Manual Reference Pages - SCEP (1)
scep - request a certificate from a SCEP server
Scep queries a SCEP server for a client certificate, and returns the certificate
if it is ready.
Scep works in two different modes, depending on its options: the first
call requests a certificate through a PKCSReq message,
and if no certificate was obtained, but
a pending reply, subsequent calls try to retrieve the certificate
using a SCEP GetCertInitial message.
A full scep client implementation will thus use
scep in a loop to perform all the steps required by the SCEP protocol.
This can easily be done from a script, which is what the
When the first
call is made to the SCEP server, the options
-u must be specified as they are needed to create the request.
In addition, a distinguished name
(in LDAP-like format) is required;
scep will take it apart and construct an X.509 distinguished name from it.
-w for the challenge password is optional, and is only required for
If the file specified with the
-r option exists, it will be used, so to create a new request, an existing file
should be deleted first.
The server may or may not return a certificate with its reply.
If a filename is specified with the
-s argument, it is used to save the request.
In the latter case, when the client has received a pending reply from
the server, it has to poll the server for the certificate
until it is either denied or returned.
For these secondary calls, the option
-p should be specified to indicate to
scep that the request has already been generated. In this mode, the options
-u must be specified.
The -s option specifies a saved certificate request that can be reused later.
The distinguished name argument is not necessary, as it will be read
from the request.
increase the debug level by one (although this may not really be useful
in this particular case).
cacertificate is the file containing the certificate of the certification
authority that we want to sign our request.
specifies the file to contain the request. Note that the first
call to scep generates the request from the private key
specified with the
-k option and the distinguished name on the command line.
keyfile contains the private key of the user in PEM format.
specifies the challenge password to include in the attributes of the
generated request. Note that this is only necessary in the first
request, when the request file does not exist yet. Later requests
for the certificate no longer need the challenge password.
-p tells scep to poll the server for the certificate. This is only needed if the first
request provokes a pending reply.
Defines the URL to contact for SCEP requests. This will normally be
Note that the SCEP specification fixes the name of the CGI program to
pkiclient.exe, which seems unnecessarily restrictive.
Scep distinguishes the result of its queries by the return code.
If the certificate is returned, it is written as PEM on standard output,
and 0 is returned.
If the request failed and returned neither a certificate nor a
pending reply, 1 is returned. Return code 2 indicates that a pending
reply was received, and that
scep should be called again with the
-p option to query the server again.
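The enrolment loop described above (first call with -k, -r, -u and the distinguished name, then repeated -p polls while the return code is 2), as an added shell example that is not part of OpenSCEP itself. The SCEP_BIN, MAX_POLLS and POLL_SLEEP variables, the stop-after-N-polls behaviour and the extra return code 3 are this script's own assumptions; the debug and CA-certificate options are omitted because their letters do not appear on this page.

```shell
#!/bin/sh
# Driver around scep(1): create the request once, then poll until the
# CA answers. SCEP_BIN lets a test substitute a stub for the real binary.
SCEP_BIN="${SCEP_BIN:-scep}"
MAX_POLLS="${MAX_POLLS:-10}"     # assumption: give up after this many -p polls
POLL_SLEEP="${POLL_SLEEP:-30}"   # assumption: seconds between polls

# scep_enroll URL KEYFILE REQFILE CERTFILE DN [CHALLENGE]
# Returns 0 and leaves the PEM certificate in CERTFILE, 1 if the CA denied
# or the request failed, 3 if the request is still pending after MAX_POLLS.
scep_enroll() {
    url=$1 key=$2 req=$3 cert=$4 dn=$5 challenge=${6:-}
    # scep reuses an existing -r file, so remove it to force a fresh PKCSReq.
    rm -f "$req"
    rc=0
    if [ -n "$challenge" ]; then
        # First request: -w carries the challenge password, DN is positional.
        "$SCEP_BIN" -u "$url" -k "$key" -r "$req" -w "$challenge" "$dn" > "$cert" || rc=$?
    else
        "$SCEP_BIN" -u "$url" -k "$key" -r "$req" "$dn" > "$cert" || rc=$?
    fi
    n=0
    # Return code 2 = pending reply: poll with -p (GetCertInitial); the DN
    # is no longer given because scep reads it from the saved request.
    while [ "$rc" -eq 2 ] && [ "$n" -lt "$MAX_POLLS" ]; do
        n=$((n + 1))
        sleep "$POLL_SLEEP"
        rc=0
        "$SCEP_BIN" -u "$url" -k "$key" -r "$req" -p > "$cert" || rc=$?
    done
    case $rc in
        0) return 0 ;;                 # certificate is in $cert
        2) rm -f "$cert"; return 3 ;;  # still pending, caller may retry later
        *) rm -f "$cert"; return 1 ;;  # denied or failed
    esac
}
```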
This page documents
scepconf as it appears in version 0.4.2 of OpenSCEP.
Andreas F. Mueller <firstname.lastname@example.org>
|OpenSCEP ||SCEP (8) ||04/14/16 |