
 

gsk7cmd, runmqckm, and gsk7capicmd options

 

Table 1 lists the options that can be present on the command line. Note that the meaning of an option can depend on the object and action specified in the command.

Options that can be used with gsk7cmd, runmqckm, and gsk7capicmd
Option Description
-crypto Name of the module to manage a PKCS #11 cryptographic device.

The value after -crypto is optional if you specify the module name in the properties file. Properties files are provided for gsk7cmd and runmqckm only.

-db Fully qualified path name of a key database.
-default_cert Sets a certificate as the default certificate. The value can be yes or no. The default is no.
-dn X.500 distinguished name. The value is a string enclosed in double quotes, for example "CN=John Smith,O=IBM,OU=Test,C=GB". Note that only the CN attribute is required.

You can use multiple OU attributes in distinguished names when you create self-signed certificates. Add additional OU key and value pairs to the specified distinguished name. For example: "CN=weblinux.Raleigh.ibm.com,O=ibm,OU=IBM HTTP Server,OU=GSKit\\, Gold Coast,L=RTP,ST=NC,C=US"

-encryption Strength of encryption used in certificate export command. The value can be strong or weak. The default is strong.
-expire Expiration time in days of either a certificate or a database password. The default is 365 days for a certificate password.

There is no default time for a database password: use the -expire option to set a database password expiration time explicitly.

-file File name of a certificate or certificate request.
-fips Specifies that the command is run in FIPS mode. This mode disables the use of the BSafe cryptographic library. Only the ICC component is used and this component must be successfully initialized in FIPS mode. When in FIPS mode, the ICC component uses algorithms that have been FIPS 140-2 validated. If the ICC component does not initialize in FIPS mode, the gsk7capicmd command fails.
-format Format of a certificate. The value can be ascii for Base64-encoded ASCII or binary for Binary DER data. The default is ascii.
-label Label attached to a certificate or certificate request.
-new_format New format of key database (applicable to gsk7cmd and runmqckm only).
-new_label Used on a certificate import command, this option allows a certificate to be imported with a different label from the label it had in the source key database.
-new_pw New database password.
-old_format Old format of key database (applicable to gsk7cmd and runmqckm only).
-pw Password for the key database or PKCS #12 file.
-secondaryDB Name of a secondary key database for PKCS #11 device operations.
-secondaryDBpw Password for the secondary key database for PKCS #11 device operations.
-showOID Displays the full certificate or certificate request.
-sigalg The hashing algorithm used during the creation of a certificate request, a self-signed certificate, or the signing of a certificate. This hashing algorithm is used to create the signature associated with the newly-created certificate or certificate request. The value can be md5, sha1, sha224, sha256, sha384, or sha512. The default is sha1.
-size Key size.

For gsk7cmd and runmqckm, the value can be 512 or 1024. The default is 1024.

For the gsk7capicmd command, the value can be 512, 1024, or 2048. The default is 1024.

-stash Stash the key database password to a file.
-strong Check that the password entered satisfies the minimum requirements for password strength. The minimum requirements for a password are as follows:

  • The password must be a minimum length of 14 characters.

  • The password must contain a minimum of one lower case character, one upper case character, and one digit or special character. Special characters include the asterisk (*), the dollar sign ($), the number sign (#) and the percent sign (%). A space is classified as a special character.

  • Each character can only occur a maximum of three times in a password.

  • A maximum of two consecutive characters in the password can be identical.

  • All characters described above are in the standard ASCII printable character set within the range from 0x20 to 0x7E inclusive.

-target Destination file or database.
-target_pw Password for the key database if -target specifies a key database.
-target_type Type of database specified by the -target operand. See the -type option for permitted values.
-tokenLabel Label of a PKCS #11 cryptographic device.
-trust Trust status of a CA certificate. The value can be enable or disable. The default is enable.
-type Type of database. The value can be:

  • cms for a CMS key database

  • pkcs12 for a PKCS #12 file.

-x509version Version of X.509 certificate to create. The value can be 1, 2, or 3. The default is 3.
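
The -strong password rules listed above can be pre-checked before a password is supplied with -pw or -new_pw. The following is an added example, not IBM code and not the check the tools themselves run; the function name, the rule labels, and the reading that any printable ASCII non-letter satisfies the "digit or special character" rule are assumptions.

```python
from collections import Counter

MIN_LENGTH = 14        # minimum password length
MAX_OCCURRENCES = 3    # each character may occur at most three times
MAX_RUN = 2            # at most two identical characters in a row


def strong_password_violations(password):
    """Return labels of the -strong rules the password breaks (empty list if none).

    Labels (hypothetical names): length, charset, classes, occurrences, run.
    """
    violations = []

    if len(password) < MIN_LENGTH:
        violations.append("length")

    # All characters must be printable ASCII, 0x20 to 0x7E inclusive.
    printable = [0x20 <= ord(ch) <= 0x7E for ch in password]
    if not all(printable):
        violations.append("charset")

    has_lower = any("a" <= ch <= "z" for ch in password)
    has_upper = any("A" <= ch <= "Z" for ch in password)
    # Assumption: digits, space and every printable ASCII punctuation mark
    # count as "digit or special character" (the page lists *, $, #, % and space).
    has_other = any(ok and not ch.isalpha() for ch, ok in zip(password, printable))
    if not (has_lower and has_upper and has_other):
        violations.append("classes")

    if any(count > MAX_OCCURRENCES for count in Counter(password).values()):
        violations.append("occurrences")

    # Track the longest run of one repeated character.
    run = longest = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    if longest > MAX_RUN:
        violations.append("run")

    return violations


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for sample in ["Tr4ceable#Kdb$Mq", "Short#1a", "aaabcdefghijkLM9"]:
        print(repr(sample), strong_password_violations(sample) or "ok")
```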

 
