ThirdPartyCertificateTool commands and usage examples

The ThirdPartyCertificateTool is used to create a certificate signing request (CSR), import a certificate or private key, and export a certificate.

This tool can be used with both the internal (default) and external certificate authority (CA).

The tool is located in the Cognos® Analytics install_location/bin directory.

The sections in this topic provide descriptions of commands and usage examples for the ThirdPartyCertificateTool.

Tip: The same information can be accessed by using the -help parameter with the tool. For example, ThirdPartyCertificateTool.bat -help

ThirdPartyCertificateTool commands

Use the following commands to specify the main operation mode for the tool.

-c
Creates a certificate signing request (CSR).
-i
Imports a certificate or a private key.
-E
Exports a certificate.
Note: If the built-in Cognos certificate authority (CA) is used, the export command exports the certificate that was issued by the local CA. This might not be the latest CA certificate, if one was remotely regenerated and both local certificates are still valid.

Use the following commands to specify the operation modifiers:

-T
Works with the trust store. Use only with the -i and -E commands.
-e
Works with the crypto identity.

Use the following commands to specify the information flags:

-p
Keystore password. If this command is not included, the default password is used.
-a
Key pair algorithm, which is either RSA (default) or ECC.
-r
CSR or certificate file location (depends on the operation mode).
-t
Certificate authority chain file. It can be PEM, binary PKCS#7 CA certificate chain, or a single DER-format CA certificate.
-d
The certificate distinguished name (DN), such as CN=product name, OU= unit, O=company, C=country.
-w
Private key source (PKCS#8, PKCS#12) password.
-H
Subject Alternative Name DNS names, such as DNS_host_1 [DNS_host_n]
-I
Subject Alternative Name IP addresses (IPv4, IPv6), such as IP_address_1 [IP_address_n].
-j
JRE certificates key store password. If this command is not included, the JRE certificates keystore default password is used.
-k
PKCS#8 private key file location.
-K
PKCS#12 private key and certificate authority chain file location.
-M
Subject Alternative Name e-mail addresses, such as email_1 [email_n].

ThirdPartyCertificateTool usage examples

This section contains examples of commands that you can run using the ThirdPartyCertificateTool.

Note: The examples include the keystore_password placeholder. This password must match the Key store password that is set in IBM Cognos Configuration, under Security > Cryptography > Cognos. The default key store password is NoPassWordSet. If you changed the default key store password, use the password that you specified.

The following list specifies the tasks that you can accomplish by using the ThirdPartyCertificateTool, and the related command syntax:

  • Generate a certificate signing request (CSR).
    ThirdPartyCertificateTool.(bat|sh) -c -e 
    [-p keystore_password] -a key_pair_algorithm 
    -r path_to_cert_or_csr 
    -d dn 
    [-H subject_alternative_nameDns_name_dn] 
    [-I subject_alternative_ip_addresses] 
    [-M subject_alternative_email_addresses]
  • Import the crypto target certificate.
    ThirdPartyCertificateTool.(bat|sh) -i -e [-p keystore_password] 
    -r path_to_cert_or_csr -t path_to_cert_chain
  • Import the trusted certificate.
    ThirdPartyCertificateTool.(bat|sh) -i -T [-p keystore_password] 
    -r path_to_cert_or_csr
  • Import the crypto key using separate entries.
    ThirdPartyCertificateTool.(bat|sh) -i -e [-p keystore_password] 
    -a key_pair_algorithm -r path_to_cert_or_csr 
    -t path_to_cert_chain 
    -w private_key_source_password -k path_to_PKCS#8
  • Import the crypto key from PKCS#12.
    ThirdPartyCertificateTool.(bat|sh) -i -e [-p keystore_password] 
    -a key_pair_algorithm -w private_key_source_password 
    -K path_to_PKCS#12
  • Export the CA certificate.
    ThirdPartyCertificateTool.(bat|sh) -E -T [-p keystore_password] 
    -r path_to_cert_or_csr
    Note: If the built-in Cognos certificate authority (CA) is used, the export -E command exports the certificate that was issued by the local CA. This might not be the latest CA certificate, if one was remotely regenerated and both local certificates are still valid.
  • Export the crypto certificate.
    ThirdPartyCertificateTool.(bat|sh) -E -e [-p keystore_password] 
    -r path_to_cert_or_csr