mkcert command

Use the mkcert command to create either a certificate signing request (CSR) or a self-signed certificate.

Synopsis

mkcert [--help]

To create a certificate signing request in the default keystore:

mkcert -r -l cert_request_label -d distinguished_name -s size -f request_filename -p keystore_password

To create a self-signed certificate:

mkcert -c -k keystore_name -n cert_label -p keystore_password -d distinguished_name -e cert_expiry -s size

Description

Users with smadmin authority can use the mkcert command to create either a certificate signing request (CSR) or a self-signed certificate.

A CSR is created in the default keystore file. The CSR file is created in the specified location and can be sent to a trusted certificate authority (CA) to obtain a CA-signed certificate. You can import the received CA-signed certificate into the default keystore. Refer to the Web site of the trusted authority that is issuing the certificate for details about how to obtain a trusted certificate using the CSR file.

If the certificate is self-signed, the command creates a keystore of type .jks in which it stores the self-signed certificate. You can then use the updcert command to import the self-signed certificate into the default keystore.

Ensure that the host name that is specified in the Common Name (CN) field of the certificate matches the host name that is specified in the URL that is used to access the targets. For example, if a long name is specified for the host name in the Common Name field of the certificate, a long name should be specified in the URL. If these host names do not match, an error might occur while accessing targets.
Note: If you are creating a self-signed certificate, you can use the DNS host name of the IBM® Flex System Manager for the "CN" attribute. If you do not know the DNS host name, use a tool, such as nslookup, to determine the DNS host name from the IP address.

Operands

There are no operands.

Options

-c | --selfsigneddb
Creates a self-signed certificate. If you specify -c, you must also specify the following additional parameters:
  • -n to specify a unique name (label) for the certificate
  • -d to specify identity information for the certificate in the form of a distinguished name
  • -s to specify a key size
  • -e to specify an expiration date for the certificate
  • -k to create a keystore file in which to store the certificate
  • -p to specify a password for the keystore file
After you create the certificate, you can import it into the default keystore.
-d | --distinguishedname distinguished_name
Specifies the identity information for the certificate request or the self-signed certificate in the form of a distinguished name, which you specify as a quoted string. You must use the following format, where only CN, O, and C are required: "CN=common_name, O=organization, OU=organization_unit, L=location, ST=state, province, C=country". Refer to the Web site of the trusted authority that is issuing the certificate to determine the required fields for -d. This parameter is required when using either the -r parameter to create a certificate request or the -c parameter to create a self-signed certificate.
-e | --expire cert_expiry
Specifies the number of days in which the self-signed certificate that you are creating expires. The minimum value that you can specify is one day. The maximum value is 7300 days. This parameter is required when you use the -c parameter to create a self-signed certificate.
-f | --csrfilename request_filename
Specifies the location of a new file in which the certificate request is to be stored. You must specify the full path and file name for this new file. This parameter is required when you use the -r parameter to create a certificate request.
--help
Displays detailed information about the command, including the syntax, a description of the command, a description of the options and operands, error codes, and examples.
-k | --selfsignedkeystore keystore_name
Specifies the location of a new keystore file in which the self-signed certificate is to be stored. You must specify the full path and file name for this new keystore file. This parameter is required when you use the -c parameter to create a self-signed certificate.
-l | --csrlabel cert_request_label
Specifies a unique name (label) for the certificate request. This parameter is required when you use the -r parameter to create a certificate request.
-n | --selfsignedcertlabel cert_label
Specifies a unique name (label) for the self-signed certificate in the keystore file specified by the -k parameter. This parameter is required when you use the -c parameter to create a self-signed certificate.
-p | --keystorepassword keystore_password
Specifies the password for the keystore file to be accessed. When used with the -r parameter, the password is the password for the default keystore file. When used with the -c parameter, the password is the password to be assigned to the keystore file that is used to store the self-signed certificate.
-r | --certreq
Creates a certificate request in the default keystore. If you specify -r, you must also specify the following additional parameters:
  • -l to specify a unique name for the certificate request
  • -d to specify the identity information for the certificate request in the form of a distinguished name
  • -s to specify a key size
  • -f to create a file that contains the request
  • -p to specify the password of the default keystore file
You can use the information in the file to obtain a certificate from the certificate authority of your choice. When you obtain the certificate, you can import it into the default keystore.
-s | --size size
Specifies a key size for the certificate request or the self-signed certificate that you are creating. You can specify a key size of 512, 1024, or 2048. This parameter is required when you use the -r parameter to create a certificate request or the -c parameter to create a self-signed certificate.

Exit status

The following codes are returned by this command.
  • 0: The operation completed.
  • 1: A usage error occurred.
  • 2: The command or bundle was not found.
  • 3: The command was not performed because either authentication failed or you are not authorized to perform the action.

Examples

  1. Create a self-signed certificate in a new keystore and assign a keystore password

    This example illustrates how to create a self-signed certificate "selfsignedcert" in a new keystore "sample.jks" in the location /opt/ibm/director/vmi/data and assign the keystore password "password". The command creates the keystore "sample.jks" in the given location and creates the certificate "selfsignedcert" inside the keystore.

    mkcert -c -k /opt/ibm/director/vmi/data/sample.jks \
      -p password -n selfsignedcert \
      -d "CN=wl.loc.con.com,O=con,OU=IBMHTTPServer,L=RTP,ST=NC,C=US" \
      -s 512 -e 365
  2. Generate a certificate signing request (CSR) and save the request file

    This example illustrates how to generate a certificate signing request (CSR) with the label "csrfordirector" and save the request file with the name "dirservercsr.arm" in the location /opt/ibm/director/vmi/data. The command creates the request file in the specified location and with the name "dirservercsr.arm". The command also creates the request in the default keystore. The request file can be sent to any certificate authority (CA) for signing. The trusted certificates received from the CA can be imported into the keystore.

    mkcert -r -l csrfordirector \
      -d "CN=wl.loc.con.com,O=ibm,OU=IBMHTTPServer,L=RTP,ST=NC,C=US" \
      -s 512 -f /opt/ibm/director/vmi/data/dirservercsr.arm -p passw0rd
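
The limits stated under Options (required DN attributes, accepted key sizes, the 1 to 7300 day expiry range, a full path to a new file, and a CN that matches the URL host name) can be checked before mkcert is run. The shell functions below are an added example, not IBM code; the function names, the MIN_KEY_SIZE policy of 2048 and the sample URL are assumptions of this example.

```shell
# Added example (not IBM code): preflight checks for "mkcert -c" arguments.
# MIN_KEY_SIZE is an assumed local policy, stricter than what mkcert accepts.
MIN_KEY_SIZE=2048
fail() { echo "preflight: $1" >&2; return 1; }

# -d: CN, O and C are required attributes of the distinguished name.
check_dn() {
    dn=",$(printf '%s' "$1" | tr -d ' ')"
    for attr in CN O C; do
        case "$dn" in *",$attr="[!,]*) ;; *) fail "DN is missing $attr"; return 1 ;; esac
    done
}

# The CN must equal the host name in the URL used to access the targets.
check_cn_matches_url() {   # $1 = distinguished name, $2 = URL
    cn=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^ *CN= *//p' | head -n 1)
    host=${2#*://}; host=${host%%[:/]*}
    [ "$cn" = "$host" ] || fail "CN '$cn' does not match URL host '$host'"
}

# -s: mkcert accepts 512, 1024 or 2048; the assumed policy keeps only 2048.
check_size() {
    case "$1" in 512|1024|2048) ;; *) fail "size must be 512, 1024 or 2048"; return 1 ;; esac
    [ "$1" -ge "$MIN_KEY_SIZE" ] || fail "size $1 is below the policy minimum"
}

# -e: whole number of days, minimum 1, maximum 7300.
check_expiry() {
    case "$1" in ''|*[!0-9]*) fail "expiry must be a whole number of days"; return 1 ;; esac
    { [ "$1" -ge 1 ] && [ "$1" -le 7300 ]; } || fail "expiry must be 1 to 7300 days"
}

# -k: a full path to a keystore file that does not exist yet.
check_new_full_path() {
    case "$1" in /*) ;; *) fail "'$1' is not a full path"; return 1 ;; esac
    [ ! -e "$1" ] || fail "'$1' already exists"
}

# All checks for a self-signed certificate: keystore, DN, size, days, URL.
preflight_selfsigned() {
    check_new_full_path "$1" && check_dn "$2" && check_size "$3" &&
        check_expiry "$4" && check_cn_matches_url "$2" "$5"
}

# Example 1's values stop at -s 512; the URL is constructed for this example.
preflight_selfsigned /opt/ibm/director/vmi/data/sample.jks \
    "CN=wl.loc.con.com,O=con,OU=IBMHTTPServer,L=RTP,ST=NC,C=US" 512 365 \
    "https://wl.loc.con.com/" || echo "mkcert not invoked"
```

Run mkcert only when preflight_selfsigned returns 0; the same check_dn and check_size functions apply to the -r (CSR) form.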