scep - request a certificate from a SCEP server
scep [ options ] [ distinguished-name ]
Scep queries a SCEP server for a client certificate, and
returns a certificate if it is ready. Scep works in two
different modes, depending on its options: the first call
requests a certificate through a PKCSReq message, and if no
certificate was obtained but a pending reply was received,
subsequent calls try to retrieve the certificate using a SCEP
GetCertInitial message. A full scep client implementation will
thus use scep in a loop to perform all the steps required by
the SCEP protocol. This can easily be done from a script,
which is what the scepclient(1) script does.
When the first call is made to the SCEP server, the options
-c, -r, -k and -u must be specified as they are needed to
create the request. In addition, a distinguished-name
argument (in LDAP-like format) is required; scep will take it
apart and construct an X.509 distinguished name from it.
The option -w for the challenge password is optional, and is
only required for automatic enrollment. If the file specified
with the -r option exists, it will be used, so to
create a new request, an existing file should be deleted
first. The server may or may not return a certificate with
its reply. If a filename is specified with the -s argument,
it is used to save the request.
In the latter case, when the client has received a pending
reply from the server, it has to poll the server for the
certificate until it is either denied or returned. For
these secondary calls, the option -p should be specified to
indicate to scep that the request has already been generated.
In this mode, the options -c, -r, -k and -u must be
specified. The -s option specifies a saved certificate
request that can be reused later. The distinguished name
argument is not necessary, as it will be read from the
-d increases the debug level by one (although this may not
really be useful in this particular case).
-c specifies cacertificate as the file containing the
certificate of the certification authority we want to
sign our request.
-r specifies the file to contain the request. Note that
the first call to scep generates the request from the
private key specified with the -k option and the
distinguished name on the command line.
-k The file keyfile contains the private key of the user
in PEM format.
-w specifies the challenge password to include in the
options of the generated request. Note that this is
only necessary in the first request, when the request
file does not exist yet. Later requests for the
certificate no longer need the challenge password.
-p directs scep to poll the server for the certificate.
This is only needed if the first request provokes a
-u Defines the URL to contact for SCEP requests. This will
normally be something like
Note that the SCEP specification fixes the name of the
CGI-program to pkiclient.exe which seems to be unneces-
Scep distinguishes the result of its queries by the return
code. If the certificate is returned, it is written as PEM
on standard output, and 0 is returned. If the request
failed, and did not return a certificate, or even a pending
reply, 1 is returned. Return code 2 indicates that a pending
reply was received, and that scep should be called again
with the -p option to query the server again.
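
The loop described above, driven by the three return codes, as an
added example (not part of scep or the scepclient(1) script). The
function name, the SCEP, POLL_INTERVAL and MAX_POLLS variables and
the temporary-file handling are assumptions made for illustration.

```shell
# Added example: enrollment loop driven by scep's return codes (0, 1, 2).
# Assumed names, not from the man page: scep_enroll, SCEP, POLL_INTERVAL,
# MAX_POLLS, and all file names passed in by the caller.
SCEP=${SCEP:-scep}
POLL_INTERVAL=${POLL_INTERVAL:-60}   # seconds between polls
MAX_POLLS=${MAX_POLLS:-30}           # give up after this many pending replies

# scep_enroll CACERT REQFILE KEYFILE URL CERTOUT DN [CHALLENGE]
# Returns 0 with the PEM certificate in CERTOUT, 1 on failure,
# 2 if the server still answers "pending" after MAX_POLLS polls.
scep_enroll() {
    cacert=$1 req=$2 key=$3 url=$4 out=$5 dn=$6 challenge=${7:-}
    tmp=$(mktemp "$out.XXXXXX") || return 1
    set -- -c "$cacert" -r "$req" -k "$key" -u "$url"

    # First call sends the PKCSReq. -w is passed only when a challenge
    # password is given; as a command-line argument it is visible to other
    # local users in the process list while scep runs.
    rc=0
    if [ -n "$challenge" ]; then
        "$SCEP" "$@" -w "$challenge" "$dn" >"$tmp" || rc=$?
    else
        "$SCEP" "$@" "$dn" >"$tmp" || rc=$?
    fi

    # Return code 2 means pending: poll with -p until the code changes.
    polls=0
    while [ "$rc" -eq 2 ] && [ "$polls" -lt "$MAX_POLLS" ]; do
        sleep "$POLL_INTERVAL"
        rc=0
        "$SCEP" -p "$@" >"$tmp" || rc=$?
        polls=$((polls + 1))
    done

    # Publish only a complete, non-empty certificate; never a partial file.
    if [ "$rc" -eq 0 ] && [ -s "$tmp" ]; then
        mv "$tmp" "$out"
        return 0
    fi
    rm -f "$tmp"
    [ "$rc" -eq 2 ] && return 2
    return 1
}
```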
This page documents scepconf as it appears in version 0.3.8
Andreas F. Mueller <firstname.lastname@example.org>