Thursday, 23 June 2016

Certificate Management Using Command - Part 2 - Keystore Management
The table below lists the actions that can be performed on a key database (keystore).

Command                                    Object   Action      Description
gskcapicmd, gsk7capicmd, gskcmd, gsk7cmd   -keydb   -changepw   Change the password of a key database
                                                    -convert    Convert the format of a key database
                                                    -create     Create a key database
                                                    -delete     Delete a key database
                                                    -expiry     Display the password expiry of a key database
                                                    -list       List the currently supported types of key database
                                                    -stashpw    Stash the password of a key database into a file

Note: gskcapicmd/gsk7capicmd support only CMS and PKCS11 key databases. To manage any other key database type (JKS, JCEKS, PKCS12), use gskcmd/gsk7cmd or another Java keystore tool.


Keystore Management:
1. Creating the keystore
The create command creates a new key database.
 
Syntax:
gskcmd -keydb -create -db <name> [-pw <passwd>] [-type <type>] [-expire <days>] [-stash] [-populate [-label <label>]]

The table below gives the options that can be used with the action "create".

Option      Required/optional               Value
-db         Required                        <file name of the key database>
-pw         Optional                        <password>
-type       Optional                        <cms | jceks | jks | kdb | p12 | pkcs12 | pkcs12s2>
-expire     Optional                        <1 - 7300> (days; 7300 = 20 years)
-stash      Optional
-populate   Optional
-label      Optional (only with -populate)  <signer certificate label>

Note:
If -type is not given, the tool creates a CMS key database.
If -expire is not given, the key database password never expires. If it is given, the duration must be from 1 to 7300 days (20 years).
 
Examples:
A.   gskcmd -keydb -create -db sample.kdb -pw pass -type kdb -expire 7300 -stash
The above command creates the key database "sample.kdb" with a password that expires in 7300 days. The password is stashed to the file "sample.sth".
If -expire is omitted, the password never expires.
If -pw is omitted, the command prompts for the password. The prompt keeps the password out of the shell history and out of process listings ("ps"), so prefer it over -pw when running the command by hand.

B.   gskcmd -keydb -create -db sample.kdb -pw pass -populate
The above command creates the key database "sample.kdb" and populates it with the default set of signer (CA) certificates shipped with the tool.

C.   gskcmd -keydb -create -db sample.kdb -pw pass -populate -label "Thawte Server CA"
The above command creates the key database "sample.kdb" and adds only the signer certificate labelled "Thawte Server CA".
To list the signer certificates and verify that the certificate was added, execute the command below:

bash-4.2$ ./gskcmd -cert -list -db sample.kdb -pw pass
Certificates in database /usr/IBM/HTTPServer/bin/sample.kdb:
  "Thawte Server CA"
bash-4.2$
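As an added example (it is not from the original post and not IBM's code), the script below wraps the create action described above: it validates the -expire value the way the note above describes, creates a stashed CMS key database with gskcmd, and then restricts the resulting .kdb, .rdb, .crl (if present) and .sth files to the owner, because the stash file lets anyone who can read it open the key database without knowing the password. It assumes gskcmd is on the PATH and that the password is supplied in the environment variable KDB_PASS (a name chosen for this example); the function and helper names are the example's own. Like the post's examples it passes the password with -pw, so the password is visible in the process list while gskcmd runs.

```shell
#!/bin/sh
# Added example, not part of the original post: create a stashed CMS key
# database with gskcmd and lock down the files it produces.
# Assumptions: gskcmd is on PATH; KDB_PASS (hypothetical name) holds the password.
set -eu

# gskcmd -expire accepts 1..7300 days; an empty value means "never expires".
valid_expire_days() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 7300 ]
}

# Files gskcmd creates alongside <name>.kdb: the request database (.rdb),
# the CRL database (.crl, older GSKit releases) and the stash file (.sth).
# The stash file is as sensitive as the password itself, so owner-only.
harden_keystore_files() {
    base=${1%.kdb}
    for ext in kdb rdb crl sth; do
        if [ -e "$base.$ext" ]; then
            chmod 600 "$base.$ext"
        fi
    done
}

# Return 0 only if every keystore file that exists is mode 0600 exactly.
keystore_files_are_private() {
    base=${1%.kdb}
    for ext in kdb rdb crl sth; do
        if [ -e "$base.$ext" ] && [ -z "$(find "$base.$ext" -prune -perm 600)" ]; then
            return 1
        fi
    done
    return 0
}

# create_kdb <name.kdb> [expire_days]
create_kdb() {
    db=$1
    expire=${2:-}
    set -- -keydb -create -db "$db" -type cms -stash
    if [ -n "$expire" ]; then
        if ! valid_expire_days "$expire"; then
            echo "create_kdb: -expire must be between 1 and 7300 days" >&2
            return 2
        fi
        set -- "$@" -expire "$expire"
    fi
    # -pw is visible in 'ps' while gskcmd runs; omit it to be prompted instead.
    gskcmd "$@" -pw "$KDB_PASS"
    harden_keystore_files "$db"
    keystore_files_are_private "$db"
}
```

Source the file and run `KDB_PASS='...' create_kdb sample.kdb 7300` from a shell whose umask already denies group and world access; the explicit chmod is a belt-and-braces step, since gskcmd creates the files with the caller's umask and a permissive umask would otherwise leave the .sth world-readable.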


 
2. Change Password for Key Database
The changepw action changes the password associated with the specified key database.
Syntax:
gskcmd -keydb -changepw -db <name> -new_pw <password> [-pw <passwd>] [-type <cms>] [-expire <days>] [-stash]

The table below gives the options that can be used with the action "changepw".

Option     Required/optional   Value
-db        Required            <file name of the key database>
-new_pw    Required            <new password>
-pw        Optional            <current password>
-type      Optional            <cms | jceks | jks | kdb | p12 | pkcs12 | pkcs12s2>
-expire    Optional            <1 - 7300> (days; 7300 = 20 years)
-stash     Optional

Example:
         bash-4.2$ ./gskcmd -keydb -changepw -db sample.kdb -pw pass -new_pw pass1
The above command changes the password of the key database from "pass" to "pass1".
Note: if the key database has a stash file, add -stash to this command (or run -stashpw afterwards, see section 6); otherwise "sample.sth" still holds the old password and anything relying on automatic login will fail to open the key database.
 
3. Display Key Database Password Expiry
The expiry action displays the expiry date of the password associated with the identified key database.

Syntax:
gskcmd -keydb -expiry -db <name> [-pw <passwd>] [-type <cms>]

The table below gives the options that can be used with the action "expiry".

Option   Required/optional   Value
-db      Required            <file name of the key database>
-pw      Optional            <password>
-type    Optional            <cms | jceks | jks | kdb | p12 | pkcs12 | pkcs12s2>

Example:
         bash-4.2$ ./gskcmd -keydb -expiry -db sample.kdb -pw pass
         The password doesn't expire.
         bash-4.2$
The above command displays the password expiry of the key database "sample.kdb"; here the password was set to never expire. Because the command has to open the key database, a successful run also confirms that the supplied password is correct, which makes it a convenient check after a password change.
 
4. List Supported Key Databases
The list action prints all of the key database types that the gskcmd command supports.
 
Syntax:
gskcmd -keydb -list

Example:
         bash-4.2$ ./gskcmd -keydb -list
          Currently supported key database types:
          CMS
          JKS
          JCEKS
          PKCS12
          PKCS12S2
          PKCS11Direct
         bash-4.2$
 
5. Convert Key Database
The convert action converts a key database from one format to another, including upgrading an old-version CMS key database to the current CMS version. The current CMS version is preferable because it uses stronger algorithms to protect the contents of the key database.

Syntax:
gskcmd -keydb -convert -db <name> [-pw <passwd>] [-type <cms>] -new_format <cms> [-target <db name>] [-new_pw <passwd>] [-expire <days>] [-stash]

The table below gives the options that can be used with the action "convert".

Option                Required/optional   Value
-db                   Required            <file name of the source key database>
-new_format           Required            <cms | jceks | jks | kdb | p12 | pkcs12 | pkcs12s2>
-pw                   Optional            <password of the source key database>
-target               Optional            <file name of the new key database>
-new_pw               Optional            <password of the new key database>
-old_format or -type  Optional            <cms | jceks | jks | kdb | p12 | pkcs12 | pkcs12s2>
-expire               Optional            <1 - 7300> (days; 7300 = 20 years)
-stash                Optional

Example:

bash-4.2$ ./gskcmd -keydb -convert -db sample.kdb -pw pass -new_format jks -target sample1.jks -new_pw pass1 -expire 7300

The above command converts sample.kdb to sample1.jks with the new password "pass1" and a password expiry of 7300 days (20 years).
Note:
If -expire is not given, the password of the new key database is set to never expire.
The -stash option only makes sense for CMS (kdb) key databases, where the password is stashed to a .sth file.
 
6. Stash the Password for Key Database
The stashpw action takes the password of an existing key database and stashes it to a file so that the password can be recovered when automatic login is required (for example by a server process that opens the key database at startup).

Syntax:
gskcmd -keydb -stashpw -db <name> [-pw <password>] [-type <cms>]

The table below gives the options that can be used with the action "stashpw".

Option   Required/optional   Value
-db      Required            <file name of the key database>
-pw      Optional            <password>
-type    Optional            <cms | jceks | jks | kdb | p12 | pkcs12 | pkcs12s2>

Example:
       ./gskcmd -keydb -stashpw -db sample1.kdb -pw pass

The above command stashes the password "pass" into a single file named after the key database with the extension ".sth", which here is "sample1.sth".
Note: the stash file is not protected by any secret of its own; whoever can read it can recover the password and open the key database. Treat the .sth file exactly like the password: restrict it (and the .kdb) to the owner of the server process, and keep it out of backups, source control and world-readable directories.
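The changepw action (section 2) and the stashpw action above are normally run together when a password is rotated, because the existing .sth still holds the old password. As an added example that is not part of the original post, the script below rotates the password of a stashed CMS key database: it backs up the .kdb and .sth files first, runs gskcmd -keydb -changepw with -stash so the stash file is rewritten, confirms that the database opens with the new password via -expiry, and restores the backups if changepw fails. It assumes gskcmd is on the PATH (GSKCMD is this example's own variable for pointing at a different binary) and, like the post's examples, passes the passwords with -pw/-new_pw, so they are visible in the process list while the command runs. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: rotate the password of a
# stashed CMS key database with rollback. Assumes gskcmd is on PATH.
set -eu

GSKCMD=${GSKCMD:-gskcmd}   # hypothetical override for the gskcmd binary

# Keep an owner-only copy of <base>.kdb and <base>.sth so a failed changepw
# leaves us with a working key database and a stash that matches it.
backup_kdb() {
    base=${1%.kdb}
    for ext in kdb sth; do
        if [ -e "$base.$ext" ]; then
            cp -p "$base.$ext" "$base.$ext.bak"
            chmod 600 "$base.$ext.bak"
        fi
    done
}

# Put the backed-up files back in place (used only on failure).
restore_kdb() {
    base=${1%.kdb}
    for ext in kdb sth; do
        if [ -e "$base.$ext.bak" ]; then
            mv "$base.$ext.bak" "$base.$ext"
        fi
    done
}

# Drop the backups once the rotation succeeded; they hold the old password.
remove_kdb_backups() {
    base=${1%.kdb}
    rm -f "$base.kdb.bak" "$base.sth.bak"
}

# rotate_kdb_password <name.kdb> <old password> <new password> [expire_days]
rotate_kdb_password() {
    db=$1
    old=$2
    new=$3
    expire=${4:-}
    backup_kdb "$db"
    # -stash rewrites <name>.sth with the new password; without it the old
    # stash would remain and automatic login would fail after the change.
    set -- -keydb -changepw -db "$db" -pw "$old" -new_pw "$new" -stash
    if [ -n "$expire" ]; then
        set -- "$@" -expire "$expire"
    fi
    if ! "$GSKCMD" "$@"; then
        echo "rotate_kdb_password: changepw failed, restoring backup" >&2
        restore_kdb "$db"
        return 1
    fi
    remove_kdb_backups "$db"
    chmod 600 "${db%.kdb}.sth"
    # -expiry has to open the database, so success proves the new password works.
    "$GSKCMD" -keydb -expiry -db "$db" -pw "$new"
}
```

Source the file and run `rotate_kdb_password sample.kdb pass pass1 7300`; the backups are deliberately deleted on success so that a copy of the old stash does not linger next to the live key database.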
 
7. Delete Key Database
The delete action deletes the identified key database.
Syntax:
gskcmd -keydb -delete -db <name> [-pw <password>] [-type <cms>]

The table below gives the options that can be used with the action "delete".

Option   Required/optional   Value
-db      Required            <file name of the key database>
-pw      Optional            <password>
-type    Optional            <cms | jceks | jks | kdb | p12 | pkcs12 | pkcs12s2>

Example:
./gskcmd -keydb -delete -db sample1.kdb -pw pass

The above command deletes the key database "sample1.kdb". It also deletes the file "sample1.rdb", but not "sample1.sth" if it exists; remove the stash file by hand, since it still contains the password of the deleted key database.



In the next post (Certificate Management Using Command - Part 3 - Certificate Management), I will cover certificate management with the gskcmd command, with examples.