WAS v8.5 > Reference > Command-line utilities
createCertRequest command
The createCertRequest command creates a PKCS10 certificate request and stores it in a client keystore so that it can be used to send to a certificate authority (CA) server using the requestCertificate command line utility.
Location
Issue the command from the profile_root/bin directory.
Syntax
The command syntax is as follows:
- createCertRequest.sh -keyStoreAlias<keystoreAlias> -subjectDN<subjectDN> -alias<certificateAlias> [options]
- createCertRequest.bat -keyStoreAlias<keystoreAlias> -subjectDN<subjectDN> -alias<certificateAlias> [options]
Required Parameters
The following required parameter are used with the createCertRequest command:
- Name of the keystore located in the ssl.client.props file for the profile to which the CA signed certificate is added. This is the name of the ClientDefaultKeyStore file for either a managed or unmanaged environment.
- Distinguished name (DN) to be used for the PKCS10 certificate request. The DN must contain the CN, O and C fields at a minimum.
- Alias used to store the PKCS10 certificate request certificate in the keystore specified on the request.
the CA signed certificate is stored under the same alias and replaces the cert request certificate when received.
Optional Parameters
The following options are available for the createCertRequest command:
- An option that specifies the size of the key. This option is only used valid if creating a PKCS10 certificate request in-band. Valid values include 512, 1024 2048, 4096 and 8192. Thd default size is 2048.
- The time period of certificate validity. Time period is measured from current date. This option is only valid if creating a PKCS10 certificate request in-band. Default is 365 days.
- A semi-colon separated list of subject alternate names. This option is only used if creating a PKCS10 certificate request in-band.
- A semi-colon separated list of key usage strings. This option is only valid if creating a PKCS10 certificate request in-band.
- A semi-colon separated list of extended key usage strings. This option is only valid if creating a PKCS10 certificate request in-band.
- The logfile that overrides the default trace file. By default, the trace appears in the profiles/profile_name/log/caClient.log. file.
- When specified, -trace enables tracing of the trace specification necessary to debug this component. By default, the trace will appear in the profiles/profile_name/log/caClient.log file.
- An option to cause the existing trace file to be replaced when the command is executed.
- An option to suppress most messages from printing out on the console.
- The option to print a usage statement
- The option to print a usage statement
Usage
The following example creates a PKCS10 certificate request for a client that can be used to send to a CA :
createCertRequest.sh -keyStoreAlias ClientDefaultKeyStore -subjectDN CN=mycn,o=ibm,c=us -alias cert1
CWPKI0403I: Trace is being logged to the following location:
C:\opt\WebSphere\AppClient\logs\caClient.log
CWPKI0422I: Generating a PKCS10 certificate request CWPKI0421I: A PKCS10 certificate was successfully created. The request is stored in file:
C:\opt\WebSphere\AppClient\etc\certReq26924.req
C:\opt\WebSphere\AppClient\bin>createCertRequest.bat -keyStoreAlias ClientDefaultKeyStore
-subjectDN CN=mycn,o=ibm,c=us -alias cert1
CWPKI0403I: Trace is being logged to the following location:
C:\opt\WebSphere\AppClient\logs\caClient.log
CWPKI0422I: Generating a PKCS10 certificate request CWPKI0421I: A PKCS10 certificate was successfully created. The request is stored in file:
C:\opt\WebSphere\AppClient\etc\certReq26924.req
Related
Use command-line tools
Related information:
requestCertificate command