revokeCertificate command

The revokeCertificate command uses the implementation class that is passed to it to communicate with a certificate authority (CA) server and revoke a certificate. Running this command sends a revocation request to the CA server to mark the certificate as revoked.

Location

Issue the command from the profile_root/bin directory.

Syntax

The command syntax is as follows. (The command is split on multiple lines for printing purposes.)

[Linux][AIX][HP-UX][Solaris]
revokeCertificate.sh -host <caHost> -port <caPort> -username <caUserName> -password <caPassword>
-revocationPassword <revocationPassword> -keystoreAlias <keystoreAlias> -alias <certificateAlias>
-pkiImplClass <customCAClient> [options]
[Windows]
revokeCertificate.bat -host <caHost> -port <caPort> -username <caUserName> -password <caPassword>
-revocationPassword <revocationPassword> -keystoreAlias <keystoreAlias> -alias <certificateAlias>
-pkiImplClass <customCAClient> [options]
[z/OS]
revokeCertificate.sh -host <caHost> -port <caPort> -username <caUserName> -password <caPassword>
-revocationPassword <revocationPassword> -keystoreAlias <keystoreAlias> -alias <certificateAlias>
-pkiImplClass <customCAClient> [options]
[IBM i]
revokeCertificate -host <caHost> -port <caPort> -username <caUserName> -password <caPassword>
-revocationPassword <revocationPassword> -keystoreAlias <keystoreAlias> -alias <certificateAlias>
-pkiImplClass <customCAClient> [options]

Required Parameters

The following required parameters are used with the revokeCertificate command:

-host caHost
Specifies the target certificate authority host to which the request is sent.
-port caPort
Specifies the target port to connect to.
-username caUserName
Specifies the user name used to gain access to the certificate authority.
-password caPassword
Specifies the password used to authenticate with the certificate authority.
-revocationPassword revocationPassword
Specifies the password that is to be set on the certificate returned by the certificate authority. The revocation password is sent to the certificate authority during each request and is associated with each certificate that is issued. To later revoke a certificate, the same revocation password must be sent during a revokeCertificate request.
-keyStoreAlias keyStoreAlias
Specifies the name of the keystore that is located in the ssl.client.props file for the profile to which the CA signed certificate is added. This file is usually the ClientDefaultKeyStore file for either a managed or unmanaged environment.
-alias certificateAlias
Specifies the alias of the certificate request to be revoked. The certificate is stored in the keystore specified on the request.
-pkiImplClass customCAClient
A class that implements the WSPKIClient interface. The implementation class handles all the communication to the CA server. This can be a custom class or a class provided with the product.

Optional Parameters

The following options are available for the revokeCertificate command:

-revocationReasonUsage revocation reason
The reason for revoking the certificate. The default value is “unspecified”.
-customAttrs customAttr1=value;customAttr2=value;...
A semicolon-separated list of custom name=value pairs to be passed to the custom implementation class. This parameter provides a way to pass custom information to the implementation class. The name=value pairs are converted to a hash map and passed to the implementation class.
-logfile filename
Overrides the default trace file. By default, the trace appears in the profiles/profile_name/log/caClient.log file.
-trace
When specified, -trace enables tracing of the trace specification necessary to debug this component. By default, the trace appears in the profiles/profile_name/log/caClient.log file.
-replaceLog
An option to cause the existing trace file to be replaced when the command is executed.
-quiet
An option to suppress most messages from printing out on the console.
-help
The option to print a usage statement.
-?
The option to print a usage statement.

Usage

The following example performs a revokeCertificate:

[Linux][AIX][HP-UX][Solaris]
revokeCertificate.sh -host localhost -port 1077
-username pkiuser -password webspherepki -alias cert1
-keyStoreAlias ClientDefaultKeyStore -revocationPassword webspherepki
CWPKI0403I: Trace is being logged to the following location:
           C:\opt\WebSphere\AppClient\logs\caClient.log
CWPKI0461I: Revoking a CA signed certificate.
CWPKI0462I: CA Signed Certificate Revoked [Issued By: O=IBM, C=US, Issued To:
           CN=mycn, O=ibm, C=us, Not Before: Thu Feb 22 09:07:53 CST 2007, Not
           After: Sat Feb 16 10:09:19 CST 2008] for reason: unspecified
[Windows]
C:\opt\WebSphere\AppClient\bin>revokeCertificate.bat -host localhost -port 1077
-username pkiuser -password webspherepki -alias cert1
-keyStoreAlias ClientDefaultKeyStore -revocationPassword webspherepki
CWPKI0403I: Trace is being logged to the following location:
           C:\opt\WebSphere\AppClient\logs\caClient.log
CWPKI0461I: Revoking a CA signed certificate.
CWPKI0462I: CA Signed Certificate Revoked [Issued By: O=IBM, C=US, Issued To:
           CN=mycn, O=ibm, C=us, Not Before: Thu Feb 22 09:07:53 CST 2007, Not
           After: Sat Feb 16 10:09:19 CST 2008] for reason: unspecified
[z/OS]
revokeCertificate.sh -host localhost -port 1077
-username pkiuser -password webspherepki -alias cert1
-keyStoreAlias ClientDefaultKeyStore -revocationPassword webspherepki
CWPKI0403I: Trace is being logged to the following location:
           C:\opt\WebSphere\AppClient\logs\caClient.log
CWPKI0461I: Revoking a CA signed certificate.
CWPKI0462I: CA Signed Certificate Revoked [Issued By: O=IBM, C=US, Issued To:
           CN=mycn, O=ibm, C=us, Not Before: Thu Feb 22 09:07:53 CST 2007, Not
           After: Sat Feb 16 10:09:19 CST 2008] for reason: unspecified
[IBM i]
revokeCertificate -host localhost -port 1077
-username pkiuser -password webspherepki -alias cert1
-keyStoreAlias ClientDefaultKeyStore -revocationPassword webspherepki
CWPKI0403I: Trace is being logged to the following location:
           C:\opt\WebSphere\AppClient\logs\caClient.log
CWPKI0461I: Revoking a CA signed certificate.
CWPKI0462I: CA Signed Certificate Revoked [Issued By: O=IBM, C=US, Issued To:
           CN=mycn, O=ibm, C=us, Not Before: Thu Feb 22 09:07:53 CST 2007, Not
           After: Sat Feb 16 10:09:19 CST 2008] for reason: unspecified
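
The following Python helper is an added example, not part of the product documentation: it masks the -password and -revocationPassword values before a command line is written to a log, and confirms a revocation by locating the CWPKI0462I message in the console output after rejoining its wrapped lines. The function names are hypothetical, and treating CWPKI0462I as the success indicator is an assumption based on the sample output above.

```python
import re

# Constructed sample: console output in the shape shown in the Usage section,
# including the indented continuation lines of wrapped messages.
SAMPLE_OUTPUT = """\
CWPKI0403I: Trace is being logged to the following location:
           C:\\opt\\WebSphere\\AppClient\\logs\\caClient.log
CWPKI0461I: Revoking a CA signed certificate.
CWPKI0462I: CA Signed Certificate Revoked [Issued By: O=IBM, C=US, Issued To:
           CN=mycn, O=ibm, C=us, Not Before: Thu Feb 22 09:07:53 CST 2007, Not
           After: Sat Feb 16 10:09:19 CST 2008] for reason: unspecified
"""

SECRET_FLAGS = {"-password", "-revocationPassword"}
MSG_ID = re.compile(r"^(CWPKI\d{4}[A-Z]): (.*)$")
REVOKED = re.compile(
    r"\[Issued By: (?P<issued_by>.+?), Issued To: (?P<issued_to>.+?), "
    r"Not Before: (?P<not_before>.+?), Not After: (?P<not_after>.+?)\] "
    r"for reason: (?P<reason>\S+)")

def redact_argv(argv):
    """Return a copy of argv that is safe to log: secret flag values masked."""
    out, mask_next = [], False
    for arg in argv:
        if mask_next:                      # this argument is a secret value
            out.append("****")
            mask_next = False
        else:
            out.append(arg)
            mask_next = arg in SECRET_FLAGS
    return out

def unwrap_messages(text):
    """Join indented continuation lines onto the CWPKI message they belong to."""
    messages = []
    for line in text.splitlines():
        m = MSG_ID.match(line)
        if m:
            messages.append([m.group(1), m.group(2).strip()])
        elif messages and line.strip():
            messages[-1][1] += " " + line.strip()
    return messages

def confirm_revocation(text):
    """Return the revoked certificate's details, or None if CWPKI0462I is absent."""
    for msg_id, body in unwrap_messages(text):
        if msg_id == "CWPKI0462I":
            m = REVOKED.search(body)
            return m.groupdict() if m else None
    return None
```
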