GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages


Manual Reference Pages  -  SCEP (1)

NAME

scep - request a certificate from a SCEP server

CONTENTS

Synopsys
Description
Options
Return Code
Version
See Also
Author

SYNOPSYS

scep [ options ] [ distinguished-name ]

DESCRIPTION

Scep queries a SCEP server for a client certificate, and returns a certificate it it is ready. Scep works in two different modes, depending on its options: the first call requests a certificate through a PCSKReq message, and if no certificate was obtained, but a pending reply, subsequent calls try the retrieve the certificate using a SCEP GetCertInitial message. A full scep client implementation will thus use scep in a loop to perform all the steps required by the SCEP protocol. This can easily be done in from a script, which is what the scepclient(1) script does.

When the first call is made to the SCEP server, the options -c, -r, -k and -u must be specified as they are needed to create the request. In addition, a distinguished-name argument (in LDAP like format) is required, scep will take it appart and construct an X.509 distinguished name from it. The option -w for the challenge password is optional, and is only required for automatic enrollment. If the file specified with the -r option exists, it will be used, so to create a new request, an existing file should be deleted first. The server may or may not return a certificate with its reply. If a filename is specified with the -s argument, it is used to save the request.

In the latter case, the client has received a pending reply from the server, the client has to poll the server for the certificate until it is either denied or returned. For these secondary calls, the option -p should be specified to indicate to scep that the request has already been generated. In this mode, the options -c, -r, -k and -u must be specified. The -s option specifies a saved certificate request that can be reused later. The distinguished name argument is not necessary, as it will be read from the request.

OPTIONS

-d increase the debug level by one (although this may not really be useful in this particular case).
-ccacertificate
  specifies cacertificate as the file containing the certificate of the certification authority we want our request to sign.
-rrequest
  specifies the file to contain the request. Note that the first call to scep generates the request from the private key specified with the -k option and the distinguished name on the command line.
-kkeyfile
  The file keyfile contains the private key of the user in PEM format.
-wchallenge
  specifies the challenge password to include in the options of the generated request. Note that this is only necessary in the first request, when the request file does not exist yet. Later requests for the certificate do no longer need the challenge password.
-p directs scep to poll the server for a the certificate. This is only needed if the first request provokes a ‘pending’ reply.
-uurl Defines the URL to contact for SCEP requests. This will normally be something like

http://openscep.othello.ch/cgi-bin

Note that the SCEP specification fixes the name of the CGI-program to pkiclient.exe which seems to be unnecessary restrictive.

RETURN CODE

Scep distinguishes the result of his queries by the return code. If the certificate is returned, it is written as PEM on standard output, and 0 is returned. If the request failed, and did not return a certificate, or even a pending reply, 1 is returned. Return code 2 indicates that a pending reply was received, and that scep should be called again with the -p option to query the server again.

VERSION

This page documents scepconf as it appears in version 0.4.2 of OpenSCEP.

SEE ALSO

scepclient(1)

AUTHOR

Andreas F. Mueller <andreas.mueller@othello.ch>
Search for    or go to Top of page |  Section 1 |  Main Index


OpenSCEP SCEP (8) 04/14/16

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.