tklmCertCreate
Use the tklmCertCreate command to create a certificate and a public and private key pair, and store the certificate in an existing keystore.
Purpose
Use this command to create a certificate and a public and private key pair, and store the certificate in an existing keystore. Do not use other key-generating tools such as keytool or the iKeyman utility to create or modify keys or certificates in that keystore; use IBM Security Key Lifecycle Manager for all key and certificate operations.
- System default or partner certificate
- To view and change the values that designate the system default or partner certificate, use the tklmDeviceGroupAttributeList and tklmDeviceGroupAttributeUpdate commands. These values were previously stored in the obsolete drive.default.alias1 (system default) and drive.default.alias2 (system partner) properties.
- SSLSERVER
- To make a certificate the SSL server certificate, use the tklmConfigUpdateEntry command to update the value of the config.keystore.ssl.certalias property in the SKLMConfig.properties file.
Permissions
Your role must have permission for the create action and permission for the appropriate device group. Alternatively, your role must have permission for the configure action to create an SSL or KMIP certificate. To make the certificate the default, your role must also have permission for the modify action.
Syntax
tklmCertCreate -type type -alias certalias -cn commonname -ou organizationunit -o organization -locality locality -state state -country country -keyStoreName keystorename -usage {3592 | DS8000 | PEER_TO_PEER | GENERIC | userdevicegroup | SSLSERVER | SSLCLIENT } -validity integerindays
Parameters
- -alias
- Required. Specify a unique name for the certificate. The name is not case-sensitive: if you specify MY Cert1, the value is stored as my cert1. Do not use forward slash (/) or backslash (\) characters in the value. Note: Do not use a value such as aaa000000000000000002, where the value begins with three alphabetic characters followed by 18 numeric characters. IBM Security Key Lifecycle Manager uses this format to generate a key group with symmetric keys, so such an alias can collide with a generated key group name.
- -cn
- Required. Specify the common name.
- -country
- Specify a country as a two-letter country code.
- -keyStoreName
- Required. Specify the name of an existing keystore.
- -locality
- Specify a locality, such as a city.
- -o
- Specify the organization. For example, o=myCompanyName.
- -ou
- Specify the organizational unit. For example, ou=marketing.
- -state
- Specify a state or province.
- -type
- Required. Specify the certificate type. You can specify the following certificate type:
- selfsigned
- The subject name and the issuer name of the certificate are the same. To obtain a certificate that is not self-signed, use the tklmCertGenRequest command to create a certificate request in which the issuer name represents a certificate authority and the subject name represents a user or an end entity.
- -usage
- Required. Specify the target application usage, such as SSLSERVER.
You can specify the following values:
- 3592
- Specifies the 3592 device group.
- DS8000
- Specifies the DS8000 device group.
- PEER_TO_PEER
- Specifies the PEER_TO_PEER device group.
- GENERIC
- Specifies a device family that uses the Key Management Interoperability Protocol to interact with IBM Security Key Lifecycle Manager. The GENERIC device group enables management of KMIP objects.
Do not use the command-line interface to add a device to the GENERIC device group, or to change a GENERIC device group attribute.
- SSLCLIENT
- Client-side certificate that is used in communication secured by the Secure Sockets Layer (SSL) protocol to authenticate the client device.
- SSLSERVER
- Server-side certificate that is used in communication secured by the Secure Sockets Layer (SSL) protocol to authenticate the server.
- userdevicegroup
- Specifies a user-defined group that is based on a supported device family.
- -validity
- Required. Specify the interval of time in days during which the certificate is valid. The interval can range from a minimum of one day to a maximum of 9000 days.
Example
This Jython-formatted command creates a self-signed certificate with an alias of sklmCertificate for the 3592 device group that is valid for 999 days.
print AdminTask.tklmCertCreate ('[-type selfsigned -alias sklmCertificate -cn sklm -ou sales -o myCompanyName -usage 3592 -country US -keyStoreName defaultKeyStore -validity 999]')
This Jython-formatted command creates a self-signed certificate for SSL server authentication.
print AdminTask.tklmCertCreate ('[-type selfsigned -alias sklmSSLCertificate -cn sklmssl -ou accounting -o myCompanyName -country US -keyStoreName defaultKeyStore -usage SSLSERVER -validity 999]')
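When tklmCertCreate is scripted rather than typed interactively, the parameter rules above (required parameters, the alias restrictions, the 1 to 9000 day validity range, the two-letter country code) are worth checking before the wsadmin call, because a rejected alias that matches the generated key-group format is easy to miss in a batch. The following Python script is an added example and is not IBM code or part of the product. It validates a parameter set against the rules documented on this page and assembles the Jython command string shown in the examples. Two points are assumptions, not taken from the page: case-insensitive alias storage is modelled as lowercasing, and values that contain whitespace are wrapped in double quotes, which is how wsadmin accepts multi-word argument values. Usage values other than the built-in device groups are passed through unchanged as a user-defined device group.

```python
import re

# Built-in -usage values listed in the tklmCertCreate reference. Any other
# value is passed through as a user-defined device group (userdevicegroup).
BUILTIN_USAGES = {"3592", "DS8000", "PEER_TO_PEER", "GENERIC",
                  "SSLSERVER", "SSLCLIENT"}

# Reserved alias shape: three letters followed by 18 digits, e.g.
# aaa000000000000000002. SKLM generates symmetric key groups with this
# format, so a certificate alias must not look like one.
RESERVED_ALIAS = re.compile(r"^[A-Za-z]{3}[0-9]{18}$")

REQUIRED = ("type", "alias", "cn", "keyStoreName", "usage", "validity")

# Order in which parameters are emitted into the command string.
PARAM_ORDER = ("type", "alias", "cn", "ou", "o", "locality", "state",
               "country", "keyStoreName", "usage", "validity")


def normalize_alias(alias):
    """Model how SKLM stores the alias: the page says it is not
    case-sensitive and 'MY Cert1' is stored as 'my cert1'. Lowercasing
    is an assumption about the exact normalization."""
    return alias.lower()


def validate_cert_params(params):
    """Return a list of rule violations; an empty list means valid."""
    errors = []
    for name in REQUIRED:
        if not params.get(name):
            errors.append("missing required parameter -%s" % name)

    alias = params.get("alias") or ""
    if "/" in alias or "\\" in alias:
        errors.append("alias must not contain / or \\")
    if RESERVED_ALIAS.match(alias):
        errors.append("alias %r uses the reserved key-group format" % alias)

    cert_type = params.get("type")
    if cert_type is not None and cert_type != "selfsigned":
        errors.append("type must be selfsigned")

    validity = params.get("validity")
    if validity is not None:
        try:
            days = int(str(validity))
            if not 1 <= days <= 9000:
                errors.append("validity must be between 1 and 9000 days")
        except ValueError:
            errors.append("validity must be an integer number of days")

    country = params.get("country")
    if country is not None and not re.fullmatch(r"[A-Za-z]{2}", country):
        errors.append("country must be a two-letter country code")
    return errors


def quote_value(value):
    """Assumption: wsadmin takes multi-word values in double quotes."""
    value = str(value)
    return '"%s"' % value if re.search(r"\s", value) else value


def build_command(params):
    """Assemble the Jython wsadmin call, raising on any rule violation."""
    errors = validate_cert_params(params)
    if errors:
        raise ValueError("; ".join(errors))
    parts = ["-%s %s" % (name, quote_value(params[name]))
             for name in PARAM_ORDER if params.get(name)]
    return "print AdminTask.tklmCertCreate('[%s]')" % " ".join(parts)


# Constructed parameter sets mirroring the two examples on this page.
DRIVE_CERT = {"type": "selfsigned", "alias": "sklmCertificate", "cn": "sklm",
              "ou": "sales", "o": "myCompanyName", "usage": "3592",
              "country": "US", "keyStoreName": "defaultKeyStore",
              "validity": 999}
SSL_CERT = {"type": "selfsigned", "alias": "sklmSSLCertificate",
            "cn": "sklmssl", "ou": "accounting", "o": "myCompanyName",
            "country": "US", "keyStoreName": "defaultKeyStore",
            "usage": "SSLSERVER", "validity": "999"}

if __name__ == "__main__":
    print(build_command(DRIVE_CERT))
    print(build_command(SSL_CERT))
    bad = dict(DRIVE_CERT, alias="aaa000000000000000002", validity=9001)
    for err in validate_cert_params(bad):
        print("rejected:", err)
```

Run the script as-is to print the two commands from this page and the violations for a deliberately bad parameter set; paste the generated line into a wsadmin Jython session to execute it.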
Change history
Date | Change description
03 Sept 2021 | Removed GPFS from the values list of the usage parameter.
13 Dec 2018 | Initial version.