|[Front page] [Index]|
ssh-cmpclient command-line options are listed below. Note that when a file name is specified, an existing file with the same name will be overwritten. When subject names or other strings that contain spaces are given on the command line, they should be enclosed in double quotes.
Requests private key backup to be performed for the initialize, enroll, and update commands.
Saves resulting certificates and CRLs into files with the given prefix. The prefix is first appended by a number, followed by the file extension
.crl, depending on the type of object.
Saves the result into the specified absolute filename. If there are more than one result files, the remaining results are rejected.
Specifies the file path that contains the CA certificate. If key backup is done, the file name must be given, but in most cases the LDAP name of the CA can be given instead.
Specifies the SOCKS URL if the CA is located behind a SOCKS-enabled firewall. The format of the URL is:
Uses the given HTTP proxy server to access the CA. The format of the URL is:
Performs encryption proof of possession if the CA supports it. In this method of PoP, the request is not signed, but instead the PoP is established based on the ability to decrypt the certificates received from the CA. The CA encrypts the certificates with the user's public key before sending them to the user.
Selects the CMP protocol version. This is either value 1, for an RFC 2510-based protocol, or 2 (the default) for CMPv2.
Specifies a file to be used as an entropy source during key generation.
The usage line uses the following meta commands:
The reference number and the corresponding key value given by the CA or RA.
keyare character strings shared among the CA and the user.
refnumidentifies the secret
keyused to authenticate the message. The
refnumstring must not contain colon characters.
Alternatively, a filename containing the reference number and the key can be given as the argument.
numberindicates the key hashing iteration count.
The user's existing key and certificate for authentication.
URL specifying the private key location. This is an external key URL whose format is specified in Section Synopsis.
Path to the file that contains the certificate issued to the public key given in the
In RA mode, the RA key and certificate for authentication.
Path to the file that contains the RA certificate issued to the public key given in the
The subject key pair to be certified.
Polling ID used if the PKI action is left pending.
Polling transaction ID
numbergiven by the RA or CA if the action is left pending.
The subject name and flags to be certified.
The file containing the certificate used as the template for the operation. Values used to identify the subject are read from this, but the user may overwrite the key, key-usage flags, or subject names.
A subject name in reverse LDAP format, that is, the most general component first, and alternative subject names. The name
subject-ldapwill be copied into the request verbatim.
A typical choice would be a DN in the format
"C=US,O=SSH,CN=Some Body", but in principle this can be anything that is usable for the resulting certificate.
Requested key usage purpose code. The following codes are recognized:
help. The special keyword help lists the supported key usages which are defined in RFC 3280.
Requested extended key usage code. The following codes, in addition to user-specified dotted OID values are recognized:
Specifies the CA's address in URL format. Possible access methods are HTTP (
http://host:port/path), or plain TCP (
tcp://host:port/path). If the host address is an IPv6 address, it must be enclosed in brackets (
Optionally specifies the destination CA name for the operation, in case a CA certificate was not given using the option
[Front page] [Index]