Manage keys from the command line (Distributed systems)
The Java™ command line interface to IKEYMAN, gskcapicmd, provides the options needed to create and manage keys, certificates, and certificate requests. The native utility /bin/gskcapicmd is always preferred over /bin/gskcmd: gskcapicmd is faster, and some features are added to gskcapicmd before they reach gskcmd.
About this task
Global Security Kit (GSKit) certificate management tools are installed in the <ihsinst>/bin/ directory. These tools should only be run from the installation directory. Examples for the following commands should include the full directory path, such as <ihsinst>/bin/gskcapicmd.
- gskver.bat, ikeyman.bat, gskcmd.bat, gskcmd, and gskcapicmd.
- gskver, ikeyman, and gskcmd.
To have a secure network connection, create a key for secure network communications and receive a certificate from a certificate authority (CA) that is designated as a trusted CA on your server. Use gskcapicmd, the utility command line interface, for configuration tasks that are related to public and private key creation and management.
The gskcapicmd user interface uses Java and native command line invocation, enabling IKEYMAN task scripting.
We cannot use gskcapicmd for configuration options that update the server configuration file, httpd.conf. For options that update the server configuration file, use the IBM HTTP Server administration server.
Procedure
- Use gskcapicmd to create key databases, public and private key pairs, and certificate requests using the command-line interface.
- If you act as your own certificate authority (CA), we can use gskcapicmd to create self-signed certificates.
- If you act as your own CA for a private Web network, you have the option to use the server CA utility to generate and issue signed certificates to clients and servers in your private network.
- Manage the database password using the command line.
- Create a public and private key pair and certificate request using the gskcapicmd command-line interface or GSKCapiCmd.
- Import and export keys using the command line. To reuse an existing key from another database, we can import that key. Conversely, we can export your key into another database or to a PKCS12 file. PKCS12 is a standard for securely storing private keys and certificates. We can use the gskcapicmd command-line interface or GSKCapiCmd tool.
- Display default keys and certificate authorities within a key database.
- Store a certificate authority certificate from a certificate authority (CA) that is not a trusted CA.
- Store the encrypted database password in a stash file.
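The procedure above as one script, added here as an example and not taken from the IBM HTTP Server documentation. It assumes IHS_ROOT points at <ihsinst>, that the flag names match the GSKCapiCmd User's Guide for your GSKit level (verify them with gskcapicmd -help before use), and that DRY_RUN=1 prints the command lines instead of executing them.

```shell
#!/bin/sh
# Added example: drives gskcapicmd through the key database, self-signed
# certificate, certificate request, CA receive and PKCS12 export steps.
# Assumed: IHS_ROOT is <ihsinst>; flag names as in the GSKCapiCmd User's Guide.
IHS_ROOT="${IHS_ROOT:-/opt/IBM/HTTPServer}"   # assumed install path
GSK="$IHS_ROOT/bin/gskcapicmd"
KDB="${KDB:-key.kdb}"
DRY_RUN="${DRY_RUN:-0}"

gsk() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "gskcapicmd $*"; else "$GSK" "$@"; fi
}

# 1. Create a CMS key database; -stash writes the encrypted password to key.sth.
#    The stash file is equivalent to the password, so lock both files down.
create_kdb() {           # $1 database password
    gsk -keydb -create -db "$KDB" -pw "$1" -type cms -stash
    [ "$DRY_RUN" = 1 ] || chmod 600 "$KDB" "${KDB%.kdb}.sth"
}

# 2. Self-signed placeholder (issuer name == subject name) made the default cert.
#    Later steps use -stashed so the password is not repeated on the command line.
create_self_signed() {   # $1 label, $2 distinguished name
    gsk -cert -create -db "$KDB" -stashed -label "$1" -dn "$2" \
        -size 2048 -expire 365 -default_cert yes
}

# 3. Key pair plus certificate request file to send to the CA.
create_certreq() {       # $1 label, $2 distinguished name, $3 request file
    gsk -certreq -create -db "$KDB" -stashed -label "$1" -dn "$2" \
        -size 2048 -file "$3"
}

# 4. Store the CA's own certificate as trusted, then receive the signed cert,
#    which gskcapicmd matches to the pending request by its public key.
add_ca_cert() {          # $1 label, $2 CA certificate file (Base64)
    gsk -cert -add -db "$KDB" -stashed -label "$1" -file "$2" -format ascii -trust enable
}
receive_cert() {         # $1 certificate file returned by the CA
    gsk -cert -receive -db "$KDB" -stashed -file "$1"
}

# 5. Export key and certificate to PKCS12 for reuse in another key database.
export_pkcs12() {        # $1 label, $2 target .p12 file, $3 target password
    gsk -cert -export -db "$KDB" -stashed -label "$1" \
        -target "$2" -target_type pkcs12 -target_pw "$3"
}

# 6. Change the database password and refresh the stash file to match.
change_password() {      # $1 old password, $2 new password
    gsk -keydb -changepw -db "$KDB" -pw "$1" -new_pw "$2" -stash
}
```

Run the steps in order with DRY_RUN=1 first to review the exact command lines, and keep the exported .p12 file under the same permissions as the stash file since it holds the private key.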
What to do next
For more information about the gskcapicmd command line interface, see the GSKCapicmd User's Guide on the WebSphere® Application Server Library page. For more information about the gskcmd (ikeycmd) command, see the IBM Developer Kit and Runtime Environment, Java 2 Technology Edition, Version 6.0 iKeyman 8.0 User's Guide.
The gskcapicmd command provides a command line interface for certificate management tasks that might otherwise be provided by the ikeyman command. (The gskcmd command is a Java-based alternative.)
This topic contains a description of the syntax that we can use with the gskcmd command.
A key database is a file that the server uses to store one or more key pairs and certificates. We can use one key database for all your key pairs and certificates, or create multiple databases.
This topic describes passwords for key databases. A key database is used to store public keys that are used for secure connections.
You find key pairs and certificate requests stored in a key database. This topic provides information on how to create a key pair and certificate request.
This topic describes how to import and export keys.
A self-signed certificate enables SSL sessions between clients and the server while you wait for the officially signed certificate to be returned from the certificate authority (CA). A private and public key pair is created during this process. Creating a self-signed certificate generates a self-signed X509 certificate in the identified key database. A self-signed certificate has the same issuer name as its subject name.
This topic describes how to receive an electronically mailed certificate from a certificate authority (CA) that is designated as a trusted CA on your server. A certificate authority is a trusted third-party organization or company that issues digital certificates that are used to create digital signatures and public-private key pairs.
This section describes how to view trusted certificate authorities and display default keys within a key database.
This topic describes how to store a certificate from a certificate authority (CA) that is not a trusted CA.
For a secure network connection, we can store the CMS encrypted database password in a stash file.