Your browser does not support HTML5 local storage or you have disabled it. Some functionality on this site, including saving your privacy settings and offering you special discounts, uses local storage and may not work with local storage disabled. We recommend allowing the use of local storage in your browser. In some browsers, it is the same setting used for disabling cookies.
ssh-scepclient command [options] access [name]
Where command is one of the following:
ENROLL keypair ca psk template
POLL keypair ca -r state-file
Most commands can accept the following options:
-o prefix Save result into files with prefix.
-S url Use this socks server to access CA.
-H url Use this HTTP proxy to access CA.
-N file Specifies a file to stir to the random pool.
-Z provspec Specifies the external key provider for private key.
The format of provspec is "providername:initstring".
The following identifiers are used to specify options:
psk -p key (used as revocationPassword or challengePassword)
keypair -P url (private-key URL)
ca -C file (CA certificate file)
-E file (RA encryption certificate file)
-V file (RA validation certificate file)
template -T file (certificate template)
access URL where the CA listens for requests.
GET-CA and GET-CHAIN take name argument, that is something
interpreted by the CA to specify a CA entity managed by the responder.
Key URLs are either valid external key paths or in the format:
The "keytype" for the SCEP protocol has to be "rsa".
The key generation "savetype" can be:
- ssh2 (Secure Shell 2 key type)
- ssh1 (Legacy Secure Shell 1 key type)
- ssh (SSH proprietary crypto library format, passphrase-protected)
- pkcs1 (PKCS#1 format)
- pkcs8s (passphrase-protected PKCS#8, "shrouded PKCS#8")
- pkcs8 (plain-text PKCS#8)
- x509 (SSH proprietary X.509 library key type)