key
This command creates an alias for a private key.
Syntax
key alias URL [password password]
key alias URL [password-alias password-alias]
no key alias
Parameters
- alias
  Specifies the alias for the private key. The name can contain a maximum of 32 characters. The following characters are valid:
  - a through z
  - A through Z
  - 0 through 9
  - Underscore (_)
  - Dash (-)
  - Period (.)
  Note: Names cannot be a single period or two consecutive periods.
  For a z/OS® key, see your z/OS Communications Server for details on label names.
- URL
  Specifies a URL that identifies the file that contains the private key.
  - To store the private key in the private cryptographic area, the URL takes the filename form.
  - To store the private key in the public cryptographic area, the URL takes the pubcert:///filename form.
    Note: Do not store private key files in the pubcert: directory. This directory is intended for the storage of public certificate files.
  - To retrieve the private key from z/OS, the URL takes the saf-key://nssclient/filename form. A saf-key:// must be a SAF key that is not stored in ICSF.
  - To access the remote private key on the z/OS system, the URL takes the saf-remote-key://nssclient/filename form. A saf-remote-key:// must be a SAF key that is stored in ICSF.
- password password
  Optional: Identifies the plaintext password that is required to access the private key file.
- password-alias password-alias
  Optional: Identifies the alias for the encrypted password that is required to access the private key file.
Guidelines
The password or password-alias keyword is required only when a key file is password-protected.
To use the password-alias keyword, you must have created an alias. Use the password-map command to create the password alias.
Use the key command with the certificate and idcred commands to create identification credentials that consist of a certificate, which contains a public key and the corresponding private key.
Use the no key command to delete only the alias for the private key. The file that contains the key material remains on the appliance.
Examples
- Create the bob alias for the K2.pem private key. The target key is in the private cryptographic storage area.
    # key bob K2.pem
    Creating key 'bob'
- Create the bob alias for the K2.der private key. The target key is in the private cryptographic area and is accessed with the annapolis plaintext password.
    # key bob K2.der password annapolis
    Creating key 'bob'
- Create the bob alias for the K2.der private key. The target key is in the private cryptographic area and is accessed with the towson encrypted password alias.
    # key bob K2.der password-alias towson
    Creating key 'bob'
- Create the zCert_key alias for the z/OS CERT private key. Use the nssclient NSS client to connect to and retrieve the target key. Cache the target key on the appliance.
    # key zCert_key saf-key://nssclient/CERT
    Creating certificate 'zCert_key'
- Create the zicsfCert2_key alias for the z/OS ICSFCERT2 private key. Use the nssclient NSS client to connect to and access the ICSFCERT2 private key, but do not retrieve or store the z/OS private key on the appliance.
    # key zicsfCert2_key saf-remote-key://nssclient/ICSFCERT2
    Creating certificate 'zicsfCert2_key'
- Delete the bob private key alias.
    # no key bob
    Key 'bob' deleted
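The following Python sketch is an added example, not part of the product or its documentation. It lints key command lines against the alias and URL rules under Parameters before they are applied to an appliance. The function names are hypothetical, reading the period note as "the whole name cannot be . or .." is an assumption, and the plaintext-password finding is a review preference assumed for this example rather than a rule the page states.

```python
import re

def check_alias(alias):
    """Return problems with a key alias; an empty list means it is valid."""
    problems = []
    if len(alias) > 32:
        problems.append("alias longer than 32 characters")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", alias):
        problems.append("alias has characters outside a-z A-Z 0-9 _ - .")
    if alias in (".", ".."):  # assumed reading of the note on periods
        problems.append("alias cannot be '.' or '..'")
    return problems

def classify_url(url):
    """Map the URL argument to the form described under Parameters."""
    if url.startswith("saf-remote-key://"):
        return "z/OS remote key (SAF key stored in ICSF)"
    if url.startswith("saf-key://"):
        return "z/OS retrieved key (SAF key not stored in ICSF)"
    if url.startswith("pubcert:"):
        return "public cryptographic area"
    return "private cryptographic area"

def lint_key_command(line):
    """Lint one 'key alias URL [password x | password-alias x]' line."""
    tokens = line.lstrip("# ").split()
    if len(tokens) < 3 or tokens[0] != "key":
        return ["not a 'key alias URL' command"]
    alias, url, rest = tokens[1], tokens[2], tokens[3:]
    findings = check_alias(alias)
    if classify_url(url) == "public cryptographic area":
        findings.append("private key file referenced under pubcert:")
    if rest and rest[0] == "password":
        # Hardening preference assumed for this example, not a page rule.
        findings.append("plaintext password; consider password-alias")
    elif rest and rest[0] != "password-alias":
        findings.append("unknown keyword: " + rest[0])
    if rest and len(rest) != 2:
        findings.append("keyword needs exactly one value")
    return findings

# Constructed sample lines modelled on the Examples section.
SAMPLES = [
    "# key bob K2.pem",
    "# key bob K2.der password annapolis",
    "# key .. pubcert:///K2.pem",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", lint_key_command(sample) or "ok")
```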