CERTMGR Command

Syntax:

  CERTMGR [ HELP | Query [Type] [Filter] [ ( Option ] ]

Type:

  ALL | ENTITY | INTERmediate | ROOT

Filter:

  LABel pattern | EXPires days | TRUsted {YES|NO} | SELfsign {YES|NO}

Option:

  NOHEADER | CHAIN (see note 1) | CSV fn | REPlace | DATAbase dbpath

Notes:
  1. When the CHAIN option is specified, the CSV option and all of the Type and Filter options are not applicable.

Purpose

The CERTMGR command provides a front-end interface to the GSKKYMAN utility, which is used for key database management. You can use CERTMGR to query the certificates that are associated with the IBM-defined GSKADMIN user ID, which serves as a designated key database administrative user ID.

Operands

HELP
Displays information about the CERTMGR command. This is the default operand.
Query
Displays certificate information within a specific certificate database.

Type: This section provides information about the types of certificates you can query.

ALL
Lists all certificates.
ENTITY
Lists server and user certificates.
INTERmediate
Lists certificate authority (CA) certificates that are not self-signed.
ROOT
Lists CA certificates that are self-signed.

Filter: This section provides information about the filters you can apply to display the certificates.

LABel pattern
Lists certificates with labels that match pattern. pattern is the Transport Layer Security (TLS) label of the certificate. The wildcard asterisk character (*) matches zero or more characters. The wildcard percent sign character (%) matches any single character. pattern can be multiple words.
EXPires days
Lists the certificates that will expire within the specified number of days, where the value of days is a whole number (0 or higher). If 0 is specified, all expired certificates are displayed.
TRUsted
Lists certificates with the specified trust status. Valid values are YES and NO.
SELfsign
Lists certificates with the specified self-signed status. Valid values are YES and NO.
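To make the Type and Filter semantics concrete, the following Python example (added here; it is not part of the CERTMGR command or of z/VM) applies them to a constructed list of certificate rows. The Cert class, the SAMPLE rows, the fixed TODAY date and the query function are this example's own. It treats a LABel pattern as matching the whole label, case-sensitively, resolves Type keywords by their minimum abbreviation, and reads EXPires days as "expires on or before today plus days", which with days = 0 yields the already-expired set the text describes.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Cert:
    """One row of a CERTMGR listing (constructed sample, not a real key)."""
    ctype: str          # Root, Inter or Entity
    expires: date
    trusted: bool
    self_signed: bool
    label: str


TODAY = date(2021, 11, 10)   # fixed so the example is reproducible

# Constructed rows modelled on the listings in the Examples section.
SAMPLE = [
    Cert("Root",   date(2021, 11, 10), True,  True,  "R1_Self"),
    Cert("Root",   date(2027, 6, 13),  True,  True,  "R2 Root certificate (self-signed user) - ECC"),
    Cert("Inter",  date(2021, 2, 25),  True,  False, "I1 signed by R1 (RSA)"),
    Cert("Inter",  date(2024, 4, 4),   False, False, "I3 signed by R1 (RSA)"),
    Cert("Entity", date(2023, 2, 7),   True,  False, "E1 signed by I1-2 (ECC)"),
]

# Type keywords with their minimum abbreviation (INTERmediate -> "INTER").
TYPE_KEYWORDS = (("ALL", 3, None), ("ENTITY", 6, {"Entity"}),
                 ("INTERMEDIATE", 5, {"Inter"}), ("ROOT", 4, {"Root"}))


def resolve_type(word: str) -> Optional[set]:
    """Map a (possibly abbreviated) Type keyword to the row types it selects."""
    w = word.upper()
    for full, min_len, types in TYPE_KEYWORDS:
        if len(w) >= min_len and full.startswith(w):
            return types
    raise ValueError(f"Type '{word}' is not recognized")


def label_regex(pattern: str):
    """LABel pattern: '*' matches zero or more characters, '%' exactly one;
    everything else is literal. The whole label must match."""
    parts = [".*" if ch == "*" else "." if ch == "%" else re.escape(ch)
             for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def query(certs: Iterable[Cert], ctype="ALL", label=None, expires=None,
          trusted=None, selfsign=None, today=TODAY) -> List[str]:
    """Apply the Type and Filter operands as the command describes them and
    return the matching labels in listing order."""
    types = resolve_type(ctype)
    rx = label_regex(label) if label is not None else None
    out = []
    for c in certs:
        if types is not None and c.ctype not in types:
            continue
        if rx is not None and not rx.match(c.label):
            continue
        # EXPires days: everything expiring on or before today + days.
        if expires is not None and c.expires > today + timedelta(days=int(expires)):
            continue
        if trusted is not None and c.trusted != trusted:
            continue
        if selfsign is not None and c.self_signed != selfsign:
            continue
        out.append(c.label)
    return out


if __name__ == "__main__":
    # Equivalent of: certmgr query inter trusted yes
    print(query(SAMPLE, ctype="inter", trusted=True))
```

Running the module prints the single trusted intermediate in SAMPLE; the filters combine with AND, so narrowing by type and then by trust status is the same as the command applying both operands at once.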

Option: This section provides information about the options you can specify when querying certificates.

NOHEADER
Excludes any header lines.
CHAIN
Lists certificate chains as tree topologies that are linked by the CA certificate.
When the CHAIN option is specified:
  • The CSV option and all of the Type and Filter options are not applicable.
  • If a certificate chain contains any expired (E) or untrusted (U) certificates, the letter E or U is displayed in the column to the right of the expiration date for the corresponding certificate, along with a warning message (DTCCER2208W for E, DTCCER2209W for U) preceding the certificate list. A vertical bar (|) in this column indicates that the certificate is valid, but not usable, because the signer of that certificate is expired or untrusted.
CSV fn
Generates output in comma-separated values (CSV) format and writes the CSV output to a file. fn is the CMS file name. The file type is CSV. The file mode is the first R/W minidisk that is accessed. If the value of fn is CONS, the CSV output is written to the console. The CSV file name can be one to eight characters in length.
REPlace
Replaces the existing CSV file on the first R/W minidisk that is accessed.
DATAbase dbpath
Lists certificates from the specified database. dbpath is the database name. The default value of dbpath is /etc/gskadm/Database.kdb.

Return Codes

  • 0 - Successful execution; no errors encountered.
  • 2 - Internal logic error
  • 4 - No certificate matched the pattern
  • 8 - Syntax error
  • 10 - Command processing error(s) encountered
  • 12 - Error trying to read certificate data
  • 16 - Unexpected error trying to read certificate data
  • 20 - Unexpected error processing certificate data

Examples

  1. To list all of the certificates from /etc/gskadm/certmgr2.kdb that will expire today (10 November 2021, for example) through two days from now, issue the following command:
    certmgr query expires 2 (database /etc/gskadm/certmgr2.kdb
    
    The output would look something like this:
    Database /etc/gskadm/certmgr2.kdb
    
    Enter database password (press ENTER to cancel):
    
    <----- Certificate ----> <- Key -> <-Signature-> Self
     Type    Expires   Trust Type Size Type   Hash   Sign            Label
    ------ ----------- ----- ---- ---- ----- ------- ---- ---------------------
    Root   10 Nov 2021  Yes  DSA  2048 DSA   SHA-224 Yes  R1_Self
    Root   11 Nov 2021  Yes  RSA  1024 RSA   SHA-256 Yes  R2_Self
    Root   12 Nov 2021  Yes  RSA  2048 RSA   SHA-1   Yes  R3_Self
    Ready; T=0.04/0.05 16:55:30
    
  2. To list all of the certificates from /etc/gskadm/Database.kdb, issue the following command:
    certmgr query (database /etc/gskadm/Database.kdb
    
    The output would look something like this:
    <----- Certificate ----> <- Key -> <-Signature-> Self
     Type    Expires   Trust Type Size Type   Hash   Sign            Label
    ------ ----------- ----- ---- ---- ----- ------- ---- ---------------------
    Entity 31 Dec 2012  Yes  ECC   192 ECDSA SHA-256 No   E10 signed by R2 (ECC)
    Inter  22 Sep 2018  Yes  RSA  4096 RSA   SHA-224 No   I1-2 signed by I1 (RSA)
    Inter  12 Nov 2020  Yes  ECC   256 RSA   SHA-224 No   I1-1 signed by I1 (ECC)
    Inter  02 Feb 2021  Yes  ECC   521 RSA   SHA-224 No   I2 signed by R1 (RSA)
    Inter  25 Feb 2021  Yes  RSA  2048 RSA   SHA-224 No   I1 signed by R1 (RSA)
    Inter  18 Sep 2021  Yes  ECC   192 RSA   SHA-256 No   I6-1 signed by I6 (ECC)
    Entity 19 Oct 2021  Yes  RSA  1024 RSA   SHA-256 No   E9 signed by I6 (RSA)
    Inter  04 Jul 2022  Yes  RSA  2048 RSA   SHA-224 No   CA1 - no Root in DB
    Inter  04 Jul 2022  Yes  RSA  2048 RSA   SHA-224 No   Signed by CA1
    Root   04 Jul 2022  Yes  RSA  2048 RSA   SHA-224 Yes  R1 Root certificate (self-signed user) - RSA
    Inter  01 Jan 2023  Yes  RSA  1024 RSA   SHA-224 No   I1-3 signed by I1 (RSA)
    Entity 07 Feb 2023  Yes  ECC   320 RSA   SHA-224 No   E1 signed by I1-2 (ECC)
    Entity 03 Mar 2023  Yes  ECC   192 ECDSA SHA-512 No   E2 signed by I2 (ECC)
    Inter  04 Apr 2024  Yes  RSA  1024 RSA   SHA-224 No   I3 signed by R1 (RSA)
    Inter  05 May 2025  Yes  RSA  1024 RSA   SHA-224 No   I3-1 signed by I3 (RSA)
    Entity 06 Jun 2026  Yes  ECC   224 RSA   SHA-224 No   E3 signed by R1 (ECC)
    Root   13 Jun 2027  Yes  ECC   192 ECDSA SHA-256 Yes  R2 Root certificate (self-signed user) - ECC
    Inter  16 Aug 2028  Yes  RSA  1024 ECDSA SHA-256 No   I6 signed by R2 (RSA)
    Root   23 Sep 2028  Yes  RSA  1024 RSA   SHA-1   Yes  VeriSign Class 3 Public
    Root   30 Nov 2028  Yes  RSA  1024 RSA   SHA-1   Yes  VeriSign Class 2 Public Primary CA - G2
    Root   12 Jan 2029  Yes  RSA  1024 RSA   MD2     Yes  VeriSign Class 1 Public Primary CA
    Root   18 Sep 2032  Yes  RSA  2048 RSA   SHA-1   Yes  VeriSign Class 1 Public Primary CA - G3
    Root   12 Apr 2034  Yes  RSA  2048 RSA   SHA-1   Yes  VeriSign Class 2 Public Primary CA - G3
    Root   01 Jul 2034  Yes  RSA  2048 RSA   SHA-1   Yes  VeriSign Class 3 Public Primary CA - G5
    Root   19 May 2037  Yes  RSA  2048 RSA   SHA-1   Yes  VeriSign Class 4 Public Primary CA - G3
    Root   22 Jun 2040  Yes  RSA  2048 RSA   SHA-1   Yes  VeriSign Class 3 Public Primary CA - G3
    
  3. To list all of the certificate chains for /etc/gskadm/Database.kdb, issue the following command:
    certmgr query (chain database /etc/gskadm/Database.kdb
    
    The output would look something like this:
    DTCCER2208W Found one or more expired certificates (E)
    DTCCER2209W Found one or more untrusted certificates (U)
    
      Expires                                 Label
    -----------   ------------------------------------------------------------
    04 Jul 2022   R1 Root certificate (self-signed user) - RSA
    25 Feb 2021 E   I1 signed by R1 (RSA)
    22 Sep 2018 E     I1-2 signed by I1 (RSA)
    07 Feb 2023 |       E1 signed by I1-2 (ECC)
    12 Nov 2020 E     I1-1 signed by I1 (ECC)
    01 Jan 2023 |     I1-3 signed by I1 (RSA)
    02 Feb 2021 E   I2 signed by R1 (RSA)
    03 Mar 2023 |     E2 signed by I2 (ECC)
    06 Jun 2026     E3 signed by R1 (ECC)
    04 Apr 2024 U   I3 signed by R1 (RSA)
    05 May 2025 |     I3-1 signed by I3 (RSA)
    
    13 Jun 2027   R2 Root certificate (self-signed user) - ECC
    16 Aug 2028     I6 signed by R2 (RSA)
    19 Oct 2021       E9 signed by I6 (RSA)
    18 Sep 2021       I6-1 signed by I6 (ECC)
    31 Dec 2012 E   E10 signed by R2 (ECC)
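Because the listing is fixed-column text, it can be parsed to audit a database for weak algorithms, which the command itself does not flag. The following Python example is added here and is not part of CERTMGR; it embeds a subset of the example 2 output above as its input, parses each data row, and reports expired certificates, signature hashes of MD2, MD5 or SHA-1, and RSA or DSA keys below 2048 bits or ECC keys below 224 bits. The thresholds are an assumed review policy in line with common guidance such as NIST SP 800-131A, not anything the command enforces; the parse_listing and audit functions and the fixed TODAY date are this example's own.

```python
import re
from datetime import date, datetime

# Subset of the example 2 listing above, embedded as sample input
# (taken from the documentation's sample output, not from a live database).
LISTING = """\
<----- Certificate ----> <- Key -> <-Signature-> Self
 Type    Expires   Trust Type Size Type   Hash   Sign            Label
------ ----------- ----- ---- ---- ----- ------- ---- ---------------------
Entity 31 Dec 2012  Yes  ECC   192 ECDSA SHA-256 No   E10 signed by R2 (ECC)
Inter  25 Feb 2021  Yes  RSA  2048 RSA   SHA-224 No   I1 signed by R1 (RSA)
Entity 19 Oct 2021  Yes  RSA  1024 RSA   SHA-256 No   E9 signed by I6 (RSA)
Root   04 Jul 2022  Yes  RSA  2048 RSA   SHA-224 Yes  R1 Root certificate (self-signed user) - RSA
Root   12 Jan 2029  Yes  RSA  1024 RSA   MD2     Yes  VeriSign Class 1 Public Primary CA
Root   22 Jun 2040  Yes  RSA  2048 RSA   SHA-1   Yes  VeriSign Class 3 Public Primary CA - G3
"""

TODAY = date(2021, 11, 10)   # fixed reference date so results are reproducible

# One data row: type, expiry, trust, key type/size, signature type/hash,
# self-signed flag, then the label (which may contain spaces).
ROW = re.compile(r"^(Root|Inter|Entity)\s+(\d{2} \w{3} \d{4})\s+(Yes|No)\s+(\S+)\s+(\d+)"
                 r"\s+(\S+)\s+(\S+)\s+(Yes|No)\s+(.*?)\s*$")


def parse_listing(text):
    """Parse the fixed-column CERTMGR listing into dicts, skipping headers."""
    certs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue   # header, separator, blank, password prompt or Ready; line
        ctype, exp, trust, ktype, ksize, stype, shash, selfsign, label = m.groups()
        certs.append({
            "type": ctype,
            "expires": datetime.strptime(exp, "%d %b %Y").date(),
            "trusted": trust == "Yes",
            "key_type": ktype, "key_size": int(ksize),
            "sig_type": stype, "hash": shash,
            "self_signed": selfsign == "Yes",
            "label": label,
        })
    return certs


# Assumed review policy (example values, not enforced by CERTMGR).
WEAK_HASHES = {"MD2", "MD5", "SHA-1"}
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "ECC": 224}


def audit(certs, today=TODAY):
    """Return {label: [reasons]} for every certificate that fails the policy."""
    findings = {}
    for c in certs:
        reasons = []
        if c["expires"] < today:
            reasons.append("expired")
        if c["hash"] in WEAK_HASHES:
            reasons.append(f"weak signature hash {c['hash']}")
        if c["key_size"] < MIN_KEY_BITS.get(c["key_type"], 0):
            reasons.append(f"{c['key_type']} key only {c['key_size']} bits")
        if reasons:
            findings[c["label"]] = reasons
    return findings


if __name__ == "__main__":
    for label, reasons in audit(parse_listing(LISTING)).items():
        print(f"{label}: {', '.join(reasons)}")
```

On the embedded rows, five of the six certificates fail the policy; only the R1 root passes. In practice the same parser can be fed the console output of a query with the NOHEADER option, or adapted to the CSV fn output once its column order has been confirmed on the target system.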
    

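The E, U and | markers in the CHAIN output can be checked mechanically, which is useful when a chain listing is long. The following Python example is added here and is not part of CERTMGR; it embeds the example 3 output above, rebuilds the chain tree from the indentation (two extra spaces per level below the root), recomputes the marker each certificate should carry, and lists the certificates whose whole chain is clean. The Node class and the parse_chain, expected_marker, check_markers, usable and chain_path functions are this example's own, and it reads the | rule as propagating down every level of a chain, whereas the text describes only the immediate signer.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The CHAIN listing from example 3 above, embedded as sample input.
CHAIN_TEXT = """\
DTCCER2208W Found one or more expired certificates (E)
DTCCER2209W Found one or more untrusted certificates (U)

  Expires                                 Label
-----------   ------------------------------------------------------------
04 Jul 2022   R1 Root certificate (self-signed user) - RSA
25 Feb 2021 E   I1 signed by R1 (RSA)
22 Sep 2018 E     I1-2 signed by I1 (RSA)
07 Feb 2023 |       E1 signed by I1-2 (ECC)
12 Nov 2020 E     I1-1 signed by I1 (ECC)
01 Jan 2023 |     I1-3 signed by I1 (RSA)
02 Feb 2021 E   I2 signed by R1 (RSA)
03 Mar 2023 |     E2 signed by I2 (ECC)
06 Jun 2026     E3 signed by R1 (ECC)
04 Apr 2024 U   I3 signed by R1 (RSA)
05 May 2025 |     I3-1 signed by I3 (RSA)

13 Jun 2027   R2 Root certificate (self-signed user) - ECC
16 Aug 2028     I6 signed by R2 (RSA)
19 Oct 2021       E9 signed by I6 (RSA)
18 Sep 2021       I6-1 signed by I6 (ECC)
31 Dec 2012 E   E10 signed by R2 (ECC)
"""

# expiry date, one marker column (E, U, | or blank), indentation, label
ROW = re.compile(r"^(\d{2} \w{3} \d{4}) ([EU|]| )( +)(\S.*?)\s*$")


@dataclass
class Node:
    expires: str
    marker: str                  # "E", "U", "|" or "" as printed by CERTMGR
    label: str
    depth: int
    parent: Optional["Node"] = None


def parse_chain(text):
    """Rebuild the tree: each extra two spaces before the label is one more
    level below the root of the current chain; a blank line ends a chain."""
    nodes, stack = [], []        # stack[d] = most recent node at depth d
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            stack.clear()        # blank line, warning message or header
            continue
        expires, marker, indent, label = m.groups()
        depth = (len(indent) - 1) // 2
        del stack[depth:]
        node = Node(expires, marker.strip(), label, depth, stack[-1] if stack else None)
        stack.append(node)
        nodes.append(node)
    return nodes


def expected_marker(node):
    """An expired (E) or untrusted (U) certificate keeps its own flag; a
    certificate whose signer is E, U or itself '|' is valid but unusable
    and shows '|' (propagation past one level is this example's reading)."""
    if node.marker in ("E", "U"):
        return node.marker
    if node.parent is not None and expected_marker(node.parent):
        return "|"
    return ""


def check_markers(nodes):
    """Labels whose printed marker disagrees with the rule above."""
    return [n.label for n in nodes if n.marker != expected_marker(n)]


def usable(nodes):
    """Labels whose whole chain is free of E, U and | markers."""
    return [n.label for n in nodes if expected_marker(n) == ""]


def chain_path(node):
    """Label path from the root of the chain down to this certificate."""
    path = []
    while node is not None:
        path.append(node.label)
        node = node.parent
    return path[::-1]


if __name__ == "__main__":
    nodes = parse_chain(CHAIN_TEXT)
    print("marker mismatches:", check_markers(nodes) or "none")
    for label in usable(nodes):
        print("usable:", label)
```

For the embedded listing the recomputed markers agree with the printed ones, and only six of the sixteen certificates (the two roots, E3, I6, E9 and I6-1) sit on chains with no expired or untrusted signer; everything under I1, I2 and I3 is unusable even where the certificate itself is still valid.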
Messages

  • DTCCER2204W Certificate not found in the Database database_name
  • DTCCER2205E Database database_name not found
  • DTCCER2206E A required option has not been specified
  • DTCCER2207E GSKKYMAN error
  • DTCCER2208W Found one or more expired certificates (E)
  • DTCCER2209W Found one or more untrusted certificates (U)
  • DTCCER2210W No certificate chain found in the Database database_name
  • DTCCER2211E No R/W filemode disk available for copying CSV file
  • DTCCER2212E No operands or CSV option allowed with CHAIN option
  • DTCCER2213E Command 'text' is not recognized
  • DTCCER2214E A required operand has not been specified
  • DTCCER2215E {Operand|Option} 'text' is not recognized or is not valid
  • DTCCER2216E Unexpected result from command: 'command'
    RC=rc
  • DTCCER2217E The CMS DEFAULTS EXEC version does not match the current version of the CERTMGR command. Default database '/etc/gskadm/Database.kdb' will be used.
  • DTCCER2218E File 'filename CSV filetype' already exists; specify REPLACE option