ssh-scepclient command [options] access [name]
Where command is one of the following:
  GET-CA
  GET-CHAIN
  ENROLL keypair ca psk template
  POLL keypair ca -r state-file
Most commands can accept the following options:
  -o prefix    Save result into files with prefix.
  -S url       Use this socks server to access CA.
  -H url       Use this HTTP proxy to access CA.
  -N file      Specifies a file to stir into the random pool.
  -Z provspec  Specifies the external key provider for private key.
               The format of provspec is "providername:initstring".
The following identifiers are used to specify options:
  psk       -p key (used as revocationPassword or challengePassword)
  keypair   -P url (private-key URL)
  ca        -C file (CA certificate file)
            -E file (RA encryption certificate file)
            -V file (RA validation certificate file)
  template  -T file (certificate template)
            -s subject-ldap[;type=value]
            -u key-usage-name[;key-usage-name]
            -U extended-key-usage-name[;extended-key-usage-name]
  access    URL where the CA listens for requests.
GET-CA and GET-CHAIN take a name argument, which the CA interprets
to identify a CA entity managed by the responder.
Key URLs are either valid external key paths or in the format:
  "generate://savetype:password@keytype:size/save-file-prefix"
  "file://savetype:password@/file-prefix"
  "file://passphrase/file-prefix"
  "file:/file-prefix"
  "any-externalkey-provider-url" (provider-specific)
  "key-filename"
The "keytype" for the SCEP protocol has to be "rsa".
The key generation "savetype" can be:
- ssh2 (Secure Shell 2 key type)
- ssh1 (Legacy Secure Shell 1 key type)
- ssh (SSH proprietary crypto library format, passphrase-protected)
- pkcs1 (PKCS#1 format)
- pkcs8s (passphrase-protected PKCS#8, "shrouded PKCS#8")
- pkcs8 (plain-text PKCS#8)
- x509 (SSH proprietary X.509 library key type)
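
The following is an added example, not part of ssh-scepclient or its documentation: a pre-flight check that parses a "generate://" key URL in the format shown above and flags a non-rsa keytype, the plain-text pkcs8 savetype, or an empty password on a passphrase-protected savetype. The function name, the finding codes, the 2048-bit minimum and the rule that the password contains no "@" are assumptions made for this example.

```python
import re

# Savetypes listed on the page; only these two are described there as
# passphrase-protected, and pkcs8 is described as plain-text.
SAVETYPES = {"ssh2", "ssh1", "ssh", "pkcs1", "pkcs8s", "pkcs8", "x509"}
PASSPHRASE_PROTECTED = {"ssh", "pkcs8s"}
MIN_RSA_BITS = 2048  # assumption: local policy value, not stated on the page

# generate://savetype:password@keytype:size/save-file-prefix
# Assumption: the password contains no '@' (the page gives no escaping rule).
GENERATE_RE = re.compile(
    r"^generate://(?P<savetype>[^:@/]+):(?P<password>[^@]*)"
    r"@(?P<keytype>[^:/]+):(?P<size>\d+)/(?P<prefix>.+)$"
)

def check_generate_url(url):
    """Return a list of finding codes; an empty list means no findings."""
    m = GENERATE_RE.match(url)
    if m is None:
        return ["not-generate-url"]
    findings = []
    if m["savetype"] not in SAVETYPES:
        findings.append("unknown-savetype")
    if m["keytype"] != "rsa":
        findings.append("keytype-not-rsa")      # SCEP requires rsa
    if int(m["size"]) < MIN_RSA_BITS:
        findings.append("key-too-small")
    if m["savetype"] == "pkcs8":
        findings.append("plaintext-savetype")   # key file written unencrypted
    if m["savetype"] in PASSPHRASE_PROTECTED and not m["password"]:
        findings.append("empty-passphrase")
    return findings

if __name__ == "__main__":
    # Constructed sample URLs, not taken from the page.
    for sample in (
        "generate://pkcs8s:example-pass@rsa:2048/scep-key",
        "generate://pkcs8:x@dsa:1024/scep-key",
        "file:/scep-key",
    ):
        print(sample, "->", check_generate_url(sample) or "ok")
```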