SCEP(8)SCEP(8)NAMEscep - request a certificate from a SCEP server
SYNOPSYSscep [ options ] [ distinguished-name ]
DESCRIPTION
Scep queries a SCEP server for a client certificate, and returns a cer‐
tificate it it is ready. Scep works in two different modes, depending
on its options: the first call requests a certificate through a PCSKReq
message, and if no certificate was obtained, but a pending reply, sub‐
sequent calls try the retrieve the certificate using a SCEP GetCertIni‐
tial message. A full scep client implementation will thus use scep in
a loop to perform all the steps required by the SCEP protocol. This
can easily be done in from a script, which is what the scepclient(1)
script does.
When the first call is made to the SCEP server, the options -c, -r, -k
and -u must be specified as they are needed to create the request. In
addition, a distinguished-name argument (in LDAP like format) is
required, scep will take it appart and construct an X.509 distinguished
name from it. The option -w for the challenge password is optional,
and is only required for automatic enrollment. If the file specified
with the -r option exists, it will be used, so to create a new request,
an existing file should be deleted first. The server may or may not
return a certificate with its reply. If a filename is specified with
the -s argument, it is used to save the request.
In the latter case, the client has received a pending reply from the
server, the client has to poll the server for the certificate until it
is either denied or returned. For these secondary calls, the option -p
should be specified to indicate to scep that the request has already
been generated. In this mode, the options -c, -r, -k and -u must be
specified. The -s option specifies a saved certificate request that
can be reused later. The distinguished name argument is not necessary,
as it will be read from the request.
OPTIONS-d increase the debug level by one (although this may not really be
useful in this particular case).
-ccacertificate
specifies cacertificate as the file containing the certificate
of the certification authority we want our request to sign.
-rrequest
specifies the file to contain the request. Note that the first
call to scep generates the request from the private key speci‐
fied with the -k option and the distinguished name on the com‐
mand line.
-kkeyfile
The file keyfile contains the private key of the user in PEM
format.
-wchallenge
specifies the challenge password to include in the options of
the generated request. Note that this is only necessary in the
first request, when the request file does not exist yet. Later
requests for the certificate do no longer need the challenge
password.
-p directs scep to poll the server for a the certificate. This is
only needed if the first request provokes a `pending' reply.
-uurl Defines the URL to contact for SCEP requests. This will normally
be something like
http://openscep.othello.ch/cgi-bin
Note that the SCEP specification fixes the name of the CGI-pro‐
gram to pkiclient.exe which seems to be unnecessary restrictive.
RETURN CODE
Scep distinguishes the result of his queries by the return code. If
the certificate is returned, it is written as PEM on standard output,
and 0 is returned. If the request failed, and did not return a cer‐
tificate, or even a pending reply, 1 is returned. Return code 2 indi‐
cates that a pending reply was received, and that scep should be called
again with the -p option to query the server again.
VERSION
This page documents scepconf as it appears in version 0.4.2 of Open‐
SCEP.
SEE ALSOscepclient(1)AUTHOR
Andreas F. Mueller <andreas.mueller@othello.ch>
OpenSCEP 02/19/16 SCEP(8)
