
FreeBSD Manual Pages


openscep.cnf(8)		    System Manager's Manual	       openscep.cnf(8)

       openscep.cnf - OpenSCEP configuration file

       OpenSCEP uses the configuration file mechanism provided by OpenSSL for
       its own configuration.  All the OpenSCEP utilities read the configuration
       file /usr/local/etc/openscep/openscep.cnf, where various sections
       describe parameters foreign to OpenSSL and only useful to OpenSCEP.
       See the next sections for the configuration parameters specific to

       There are three main sections used by OpenSCEP.  The CA sections are
       more or less standard from OpenSSL.

       See the OpenSSL documentation about details of the configuration of a

       These are the options that control the behaviour of the scepd(8)
       program from the OpenSCEP distribution.  To keep the scripts that also
       use these variables simple, there are no defaults for them.  All of them
       must be set, which is especially easy to get wrong when upgrading.

       name = CAname
	      Name of this CA, used to find the	right CA section during	CA op-

       cacert =
	      Path to the PEM encoded CA certificate.

       cakey = /path/to/cakey.pem
	      Path to the PEM encoded and unencrypted CA key.

       crl = /path/to/crl.pem
              Path to a PEM encoded certificate revocation list.

       grantcmd	= /path/to/scepgrant
	      Path to the scepgrant(8) program.

       automatic = {true|false}
	      Specifies	whether	automatic enrollment is	possible or not.

       debug = {true|false}
	      Specifies	whether	debug output should be generated.

       logfile = /path/to/logfile
              Defines the log file.  syslog(8) must be configured to direct
              log messages to this file.  This variable influences only the
              CGI program used to display the log file.

       openssl = /path/to/openssl/binary
              Sets the fully qualified path to the openssl(1) binary.  Note
              that on many installations, openssl(1) is not on the path, and
              there is no easy way for a CGI program to find this program,
              hence the requirement that the path to it must be configured.

       crlusers = users
              Defines a white space separated list of users (as authenticated
              by the web server) which are allowed to perform certificate
              revocations without specifying the challenge password from the
              request.

       crlpublic = {true|false}
              If set to true, public access to certificate revocation is
              granted.  Any user who knows the challenge password of a
              certificate request can revoke the corresponding certificate.
              Note that trusted users as defined in the crlusers variable are
              not required to give the challenge password, even if crlpublic
              is set to false.

       In this section, all parameters needed to access the LDAP directory are
       defined.  There are no defaults for these values; they must all be set
       in the configuration file (this simplifies the code for the CGI
       programs a little bit).

       ldaphost	= ldapservername
	      Specifies	the name of the	LDAP server used as back end  for  the
	      certificate data.

       ldapport	= ldapserverport
	      Specifies	 the  TCP  port	number of the LDAP server used as back
	      end for the certificate data.

       ldapbase	= basedn
	      The base distinguished name to be	used by	OpenSCEP.

       binddn = binddn
              Some of the OpenSCEP programs need to update the directory,
              which requires additional privileges.  They therefore use this
              distinguished name to bind to the directory, and the password as
              specified by the bindpw variable (see below).

       bindpw = bindpw
              See binddn.

       ldapmodify = /path/to/ldapmodify
              Full path to the ldapmodify(1) program to be used to modify the
              directory.  Note that a binary from the OpenLDAP version 2
              distribution must be used, as the CGI scripts use some options
              only available in OpenLDAP.

       ldapsearch = /path/to/ldapsearch
              Program to be used to read the directory; only used in the CRL
              revocation program.

       The  OpenSCEP distribution comes	with an	example	openscep.cnf file that
       one can use as a	starting point when setting up a CA.
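       Because every scepd and LDAP variable above has to be set by hand, with
       no defaults, a small pre-flight check catches the omissions this page
       warns about before scepd(8) or the CGI programs trip over them.  The
       following Python script is an added example; it is not part of the
       OpenSCEP distribution.  It assumes section headers named scepd and ldap
       (this page does not state the real header names; adjust the two
       constants) and uses a sample configuration constructed here.  It
       verifies that each documented variable is present, that the three
       boolean variables hold true or false, optionally that the configured
       paths exist, and that the unencrypted CA key named by cakey is not
       readable by group or others.

```python
import os
import re
import stat

# Section names are assumptions: this page does not give the headers used by
# the distribution's openscep.cnf, so adjust these two constants as needed.
SCEPD_SECTION = "scepd"
LDAP_SECTION = "ldap"

# Every variable documented for the two sections; OpenSCEP has no defaults.
REQUIRED = {
    SCEPD_SECTION: ["name", "cacert", "cakey", "crl", "grantcmd", "automatic",
                    "debug", "logfile", "openssl", "crlusers", "crlpublic"],
    LDAP_SECTION: ["ldaphost", "ldapport", "ldapbase", "binddn", "bindpw",
                   "ldapmodify", "ldapsearch"],
}
BOOLEAN_KEYS = {"automatic", "debug", "crlpublic"}
PATH_KEYS = {"cacert", "cakey", "crl", "grantcmd", "openssl",
             "ldapmodify", "ldapsearch"}

# Constructed sample (not the distribution's example file).  It deliberately
# misspells one boolean and omits bindpw so the checker has something to report.
SAMPLE_CNF = """\
[ scepd ]
name = TestCA
cacert = /usr/local/etc/openscep/cacert.pem
cakey = /usr/local/etc/openscep/cakey.pem
crl = /usr/local/etc/openscep/crl.pem
grantcmd = /usr/local/bin/scepgrant
automatic = yes
debug = false
logfile = /var/log/openscep.log
openssl = /usr/bin/openssl
crlusers = admin
crlpublic = false

[ ldap ]
ldaphost = ldap.example.com
ldapport = 389
ldapbase = dc=example,dc=com
binddn = cn=openscep,dc=example,dc=com
ldapmodify = /usr/local/bin/ldapmodify
ldapsearch = /usr/local/bin/ldapsearch
"""


def parse_cnf(text):
    """Minimal reader for the OpenSSL-style syntax openscep.cnf reuses:
    '[ section ]' headers, 'key = value' lines and '#' comments.
    Quoting and $var expansion are not handled.  Returns {section: {key: value}}."""
    sections = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*([^\]]+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)  # values may themselves contain '='
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def check_cnf(text, check_paths=False):
    """Return a list of findings; an empty list means the file passed."""
    cfg = parse_cnf(text)
    findings = []
    for section, keys in REQUIRED.items():
        present = cfg.get(section, {})
        for key in keys:
            if key not in present:
                findings.append(f"[{section}] {key} is not set (OpenSCEP has no defaults)")
                continue
            value = present[key]
            if key in BOOLEAN_KEYS and value not in ("true", "false"):
                findings.append(f"[{section}] {key} must be true or false, got {value!r}")
            if key == "ldapport" and not value.isdigit():
                findings.append(f"[{section}] ldapport must be a TCP port number, got {value!r}")
            if check_paths and key in PATH_KEYS and not os.path.exists(value):
                findings.append(f"[{section}] {key} points to a missing file: {value}")
    return findings


def key_mode_is_private(mode):
    """cakey is stored unencrypted, so group and others must have no access."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_cakey_permissions(cfg):
    """Stat the configured CA key; None if it is unset or missing (check_cnf
    reports that), otherwise whether its mode keeps the key private."""
    path = cfg.get(SCEPD_SECTION, {}).get("cakey")
    if not path or not os.path.exists(path):
        return None
    return key_mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    for finding in check_cnf(SAMPLE_CNF):
        print(finding)
```

       Run against the real file with check_paths=True after an upgrade, and
       treat a False from check_cakey_permissions as a finding in its own
       right: the key has no passphrase, so file mode is its only protection.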

       This page documents openscep.cnf	as it  appears	in  version  0.4.2  of

       Andreas F. Mueller <>

OpenSCEP			   07/03/17		       openscep.cnf(8)

