-certreq {-alias alias} {-sigalg sigalg} {-file certreq_file} [-keypass keypass] {-storetype storetype} {-keystore keystore} {-dname distinguished_name} {-ext X.509_certificate_extensions} [-storepass storepass] {-providerName provider_name} {-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protected} {-Jjavaoption}

Generates a Certificate Signing Request (CSR), using the PKCS#10 format.

A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.

The private key and X.500 Distinguished Name associated with alias are used to create the PKCS#10 certificate request. Except for RACF® keystores, in order to access the private key, the appropriate password must be provided, since private keys are protected in the keystore with a password. If keypass is not provided at the command line, and is different from the password used to protect the integrity of the keystore, the user is prompted for it.

sigalg specifies the algorithm that should be used to sign the CSR.

The CSR is stored in the file certreq_file. If no file is given, the CSR is output to stdout.

Use the importcert command to import the response from the CA.

The X.509_certificate_extensions variable specifies the optional X.509 extensions that are embedded in the certificate. See Common Options for the syntax to use with the -ext option.

The distinguished_name variable specifies the X.500 Distinguished Name and replaces the distinguished name that is associated with the private key.
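
The request flow described above, as an added example that is not part of the original documentation: it creates a key pair, writes the CSR with -certreq, and prints the subject and subject alternative name from the CSR so they can be checked before it goes to the CA. It assumes an OpenJDK-style keytool that provides -genkeypair, -printcertreq and the :env password modifier; the alias, distinguished name, host name and file names are constructed sample values.

```shell
#!/bin/sh
# Added example: key pair -> PKCS#10 CSR -> local check before sending to the CA.
# Alias, DN, host name and file names are constructed sample values.
ALIAS=app-tls
DNAME='CN=app.example.test, O=Example Org, C=US'
SAN='SAN=dns:app.example.test'

# Keep the keystore password out of argv (process listings, shell history):
# keytool reads it from the environment when given -storepass:env.
# A random throwaway value is generated if KS_PASS is not already set.
: "${KS_PASS:=$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')}"
export KS_PASS

# make_csr DIR: create a PKCS12 keystore holding one RSA key in DIR, then
# write the CSR for that key to DIR/app.csr. Prints the CSR path on success.
make_csr() {
  ks="$1/app.p12"; csr="$1/app.csr"
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -sigalg SHA256withRSA -dname "$DNAME" -storetype PKCS12 \
    -keystore "$ks" -storepass:env KS_PASS >/dev/null 2>&1 || return 1
  chmod 600 "$ks"   # the keystore holds the private key; only the CSR leaves
  # -ext puts the subjectAltName into the CSR's extension request.
  keytool -certreq -alias "$ALIAS" -sigalg SHA256withRSA -ext "$SAN" \
    -file "$csr" -storetype PKCS12 -keystore "$ks" \
    -storepass:env KS_PASS >/dev/null 2>&1 || return 1
  printf '%s\n' "$csr"
}

# csr_fields FILE: print the subject and SAN entries the CA will see.
# -J-Duser.language=en keeps the labels in English for the grep.
csr_fields() {
  keytool -printcertreq -file "$1" -J-Duser.language=en |
    grep -E '^Subject:|DNSName:'
}

# Run the flow once when keytool is on PATH.
if command -v keytool >/dev/null 2>&1; then
  dir=$(mktemp -d) && csr=$(make_csr "$dir") && csr_fields "$csr"
fi
```

Compare the printed Subject and DNSName lines with the identity the CA is expected to certify before submitting the file.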