ssh-scepclient command [options] access [name]
Where command is one of the following:
  ENROLL keypair ca psk template
  POLL keypair ca -r state-file
Most commands can accept the following options:
  -o prefix    Save the result into files with this prefix.
  -S url       Use this SOCKS server to access the CA.
  -H url       Use this HTTP proxy to access the CA.
  -N file      Specifies a file to stir into the random pool.
  -Z provspec  Specifies the external key provider for the private key.
               The format of provspec is "providername:initstring".
The following identifiers are used to specify options:
  psk       -p key   (used as revocationPassword or challengePassword)
  keypair   -P url   (private-key URL)
  ca        -C file  (CA certificate file)
            -E file  (RA encryption certificate file)
            -V file  (RA validation certificate file)
  template  -T file  (certificate template)
  access    URL where the CA listens for requests.
GET-CA and GET-CHAIN take a name argument, which the CA interprets
to select a CA entity managed by the responder.
Key URLs are either valid external key paths or in the format:
The "keytype" for the SCEP protocol has to be "rsa".
The key generation "savetype" can be:
- ssh2 (Secure Shell 2 key type)
- ssh1 (Legacy Secure Shell 1 key type)
- ssh (SSH proprietary crypto library format, passphrase-protected)
- pkcs1 (PKCS#1 format)
- pkcs8s (passphrase-protected PKCS#8, "shrouded PKCS#8")
- pkcs8 (plain-text PKCS#8)
- x509 (SSH proprietary X.509 library key type)