Command mode is entered when the gskkyman utility is invoked
with parameters. The requested token or key database function is
performed and then the utility exits.
- Store the database password in the stash file
gskkyman -s -k filename
The database password is masked and written to the key stash file. The
file name is the same as the key database file name but has an extension
of '.sth'. You are prompted for the key database file name if the
'-k' option is not specified. The '-t' option is invalid for the
'-s' function.
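Because the stash file holds the masked database password, anyone who can read it can open the key database, so its file permissions are the control that matters. The following added example (not part of the gskkyman documentation or IBM's code) derives the '.sth' name from a key database file name the way the text describes and flags a stash file that is readable by group or world; the "owner only" policy is an assumption chosen here, and gskkyman itself is not invoked. The sample stash file is a constructed placeholder.

```python
import os
import stat
import tempfile

# Derive the key stash file name as the page describes: the key database file
# name with its extension replaced by '.sth'.
def stash_file_for(kdb_path):
    base, _ext = os.path.splitext(kdb_path)
    return base + ".sth"

# Report permission problems on a stash file. The file holds the masked
# database password, so anyone who can read it can open the key database;
# the policy applied here (flag any group or world bit) is an assumption.
def stash_permission_issues(stash_path):
    try:
        st = os.stat(stash_path)
    except FileNotFoundError:
        return ["stash file does not exist: " + stash_path]
    mode = stat.S_IMODE(st.st_mode)
    issues = []
    if mode & stat.S_IRWXG:
        issues.append("group has access (mode %o)" % mode)
    if mode & stat.S_IRWXO:
        issues.append("others have access (mode %o)" % mode)
    return issues

# Create a constructed placeholder stash file with the given mode and return
# the issues the check reports for it; used to exercise the check offline.
def check_sample(mode):
    with tempfile.TemporaryDirectory() as d:
        path = stash_file_for(os.path.join(d, "key.kdb"))
        with open(path, "wb") as f:
            f.write(b"constructed placeholder, not a real stash file")
        os.chmod(path, mode)
        return stash_permission_issues(path)

if __name__ == "__main__":
    print(stash_file_for("/u/ssl/key.kdb"))
    for mode in (0o600, 0o640, 0o644):
        print("%o -> %s" % (mode, check_sample(mode) or "ok"))
```

On z/OS the same check can be applied to the real stash file by passing its path to stash_permission_issues; a mode of 600 (owner read/write only) reports no issues.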
- Export a certificate and the associated private key
gskkyman -e -k filename -l label -p filename
The certificate and associated private key that are identified by the record
label are exported to a file in PKCS #12 Version 3 format using strong
encryption. The default key is exported if the '-l' option is not
specified. You are prompted for the key database file name if neither
the '-k' nor the '-t' option is specified. You are prompted
for the export file name if the '-p' option is not specified.
- Import a certificate and associated private key
gskkyman -i -t token-name -l label -p filename
A certificate and associated private key are imported from a file in
PKCS #12 format. You are prompted for the label if the '-l' option
is not specified. You are prompted for the key database file name
if neither the '-k' nor the '-t' option is specified. You are
prompted for the import file name if the '-p' option is not specified.
- Create a signed certificate for a certificate request
gskkyman -g -x days -cr filename -ct filename -k filename -l label -kt keytype -ca -ic
The certificate request that is identified by the -cr parameter is processed
and a signed certificate is created and written to the certificate
file identified by the -ct parameter. The -x parameter specifies
the number of days until the certificate expires and defaults to 365
days. The certificate is signed using the default key if the -l parameter
is not specified. You are prompted for the key database file name
if the '-k' option is not specified. You are prompted for the certificate
request file name if the '-cr' option is not specified. You are prompted
for the signed certificate file name if the '-ct' option is not specified.
The signed certificate is an end user certificate unless the -ca option
is specified. A certification authority certificate has basic constraints
and key usage extensions that allow the certificate to be used to
sign other certificates and certificate revocation lists.
An end user certificate has basic constraints and key usage extensions
that allow the certificate to be used as follows:
- An RSA key can be used for authentication, digital signature,
and data encryption.
- A DSS key can be used for authentication and digital signature.
- An ECC key depends on the keytype option supplied. A general ECC
key (-kt ecgen) can be used for authentication, digital signature,
and key agreement. An ECDSA key (-kt ecdsa) can be used for authentication
and digital signature. An ECDH key (-kt ecdh) can be used for key
agreement. The default option is ecgen.
Any certificate can be used to sign the new certificate
if the certificate has a private key, the basic constraints certificate
extension (if present) has the CA indicator set, and the key usage
certificate extension (if present) allows signing certificates. However,
depending upon how the new certificate is then used, it might fail
the validation checking if the signing certificate is not a valid
certification authority certificate.
The signature algorithm
used to sign the new certificate is based on the key algorithm
of the signing certificate. An RSA signature uses the most secure
and compatible SHA-based hash in use in the signature algorithm of
either the signing certificate or the certificate request. A DSA
signature with a 1024-bit DSA key uses SHA-1. A DSA signature with
a 2048-bit DSA key uses SHA-256. An ECC signature uses the suggested
digest for the key size of the ECC private key, as specified in Table 1.
Possible signature algorithms are:
- x509_alg_sha1WithRsaEncryption
- x509_alg_sha224WithRsaEncryption
- x509_alg_sha256WithRsaEncryption
- x509_alg_sha384WithRsaEncryption
- x509_alg_sha512WithRsaEncryption
- x509_alg_dsaWithSha1
- x509_alg_dsaWithSha256
- x509_alg_ecdsaWithSha256
- x509_alg_ecdsaWithSha384
- x509_alg_ecdsaWithSha512
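The selection rules above are easy to get wrong when reviewing a signing setup, so here is an added example (not gskkyman's or IBM's code) that encodes them as a function returning one of the algorithm names listed. Two points are assumptions: "most secure and compatible SHA-based hash" for RSA is modelled as the strongest digest among the signing certificate's and the request's signature algorithms, and since Table 1 is not reproduced here, the ECC pairing of 256-bit/SHA-256, 384-bit/SHA-384 and larger/SHA-512 is assumed.

```python
# Signature algorithm names as listed on the page, keyed by digest.
RSA_ALGS = {
    "sha1": "x509_alg_sha1WithRsaEncryption",
    "sha224": "x509_alg_sha224WithRsaEncryption",
    "sha256": "x509_alg_sha256WithRsaEncryption",
    "sha384": "x509_alg_sha384WithRsaEncryption",
    "sha512": "x509_alg_sha512WithRsaEncryption",
}
DSA_ALGS = {"sha1": "x509_alg_dsaWithSha1", "sha256": "x509_alg_dsaWithSha256"}
ECDSA_ALGS = {
    "sha256": "x509_alg_ecdsaWithSha256",
    "sha384": "x509_alg_ecdsaWithSha384",
    "sha512": "x509_alg_ecdsaWithSha512",
}
ALL_ALGS = set(RSA_ALGS.values()) | set(DSA_ALGS.values()) | set(ECDSA_ALGS.values())

# Digests ordered weakest to strongest; used to rank candidates for RSA.
SHA_STRENGTH = ["sha1", "sha224", "sha256", "sha384", "sha512"]

def digest_of(alg_name):
    """Extract the SHA digest from a name such as x509_alg_dsaWithSha1."""
    lower = alg_name.lower()
    for d in reversed(SHA_STRENGTH):   # longest names first, so sha1 never shadows sha256
        if d in lower:
            return d
    raise ValueError("no SHA digest in " + alg_name)

def choose_signature_algorithm(key_alg, key_bits, signer_sig_alg=None, request_sig_alg=None):
    """Pick the signature algorithm for a new certificate from the signing
    key's algorithm (rsa, dsa or ecc) and size, per the page's rules."""
    if key_alg == "rsa":
        # Assumption: "most secure and compatible" is modelled as the strongest
        # digest already in use by either the signing certificate or the request.
        candidates = [digest_of(a) for a in (signer_sig_alg, request_sig_alg) if a]
        if not candidates:
            raise ValueError("RSA selection needs the signer's or request's algorithm")
        chosen = RSA_ALGS[max(candidates, key=SHA_STRENGTH.index)]
    elif key_alg == "dsa":
        if key_bits == 1024:
            chosen = DSA_ALGS["sha1"]
        elif key_bits == 2048:
            chosen = DSA_ALGS["sha256"]
        else:
            raise ValueError("unsupported DSA key size %d" % key_bits)
    elif key_alg == "ecc":
        # Assumption: Table 1 is not on the page; the usual pairing of
        # 256/SHA-256, 384/SHA-384 and 521/SHA-512 is assumed here.
        if key_bits <= 256:
            chosen = ECDSA_ALGS["sha256"]
        elif key_bits <= 384:
            chosen = ECDSA_ALGS["sha384"]
        else:
            chosen = ECDSA_ALGS["sha512"]
    else:
        raise ValueError("unknown key algorithm " + key_alg)
    assert chosen in ALL_ALGS   # every result is one of the page's listed names
    return chosen

if __name__ == "__main__":
    print(choose_signature_algorithm("rsa", 2048,
          "x509_alg_sha1WithRsaEncryption", "x509_alg_sha256WithRsaEncryption"))
    print(choose_signature_algorithm("dsa", 2048))
    print(choose_signature_algorithm("ecc", 384))
```

A useful review habit is to run the signing CA's key type and size through this once before issuing: a 1024-bit DSA signer, for example, can only ever yield x509_alg_dsaWithSha1.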
The certificate file contains the generated X.509 certificate
in DER-encoded Base64 format if the -ic option is not specified. The
certificate file contains the generated X.509 certificate and the
certification chain certificates as a PKCS #7 message in Base64 format
if the -ic option is specified.
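Tooling that consumes the -ct output needs to tell the two forms apart, and the reliable way is to look at the DER structure rather than the BEGIN/END label. The following added example (not gskkyman's or IBM's code, standard-library Python only) decodes the Base64 body and classifies it as a bare X.509 Certificate or a PKCS #7 SignedData ContentInfo by walking the outer SEQUENCE. The two sample files are constructed with a minimal DER encoder and have the correct outer shape only; their inner fields are placeholders, and the CERTIFICATE and PKCS7 header labels are assumed, which is why the classifier ignores them.

```python
import base64

# Contents of the id-signedData OID (1.2.840.113549.1.7.2) as DER encodes it.
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")

def der(tag, content):
    """Minimal DER TLV encoder, used here only to build constructed samples."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; returns (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        n = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + n > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + n], pos + n

def pem_body(text):
    """Drop the -----BEGIN/END----- lines and decode the Base64 body."""
    lines = [l.strip() for l in text.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))

def classify_certificate_file(text):
    """'certificate' for a bare X.509 certificate (no -ic),
    'pkcs7' for a PKCS #7 SignedData message (-ic)."""
    data = pem_body(text)
    tag, content, end = read_tlv(data)
    if tag != 0x30 or end != len(data):
        raise ValueError("outer element is not a single SEQUENCE")
    t1, c1, p = read_tlv(content)
    if t1 == 0x06 and c1 == SIGNED_DATA_OID:
        # ContentInfo ::= SEQUENCE { contentType OID, [0] EXPLICIT content }
        t2, _, _ = read_tlv(content, p)
        if t2 != 0xA0:
            raise ValueError("signedData without [0] EXPLICIT content")
        return "pkcs7"
    if t1 == 0x30:
        # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
        t2, _, p = read_tlv(content, p)
        t3, _, p = read_tlv(content, p)
        if t2 == 0x30 and t3 == 0x03 and p == len(content):
            return "certificate"
    raise ValueError("unrecognised structure (first inner tag 0x%02x)" % t1)

def to_pem(der_bytes, label):
    """Wrap DER in Base64 with 64-character lines between BEGIN/END markers."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed samples with the right outer shape only; inner fields are
# placeholders, not real certificate data. 1.2.840.113549.1.1.11 is
# sha256WithRSAEncryption.
_SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")
SAMPLE_CERT_PEM = to_pem(der(0x30,
    der(0x30, der(0x02, b"\x01"))            # tbsCertificate (placeholder)
    + der(0x30, der(0x06, _SHA256_RSA_OID))  # signatureAlgorithm
    + der(0x03, b"\x00\xab")),               # signatureValue (placeholder)
    "CERTIFICATE")
SAMPLE_PKCS7_PEM = to_pem(der(0x30,
    der(0x06, SIGNED_DATA_OID)
    + der(0xA0, der(0x30, der(0x02, b"\x01")))),  # [0] SignedData (placeholder)
    "PKCS7")

if __name__ == "__main__":
    for name, pem in (("no -ic", SAMPLE_CERT_PEM), ("-ic", SAMPLE_PKCS7_PEM)):
        print(name, "->", classify_certificate_file(pem))
```

Reading a real -ct output file and passing its text to classify_certificate_file is enough to route it to the right parser; the function raises rather than guessing when the structure matches neither form.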
- Display all certificates in a key database
gskkyman -dc -k filename
After you are prompted for the key database password, the certificates will
be displayed. You are prompted for the key database file name if the -k option
is not specified. Because of the number of certificates that can exist
in a key database file, it is suggested that you redirect the output
to a file. This allows for easy review of the certificates and any
post-processing of the certificate output.
- Display key database expiration date
gskkyman -dk -k filename
After you are prompted for the key database password, the full key database
path and file name, expiration date and record length are displayed.
You are prompted for the key database file name if the -k option is
not specified.