tklmCertList

Use the tklmCertList command to return certificate information, which is based on criteria such as a specific state.

Note: The IBM Security Key Lifecycle Manager command-line interface commands will be deprecated in the later versions of IBM Security Key Lifecycle Manager. Use the REST interfaces instead.

Purpose

Use this command to return certificate information, which is based on specified criteria such as a specific state.

You can list a specific certificate by specifying:

uuid
alias and keystore name

Alternatively, you can list all certificates in a specified state. If you do not specify any parameter, you can list all certificates.

Note:

The KMIP interface for IBM Security Key Lifecycle Manager, version 2.5 does not support the certificate object. IBM Security Key Lifecycle Manager creates certificate objects internally, but does not set some KMIP required and optional attributes.
Running the tklmCertList command in verbose mode lists many of the KMIP attributes as NULL. The null values do not affect the IBM Security Key Lifecycle Manager function.
Use the tklmCertList command to find certificates that are marked as CONFLICTED or UNKNOWN. Specify no value for the -usage parameter, or specify a parameter value of 3592, DS8000, or SSLSERVER. For example, this Jython-formatted command lists all certificates for the 3592 device group:
```
print AdminTask.tklmCertList('[-usage 3592 -v y]')
```
The tklmCertList command returns only the first 2000 certificates.

Permissions

Your role must have a permission to the view action and a permission to the appropriate device group. Or, your role must have a permission to the configure action to view an SSL or KMIP certificate.

Syntax

tklmCertList -uuid universalCertID -alias certalias -keyStoreName keystorename -attributes [state value ] -usage {3592 | DS8000 | GPFS | PEER_TO_PEER | GENERIC | userdevicegroup | SSLSERVER | SSLCLIENT | SYSLOG } -v {y | n}

Parameters

There are no required parameters.

-alias

Specify a unique name for the certificate.

-attributes

Specify the attributes to search for. Only the state attribute and the trusted attribute are supported; only one state can be specified in a command instance.

state

You can include the following values for the state attribute:

pending: A certificate request entry is pending the return of a certificate that is approved and certified by a certificate authority.
pre-active: Object exists but is not yet usable for any cryptographic purpose, such as migrated certificates with a future use time stamp.
active: Object is in operational use for protecting and processing data that might use Process Start Date and Protect Stop Date attributes. For example, protecting includes encryption and signature issue. Processing includes decryption and signature verification.
compromised: The security of the object is suspect for some reason. A compromised object never returns to an uncompromised state, and cannot be used to protect data. Use the object only to process cryptographically protected information in a client that is trusted to handle compromised cryptographic objects.
IBM Security Key Lifecycle Manager retains the state of the object immediately before it was compromised. To process data that was previously protected, the compromised object might continue to be used.
deactivated: Object is not to be used to apply cryptographic protection such as encryption or signing. However, if extraordinary circumstances occur, the object can be used with special permission to process cryptographically protected information. For example, processing includes decryption or verification.
destroyed: Object is no longer usable for any purpose. This status causes the object to be removed from the product.
destroyed-compromised: Object is no longer usable for any purpose. This status causes the object to be removed from the product.

trusted

Values are y, n, or no value.

Set the value to y to list only trusted certificates. Set this value to n to list only untrusted certificates. Not setting a value lists both trusted and untrusted certificates.

-keyStoreName

Specify the name of the keystore.

-usage

Specify the target application usage, such as SSLSERVER. You can specify the following values:

3592: Specifies the 3592 device group.
DS8000: Specifies the DS8000 device group.
GPFS: Specifies the IBM Spectrum Scale (previously known as GPFS) device group.
PEER_TO_PEER: Specifies the PEER_TO_PEER device group.
GENERIC: Specifies a device family that uses the Key Management Interoperability Protocol to interact with IBM Security Key Lifecycle Manager. The GENERIC device group enables management of KMIP objects.
Do not use the command-line interface to add a device to the GENERIC device group, or to change a GENERIC device group attribute.
SSLCLIENT: Client-side certificate that is used in secure communication by using Secure Socket Layer protocol to authenticate the client device.
SSLSERVER: Server-side certificate that is used in secure communication by using Secure Socket Layer protocol.
SYSLOG: Syslog server-side certificate that is used in secure communication by using Secure Socket Layer protocol to authenticate the syslog server.
userdevicegroup: Specifies a user-defined group that is based on a supported device family.

-uuid

Specify the Universal Unique Identifier of the certificate. For example, CERTIFICATE-b4c70958-446d-42c4-ae3b-8c9e0f44c0fa might be the value.

-v [y | n]

Verbose. The default is n, or no extra information. To list more information about a certificate, specify y (for yes):

-v y

Example

This Jython-formatted command lists certificates that are in active state.

print AdminTask.tklmCertList('[-usage 3592 
	-attributes "{state active}" -v y]')

This command lists the first 2000 certificates.

print AdminTask.tklmCertList()