key

This command creates an alias for a private key.

Syntax

key alias URL [password password]

key alias URL [password-alias password-alias]

no key alias

Parameters

alias
Specifies the alias for the private key.
The name can contain a maximum of 32 characters. The following characters are valid:
  • a through z
  • A through Z
  • 0 through 9
  • Underscore (_)
  • Dash (-)
  • Period (.)
Note: Names cannot be a single period or two consecutive periods.
For a z/OS® key, see your z/OS Communications Server documentation for details on label names.
URL
Specifies a URL that identifies the file that contains the private key.
  • To store the private key in the private cryptographic area, the URL takes the filename form.
  • To store the private key in the public cryptographic area, the URL takes the pubcert:///filename form.
    Note: Do not store private key files in the pubcert: directory. This directory is intended for the storage of public certificate files.
  • To retrieve the private key from z/OS, the URL takes the saf-key://nssclient/filename form. A saf-key:// URL must reference a SAF key that is not stored in ICSF.
  • To access the remote private key on the z/OS system, the URL takes the saf-remote-key://nssclient/filename form. A saf-remote-key:// URL must reference a SAF key that is stored in ICSF.
password password
Optional: Identifies the plaintext password that is required to access the private key file.
password-alias password-alias
Optional: Identifies the alias for the encrypted password that is required to access the private key file.

Guidelines

The password or password-alias keyword is required only when a key file is password-protected.

To use the password-alias keyword, you must have created an alias. Use the password-map command to create the password alias.

Use the key command with the certificate and idcred commands to create identification credentials, which consist of a certificate (containing the public key) and the corresponding private key.

Use the no key command to delete only the alias for the private key. The file that contains the key material remains on the appliance.
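The parameter and guideline rules above (alias naming, the four URL forms, the password keywords being alternatives, and a password alias having to exist before it is used) can be checked before a command line is sent to the appliance. The following validator is an added example written against those rules; it is not part of the DataPower CLI, the CLI performs its own checks, and the set of known password aliases is a constructed input that stands in for what the password-map command would have created.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical pre-flight validator for `key alias URL [password P | password-alias A]`.
# It encodes only the rules stated on the reference page; it is not appliance code.

ALIAS_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # 1-32 chars from the allowed set


@dataclass
class KeyCommand:
    alias: str
    url: str
    kind: str                       # "private", "pubcert", "saf-key" or "saf-remote-key"
    password: Optional[str] = None
    password_alias: Optional[str] = None
    warnings: list = field(default_factory=list)


def alias_error(alias: str) -> Optional[str]:
    """Return a message if the alias breaks the naming rules, else None."""
    if not ALIAS_RE.fullmatch(alias):
        return "alias must be 1-32 characters from a-z, A-Z, 0-9, '_', '-', '.'"
    if alias in (".", ".."):
        return "alias cannot be a single period or two consecutive periods"
    return None


def classify_url(url: str) -> str:
    """Map a key URL to the storage area it names, rejecting malformed forms."""
    scheme, sep, rest = url.partition("://")
    if not sep:                                  # bare filename: private area
        if not url:
            raise ValueError("filename must not be empty")
        return "private"
    if scheme == "pubcert":                      # pubcert:///filename
        if not rest.startswith("/") or len(rest) < 2:
            raise ValueError("pubcert URL must be pubcert:///filename")
        return "pubcert"
    if scheme in ("saf-key", "saf-remote-key"):  # <scheme>://<nssclient>/<label>
        client, _, label = rest.partition("/")
        if not client or not label:
            raise ValueError(f"{scheme} URL must be {scheme}://<nssclient>/<label>")
        return scheme
    raise ValueError(f"unsupported URL scheme {scheme!r}")


def parse_key_command(line: str, password_aliases=()) -> KeyCommand:
    """Parse one `key` command line and apply the page's rules.

    password_aliases: names already created with password-map (constructed input).
    Raises ValueError on a rule violation; soft issues are collected in warnings.
    """
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "key":
        raise ValueError("expected: key alias URL [password P | password-alias A]")
    _, alias, url, *rest = tokens
    err = alias_error(alias)
    if err:
        raise ValueError(err)
    cmd = KeyCommand(alias=alias, url=url, kind=classify_url(url))
    if rest:
        # password and password-alias are alternatives, each taking exactly one value
        if len(rest) != 2 or rest[0] not in ("password", "password-alias"):
            raise ValueError("trailing arguments must be 'password <p>' or 'password-alias <a>'")
        if rest[0] == "password":
            cmd.password = rest[1]
        else:
            if rest[1] not in password_aliases:
                raise ValueError(f"password alias {rest[1]!r} not defined; create it with password-map first")
            cmd.password_alias = rest[1]
    if cmd.kind == "pubcert":
        # The page says pubcert: is for public certificates; flag private keys placed there.
        cmd.warnings.append("private key placed in pubcert:, which is intended for public certificate files")
    return cmd


if __name__ == "__main__":
    known = {"towson"}   # constructed: aliases assumed to exist from password-map
    for cmdline in ("key bob K2.pem",
                    "key bob K2.der password-alias towson",
                    "key zCert_key saf-key://nssclient/CERT",
                    "key leaked pubcert:///K2.pem"):
        parsed = parse_key_command(cmdline, known)
        print(f"{cmdline!r}: {parsed.kind}, warnings={parsed.warnings}")
```

Because the validator treats `password` and `password-alias` as mutually exclusive and refuses an unknown alias, it catches the two mistakes the guidelines warn about (supplying both keywords, or using an alias before password-map has created it) before the command reaches the appliance; the pubcert: warning is deliberately a warning rather than an error, since the page discourages but does not forbid that placement.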

Examples

  • Create the bob alias for the K2.pem private key. The target key is in the private cryptographic storage area.
    
    # key bob K2.pem
    Creating key 'bob'
    
  • Create the bob alias for the K2.der private key. The target key is in the private cryptographic area and is accessed with the annapolis plaintext password.
    
    # key bob K2.der password annapolis
    Creating key 'bob'
    
  • Create the bob alias for the K2.der private key. The target key is in the private cryptographic area and is accessed with the towson encrypted password alias.
    
    # key bob K2.der password-alias towson
    Creating key 'bob'
    
  • Create the zCert_key alias for the z/OS CERT private key. Use the nssclient NSS client to connect to and retrieve the target key. Cache the target key on the appliance.
    
    # key zCert_key saf-key://nssclient/CERT
    Creating certificate 'zCert_key'
    
  • Create the zicsfCert2_key alias for the z/OS ICSFCERT2 private key. Use the nssclient NSS client to connect to and access the ICSFCERT2 private key, but do not retrieve or store the z/OS private key on the appliance.
    
    # key zicsfCert2_key saf-remote-key://nssclient/ICSFCERT2
    Creating certificate 'zicsfCert2_key'
    
  • Delete the bob private key alias.
    
    # no key bob
    Key 'bob' deleted