

gskkyman

z/OS Cryptographic Services System SSL Programming
SC14-7495-00

The gskkyman utility is used for key database management and z/OS® PKCS #11 token management.

Format

gskkyman
gskkyman -dc|-dcv [-k filename|-t tokenname] [-l label]
gskkyman -dk [-k filename]
gskkyman -e|-i [-k filename|-t tokenname] [-l label] [-p filename]
gskkyman -g [-x days] [-cr filename] [-ct filename] [-k filename|-t tokenname] [-l label] [-kt {ecgen|ecdsa|ecdh}] [-ca] [-ic]
gskkyman -h|-?
gskkyman -s [-k filename]

Parameters

function
The function to be performed. It must follow the command name. The acceptable values are:
-dc
Display certificate details
-dcv
Display certificate verbose details
-dk
Display key database expiration and record length
-e
Export a certificate and its associated private key
-g
Sign a certificate for a certificate request
-h
Display the command syntax
-i
Import a certificate and its associated private key
-s
Store the database password in the stash file
-?
Display the command syntax
option
The parameters necessary to accomplish the function. If the option takes a value, the value must follow the option. The acceptable values are:
-ca
A certification authority certificate is generated if -ca is specified. An end user certificate is generated if -ca is not specified.
-cr
Specifies the name of the certificate request file. You are prompted for the file name if this option is not specified.
-ct
Specifies the name of the output generated signed certificate file. You are prompted for the file name if this option is not specified. You may specify any name. If you specify an existing file name, the file is overwritten.
-ic
The certification chain certificates are included in the certificate file if -ic is specified. Otherwise, just the signed certificate is included in the certificate file.
-k
Specifies the name of the key database. This option is mutually exclusive with the -t option. You are prompted for the key database file name if neither this option nor the -t option is specified. The length of the fully qualified file name cannot exceed 251 characters. If the file name does not end with an extension of 1-3 characters, the length of the fully qualified file name cannot exceed 247 characters. Finally, the key database name cannot end with .rdb or .sth, because those extensions are reserved for the request database and the stash file.
-kt
Specifies the key type of the certificate to be created. This option is valid when signing an end user certificate or certificate request containing an ECC public key and affects the settings of the keyUsage extension of the certificate created. Valid key type options are ecgen, ecdsa and ecdh. ecgen creates a certificate with digitalSignature, nonRepudiation and keyAgreement set, ecdsa creates a certificate with digitalSignature and nonRepudiation set, and ecdh creates a certificate with keyAgreement set. If the -kt option is not specified for an end user ECC certificate or certificate request, the default option is ecgen. For other certificate types the -kt option is ignored.
-l
Specifies the certificate label. The label must be enclosed in double quotation marks if it contains one or more spaces. If the certificate is being used to sign a certificate request (sign function), the certificate must be a CA. The label for the default key is used if this option is not specified (export or sign function) or you are prompted for the label (import function). If more than one certificate with the specified label exists (can occur for tokens), the user is prompted to either cancel or choose the required certificate from a list that summarizes significant fields in the certificate.
-p
Specifies the name of the PKCS #12 file. You are prompted for the file name if this option is not specified.
-t
Specifies the name of the token to be managed. This option is mutually exclusive with the -k option. The name must consist of characters that are alphanumeric, national ($ x5B, # x7B, @ x7C; EBCDIC code points) or period (. x4B). The first character must be alphabetic or national. Lowercase letters are allowed but are folded to uppercase.
-x
Specifies the number of days until the signed certificate expires and must be between 1 and 9999 days. The certificate expires in 365 days if this option is not specified.

Results

If gskkyman is specified with no arguments, the interactive menu-driven interface is used.

Usage

The gskkyman utility is used to manage a token or a key database and its associated request database. Interactive menus are displayed if no command options are specified. Otherwise, the requested token/database function is performed and the gskkyman utility exits.

If the command specifies the -t (token name) option, the requested function is performed for the identified token. If the certificate in the PKCS #11 token has a secure private key (key material that ICSF never exposes in the clear, so it cannot be exported), only the display functions -dc and -dcv are supported. If the command specifies both -t and -l (label name), only the PKCS #11 certificate with the matching label is checked for a secure private key; if that certificate does not have a secure private key, either the -e (export) or the -g (sign) function can be processed.

If the command does not specify the -t option, the function is performed for a key database. If neither -k nor -t is supplied, the user is prompted for a key database file name.

If both -k and -t are specified, the command is rejected and an error message is displayed.
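The following pre-flight script is an added example for this page, not IBM code and not part of gskkyman. It encodes the rules stated under Parameters and in the paragraphs above (the -k/-t exclusion, the key database name length and suffix limits, the token name character set and case folding, the -x range and the -kt values) and prints the command line that would be issued instead of running it, so it works on any POSIX shell without z/OS. The file names /u/admin/ca.kdb, server.arm, server.crt and the label "Test CA" are made up for the example.

```shell
#!/bin/sh
# Pre-flight check for a "gskkyman -g" (sign) command line. This is an
# added example for this page, not IBM code, and it never runs gskkyman:
# it only validates the arguments against the documented rules and prints
# the command line that would be issued, so it runs on any POSIX shell.
#   - -k and -t are mutually exclusive
#   - a key database name may not end in .rdb or .sth and may be at most
#     251 characters, or 247 without a trailing 1-3 character extension
#   - a token name is alphanumeric, national (@ # $) or period, starts with
#     an alphabetic or national character, and is folded to upper case
#   - -x is 1 to 9999 days; -kt is ecgen, ecdsa or ecdh
# All file names and labels used below are made up for the example.

# Validate a -k key database name; returns 1 with a reason on stderr if bad.
gsk_check_kdb_name() {
    name=$1
    case "$name" in
        *.rdb|*.sth)
            echo "rejected: key database name must not end with .rdb or .sth" >&2
            return 1 ;;
    esac
    # A trailing extension of 1-3 characters raises the limit from 247 to 251.
    case "$name" in
        *.?|*.??|*.???) limit=251 ;;
        *)              limit=247 ;;
    esac
    if [ ${#name} -gt "$limit" ]; then
        echo "rejected: name is ${#name} characters, limit is $limit" >&2
        return 1
    fi
}

# Fold a -t token name to upper case, as gskkyman does, and check the
# character rules. Prints the folded name, or returns 1 if it is invalid.
gsk_token_name() {
    folded=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    if printf '%s\n' "$folded" | grep -Eq '^[A-Z@#$][A-Z0-9@#$.]*$'; then
        printf '%s\n' "$folded"
    else
        echo "rejected: invalid token name '$1'" >&2
        return 1
    fi
}

# Assemble and print the sign command from validated parts.
# Usage: gsk_sign_cmd -k|-t TARGET LABEL REQUEST_FILE CERT_FILE DAYS [-kt TYPE] [-ca] [-ic]
gsk_sign_cmd() {
    [ $# -ge 6 ] || { echo "usage: gsk_sign_cmd -k|-t TARGET LABEL REQ CERT DAYS [opts]" >&2; return 1; }
    kind=$1 target=$2 label=$3 req=$4 out=$5 days=$6
    shift 6
    case "$kind" in
        -k) gsk_check_kdb_name "$target" || return 1 ;;
        -t) target=$(gsk_token_name "$target") || return 1 ;;
        *)  echo "rejected: give exactly one of -k or -t" >&2; return 1 ;;
    esac
    case "$days" in
        ''|*[!0-9]*) echo "rejected: -x must be a number of days" >&2; return 1 ;;
    esac
    if [ "$days" -lt 1 ] || [ "$days" -gt 9999 ]; then
        echo "rejected: -x must be between 1 and 9999" >&2
        return 1
    fi
    extra=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -ca|-ic) extra="$extra $1" ;;
            -kt)
                case "$2" in
                    ecgen|ecdsa|ecdh) extra="$extra -kt $2"; shift ;;
                    *) echo "rejected: -kt needs ecgen, ecdsa or ecdh" >&2; return 1 ;;
                esac ;;
            *) echo "rejected: unknown option $1" >&2; return 1 ;;
        esac
        shift
    done
    # A label containing spaces must be double-quoted on the real command line.
    printf 'gskkyman -g -x %s -cr %s -ct %s %s %s -l "%s"%s\n' \
        "$days" "$req" "$out" "$kind" "$target" "$label" "$extra"
}

# Example: sign server.arm with the CA "Test CA" in /u/admin/ca.kdb, valid
# for two years, and include the chain in server.crt.
gsk_sign_cmd -k /u/admin/ca.kdb "Test CA" server.arm server.crt 730 -ic
```

The validation runs before anything touches the key database, which is where it belongs: the real utility rejects a name ending in .sth or a malformed token name only after prompting for the database password, and the printed command makes the quoting of a label with spaces explicit.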

For commands applied to a key database:

The key database contains certificates and private keys and normally has a file name extension of '.kdb'. The request database contains requests for new certificates and always has a file name extension of '.rdb'. The database stash file contains the masked database password and always has a file name extension of '.sth'. Access to these files should be restricted to the database owner; the stash file in particular lets anyone who can read it open the key database without knowing the password.

A certificate or request database consists of fixed-length records. The record length is specified when the database is created and must be large enough to contain the largest certificate entry. A record length of 5000 should be sufficient for most applications. The record length can be increased if necessary after the database is created.

A temporary database file is created when a database is updated during gskkyman processing. The temporary database file is created using the same name as the database file with ".new" appended to the name. The database file is then rewritten and the temporary database file is deleted upon successful completion of the rewrite operation. The temporary database file is not deleted if an error occurs while rewriting the database file. If this happens, you can replace the database file with the temporary database file to recover from the error. If an error does occur and you do not rename or delete the temporary file, you receive an error on the next database update operation indicating the backup file exists.
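The two housekeeping points above (owner-only access to the .kdb, .rdb and .sth files, and a leftover ".new" file after a failed rewrite) are easy to check from the z/OS UNIX shell. The script below is an added example for this page, not IBM code. It assumes the usual NAME.kdb, NAME.rdb, NAME.sth file set, and the ".bak" copy it takes before moving the temporary file into place is this example's choice, not something gskkyman does.

```shell
#!/bin/sh
# Hygiene check for a gskkyman key database. Added example for this page,
# not IBM code. For NAME.kdb it also looks at NAME.rdb and NAME.sth, warns
# when group or other have any access, and reports a leftover NAME.kdb.new
# temporary file from an interrupted update. The ".bak" copy made during
# recovery and the chmod 600 afterwards are this example's choices.

# Print "ok" or a list of problems for the database named by $1.
# Returns 0 when nothing needs attention, 1 otherwise.
gsk_db_audit() {
    kdb=$1
    base=${kdb%.kdb}
    rc=0
    for f in "$kdb" "$base.rdb" "$base.sth"; do
        [ -e "$f" ] || continue
        # Characters 5-10 of "ls -l" output are the group and other bits.
        perm=$(ls -ld "$f" | cut -c5-10)
        if [ "$perm" != "------" ]; then
            echo "$f: group/other have access ($perm); use chmod 600"
            rc=1
        fi
    done
    if [ -e "$kdb.new" ]; then
        echo "$kdb.new: leftover temporary file; the last update did not complete"
        rc=1
    fi
    if [ $rc -eq 0 ]; then
        echo "ok"
    fi
    return $rc
}

# Recover from a failed rewrite by replacing the database with the
# completed temporary file, as the documentation describes. Only do this
# after an update reported an error while rewriting the database; a copy
# of the old file is kept as NAME.kdb.bak and the result is owner-only.
gsk_db_recover() {
    kdb=$1
    if [ ! -e "$kdb.new" ]; then
        echo "$kdb.new not found; nothing to recover" >&2
        return 1
    fi
    cp -p "$kdb" "$kdb.bak" && mv "$kdb.new" "$kdb" && chmod 600 "$kdb"
}
```

Run gsk_db_audit against each key database before a scheduled update and after any gskkyman error; a non-zero return from the audit is the signal to look at the .new file before the next update fails with the "backup file exists" error described above.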

If all certificates in a key database are displayed with the -dc or -dcv command, all certificates with private keys are displayed first, followed by all certificates without private keys. When all certificates in a token are displayed, they appear in the order the token returns them, so certificates with private keys might be interspersed with certificates without private keys.





Copyright IBM Corporation 1990, 2014