z/OS Cryptographic Services System SSL Programming


gskkyman command line mode examples

SC14-7495-00

Command line mode is entered when the gskkyman utility is started with parameters. The requested token or database function is performed and then the utility exits.

  • Store the database password in the stash file
    gskkyman -s -k filename

    The database password is masked and written to the key stash file. The file name is the same as the key database file name but has an extension of '.sth'. You are prompted for the key database file name if the '-k' option is not specified. The '-t' option is invalid for the '-s' function. Masking is an obfuscation, not encryption: anyone who can read the stash file can recover the database password, so protect the stash file with file system permissions at least as strictly as the key database itself.
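    The following is an added example, not IBM code, showing the check a practitioner should run after creating the stash file: derive the '.sth' name from the key database name as described above, run the command, and confirm that the stash file is readable by its owner only. It assumes gskkyman is on the PATH; the key database path shown is hypothetical.

```python
"""Create the stash file for a gskkyman key database and confirm that only the
owning user can read it.  This is an added example, not IBM code.  It assumes
gskkyman is on the PATH and that the stash file sits beside the .kdb file
under the name this page describes (same name, '.sth' extension)."""

import os
import stat
import subprocess
from pathlib import Path


def stash_path(kdb: str) -> str:
    """Stash file name: the key database name with its extension replaced by .sth."""
    return str(Path(kdb).with_suffix(".sth"))


def stash_is_private(path: str) -> bool:
    """True if the file exists, is a regular file and has no group/other permission bits.

    The stash only masks the password, so anyone who can read it effectively
    holds the key database password.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def lock_down(path: str) -> None:
    """Reduce the file to owner read/write (mode 600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def create_stash(kdb: str) -> str:
    """Run 'gskkyman -s -k <kdb>' (it prompts for the database password on the
    terminal), then lock the resulting .sth file down and verify the result."""
    subprocess.run(["gskkyman", "-s", "-k", kdb], check=True)
    sth = stash_path(kdb)
    lock_down(sth)
    if not stash_is_private(sth):
        raise RuntimeError(f"{sth} is still readable by group or others")
    return sth


if __name__ == "__main__":
    import sys
    # Hypothetical key database path; substitute your own.
    print(create_stash(sys.argv[1] if len(sys.argv) > 1 else "/u/sslkeys/server.kdb"))
```

    stash_is_private can also be run on its own as a periodic audit of existing stash files, since the permission check does not need gskkyman.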

  • Export a certificate and the associated private key
    gskkyman -e -k filename -l label -p filename

    The certificate and the associated private key that are identified by the record label are exported to a file in PKCS #12 Version 3 format using strong encryption. The default key is exported if the '-l' option is not specified. You are prompted for the key database file name if neither the '-k' nor the '-t' option is specified. You are prompted for the export file name if the '-p' option is not specified. The export file contains the private key; restrict its permissions and delete it once it has been imported at its destination.

  • Import a certificate and associated private key
    gskkyman -i -t token-name -l label -p filename

    A certificate and its associated private key are imported from a file in PKCS #12 format. You are prompted for the label if the '-l' option is not specified. You are prompted for the key database file name if neither the '-k' nor the '-t' option is specified. You are prompted for the import file name if the '-p' option is not specified.

  • Create a signed certificate for a certificate request
    gskkyman -g -x days -cr filename -ct filename -k filename -l label -kt keytype -ca -ic

    The certificate request that is identified by the -cr parameter is processed and a signed certificate is created and written to the certificate file identified by the -ct parameter. The -x parameter specifies the number of days until the certificate expires and defaults to 365 days. The certificate is signed using the default key if the -l parameter is not specified. You are prompted for the key database file name if the '-k' option is not specified. You are prompted for the certificate request file name if the '-cr' option is not specified. You are prompted for the signed certificate file name if the '-ct' option is not specified.

    The signed certificate is an end user certificate unless the -ca option is specified. A certification authority certificate has basic constraints and key usage extensions that allow the certificate to be used to sign other certificates and certificate revocation lists. An end user certificate has basic constraints and key usage extensions that allow the certificate to be used as follows:
    • An RSA key can be used for authentication, digital signature, and data encryption.
    • A DSS key can be used for authentication and digital signature.
    • An ECC key depends on the keytype option supplied. A general ECC key (-kt ecgen) can be used for authentication, digital signature, and key agreement. An ECDSA key (-kt ecdsa) can be used for authentication and digital signature. An ECDH key (-kt ecdh) can be used for key agreement. The default option is ecgen.

    Any certificate can be used to sign the new certificate if the certificate has a private key, the basic constraints certificate extension (if present) has the CA indicator set, and the key usage certificate extension (if present) allows signing certificates. However, depending upon how the new certificate is then used, it might fail the validation checking if the signing certificate is not a valid certification authority certificate.

    The signature algorithm used to sign the new certificate depends on the key algorithm of the signing certificate. An RSA signature uses the strongest SHA-based hash, compatible with the signing key, that appears in the signature algorithm of either the signing certificate or the certificate request. A DSA signature with a 1024-bit DSA key uses SHA-1. A DSA signature with a 2048-bit DSA key uses SHA-256. An ECC signature uses the digest suggested for the key size of the ECC private key, as specified in Table 1. Note that a 1024-bit DSA signing key can therefore only produce SHA-1 signatures, which current validators reject.

    Possible signature algorithms are:
    • x509_alg_sha1WithRsaEncryption
    • x509_alg_sha224WithRsaEncryption
    • x509_alg_sha256WithRsaEncryption
    • x509_alg_sha384WithRsaEncryption
    • x509_alg_sha512WithRsaEncryption
    • x509_alg_dsaWithSha1
    • x509_alg_dsaWithSha256
    • x509_alg_ecdsaWithSha256
    • x509_alg_ecdsaWithSha384
    • x509_alg_ecdsaWithSha512

    The certificate file contains the generated X.509 certificate as Base64-encoded DER if the -ic option is not specified. If the -ic option is specified, the certificate file contains the generated X.509 certificate together with the certification chain certificates as a Base64-encoded PKCS #7 message.
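    The following is an added example, not IBM code, that turns the signature algorithm rules above into a function a practitioner can use to predict which of the listed algorithms a given signing will produce, and to flag SHA-1 results before they reach a validator. Two points are assumptions: the RSA rule is read as "the stronger of the SHA hashes named by the signing certificate's signature algorithm and the request's signature algorithm", and because Table 1 is not reproduced on this page the ECC pairing is taken to be the usual NIST one (curves up to 256 bits use SHA-256, up to 384 bits SHA-384, larger SHA-512).

```python
"""Predict the signature algorithm that 'gskkyman -g' will apply to a new
certificate, following the rules on this page, and flag SHA-1 results.
Added example, not IBM code.  Assumptions: the RSA rule is read as "the
stronger of the SHA hashes named by the signer's and the request's signature
algorithms"; the ECC curve-to-digest pairing (Table 1 is not on this page)
is taken to be the NIST one (<=256 -> SHA-256, <=384 -> SHA-384, else SHA-512)."""

import re
from dataclasses import dataclass
from typing import Optional

# Stronger hash = higher rank.  Only SHA-based hashes count for the RSA rule.
SHA_RANK = {"sha1": 1, "sha224": 2, "sha256": 3, "sha384": 4, "sha512": 5}


@dataclass(frozen=True)
class SigningKey:
    algorithm: str   # "rsa", "dsa" or "ecc"
    bits: int        # RSA modulus, DSA prime, or ECC curve size in bits
    sig_alg: str     # x509_alg_* identifier of the signing certificate's own signature


def sha_in(alg_name: str) -> Optional[str]:
    """Return the SHA variant named in an x509_alg_* identifier, or None."""
    m = re.search(r"sha(1|224|256|384|512)", alg_name, re.IGNORECASE)
    return m.group(0).lower() if m else None


def choose_signature_algorithm(signer: SigningKey, request_sig_alg: str) -> str:
    """Apply the page's selection rules for the given signer and certificate request."""
    kind = signer.algorithm.lower()
    if kind == "rsa":
        hashes = [h for h in (sha_in(signer.sig_alg), sha_in(request_sig_alg)) if h]
        if not hashes:
            # The page does not say what happens here; refuse rather than guess.
            raise ValueError("neither the signing certificate nor the request names a SHA hash")
        best = max(hashes, key=SHA_RANK.__getitem__)
        return f"x509_alg_{best}WithRsaEncryption"
    if kind == "dsa":
        if signer.bits == 1024:
            return "x509_alg_dsaWithSha1"
        if signer.bits == 2048:
            return "x509_alg_dsaWithSha256"
        raise ValueError(f"no rule on this page for a {signer.bits}-bit DSA key")
    if kind == "ecc":
        # Assumed NIST pairing (see module docstring).
        if signer.bits <= 256:
            return "x509_alg_ecdsaWithSha256"
        if signer.bits <= 384:
            return "x509_alg_ecdsaWithSha384"
        return "x509_alg_ecdsaWithSha512"
    raise ValueError(f"unknown key algorithm {signer.algorithm!r}")


def uses_sha1(alg_name: str) -> bool:
    """SHA-1 certificate signatures are rejected by current validators; treat as a finding."""
    return sha_in(alg_name) == "sha1"


if __name__ == "__main__":
    # Constructed inputs: a SHA-256-signed RSA CA signing a request that was self-signed with SHA-1.
    ca = SigningKey("rsa", 2048, "x509_alg_sha256WithRsaEncryption")
    alg = choose_signature_algorithm(ca, "x509_alg_sha1WithRsaEncryption")
    print(alg, "WEAK" if uses_sha1(alg) else "ok")
```

    The practical use is the pre-check: if the function returns a SHA-1 algorithm (any 1024-bit DSA signer, or an RSA signer whose own certificate and the incoming request both name SHA-1), re-key the CA or regenerate the request before signing rather than issuing a certificate that peers will refuse.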

  • Display all certificates in a key database
    gskkyman -dc -k filename

    After you are prompted for the key database password, the certificates will be displayed. You are prompted for the key database file name if the -k option is not specified. Because of the number of certificates that can exist in a key database file, it is suggested that you redirect the output to a file. This allows for easy review of the certificates and any post-processing of the certificate output.

  • Display key database expiration date
    gskkyman -dk -k filename

    After you are prompted for the key database password, the full key database path and file name, expiration date and record length are displayed. You are prompted for the key database file name if the -k option is not specified.





Copyright IBM Corporation 1990, 2014