Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Contact Us
Online Help
Domain Status
Man Pages

Virtual Servers

Topology Map

Server Agreement
Year 2038

USA Flag



Man Pages

Manual Reference Pages  -  SCEP (1)


scep - request a certificate from a SCEP server


Return Code
See Also


scep [ options ] [ distinguished-name ]


Scep queries a SCEP server for a client certificate, and returns a certificate it it is ready. Scep works in two different modes, depending on its options: the first call requests a certificate through a PCSKReq message, and if no certificate was obtained, but a pending reply, subsequent calls try the retrieve the certificate using a SCEP GetCertInitial message. A full scep client implementation will thus use scep in a loop to perform all the steps required by the SCEP protocol. This can easily be done in from a script, which is what the scepclient(1) script does.

When the first call is made to the SCEP server, the options -c, -r, -k and -u must be specified as they are needed to create the request. In addition, a distinguished-name argument (in LDAP like format) is required, scep will take it appart and construct an X.509 distinguished name from it. The option -w for the challenge password is optional, and is only required for automatic enrollment. If the file specified with the -r option exists, it will be used, so to create a new request, an existing file should be deleted first. The server may or may not return a certificate with its reply. If a filename is specified with the -s argument, it is used to save the request.

In the latter case, the client has received a pending reply from the server, the client has to poll the server for the certificate until it is either denied or returned. For these secondary calls, the option -p should be specified to indicate to scep that the request has already been generated. In this mode, the options -c, -r, -k and -u must be specified. The -s option specifies a saved certificate request that can be reused later. The distinguished name argument is not necessary, as it will be read from the request.


-d increase the debug level by one (although this may not really be useful in this particular case).
  specifies cacertificate as the file containing the certificate of the certification authority we want our request to sign.
  specifies the file to contain the request. Note that the first call to scep generates the request from the private key specified with the -k option and the distinguished name on the command line.
  The file keyfile contains the private key of the user in PEM format.
  specifies the challenge password to include in the options of the generated request. Note that this is only necessary in the first request, when the request file does not exist yet. Later requests for the certificate do no longer need the challenge password.
-p directs scep to poll the server for a the certificate. This is only needed if the first request provokes a ‘pending’ reply.
-uurl Defines the URL to contact for SCEP requests. This will normally be something like

Note that the SCEP specification fixes the name of the CGI-program to pkiclient.exe which seems to be unnecessary restrictive.


Scep distinguishes the result of his queries by the return code. If the certificate is returned, it is written as PEM on standard output, and 0 is returned. If the request failed, and did not return a certificate, or even a pending reply, 1 is returned. Return code 2 indicates that a pending reply was received, and that scep should be called again with the -p option to query the server again.


This page documents scepconf as it appears in version 0.4.2 of OpenSCEP.




Andreas F. Mueller <>
Search for    or go to Top of page |  Section 1 |  Main Index

OpenSCEP SCEP (8) 04/14/16

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.