pki: Created pki --scep man page

configure.ac

@@ -2175,6 +2175,7 @@ AC_CONFIG_FILES([
 	src/pki/man/pki---print.1
 	src/pki/man/pki---pub.1
 	src/pki/man/pki---req.1
+	src/pki/man/pki---scep.1
 	src/pki/man/pki---scepca.1
 	src/pki/man/pki---self.1
 	src/pki/man/pki---signcrl.1

src/pki/man/Makefile.am

@@ -9,6 +9,7 @@ man1_MANS = \
 	pki---print.1 \
 	pki---pub.1 \
 	pki---req.1 \
+	pki---scep.1 \
 	pki---scepca.1 \
 	pki---self.1 \
 	pki---signcrl.1 \

src/pki/man/pki---scep.1.in

@@ -0,0 +1,176 @@
+.TH "PKI \-\-SCEP" 1 "2022-08-22" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-scep \- Enroll an X.509 certificate with a SCEP server
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-scep
+.BI\-\-\-url\~ url
+.OP \-\-in file
+.BI \-\-dn\~ distinguished-name
+.OP \-\-san subjectAltName
+.OP \-\-password password
+.BI \-\-ca-cert-enc\~ file
+.BI \-\-ca-cert-sig\~ file
+.OP \-\-cacert file
+.BI [\-\-cert\~ file
+.BI \-\-key\~ file ]
+.OP \-\-cipher cipher
+.OP \-\-digest digest
+.OP \-\-rsa-padding padding
+.OP \-\-interval time
+.OP \-\-maxpolltime time
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-scep
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-scep"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+sends a PKCS#10 certificate request in an encrypted and signed PKCS#7 container
+via HTTP to a SCEP server using the Simple Certificate Enrollment Protocol
+(RFC 8894). After successful authorization which with manual authentication
+requires periodic polling by the enrollment client, the SCEP server returns an
+X.509 certificate signed by the CA.
+
+Before the expiry of the current certificate, a new client certificate based on
+a fresh RSA private key can be requested, using the old certificate and the old
+key for automatic authentication with the SCEP server.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-u, \-\-url " url
+URL of the SCEP server.
+.TP
+.BI "\-i, \-\-in " file
+RSA private key. If not given the key is read from \fISTDIN\fR.
+.TP
+.BI "\-d, \-\-dn " distinguished-name
+Subject distinguished name (DN). Required.
+.TP
+.BI "\-a, \-\-san " subjectAltName
+subjectAltName extension to include in request. Can be used multiple times.
+.TP
+.BI "\-p, \-\-password " password
+The challengePassword to include in the certificate request.
+.TP
+.BI "\-e, \-\-cacert-enc " file
+CA or RA certificate for encryption
+.TP
+.BI "\-s, \-\-cacert-sig " file
+CA certificate for signature verification
+.TP
+.BI "\-C, \-\-cacert " file
+Additional CA certificate in the trust chain used for signature verification.
+Can be used multiple times.
+.TP
+.BI "\-c, \-\-cert " file
+Client certificate to be renewed.
+.TP
+.BI "\-k, \-\-key " file
+Client RSA private key to be replaced.
+.TP
+.BI "\-E, \-\-cipher " cipher
+Cipher used for symmetric encryption. Either \fIaes\fR (the default) or \fIdes3\fR.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fIsha256\fR (the default),
+\fIsha384\fR, \fIsha512\fR, or \fIsha1\fR.
+.TP
+.BI "\-R, \-\-rsa\-padding " padding
+Padding to use for RSA signatures. Either \fIpkcs1\fR (the default) or \fIpss\fR.
+.TP
+.BI "\-t, \-\-interval " time
+Poll interval in seconds, defaults to \fI60s\fR.
+.TP
+.BI "\-m, \-\-maxpolltime " time
+Maximum poll time in seconds, defaults to \fI0\fR which means unlimited polling.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.
+.SH "EXAMPLES"
+.
+To save some typing work the following command line options are stored in a
+\fIscep.opt\fR file:
+.PP
+.EX
+\-\-url http://pki.strongswan.org:8080/scep
+\-\-cacert-enc myra.crt
+\-\-cacert-sig myca-1.crt
+\-\-cacert myca.crt
+.EE
+.PP
+With the following command, an X.509 certificate signed by the intermediate CA is
+requested from a SCEP server:
+.PP
+.EX
+pki \-\-options scep.opt \-\-in moonKey.der \-\-san "moon.strongswan.org" \\
+    \-\-dn "C=CH, O=strongSec GmbH, CN=moon.strongswan.org" > moonCert.der
+
+transaction ID: 4DFCF31CB18A9B5333CCEC6F99CF230E4524E334
+  using certificate "C=CH, O=strongSwan Project, CN=SCEP RA"
+  using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
+  using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
+  reached self-signed root ca with a path length of 1
+  SCEP request pending, polling indefinitely every 60 seconds
+  going to sleep for 60 seconds
+transaction ID: 4DFCF31CB18A9B5333CCEC6F99CF230E4524E334
+  ...
+  going to sleep for 60 seconds
+Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
+  serial: 1e:ff:22:7b:6e:d7:4c:c1:8a:06
+  using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
+  using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
+  using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
+  reached self-signed root ca with a path length of 1
+Issued certificate is trusted, valid from Aug 22 18:56:23 2022 until Aug 22 18:56:23 2023 (currently valid)
+.EE
+.PP
+A certificate about to expire can be renewed with the command:
+.PP
+.EX
+pki \-\-options scep.opt \-\-in moonNewKey.der \-\-san "moon.strongswan.org" \\
+    \-\-dn "C=CH, O=strongSec GmbH, CN=moon.strongswan.org" \\
+    \-\-cert moonCert.der \-\-key moonKey.der > moonNewCert.der
+
+transaction ID: A9A63D028CC439F68452D125C4DBA025E67DBA95
+  using certificate "C=CH, O=strongSwan Project, CN=SCEP RA"
+  using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
+  using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
+  reached self-signed root ca with a path length of 1
+Issued certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
+  serial: 1f:ff:b2:78:43:a2:9d:85:00:38
+  using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
+  using trusted intermediate ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Issuing CA"
+  using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
+  reached self-signed root ca with a path length of 1
+Issued certificate is trusted, valid from Jul 20 15:05:33 2023 until Jul 20 15:05:33 2024 (currently valid)
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)

src/pki/man/pki---scepca.1.in

@@ -56,6 +56,12 @@ intermediate or sub CA certificates.
 If a file suffix is missing, then depending on the value of
 .B \-\-outform
 either .\fIder\fR (the default) or .\fIpem\fR is automatically appended.
+If the
+.B \-\-caout
+option is missing and
+.B \-\-outform
+is set to \fIpem\fR then a PEM-encoded CA certificate bundle is written to
+\fIstdout\fR.
 .TP
 .BI "\-r, \-\-raout " file
 If present, path where the fetched RA certificate file is stored to.
@@ -143,6 +149,12 @@ RA cert "C=CH, O=strongSwan Project, CN=SCEP RA"
 RA cert is trusted, valid until Aug 10 15:51:34 2023, 'myca-ra.crt'
 .EE
 .PP
+A CA certificate bundle in PEM format is written to \fIstdout\fR:
+.PP
+.EX
+pki \-\-scepca \-\-url http://pki.strongswan.org:8080/scep --raout myra.crt \-\-outform pem > cacerts.pem
+.EE
+.PP
 .
 .SH "SEE ALSO"
 .