ssh-cmpclient command [options] access [name]
Where command is one of the following:
INITIALIZE psk|racerts keypair template
ENROLL certs|racerts keypair template
UPDATE certs [keypair]
POLL psk|certs|racerts id
RECOVER psk|certs|racerts template
REVOKE psk|certs|racerts template
TUNNEL racerts template
Most commands can accept the following options:
-B Perform key backup for subject keys.
-o prefix Save result into files with prefix.
-O filename Save the result into the specified file.
If there is more than one result file,
the remaining results are rejected.
-C file CA certificate from this file.
-S url Use this SOCKS server to access the CA.
-H url Use this HTTP proxy to access the CA.
-E PoP by encryption (CA certificate needed).
-v num Protocol version 1|2 of the CA platform. Default is 2.
-y Non-interactive mode. All questions answered with 'y'.
-N file Specifies a file to stir to the random pool.
-Z provspec Specifies the external key provider for private key.
The format of provspec is "providername:initstring".
The following identifiers are used to specify options:
psk -p refnum:key (reference number and pre-shared key)
-p file (containing refnum:key)
-i number (iteration count, default 1024)
certs -c file (certificate file) -k url (private-key URL)
racerts -R file (RA certificate file) -k url (RA private-key URL)
keypair -P url (private-key URL)
id -I number (polling ID)
template -T file (certificate template)
access URL where the CA listens for requests.
name Directory name for the issuing CA (if -C is not given).
Key URLs are either valid external key paths or in the format:
The key generation "savetype" can be:
- ssh2, secsh2, secsh (Secure Shell 2 key type)
- ssh1, secsh1 (legacy Secure Shell 1 key type)
- pkcs1 (PKCS #1 format)
- pkcs8s (passphrase-protected PKCS #8, "shrouded PKCS #8")
- pkcs8 (plain-text PKCS #8)
- x509 (SSH-proprietary X.509 library key type)
-h Prints usage message.
-F Prints key usage extension and keytype instructions.
-e Prints command-line examples.