The addition of SCEP support brings with it a couple of new command-line options which are useful for SCEP. Non-SCEP use cases are not affected.

Unlike IPA, certmaster, the local signer, or self-signing, there's no concept of a "default" SCEP server for the system, so certmonger doesn't provide a pre-canned configuration which attempts to use a default server. In order to be able to use certmonger with an SCEP server, then, a CA configuration needs to be added. While previously this could only be done either through the D-Bus API or by manually editing certmonger's data files, the "getcert" command now also provides both an "add-ca" command for the general case, and an "add-scep-ca" command, which "knows" both the location of certmonger's bundled SCEP helper and the options it recognizes, for the specific case. The results are the same regardless of which command is used.

The general option looks like this:

    getcert add-ca -c exampleSCEPca -e \
      "/usr/libexec/certmonger/scep-submit -u http://ca.example.com/cgi-bin/pkiclient.exe"

The more specific option looks like this:

    getcert add-scep-ca -c exampleSCEPca -u http://ca.example.com/cgi-bin/pkiclient.exe

If the URL of the server is an HTTPS URL, the -R option should be used to specify the location of the CA certificate, so that the server's HTTPS certificate can be verified.

Once that's done, the CA will be listed by "getcert list-cas", and can be used to request a certificate, as per usual:

    getcert request -c exampleSCEPca -f /etc/pki/certfile -k /etc/pki/keyfile

SCEP servers often expect an enrollment challenge password to be present in the enrollment request. The "getcert request" command now recognizes the -L and -l options for specifying such a value, or the name of a file that contains such a value, to include in the client's request.
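
The steps above, put together for an HTTPS SCEP server, as an added example that is not from the original page or the certmonger project. It refuses an HTTPS URL without a CA certificate for -R, and passes the challenge password with -l from a file that only its owner can read, which keeps the value out of the process argument list. The function names are hypothetical and the paths /etc/pki/scep-ca.pem and /etc/pki/scep-challenge are assumptions.

```shell
#!/bin/sh
# Added example, not certmonger's own code. Function names are hypothetical;
# /etc/pki/scep-ca.pem and /etc/pki/scep-challenge are assumed paths.

# Dry run by default: commands are printed. Set GETCERT=getcert to execute them.
GETCERT="${GETCERT:-echo getcert}"

# Succeeds only if the file exists and grants nothing to group or others.
challenge_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# scep_add_ca NICKNAME URL [CA_CERT_FILE]
scep_add_ca() {
    nick=$1 url=$2 cacert=${3:-}
    case $url in
        https://*)
            # Without -R the server's HTTPS certificate cannot be verified.
            [ -n "$cacert" ] || { echo "https URL needs a CA certificate for -R" >&2; return 2; }
            $GETCERT add-scep-ca -c "$nick" -u "$url" -R "$cacert" ;;
        http://*)
            $GETCERT add-scep-ca -c "$nick" -u "$url" ;;
        *)
            echo "unsupported URL: $url" >&2; return 2 ;;
    esac
}

# scep_request NICKNAME CERTFILE KEYFILE CHALLENGE_FILE
scep_request() {
    nick=$1 cert=$2 key=$3 chal=$4
    challenge_file_is_private "$chal" || {
        echo "challenge file must not be accessible to group or others" >&2
        return 3
    }
    # -l names a file holding the challenge password (-L would put it in argv).
    $GETCERT request -c "$nick" -f "$cert" -k "$key" -l "$chal"
}

# Usage:
#   scep_add_ca exampleSCEPca https://ca.example.com/cgi-bin/pkiclient.exe /etc/pki/scep-ca.pem
#   scep_request exampleSCEPca /etc/pki/certfile /etc/pki/keyfile /etc/pki/scep-challenge
```
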