ipsec.d/certs/selfCert.der.
    - cert: Enrolled certificate. This type must be specified for
      certificate enrollment. The enrolled certificate is stored in file
      filename.
      The default filename is $CONFDIR/ipsec.d/certs/myCert.der.
-m, --method method
    Change the HTTP request method for certificate enrollment. Default is
    get.
    Supported values for method:
    - post: Certificate enrollment using HTTP POST. Must be supported by
      the given SCEP server.
    - get: Certificate enrollment using HTTP GET.
-t, --interval seconds
    Set the interval time in seconds when polling in manual mode. The
    default interval is 5 seconds.
-x, --maxpolltime seconds
    Set the maximum time in seconds to poll in manual mode. The default
    maximum time is unlimited.
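The options above combine into one enrollment invocation, and the documented defaults (DES-CBC with a 56-bit key for enc, MD5 for dgst and sig) are the values a practitioner most wants to override. As an added example, not code from strongSwan or the scepclient man page, the function below assembles an argument vector for a full enrollment using the -i, -o, -k, -d, -s, -a and -m options as described here, validates the subjectAltName types and algorithm names against the supported sets listed in this text, and refuses the weak algorithms unless explicitly allowed. The `-u`/`--url` option for the SCEP server is taken from the full scepclient man page and is not described in this excerpt; the `scepclient` binary is assumed to be on PATH; function names and the "weak" set are my own policy choices.

```python
import ipaddress
import shlex
from typing import List, Optional, Sequence, Tuple

# Value sets as documented for -s, -a enc and -a dgst/sig.
SAN_TYPES = {"email", "dns", "ip"}
ENC_ALGOS = {"des", "3des", "aes128", "aes192", "aes256",
             "camellia128", "camellia192", "camellia256"}
DIGEST_ALGOS = {"md5", "sha1", "sha256", "sha384", "sha512"}
# Own policy: the documented defaults (56-bit DES, MD5) and their ageing peers.
WEAK_ALGOS = {"des", "3des", "md5", "sha1"}


def validate_san(san_type: str, value: str) -> str:
    """Return a 'type=value' token for -s, rejecting unsupported or malformed SANs."""
    if san_type not in SAN_TYPES:
        raise ValueError(f"unsupported subjectAltName type {san_type!r}")
    if san_type == "ip":
        ipaddress.ip_address(value)  # raises ValueError on a non-IP string
    elif san_type == "email" and "@" not in value:
        raise ValueError(f"not an email address: {value!r}")
    elif san_type == "dns" and (not value or " " in value):
        raise ValueError(f"not a hostname: {value!r}")
    return f"{san_type}={value}"


def build_scepclient_argv(url: str, cacert: str, out_cert: str,
                          dn: Optional[str] = None,
                          sans: Sequence[Tuple[str, str]] = (),
                          keylength: int = 2048,
                          enc: str = "aes256", dgst: str = "sha256",
                          sig: str = "sha256", method: str = "post",
                          password: Optional[str] = None,
                          allow_weak: bool = False) -> List[str]:
    """Assemble an scepclient enrollment command as an argv list.

    cacert is used for both cacert-enc and cacert-sig (both are required for
    enrollment); out_cert receives the enrolled certificate (-o cert, also
    required). No shell is involved, so a dn containing spaces needs no quotes
    here; use to_shell_line() if the command is to be pasted into a shell.
    """
    for name, value, allowed in (("enc", enc, ENC_ALGOS),
                                 ("dgst", dgst, DIGEST_ALGOS),
                                 ("sig", sig, DIGEST_ALGOS)):
        if value not in allowed:
            raise ValueError(f"unsupported {name} algorithm {value!r}")
        if value in WEAK_ALGOS and not allow_weak:
            raise ValueError(f"{name}={value} is weak; pass allow_weak=True to override")
    if keylength < 2048:  # own policy: never below the documented default
        raise ValueError("RSA key length below 2048 bit is not accepted")
    if method not in ("get", "post"):
        raise ValueError(f"unsupported HTTP method {method!r}")

    argv = ["scepclient",
            "-u", url,
            "-i", f"cacert-enc={cacert}",
            "-i", f"cacert-sig={cacert}",
            "-o", f"cert={out_cert}",
            "-k", str(keylength),
            "-a", f"enc={enc}", "-a", f"dgst={dgst}", "-a", f"sig={sig}",
            "-m", method]
    if dn is not None:
        argv += ["-d", dn]
    for san_type, value in sans:
        argv += ["-s", validate_san(san_type, value)]
    if password is not None:
        # "%prompt" keeps the challenge password out of argv and process listings.
        argv += ["-p", password]
    return argv


def to_shell_line(argv: Sequence[str]) -> str:
    """Quote argv for a POSIX shell (handles a dn with spaces correctly)."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed sample values; the URL and paths are placeholders.
    cmd = build_scepclient_argv(
        "https://scep.example.test/scep",
        "/etc/ipsec.d/cacerts/caCert.der",
        "/etc/ipsec.d/certs/myCert.der",
        dn="C=CH, O=Example, CN=gw1.example.test",
        sans=[("dns", "gw1.example.test"), ("ip", "192.0.2.10")],
        password="%prompt",
    )
    print(to_shell_line(cmd))
```

Running it prints a command line with `-a enc=aes256 -a dgst=sha256 -a sig=sha256`, whereas omitting every `-a` option would silently enrol with DES-CBC and MD5 as documented above. Passing `%prompt` for `-p` avoids leaving the challenge password in shell history or `ps` output.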