From: Andreas Steffen
Date: Sat, 6 Aug 2022 10:23:09 +0000 (+0200)
Subject: pki: Created pki --scep man page
X-Git-Tag: 5.9.8dr1~2^2~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=93f2901d1a6b0dcf2d9a235e1ebe78120589da57;p=thirdparty%2Fstrongswan.git

pki: Created pki --scep man page
---

diff --git a/configure.ac b/configure.ac
index 7434d58612..fd885ccb16 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2175,6 +2175,7 @@ AC_CONFIG_FILES([
 src/pki/man/pki---print.1
 src/pki/man/pki---pub.1
 src/pki/man/pki---req.1
+ src/pki/man/pki---scep.1
 src/pki/man/pki---scepca.1
 src/pki/man/pki---self.1
 src/pki/man/pki---signcrl.1
diff --git a/src/pki/man/Makefile.am b/src/pki/man/Makefile.am
index 489c913674..9df76d9c35 100644
--- a/src/pki/man/Makefile.am
+++ b/src/pki/man/Makefile.am
@@ -9,6 +9,7 @@ man1_MANS = \
 pki---print.1 \
 pki---pub.1 \
 pki---req.1 \
+ pki---scep.1 \
 pki---scepca.1 \
 pki---self.1 \
 pki---signcrl.1 \
diff --git a/src/pki/man/pki---scep.1.in b/src/pki/man/pki---scep.1.in
new file mode 100644
index 0000000000..2422b54ca7
--- /dev/null
+++ b/src/pki/man/pki---scep.1.in
@@ -0,0 +1,176 @@
+.TH "PKI \-\-SCEP" 1 "2022-08-22" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-scep \- Enroll an X.509 certificate with a SCEP server
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-scep
+.BI\-\-\-url\~ url
+.OP \-\-in file
+.BI \-\-dn\~ distinguished-name
+.OP \-\-san subjectAltName
+.OP \-\-password password
+.BI \-\-ca-cert-enc\~ file
+.BI \-\-ca-cert-sig\~ file
+.OP \-\-cacert file
+.BI [\-\-cert\~ file
+.BI \-\-key\~ file ]
+.OP \-\-cipher cipher
+.OP \-\-digest digest
+.OP \-\-rsa-padding padding
+.OP \-\-interval time
+.OP \-\-maxpolltime time
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-scep
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-scep"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+sends a PKCS#10 certificate request in an encrypted and signed PKCS#7 container
+via HTTP to a SCEP server using the Simple Certificate Enrollment Protocol
+(RFC 8894). After successful authorization which with manual authentication
+requires periodic polling by the enrollment client, the SCEP server returns an
+X.509 certificate signed by the CA.
+
+Before the expiry of the current certificate, a new client certificate based on
+a fresh RSA private key can be requested, using the old certificate and the old
+key for automatic authentication with the SCEP server.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-u, \-\-url " url
+URL of the SCEP server.
+.TP
+.BI "\-i, \-\-in " file
+RSA private key. If not given the key is read from \fISTDIN\fR.
+.TP
+.BI "\-d, \-\-dn " distinguished-name
+Subject distinguished name (DN). Required.
+.TP
+.BI "\-a, \-\-san " subjectAltName
+subjectAltName extension to include in request. Can be used multiple times.
+.TP
+.BI "\-p, \-\-password " password
+The challengePassword to include in the certificate request.
+.TP
+.BI "\-e, \-\-cacert-enc " file
+CA or RA certificate for encryption
+.TP
+.BI "\-s, \-\-cacert-sig " file
+CA certificate for signature verification
+.TP
+.BI "\-C, \-\-cacert " file
+Additional CA certificate in the trust chain used for signature verification.
+Can be used multiple times.
+.TP
+.BI "\-c, \-\-cert " file
+Client certificate to be renewed.
+.TP
+.BI "\-k, \-\-key " file
+Client RSA private key to be replaced.
+.TP
+.BI "\-E, \-\-cipher " cipher
+Cipher used for symmetric encryption. Either \fIaes\fR (the default) or \fIdes3\fR.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fIsha256\fR (the default),
+\fIsha384\fR, \fIsha512\fR, or \fIsha1\fR.
+.TP
+.BI "\-R, \-\-rsa\-padding " padding
+Padding to use for RSA signatures. Either \fIpkcs1\fR (the default) or \fIpss\fR.
+.TP
+.BI "\-t, \-\-interval " time
+Poll interval in seconds, defaults to \fI60s\fR.
+.TP
+.BI "\-m, \-\-maxpolltime " time
+Maximum poll time in seconds, defaults to \fI0\fR which means unlimited polling.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.
+.SH "EXAMPLES"
+.
+To save some typing work the following command line options are stored in a
+\fIscep.opt\fR file:
+.PP
+.EX
+\-\-url http://pki.strongswan.org:8080/scep
+\-\-cacert-enc myra.crt
+\-\-cacert-sig myca-1.crt
+\-\-cacert myca.crt
+.EE
+.PP
+With the following command, an X.509 certificate signed by the intermediate CA is
+requested from a SCEP server:
+.PP
+.EX
+pki \-\-options scep.opt \-\-in moonKey.der \-\-san "moon.strongswan.org" \\
+ \-\-dn "C=CH, O=strongSec GmbH, CN=moon.strongswan.org" > moonCert.der
+
+transaction ID: 4DFCF31CB18A9B5333CCEC6F99CF230E4524E334
+ using certificate "C=CH, O=strongSwan Project, CN=SCEP RA"
+ using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
+ using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
+ reached self-signed root ca with a path length of 1
+ SCEP request pending, polling indefinitely every 60 seconds
+ going to sleep for 60 seconds
+transaction ID: 4DFCF31CB18A9B5333CCEC6F99CF230E4524E334
+ ...
+ going to sleep for 60 seconds
+Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
+ serial: 1e:ff:22:7b:6e:d7:4c:c1:8a:06
+ using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
+ using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
+ using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
+ reached self-signed root ca with a path length of 1
+Issued certificate is trusted, valid from Aug 22 18:56:23 2022 until Aug 22 18:56:23 2023 (currently valid)
+.EE
+.PP
+A certificate about to expire can be renewed with the command:
+.PP
+.EX
+pki \-\-options scep.opt \-\-in moonNewKey.der \-\-san "moon.strongswan.org" \\
+ \-\-dn "C=CH, O=strongSec GmbH, CN=moon.strongswan.org" \\
+ \-\-cert moonCert.der \-\-key moonKey.der > moonNewCert.der
+
+transaction ID: A9A63D028CC439F68452D125C4DBA025E67DBA95
+ using certificate "C=CH, O=strongSwan Project, CN=SCEP RA"
+ using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
+ using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
+ reached self-signed root ca with a path length of 1
+Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
+ serial: 1f:ff:b2:78:43:a2:9d:85:00:38
+ using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
+ using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
+ using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
+ reached self-signed root ca with a path length of 1
+Issued certificate is trusted, valid from Jul 20 15:05:33 2023 until Jul 20 15:05:33 2024 (currently valid)
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)
diff --git a/src/pki/man/pki---scepca.1.in b/src/pki/man/pki---scepca.1.in
index ac37055c7e..337e2f1a6b 100644
--- a/src/pki/man/pki---scepca.1.in
+++ b/src/pki/man/pki---scepca.1.in
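Review bot: The SYNOPSIS names the two CA-certificate options `\-\-ca-cert-enc` and `\-\-ca-cert-sig`, while the OPTIONS section and the scep.opt example use `\-\-cacert-enc` and `\-\-cacert-sig`; one of the two spellings is wrong, and a reader copying the synopsis will get an unknown-option error, so the synopsis lines should read `.BI \-\-cacert-enc\~ file` and `.BI \-\-cacert-sig\~ file` (assuming the OPTIONS spelling is the one the parser accepts, which the worked example suggests). As rendered here the first synopsis argument line reads `.BI\-\-\-url\~ url`; if that is the committed text the macro name is not recognised by groff and the line should be `.BI \-\-url\~ url`. The `\-\-password` entry documents the challengePassword but not that a value passed on the command line is visible in the process list on most systems; a sentence pointing to the `\-\-options` file as the place to keep it would help operators avoid that exposure.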
@@ -56,6 +56,12 @@ intermediate or sub CA certificates.
 If a file suffix is missing, then depending on the value of
 .B \-\-outform
 either .\fIder\fR (the default) or .\fIpem\fR is automatically appended.
+If the
+.B \-\-caout
+option is missing and
+.B \-\-outform
+is set to \fIpem\fR then a PEM-encoded CA certificate bundle is written to
+\fIstdout\fR.
 .TP
 .BI "\-r, \-\-raout " file
 If present, path where the fetched RA certificate file is stored to.
@@ -143,6 +149,12 @@ RA cert "C=CH, O=strongSwan Project, CN=SCEP RA"
 RA cert is trusted, valid until Aug 10 15:51:34 2023, 'myca-ra.crt'
 .EE
 .PP
+A CA certificate bundle in PEM format is written to \fIstdout\fR:
+.PP
+.EX
+pki \-\-scepca \-\-url http://pki.strongswan.org:8080/scep --raout myra.crt \-\-outform pem > cacerts.pem
+.EE
+.PP
 .
 .SH "SEE ALSO"
 .
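Review bot: The added paragraph covers only the case where `\-\-caout` is absent and `\-\-outform` is `pem`; what happens to the fetched CA certificates when `\-\-caout` is absent and `\-\-outform` is `der` (the documented default) is left unstated, so a reader cannot tell whether they are written to individual files, printed, or dropped. A closing sentence for the der case, with the actual behaviour filled in, would complete the entry, e.g. `With \fIder\fR encoding and no \-\-caout option the certificates are [VERIFY: written/discarded].` The `\-\-caout` entry this text extends begins above the hunk.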
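Review bot: In the new example command `--raout` is written with plain hyphens while every other option on the same line uses `\-\-`; groff may render a plain `-` in text as a typographic hyphen on UTF-8 output devices, so a command pasted from the rendered page would not parse, and it is inconsistent with the rest of the page. The line should read `pki \-\-scepca \-\-url http://pki.strongswan.org:8080/scep \-\-raout myra.crt \-\-outform pem > cacerts.pem`.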