|
Options
The ssh-cmpclient command-line options are listed below. Note
that when a file name is specified, an existing file with the same name
will be overwritten. When subject names or other strings that contain
spaces are given on the command line, they should be enclosed in double
quotes.
-
-B Requests private key backup to be performed for the initialize, enroll,
and update commands.
-
-o prefix Saves resulting certificates and CRLs into files with the given prefix. The
prefix is first appended by a number, followed by the file extension
.crt or .crl , depending on the type of object.
-
-O filename Saves the result into the specified absolute filename. If there is more
than one result file, the remaining results are rejected.
-
-C file Specifies the file path that contains the CA certificate. If
key backup is done, the file name must be given, but in most cases the
LDAP name of the CA can be given instead.
-
-S url Specifies the SOCKS URL if the CA is located behind a SOCKS-enabled
firewall. The format of the URL is:
socks://[username@]server[:port][/network/bits[,network/bits]]
-
-H url Uses the given HTTP proxy server to access the CA. The format of the
URL is: http://server[:port]/
-
-E Performs encryption proof of possession if the CA supports it. In this
method of PoP, the request is not signed, but instead the PoP is
established based on the ability to decrypt the certificates received
from the CA. The CA encrypts the certificates with the user's public key
before sending them to the user.
-
-v num Selects the CMP protocol version. This is either value 1, for an RFC
2510-based protocol, or 2 (the default) for CMPv2.
-
-N file Specifies a file to be used as an entropy source during key generation.
-
-Z provspec Specifies an external key provider for the private key. The value of
provspec is "provider:initstring" . Currently, the only
valid value for provider is zos-saf . For the format of the
initstring, see Appendix ssh-externalkeys.
Example:
"zos-saf:keys(ring(SSH2-KEYS) label('U313 KEY1'))"
The usage line uses the following meta commands:
-
psk The reference number and the corresponding key value given by the CA or RA.
-
-p refnum:key|file refnum and key are character strings shared among the
CA and the user. refnum identifies the secret key used to
authenticate the message. The refnum string must not contain
colon characters.
Alternatively, a filename containing the reference number and the key
can be given as the argument.
-
-i number number indicates the key hashing iteration count.
-
certs The user's existing key and certificate for authentication.
-
-k url URL specifying the private key location. This is an external key URL
whose format is specified in Section Synopsis.
-
-c file Path to the file that contains the certificate issued to the public key
given in the -k option argument.
-
racerts In RA mode, the RA key and certificate for authentication.
-
-k url URL specifying the private key location. This is an external key URL
whose format is specified in Section Synopsis.
-
-R file Path to the file that contains the RA certificate issued to the public
key given in the -k option argument.
-
keypair The subject key pair to be certified.
-
id Polling ID used if the PKI action is left pending.
-
template The subject name and flags to be certified.
-
-T file The file containing the certificate used as the template for the operation.
Values used to identify the subject are read from this, but the user may
overwrite the key, key-usage flags, or subject names.
-
-s subject-ldap[;type=value]* A subject name in reverse LDAP format, that is, the most general
component first, and alternative subject names. The name
subject-ldap will be copied into the request verbatim.
A typical choice would be a DN in the format
"C=US,O=SSH,CN=Some Body" , but in principle this can
be anything that is usable for the resulting certificate.
The possible type values are ip , email ,
dn , dns , uri , and rid .
-
-u key-usage-name[;key-usage-name]* Requested key usage purpose code. The following codes are recognized:
digitalSignature , nonRepudiation ,
keyEncipherment , dataEncipherment ,
keyAgreement , keyCertSign , cRLSign ,
encipherOnly , decipherOnly , and help . The
special keyword help lists the supported key usages which are defined in
RFC 3280.
-
-U extended-key-usage-name[;extended-key-usage-name]* Requested extended key usage code. The following codes, in addition to
user-specified dotted OID values are recognized: serverAuth ,
clientAuth , codeSigning , emailProtection ,
timeStamping , ikeIntermediate , and
smartCardLogon .
-
access Specifies the CA's address in URL format. Possible access methods are
HTTP (http://host:port/path ), or plain TCP
(tcp://host:port/path ). If the host address is an IPv6 address,
it must be enclosed in brackets (http://[IPv6-address]:port/ ).
-
name Optionally specifies the destination CA name for the operation, in case
a CA certificate was not given using the option -C .
[Contents]
[Index]
[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]
Copyright © 2007 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice
|
|
|