Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Contact Us
Online Help
Domain Status
Man Pages

Virtual Servers

Topology Map

Server Agreement
Year 2038

USA Flag



Man Pages

Manual Reference Pages  -  OPENSCEP.CNF (5)


openscep.cnf - OpenSCEP configuration file


Ca Definitions
Scepd Definitions
Ldap Section
See Also


OpenSCEP uses the configuration file mechanism provided by OpenSSL for its own configuration. All the OpenSCEP utilities read the configurationfile /usr/local/etc/openscep/openscep.cnf where various sections describe parameters foreign to OpenSSL and only useful to OpenSCEP. See the next sections for the configuration parameters specific to OpenSCEP.


There are three main sections used by OpenSCEP. The CA sections are more or less standard from OpenSSL.


See the OpenSSL documentation about details of the configuration of a CA.


These are the options the control the behaviour of the scepd(8) programm from the OpenSCEP distribution. To keep the scripts that also use these variables simple, there are no defaults for them. All of them must be set, which is especially easy to do incorrectly when upgrading.

name = CAname
  Name of this CA, used to find the right CA section during CA operations.

cacert =
  Path to the PEM encoded CA certificate.

cakey = /path/to/cakey.pem
  Path to the PEM encoded and unencrypted CA key.

crl = /path/to/crl.pem
  Path to a PEM encoded certificate revokation list.

grantcmd = /path/to/scepgrant
  Path to the scepgrant(8) program.

automatic = {true|false}
  Specifies whether automatic enrollment is possible or not.

debug = {true|false}
  Specifies whether debug output should be generated.

logfile = /path/to/logfile
  Defines the log file. syslog(8) must be configured to direct log messages to this file. This variable influences only the CGI-program used to display the log file.

openssl = /path/to/openssl/binary
  Sets the fully qualified path to the openssl(1) binary. Note that on many installations, openssl(1) is not on the path, and there is no easy way for a CGI program to find this program, hence the requirement that the path to it must be configured.

crlusers = users
  This option allows to define a white space separated list of users (as authenticated by the web server) which are allowed to perform certificate revocations without specifying the challenge password from the request.

crlpublic = {true|false}
  If set to true, public access to certificate revocation is granted. Any user who knows the challenge password of a certificate request can revoke the corresponding certificate. Note that trusted users as defined in the crlusers variable are not required to give the challenge password, even if crlpublic is set to false.


In this section, all parameters needed to access the ldap directory are defined. There are no defaults for these values, they must all be set in the configuration file (this simplifies the code for the CGI programs a little bit).

ldaphost = ldapservername
  Specifies the name of the LDAP server used as back end for the certificate data.

ldapport = ldapserverport
  Specifies the TCP port number of the LDAP server used as back end for the certificate data.

ldapbase = basedn
  The base distinguished name to be used by OpenSCEP.

binddn = binddn
  Some of the OpenSCEP programms need to update the directory, which requires additional privileges. They therefore use this distinguished name to bind to the directory, and the password as specified by the bindpw variable (see below).

bindpw = bindpw
  see binddn.

ldapmodify = /path/to/ldapmodify
  Full path to the ldapmodify(1) programm to be used to modify the directory. Note that a binary from the OpenLDAP version 2 distribution must be used, as the CGI scripts use some options only available in OpenLDAP.

ldapsearch = /path/to/ldapsearch
  program to be used to read the directory, only used in the crl revocation program.


The OpenSCEP distribution comes with an example openscep.cnf file that one can use as a starting point when setting up a CA.


This page documents openscep.cnf as it appears in version 0.4.2 of OpenSCEP.


Andreas F. Mueller <>

Search for    or go to Top of page |  Section 5 |  Main Index

OpenSCEP OPENSCEP.CNF (8) 04/14/16

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.