scep - request a certificate from a SCEP server


     scep [ options ] [ distinguished-name ]


     Scep queries a SCEP server for a client certificate, and
     returns the certificate if it is ready.  Scep works in two
     different modes, depending on its options: the first call
     requests a certificate through a PKCSReq message, and if no
     certificate was obtained but a pending reply, subsequent
     calls try to retrieve the certificate using a SCEP
     GetCertInitial message.  A full SCEP client implementation
     will thus use scep in a loop to perform all the steps
     required by the SCEP protocol.  This can easily be done from
     a script, which is what the scepclient(1) script does.

     When the first call is made to the SCEP server, the options
     -c, -r, -k and -u must be specified, as they are needed to
     create the request.  In addition, a distinguished-name
     argument (in LDAP-like format) is required; scep takes it
     apart and constructs an X.509 distinguished name from it.
     The option -w for the challenge password is optional and is
     only required for automatic enrollment.  If the file
     specified with the -r option exists, it will be used, so to
     create a new request, an existing file should be deleted
     first.  The server may or may not return a certificate with
     its reply.  If a filename is specified with the -s argument,
     it is used to save the request.

     In the latter case, when the client has received a pending
     reply from the server, it has to poll the server for the
     certificate until it is either denied or returned.  For
     these secondary calls, the option -p should be specified to
     indicate to scep that the request has already been
     generated.  In this mode, the options -c, -r, -k and -u must
     be specified.  The -s option specifies a saved certificate
     request that can be reused later.  The distinguished name
     argument is not necessary, as it will be read from the


     -d   increase the debug level by one (although this may  not
          really be useful in this particular case).

     -c cacertificate
          specifies cacertificate as the file containing the
          certificate of the certification authority that we want
          to sign our request.

     -r file
          specifies the file to contain the request.  Note that
          the first call to scep generates the request from the
          private key specified with the -k option and the
          distinguished name on the command line.

     -k keyfile
          The file keyfile contains the private key of the user
          in PEM format.

     -w password
          specifies the challenge password to include in the
          options of the generated request.  Note that this is
          only necessary in the first request, when the request
          file does not exist yet.  Later requests for the
          certificate no longer need the challenge password.

     -p   directs scep to poll the server for the certificate.
          This is only needed if the first request provokes a
          `pending' reply.

     -u url
          Defines the URL to contact for SCEP requests.  This will
          normally be something like

          Note that the SCEP specification fixes the name of the
          CGI program to pkiclient.exe, which seems to be
          unnecessarily restrictive.


     Scep distinguishes the result of its queries by the return
     code.  If the certificate is returned, it is written as PEM
     on standard output, and 0 is returned.  If the request
     failed, and did not return a certificate or even a pending
     reply, 1 is returned.  Return code 2 indicates that a pending
     reply was received, and that scep should be called again
     with the -p option to query the server again.
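     The enrollment loop that the description and the return codes
     above sketch, as an added shell example (it is not the project's
     scepclient(1) script and not code from this page); the file
     names, retry delay, attempt limit and the optional command
     override used for testing are assumptions chosen here:

```shell
#!/bin/sh
# Added example, not part of OpenSCEP: drive scep(1) through a full
# enrollment using its documented exit codes:
#   0 = certificate written to stdout, 1 = failed or denied,
#   2 = pending reply, call again with -p.
#
# scep_enroll CACERT REQFILE KEYFILE URL DN [MAX_TRIES] [DELAY] [SCEP_CMD]
#   Prints the PEM certificate on stdout when enrollment succeeds.
#   Exit status: 0 certificate obtained, 1 denied/failed,
#                3 gave up while the request was still pending.
#   MAX_TRIES, DELAY (seconds) and SCEP_CMD (assumed; defaults to
#   "scep") are this example's own parameters.
scep_enroll() {
    cacert=$1 reqfile=$2 keyfile=$3 url=$4 dn=$5
    max_tries=${6:-10} delay=${7:-30} scep_cmd=${8:-scep}
    tries=0

    # An existing request file makes scep reuse it, so start by
    # polling instead of generating a fresh PKCSReq.
    if [ -f "$reqfile" ]; then mode=poll; else mode=request; fi

    while [ "$tries" -lt "$max_tries" ]; do
        tries=$((tries + 1))
        if [ "$mode" = request ]; then
            # First call: -c, -r, -k, -u and the distinguished name.
            set -- -c "$cacert" -r "$reqfile" -k "$keyfile" -u "$url" "$dn"
        else
            # Secondary call: -p, the DN is read from the request file.
            set -- -p -c "$cacert" -r "$reqfile" -k "$keyfile" -u "$url"
        fi
        "$scep_cmd" "$@" && rc=0 || rc=$?
        case $rc in
            0) return 0 ;;                  # certificate is on stdout
            2) mode=poll; sleep "$delay" ;; # pending: retry with -p
            *) return 1 ;;                  # denied or request failed
        esac
    done
    echo "scep_enroll: still pending after $max_tries attempts" >&2
    return 3
}
```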


     This page documents scep as it appears in version 0.3.8
     of OpenSCEP.




     Andreas F. Mueller <>

