certificate

This command creates an alias for an X.509 certificate.

Syntax

certificate alias URL [password password] [ignore-expiration]

certificate alias URL [password-alias password-alias] [ignore-expiration]

no certificate alias

Parameters

alias
Specifies the alias for the certificate.
The name can contain a maximum of 32 characters. The following characters are valid:
  • a through z
  • A through Z
  • 0 through 9
  • Underscore (_)
  • Dash (-)
  • Period (.)
Note: Names cannot be a single period or two consecutive periods.
For a z/OS® certificate, see your z/OS Communications Server documentation.
URL
Specifies a URL that identifies the file that contains the certificate.
  • If stored in the public cryptographic area, takes the pubcert:///filename form.
  • If stored in the private cryptographic area, takes the filename form.
  • If retrieved from z/OS, takes the saf-cert://nssclient/filename form.
password password
Specifies the plaintext password to access the certificate file.
password-alias password-alias
Specifies the alias for the encrypted password to access the certificate file.
ignore-expiration
Specifies an optional keyword to allow the creation of a certificate before its activation date (the NotBefore value in the certificate) or after its expiration date (the NotAfter value in the certificate). Although the certificate is in the up operational state, any configuration that references the certificate uses the internal expiration values.
In other words, the certificate itself is in the up operational state, but validation credentials, firewall credentials, or identification credentials that reference the certificate adhere to the internal expiration values.
  • If the certificate is for certificate chain validation from validation credentials and the certificate is invalid, validation fails.
  • If the certificate is for certificate chain validation from identification credentials, the appliance sends the certificate to the SSL peer for a connection. The peer can reject the certificate as invalid.
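The following added example (not part of this reference page or the appliance firmware) models the rules above as a pre-flight check: it validates an alias against the naming rules, maps a URL to the storage area it refers to, and shows the effect of ignore-expiration, where the certificate object reports up but referencing credentials still apply the certificate's own NotBefore and NotAfter. Function names and the ISO 8601 date inputs are this example's own assumptions.

```python
import re
from datetime import datetime, timezone

# Alias rules from the reference: at most 32 characters drawn from
# a-z, A-Z, 0-9, underscore, dash and period; "." and ".." are not allowed.
ALIAS_RE = re.compile(r"^[A-Za-z0-9_.\-]{1,32}$")


def alias_is_valid(alias: str) -> bool:
    """True when alias satisfies the naming rules of the certificate command."""
    return bool(ALIAS_RE.match(alias)) and alias not in (".", "..")


def classify_url(url: str) -> str:
    """Map a certificate URL to the area it is read from.

    'public'  -> pubcert:///filename (public cryptographic area)
    'zos'     -> saf-cert://nssclient/filename (retrieved through NSS client)
    'private' -> bare filename (private cryptographic area)
    """
    if url.startswith("pubcert:"):
        return "public"
    if url.startswith("saf-cert://"):
        return "zos"
    return "private"


def certificate_state(not_before: str, not_after: str, now: str,
                      ignore_expiration: bool = False):
    """Model the ignore-expiration keyword.

    Dates are ISO 8601 strings (assumption of this example). Returns
    (object_state, usable_by_credentials): the object is 'up' when now lies
    inside the validity window or when ignore-expiration is set, but
    validation, firewall and identification credentials that reference the
    certificate still honour its internal NotBefore/NotAfter values, so the
    second element is False outside the window regardless of the keyword.
    """
    nb = datetime.fromisoformat(not_before).astimezone(timezone.utc)
    na = datetime.fromisoformat(not_after).astimezone(timezone.utc)
    at = datetime.fromisoformat(now).astimezone(timezone.utc)
    within_window = nb <= at <= na
    object_state = "up" if (within_window or ignore_expiration) else "down"
    return object_state, within_window


def plan_certificate(alias: str, url: str, not_before: str, not_after: str,
                     now: str, ignore_expiration: bool = False) -> dict:
    """Pre-flight check mirroring what the command accepts; no appliance I/O."""
    if not alias_is_valid(alias):
        raise ValueError(f"invalid alias: {alias!r}")
    state, usable = certificate_state(not_before, not_after, now, ignore_expiration)
    return {"alias": alias, "area": classify_url(url), "state": state,
            "usable_by_credentials": usable}
```

A result with state 'up' but usable_by_credentials False is exactly the case the reference warns about: the object exists, yet chain validation fails or the peer may reject the certificate.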

Guidelines

The certificate command creates an alias for an X.509 certificate.

The password or password-alias keyword is required only when a certificate file is password-protected.

To use the password-alias keyword, you must have created an alias. Use the password-map command to create the password alias.

Use the certificate command with the key and idcred commands to create identification credentials. Identification credentials consist of a certificate, which contains a public key, and the corresponding private key.

Use the certificate command with the valcred command to create validation credentials. Validation credentials can be used, but are not required, during the SSL handshake to authenticate the certificate from the remote SSL peer.

Use the no certificate command to delete only the alias for the certificate. The file that contains the certificate material remains on the appliance.

Examples

  • Create the bob alias for the bob.pem X.509 certificate. Store the target certificate in the public cryptographic area.
    # certificate bob pubcert:bob.pem
    Creating certificate 'bob'
    
  • Create the bob alias for the bob.pem certificate. Store the target certificate in the public cryptographic area. Allow the certificate to be accessed with the pikesville plaintext password.
    # certificate bob pubcert:bob.pem password pikesville
    Creating certificate 'bob'
    
  • Create the bob alias for the bob.pem certificate. Store the target certificate in the public cryptographic area. Allow the certificate to be accessed with the dundaulk encrypted password alias.
    # certificate bob pubcert:bob.pem password-alias dundaulk
    Creating certificate 'bob'
    
  • Create the zicsfCert5 alias for the z/OS ICSFCERT5 certificate. Use the nssclient NSS client to connect to z/OS to retrieve the target certificate from z/OS. Store the target certificate in memory.
    # certificate zicsfCert5 saf-cert://nssclient/ICSFCERT5
    Creating certificate 'zicsfCert5'
    
  • Delete the bob certificate alias.
    # no certificate bob
    Certificate 'bob' deleted