ThirdPartyCertificateTool command-line reference
Not supported in v2.0.6 Some of the tasks to use a certificate from another certificate authority use a command-line tool named ThirdPartyCertificateTool.
This tool is located in the following <PA_install_directory>\bin location.
On UNIX or Linux® operating systems, use the following format:
ThirdPartyCertificateTool.sh parameters
On Microsoft Windows operating systems, use the following format:
ThirdPartyCertificateTool.bat parameters
The following tables list the options for this command-line tool.
| Command | Description |
|---|---|
-c |
Create a certificate signing request. |
-i |
Import a certificate. |
-E |
Export a certificate. |
| Command | Description |
|---|---|
-s |
Work with the signing identity. |
-e |
Work with the encryption identity. |
-T |
Work with the trust store (only with -i and -E operation modes). |
| Command | Description |
|---|---|
-d |
DN to use for certificate. |
-r |
CSR or certificate file location (depends on mode). |
-t |
Certificate authority chain file (PEM or binary PKCS#7 certificate authority chain or single DER-format certificate authority) |
-p |
Key Store password. If missing, use the default password. |
-a |
Key pair algorithm: Either RSA or DSA. RSA is the default value. |
| -P | Create a certificate authority keystore including the certificate authorities trusted by the current JRE. |
-N |
Set the certificate authority trust store to NIST SP800-131a standard. |
| -R | Restore non-Nist SP800-131a certificates back to trust store. |
These parameters create a signing key pair and PKCS#10 CSR:
-c -s -d cn=Me,o=MyCompany,c=CA -r sign.csr -a DSA -p passwordThese parameters import the third-party CA generated encryption certificate and PKCS#7 CA certificate chain:
-i -e -r encr.cer -p password -t cacert.p7bThese parameters import the third-party CA generated signing certificate and PEM CA certificate chain:
-i -s -r sign.cer -p password -t cacert.pemThese parameters add ca.cer as a trusted certificate:
-i -T -r ca.cer -p password -t cacert.cerThese parameters export the signing certificate to sign.cer:
-E -s -r sign.cer -p passwordThese parameters export the IBM® Cognos® CA certificate to ca.cer (when you are not using a third-party certificate authority):
-E -T -r ca.cer -p passwordThese parameters remove all non-NIST SP800-131a CA certificates and set the CA trust store to NIST SP800-131a standard:
-N -D ../configuration -p passwordThese parameters restore JRE non-NIST SP800-131a certificates back to the CA trust store:
-R -D ../configuration -p password