Tuesday, 14 June 2016

Certificate Management using commands - Part 1



There are various command line tools to manage keys, certificates and certificate requests. The following commands are available for certificate management:
- gskcmd and gskcapicmd (Version 8 onwards)
- gsk7cmd and gsk7capicmd (Version 7)


Syntax for the gsk commands:

gskcmd <object> <action> [options]
where
object includes one of the following:

    • -keydb: Actions taken on the key database (either a CMS key database file, a WebDB key ring file, or SSLight class)
    • -cert: Actions taken on a certificate
    • -certreq: Actions taken on a certificate request
    • -help: Displays help for the gsk7cmd invocations
    • -version: Displays version information for gsk7cmd
action represents the specific action to take on the object.
options represents the options, both required and optional, specified for the object and action pair.


Note: The object and action keywords are positional and you must specify them in the selected order. However, options are not positional and you can specify them in any order, as an option and operand pair.
The following table describes each action possible on a specified object that you can use with the gsk commands.


Object: -keydb (gskcapicmd, gsk7capicmd, gskcmd, gsk7cmd)
    • -changepw: Change the password for a key database
    • -convert: Convert the format of a key database
    • -create: Create a key database
    • -delete: Delete a key database
    • -expiry: Display password expiry
    • -list: List the currently supported types of key database
    • -stashpw: Stash the password of a key database into a file

Object: -cert (gskcapicmd, gsk7capicmd, gskcmd, gsk7cmd)
    • -add: Add a CA certificate
    • -create: Create a self-signed certificate
    • -delete: Delete a certificate
    • -details: Show the details of a specific certificate
    • -export: Export a personal certificate and its associated private key into a PKCS12 file or a key database
    • -extract: Extract a certificate from a key database
    • -getdefault: Show the default personal certificate
    • -import: Import a certificate from a key database or a PKCS12 file
    • -list: List certificates in a key database
    • -listsigners: List signer certificates delivered with ikeyman (not available in gskcapicmd/gsk7capicmd)
    • -modify: Modify a certificate (NOTE: the only field that may be modified is the trust field)
    • -populate: Populate with included CA certificates (not available in gskcapicmd/gsk7capicmd)
    • -receive: Receive a certificate
    • -rename: Rename a certificate
    • -setdefault: Set the default personal certificate
    • -sign: Sign a certificate
    • -validate: Validate a certificate path (available only in gskcmd and gskcapicmd)

Object: -certreq (gskcapicmd, gsk7capicmd, gskcmd, gsk7cmd)
    • -create: Create a certificate request
    • -delete: Delete a certificate request from a certificate request database
    • -details: Show the details of a specific certificate request
    • -extract: Extract a certificate from a certificate request database
    • -list: List all certificate requests in a certificate request database
    • -recreate: Recreate a certificate request

Object: -seckey (available only in gskcmd and gsk7cmd)
    • -create: Create a secret key
    • -delete: Delete a secret key
    • -details: Show the details of a specific secret key
    • -export: Export secret keys to a file
    • -import: Import secret keys from a file
    • -list: List all secret keys in a key database
    • -rename: Rename a secret key

Object: -version (gskcapicmd, gsk7capicmd, gskcmd, gsk7cmd): Display iKeyman version information
Object: -help (gskcapicmd, gsk7capicmd, gskcmd, gsk7cmd): Display this help text

Object: -secretkey (available only in gskcapicmd)
    • -add: Add a secret key
    • -extract: Extract a secret key from a key database

Object: -random (available only in gskcapicmd)
    • -create: Create a random password


The following table describes the options that you can use with the gsk commands.


Option: Description
    • -db: Fully qualified path name of a key database
    • -default_cert: Sets a certificate to use as the default certificate for client authentication (yes or no). Default is no.
    • -dn: X.500 distinguished name. Input as a quoted string of the following format (only CN, O, and C are required): "CN=Reena,O=IBM,OU=WebSphere,L=Bangalore, ST=KA,ZIP=13760,C=country"
    • -encryption: Strength of encryption used in the certificate export command (strong or weak). Default is strong.
    • -expire: Expiration time of either a certificate or a database password (in days).
    • -file: File name of a certificate or certificate request (depending on the specified object).
    • -format: Format of a certificate (either ascii for Base64-encoded ASCII or binary for binary DER data). Default is ascii.
    • -label: Label attached to a certificate or certificate request
    • -new_format: New format of key database
    • -new_pw: New database password
    • -old_format: Old format of key database
    • -pw: Password for the key database or PKCS#12 file
    • -size: Key size (512, 1024, or 2048). Default is 1024. The 2048 key size is available if you are using Global Security Kit (GSKit) Version 7.0.4.14 and later.
    • -stash: Indicator to stash the key database password to a file. If specified, the password will be stashed in a file.
    • -target: Destination file or database
    • -target_pw: Password for the key database if -target specifies a key database.
    • -target_type: Type of database specified by the -target operand (see -type)
    • -trust: Trust status of a CA certificate (enable or disable). Default is enable.
    • -type: Type of database. Allowable values are cms (indicates a CMS key database), webdb (indicates a keyring), sslight (indicates an SSLight .class), or pkcs12 (indicates a PKCS#12 file).
    • -x509version: Version of X.509 certificate to create (1, 2 or 3). Default is 3.


Procedure

  1. Invoke the command from the <ihsinst>/bin/ directory:
    • gsk7cmd.bat / gsk7capicmd.bat / gskcmd.bat / gskcapicmd.bat (Windows)
    • gsk7cmd / gsk7capicmd / gskcmd / gskcapicmd (Unix)
  2. Perform the certificate management tasks that you want to complete.
Example:
Create a key database whose password expires after 20 years (7300 days). The -type value must be one of those listed in the options table, so a CMS key database is created with -type cms:
gsk7cmd -keydb -create -db test.kdb -pw password -type cms -expire 7300


In the next post (Certificate Management Using Command - Part 2 Keystore Management), I will cover keystore management using these commands, with examples.
