From: Andreas Steffen Date: Sun, 14 Aug 2022 02:51:23 +0000 (+0200) Subject: pki: Created pki --estca man page X-Git-Tag: 5.9.8dr1~2^2~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e5daec56e389bd948a331933d118ee7a7c079fa;p=thirdparty%2Fstrongswan.git pki: Created pki --estca man page --- diff --git a/configure.ac b/configure.ac index 40252e79da..e0a78cc7f4 100644 --- a/configure.ac +++ b/configure.ac @@ -2162,6 +2162,7 @@ AC_CONFIG_FILES([ src/pki/man/pki.1 src/pki/man/pki---acert.1 src/pki/man/pki---dn.1 + src/pki/man/pki---estca.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 diff --git a/src/pki/man/Makefile.am b/src/pki/man/Makefile.am index 9df76d9c35..c3f3982d96 100644 --- a/src/pki/man/Makefile.am +++ b/src/pki/man/Makefile.am @@ -2,6 +2,7 @@ man1_MANS = \ pki.1 \ pki---acert.1 \ pki---dn.1 \ + pki---estca.1 \ pki---gen.1 \ pki---issue.1 \ pki---keyid.1 \ diff --git a/src/pki/man/pki---estca.1.in b/src/pki/man/pki---estca.1.in new file mode 100644 index 0000000000..85ccd0929b --- /dev/null +++ b/src/pki/man/pki---estca.1.in 
@@ -0,0 +1,139 @@ +.TH "PKI \-\-ESTCA" 1 "2022-08-22" "@PACKAGE_VERSION@" "strongSwan" +. +.SH "NAME" +. +pki \-\-estca \- Get CA certificate[s] from an EST server +. +.SH "SYNOPSIS" +. +.SY pki\ \-\-estca +.BI\-\-\-url\~ url +.BI\-\-\-cacert\~ file +.OP \-\-caout file +.OP \-\-outform encoding +.OP \-\-force +.OP \-\-debug level +.YS +. +.SY pki\ \-\-estca +.BI \-\-options\~ file +.YS +. +.SY "pki \-\-estca" +.B \-h +| +.B \-\-help +.YS +. +.SH "DESCRIPTION" +. +This sub-command of +.BR pki (1) +gets CA certificates via https from an EST server using the \fI/cacerts\fR +operation of the Enrollment over Secure Transport protocol (RFC 7030). +. +.SH "OPTIONS" +. +.TP +.B "\-h, \-\-help" +Print usage information with a summary of the available options. +.TP +.BI "\-v, \-\-debug " level +Set debug level, default: 1. +.TP +.BI "\-+, \-\-options " file +Read command line options from \fIfile\fR. +.TP +.BI "\-u, \-\-url " url +URL of the SCEP server. +.TP +.BI "\-C, \-\-cacert " file +CA certificate in the trust chain used for EST TLS server signature verification. +Can be used multiple times. +.TP +.BI "\-c, \-\-caout " file +If present, path where the fetched root CA certificate file is stored to. +If several CA certificates are downloaded, then the value of +.B \-\-caout +is used as a template to derive unique filenames (*-1, *-2, etc.) for the +intermediate or sub CA certificates. +If a file suffix is missing, then depending on the value of +.B \-\-outform +either .\fIder\fR (the default) or .\fIpem\fR is automatically appended. +If the +.B \-\-caout +option is missing and +.B \-\-outform +is set to \fIpem\fR then a PEM-encoded CA certificate bundle is written to +\fIstdout\fR. +.TP +.BI "\-f, \-\-outform " encoding +Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or +\fIpem\fR (Base64 PEM), defaults to \fIder\fR. +.TP +.B "\-F, \-\-force" +Force overwrite of existing files. +. +.SH "EXAMPLES" +. 
+To save some typing work the following command line options are stored in a +\fIest.opt\fR file: +.PP +.EX +\-\-url https://pki.strongswan.org:8443 +\-\-cacert tlsca.crt +\-\-cacert tlsca-1.crt +.EE +.PP +.B NOTE: +For a successful HTTPS connection, trust must be established into the EST server +certificate. The TLS trust chain including the root CA certificate and optionally +intermediate CA certificates must be given using [multiple] +.B --cacert +options. +.P +An EST server sends a root CA and an intermediate CA certificate: +.PP +.EX +pki \-\-estca \-\-options est.opt \-\-caout myca.crt + +Root CA cert "C=CH, O=strongSwan Project, CN=strongSwan Root CA" + serial: 65:31:00:ca:79:da:16:6b:aa:ac:89:e2:a8:f9:49:c3:10:ab:64:54 + SHA256: 96:70:50:51:cd:b9:e7:94:6b:04:f6:15:45:80:fc:90:85:01:71:2a:f6:4f:d1:1b:2d:a1:7e:eb:bf:dd:be:86 + SHA1 : 8e:f3:78:b0:34:a6:c1:6a:7b:c6:f5:91:eb:e5:46:9b:0d:0a:a7:ba (jvN4sDSmwWp7xvWR6+VGmw0Kp7o) +Root CA equals trusted TLS Root CA +Root CA cert is untrusted, valid until Aug 12 15:51:34 2032, 'myca.crt' +Sub CA cert "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA" + serial: 74:f9:7e:72:7d:b8:fd:f2:c6:e5:1b:fa:37:f9:cb:87:bf:9c:ea:e2 + SHA256: a3:5b:4b:12:d5:8f:68:7b:05:11:08:27:f5:42:62:b8:b5:01:1b:19:37:9c:28:78:5d:37:08:69:6a:8c:07:bf + SHA1 : 8c:e6:67:67:c2:23:89:7b:d0:bc:b1:50:d2:1c:bc:8d:8d:69:15:11 (jOZnZ8IjiXvQvLFQ0hy8jY1pFRE) + using certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA" + using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA" + reached self-signed root ca with a path length of 0 +Sub CA cert is trusted, valid until Aug 12 15:51:34 2027, 'mycacert-1.crt' +.EE +.PP +.B NOTE: +The trusthworthiness of the root CA certificate is either verified automatically +if the Root CA certificate of the TLS trust chain is the same as that of the +Issuing CA. 
Otherwise trust has to be established manually by verifying the SHA256 +or SHA1 fingerprint of the DER-encoded certificate that is e.g. listed on the +official PKI website or by some other means. +.P +The stored certificate files in DER format can be overwritten by PEM-encoded +versions with: +.PP +.EX +pki \-\-estca \-\-options est.opt \-\-caout myca.crt \-\-outform pem \-\-force +.EE +.PP +A CA certificate bundle in PEM format is written to \fIstdout\fR: +.PP +.EX +pki \-\-estca \-\-options est.opt \-\-outform pem > cacerts.pem +.EE +.PP +. +.SH "SEE ALSO" +. +.BR pki (1)
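Review bot: In the OPTIONS section of the new pki---estca.1.in, the `-u, --url` entry reads "URL of the SCEP server." but this page documents the EST client, so it should say "URL of the EST server"; the sentence looks carried over from the scep page. In the SYNOPSIS the two required options appear as `.BI\-\-\-url\~ url` and `.BI\-\-\-cacert\~ file`, i.e. without the space after the `.BI` macro and with three dashes, unlike `.BI \-\-options\~ file` further down; as written, groff will not render them as `--url url` and `--cacert file`, so please check these two lines against the other pki man pages. The EXAMPLES section is inconsistent with the `--caout` description: the command passes `--caout myca.crt`, and the text says derived names are formed from that value as "*-1, *-2, etc.", so the sub CA file should be 'myca-1.crt', yet the sample output shows 'mycacert-1.crt'. In the same output, "Root CA equals trusted TLS Root CA" is immediately followed by "Root CA cert is untrusted", while the NOTE below states that trust is verified automatically when the TLS root CA is the same as the root of the issuing CA; either the captured output is stale or the NOTE should explain what "untrusted" means in that line. Small wording fixes: "trusthworthiness" should be "trustworthiness", and "is either verified automatically if ... Otherwise trust has to be established manually" reads better as "is verified automatically if ... ; otherwise trust has to be established manually". Since the manual bootstrap step is the security-critical part of /cacerts, I would have the NOTE recommend comparing the SHA256 fingerprint and mention SHA1 only as a fallback for sites that still publish it, rather than presenting the two as equivalent. Finally, the `--caout` text only says what happens for a missing `--caout` when `--outform` is pem; please also state what the tool does with the fetched certificates when `--caout` is missing and the default der encoding is in effect.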