tklmCertCreate

Use the tklmCertCreate command to create a certificate and a public and private key pair, and store the certificate in an existing keystore.

Note: The IBM Security Key Lifecycle Manager command-line interface commands will be deprecated in the later versions of IBM Security Key Lifecycle Manager. Use the REST interfaces instead.

Purpose

Use this command to create a certificate and a public and private key pair, and store the certificate in an existing keystore.

Do not use other key-generating tools such as keytool or the iKeyman utility to create or to modify keys or certificates. Use IBM Security Key Lifecycle Manager.

Note: If you additionally want to specify that a certificate is used as the:
  • System default or partner certificate

    You must use the tklmDeviceGroupAttributeList and tklmDeviceGroupAttributeUpdate commands to view and change values for use as the system default or partner certificate. These values were previously stored in the obsolete drive.default.alias1 (for system default) or drive.default.alias2 (for system partner) properties.

  • SSLSERVER

    Use the tklmConfigUpdateEntry command to update the value of the config.keystore.ssl.certalias property entry in the SKLMConfig.properties file.

Permissions

Your role must have permission for the create action and permission for the appropriate device group. Alternatively, your role must have permission for the configure action to create an SSL or KMIP certificate. To make this certificate the default, your role must also have permission for the modify action.

Syntax

tklmCertCreate -type type -alias certalias -cn commonname -ou organizationunit -o organization -locality locality -state state -country country -keyStoreName keystorename -usage {3592 | DS8000 | PEER_TO_PEER | GENERIC | userdevicegroup | SSLSERVER | SSLCLIENT } -validity integerindays

Parameters

-alias
Required. Specify a unique name for the certificate. The name is not case-sensitive. If you specify MY Cert1, the value is stored as my cert1.
Note: Do not use a value such as aaa000000000000000002 where the value begins with three alphabetic characters followed by 18 numeric characters. IBM Security Key Lifecycle Manager uses this format to generate a key group with symmetric keys.

Do not use forward slash (/) or backslash (\) characters in the value.

-cn
Required. Specify the common name.
-country
Specify a country as a two-letter country code.
-keyStoreName
Required. Specify the name of an existing keystore.
-locality
Specify a locality, such as a city.
-o
Specify the organization. For example, o=myCompanyName.
-ou
Specify the organizational unit. For example, ou=marketing.
-state
Specify a state or province.
-type
Required. Specify a certificate type. You can specify the following certificate types:
  • Self-signed

    The subject name and the issuer name of the certificate are the same. To create a request for a certificate that is not self-signed, use the tklmCertGenRequest command to create a user certificate in which the certificate issuer name represents a certificate authority, and the subject name represents a user or an end entity.

-usage
Required. Specify the target application usage, such as SSLSERVER. You can specify the following values:
3592
Specifies the 3592 device group.
DS8000
Specifies the DS8000 device group.
PEER_TO_PEER
Specifies the PEER_TO_PEER device group.
GENERIC
Specifies a device family that uses the Key Management Interoperability Protocol to interact with IBM Security Key Lifecycle Manager. The GENERIC device group enables management of KMIP objects.

Do not use the command-line interface to add a device to the GENERIC device group, or to change a GENERIC device group attribute.

SSLCLIENT
Client-side certificate that authenticates the client device in secure communication over the Secure Sockets Layer protocol.
SSLSERVER
Server-side certificate that is presented by the server in secure communication over the Secure Sockets Layer protocol.
userdevicegroup
Specifies a user-defined group that is based on a supported device family.
-validity
Required. Specify the interval of time in days during which the certificate is valid. The interval can range from a minimum of one day to a maximum of 9000 days.

Example

This Jython-formatted command creates a self-signed certificate with an alias of sklmCertificate for the 3592 device group that is valid for 999 days.

print AdminTask.tklmCertCreate('[-type selfsigned'
    ' -alias sklmCertificate -cn sklm -ou sales -o myCompanyName'
    ' -usage 3592 -country US -keyStoreName defaultKeyStore'
    ' -validity 999]')

This Jython-formatted command creates a self-signed certificate with an alias of sklmSSLCertificate for use as the SSLSERVER certificate, valid for 999 days.

print AdminTask.tklmCertCreate('[-type selfsigned'
    ' -alias sklmSSLCertificate -cn sklmssl -ou accounting -o myCompanyName'
    ' -country US -keyStoreName defaultKeyStore'
    ' -usage SSLSERVER -validity 999]')
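The parameter rules above (required parameters, the reserved alias format, no slashes in the alias, the case-insensitive alias, the two-letter country code, the allowed usage values, and the 1 to 9000 day validity range) are easy to get wrong in a script that drives wsadmin. The following Python wrapper is an added example, not IBM code and not part of the product: it validates the parameters against the rules stated on this page and builds the bracketed argument string in the same order as the examples above before handing it to AdminTask.tklmCertCreate. The CertCreateError class, the user_device_groups parameter (for user-defined device groups, whose names the page does not list) and the _FakeAdminTask stand-in used for offline runs are assumptions of this example; in a real wsadmin session you would pass the session's AdminTask object instead.

```python
import re

# Rules below are the ones stated on this page for tklmCertCreate; the
# wrapper itself is an added example, not part of the product.
USAGE_VALUES = frozenset(
    {"3592", "DS8000", "PEER_TO_PEER", "GENERIC", "SSLSERVER", "SSLCLIENT"}
)
CERT_TYPES = frozenset({"selfsigned"})  # the only -type the reference lists
MIN_VALIDITY_DAYS = 1
MAX_VALIDITY_DAYS = 9000
# Three alphabetic characters followed by 18 digits is reserved: the product
# uses that shape for the key groups it generates itself.
RESERVED_ALIAS_RE = re.compile(r"^[A-Za-z]{3}[0-9]{18}$")
COUNTRY_RE = re.compile(r"^[A-Za-z]{2}$")


class CertCreateError(ValueError):
    """A parameter violates a rule documented for tklmCertCreate (assumed name)."""


def validate_alias(alias):
    """Check the -alias rules and return the form the product stores (lower case)."""
    if not alias:
        raise CertCreateError("-alias is required")
    if "/" in alias or "\\" in alias:
        raise CertCreateError("-alias must not contain / or \\")
    if RESERVED_ALIAS_RE.match(alias):
        raise CertCreateError(
            "-alias must not be three letters followed by 18 digits "
            "(reserved for generated key groups)"
        )
    return alias.lower()


def validate_validity(days):
    """-validity is an integer number of days from 1 to 9000 inclusive."""
    if isinstance(days, bool) or not isinstance(days, int):
        raise CertCreateError("-validity must be an integer number of days")
    if not MIN_VALIDITY_DAYS <= days <= MAX_VALIDITY_DAYS:
        raise CertCreateError("-validity must be between %d and %d days"
                              % (MIN_VALIDITY_DAYS, MAX_VALIDITY_DAYS))
    return days


def validate_usage(usage, user_device_groups=()):
    """-usage is a built-in value or the name of a user-defined device group."""
    if usage in USAGE_VALUES or usage in set(user_device_groups):
        return usage
    raise CertCreateError("unknown -usage value: %r" % (usage,))


def build_cert_create_args(alias, cn, keystore_name, usage, validity,
                           cert_type="selfsigned", ou=None, o=None,
                           locality=None, state=None, country=None,
                           user_device_groups=()):
    """Return the bracketed argument string that tklmCertCreate expects.

    Parameter order follows the page's examples. Values are assumed to
    contain no whitespace, as in those examples.
    """
    if cert_type not in CERT_TYPES:
        raise CertCreateError("unsupported -type: %r" % (cert_type,))
    if not cn:
        raise CertCreateError("-cn is required")
    if not keystore_name:
        raise CertCreateError("-keyStoreName is required")
    validate_alias(alias)
    validate_usage(usage, user_device_groups)
    validate_validity(validity)
    if country is not None:
        if not COUNTRY_RE.match(country):
            raise CertCreateError("-country must be a two-letter country code")
        country = country.upper()

    parts = ["-type", cert_type, "-alias", alias, "-cn", cn]
    for flag, value in (("-ou", ou), ("-o", o), ("-locality", locality),
                        ("-state", state), ("-country", country)):
        if value is not None:
            parts += [flag, value]
    parts += ["-keyStoreName", keystore_name, "-usage", usage,
              "-validity", str(validity)]
    return "[" + " ".join(parts) + "]"


def create_certificate(admin_task, **kwargs):
    """Validate the parameters, then call AdminTask.tklmCertCreate.

    admin_task is the wsadmin AdminTask object in a real Jython session;
    this example only assumes that its tklmCertCreate method exists.
    """
    return admin_task.tklmCertCreate(build_cert_create_args(**kwargs))


if __name__ == "__main__":
    class _FakeAdminTask(object):  # constructed stand-in for offline runs
        def tklmCertCreate(self, args):
            return "would run: AdminTask.tklmCertCreate('%s')" % args

    print(create_certificate(
        _FakeAdminTask(), alias="sklmSSLCertificate", cn="sklmssl",
        keystore_name="defaultKeyStore", usage="SSLSERVER", validity=999,
        ou="accounting", o="myCompanyName", country="US"))
```

Validation is done before the call rather than after because the product reports a rejected alias or usage only at the point of creation, and a script that loops over many device groups is easier to audit when it fails fast on the offending parameter with a message naming the documented rule.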
Table 1. Topic change log

Date          Change description
03 Sept 2021  Removed GPFS from the values list of the usage parameter.
13 Dec 2018   Initial version.