tklmCertImport

Use the tklmCertImport command to import a certificate.

Note: The IBM Security Key Lifecycle Manager command-line interface commands will be deprecated in the later versions of IBM Security Key Lifecycle Manager. Use the REST interfaces instead.

Purpose

Use this command to import a certificate file.

If the specified alias exists in the specified keystore, then the specified file name must contain a certificate response that was generated by a certificate authority in response to a certificate request that the tklmCertGenRequest command generates. The specified alias must have been created by using a tklmCertGenRequest command. The subject DN fields in the specified file must match the values that are specified in the request that the tklmCertGenRequest command generates. A CA-issued certificate that is stored in IBM Security Key Lifecycle Manager cannot have a string representation of the integer value of the serial number greater than 64 characters.

If the specified alias does not exist in the specified keystore, then the specified file name must contain a certificate to load into the keystore.

You cannot import certificates whose key length exceeds 2048 bits. If you encounter this problem, you might want to generate a certificate that has a key length less than or equal to 2048 bits, or use alternate certificates.
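A pre-import check for the two limits stated above, the serial-number string length and the key length (an added example, not IBM code). It assumes an RSA key and reads the serial-number limit as the decimal string; `preimport_problems`, `tlv` and `sample_cert` are hypothetical names, and the sample is a constructed, unsigned skeleton rather than a real certificate.

```python
import base64
import re
MAX_SERIAL_CHARS = 64  # page limit; assumed to mean the decimal string
MAX_KEY_BITS = 2048    # page limit on key length

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):  # TLVs directly inside buf[start:end]
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def preimport_problems(data):
    """Return the page's limits that this certificate (bytes) would break."""
    if data[:1] != b"\x30":  # not DER, so treat as PEM or bare base64 text
        data = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    _, start, end = read_tlv(data, 0)                    # Certificate
    fields = children(data, *children(data, start, end)[0][1:])  # tbsCertificate
    if fields[0][0] == 0xA0:                             # optional version tag
        fields = fields[1:]
    serial = int.from_bytes(data[fields[0][1]:fields[0][2]], "big", signed=True)
    bit_string = children(data, *fields[5][1:])[1]       # in subjectPublicKeyInfo
    tag, start, end = read_tlv(data, bit_string[1] + 1)  # skip unused-bits byte
    if tag != 0x30:
        raise ValueError("this example only handles RSA public keys")
    modulus = children(data, start, end)[0]
    bits = int.from_bytes(data[modulus[1]:modulus[2]], "big").bit_length()
    checks = ((len(str(serial)) > MAX_SERIAL_CHARS, "serial number over 64 characters"),
              (bits > MAX_KEY_BITS, "key length %d exceeds 2048 bits" % bits))
    return [message for failed, message in checks if failed]

def tlv(tag, body):  # hypothetical helper: DER-encode one element for the sample
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(serial, key_bits):  # constructed, unsigned; not a real certificate
    num = lambda v: tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    key = tlv(0x03, b"\x00" + seq(num((1 << (key_bits - 1)) | 1), num(65537)))
    tbs = seq(tlv(0xA0, num(2)), num(serial), *([seq()] * 4), seq(seq(), key))
    return seq(tbs, seq(), tlv(0x03, b"\x00"))
```

Call `preimport_problems(open(path, "rb").read())` on the file you plan to pass to -fileName; an empty list means neither limit is exceeded.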

Note: If you additionally want to specify that a certificate is used as the:
  • System default or partner certificate

    You must use the tklmDeviceGroupAttributeList and tklmDeviceGroupAttributeUpdate commands to view and change values for use as the system default or partner certificate. These values were previously stored in the obsolete drive.default.alias1 (for system default) or drive.default.alias2 (for system partner) properties.

  • SSLSERVER

    Use the tklmConfigUpdateEntry command to update the value of the config.keystore.ssl.certalias property entry in the SKLMConfig.properties file.

Permissions

Your role must have permission to the create action and permission to the appropriate device group. Alternatively, to import an SSL or KMIP certificate, your role must have permission to the configure action.

Syntax

tklmCertImport -fileName certfilename -format {base64 | DER | PEM} -alias certalias -keyStoreName keystorename -usage {3592 | DS8000 | GPFS | GENERIC | userdevicegroup | SSLSERVER | SSLCLIENT | SYSLOG}

Parameters

-alias
Required. Specify a unique name for the certificate.
-fileName
Required. Specify the file name to import containing the certificate data. The imported file is stored in IBM Security Key Lifecycle Manager in a keystore location relative to the SKLM_HOME directory.
-format
Specify any of the following formats for file content:
  • base64
  • DER (Distinguished Encoding Rules)
  • PEM (Privacy Enhanced Mail)
-keyStoreName
Required. Specify the name of the keystore.
-usage
Required. Specify the target application usage, such as SSLSERVER. You can specify the following values:
  3592
    Specifies the 3592 device group.
  DS8000
    Specifies the DS8000 device group.
  GPFS
    Specifies the IBM Spectrum Scale (previously known as GPFS) device group.
  GENERIC
    Specifies a device family that uses the Key Management Interoperability Protocol to interact with IBM Security Key Lifecycle Manager. The GENERIC device group enables management of KMIP objects.

    Do not use the command-line interface to add a device to the GENERIC device group, or to change a GENERIC device group attribute.

  SSLCLIENT
    Client-side certificate that is used in secure communication by using Secure Socket Layer protocol to authenticate the client device.
  SSLSERVER
    Server-side certificate that is used in secure communication by using Secure Socket Layer protocol.
  SYSLOG
    Syslog server-side certificate that is used in secure communication by using Secure Socket Layer protocol to authenticate the syslog server.
  userdevicegroup
    Specifies a user-defined group that is based on a supported device family.

Example

These Jython-formatted commands import certificates.

  • SSL communication
    print AdminTask.tklmCertImport(
        '[-fileName myTempPath\\mySSLCertRequest1.cer '
        '-alias sklmSSLCertificate1 -format base64 '
        '-keyStoreName defaultKeyStore -usage SSLSERVER]')
  • 3592 tape drives
    print AdminTask.tklmCertImport(
        '[-fileName myTempPath\\myCertRequest2.cer '
        '-alias sklmCertificate2 -format base64 '
        '-keyStoreName defaultKeyStore -usage 3592]')
  • DS8000 Turbo drives
    print AdminTask.tklmCertImport(
        '[-fileName myTempPath\\myCertRequest3.cer '
        '-alias sklmCertificate3 -format base64 '
        '-keyStoreName defaultKeyStore -usage DS8000]')