cimtrust usage information

You can use this command to manage X.509 certificates in a PEM format trust store. A symbolic link to this command is provided in the /QOpenSys/usr/bin directory. The CIMOM (CIM Server) must be running when you use this command. Managing certificates with this command requires the *ALLOBJ, *IOSYSCFG and *SECADM special authorities.

Name
cimtrust

Add, remove or list X509 certificates in a PEM format trust store.

Synopsis
Usage:
  • cimtrust -a [ -U certuser ] -f file -T ( a | e | s )
  • cimtrust -r -i issuer ( -n serialnumber | -S subject )
  • cimtrust -l [ -i issuer [ -n serialnumber | -S subject ] ]
  • cimtrust -help
  • cimtrust -version
Description
The add option of the cimtrust command adds an X509 certificate file of a specified type to the truststore. The certuser specifies the username to be associated with the certificate in the file. If no certuser is specified, the certificate may not be used to authenticate a user.

The remove option of the cimtrust command removes the X509 certificate(s) matching the specified issuer and either serial number or subject from the truststore.

The list option of the cimtrust command lists the X509 certificates in the truststore. The list can be filtered by issuer and either serial number or subject.

Certificates in the trust store may be revoked by adding a Certificate Revocation List to the CRL store. For more information on CRL operations see the cimcrl command.

Options
-a
Add a certificate to the truststore. If the specified file does not contain a valid X509 certificate an error message is returned and no action is taken. If the X509 certificate already exists in the truststore, an error message is returned.
-r
Removes certificate(s) from the truststore. If the truststore contains multiple certificates matching the specified issuer and subject, all the matching certificates are removed. If there is no certificate for the specified issuer and either serial number or subject, an error message is returned and no action is taken.
-l
Display the X509 certificates in the truststore.
-f file
Specify a PEM format file containing an X509 certificate.
-U certuser
Specify a username to be associated with the specified certificate. The username specified should be a valid system user on the target system.
-i issuer
Specify the issuer name for a certificate.
-n serialnumber
Specify a certificate serial number.
-S subject
Specify the subject name for a certificate.
-T type
Specify the type of the certificate. The type must be one of the following:
  • a (authority): root or intermediate certificate authority certificates. Certificates of this type are added to the trusted certificate store. The certuser is optional for authority certificates; if no certuser is specified, the certificate may not be used to authenticate a user.
  • e (authority-issued end-entity): Certificates of this type are not added to the trusted certificate store. The certuser is required for authority-issued end-entity certificates.
  • s (self-signed identity): Certificates of this type are added to the trusted certificate store, since the server must trust the certificate directly. The certuser is required for self-signed identity certificates.
-help
Display the command help message.
-version
Display the CIM Server version number.
Remarks

The cimtrust command requires that the CIM Server be running. The command operates only on the trust store of the local system.

Exit Status
When an error occurs, an error message is written to stderr and an error value is returned. The following values are returned:
0 Success
1 General error
2 Connection failed
3 Connection timeout
4 Certificate already exists
5 Certificate does not exist
6 Invalid system user
Usage Notes

In 5722-UME, the ssltrustmgr command provides a single interface for managing X509 certificates in a trust store and X509 Certificate Revocation Lists in a CRL store. In 5770-UME V1R4M0, this functionality is split into trust store management and CRL management, provided by the two separate commands cimtrust and cimcrl.

The command must be run from a PASE command line, which requires that the PASE product be installed on the system. It also requires that the CIM Server be running. You can run this command from the /QOpenSys/usr/bin directory.

Examples

cimtrust -a -U guest -f cert.pem -T s
Add the X509 self-signed identity certificate in the cert.pem file and associate it with certuser guest. This certificate will be added to the trusted certificate store.
cimtrust -a -f ca.pem -T a
Add the X509 authority root CA certificate in the ca.pem file with no certuser association. This certificate will be added to the trusted certificate store but may not be used to authenticate a user.
cimtrust -a -f user.pem -U pegasus -T e
Add the X509 authority-issued end-entity certificate in the user.pem file and associate it with certuser pegasus. This certificate may be used to authenticate user pegasus but will not be added to the trusted certificate store.
cimtrust -r -i "/C=US/ST=California/L=Cupertino/O=Smart & Secure/OU=Secure Software Division/CN=dev.admin.ss.com" -n 01
Remove the certificate matching the specified issuer and serial number from the trust store.
cimtrust -r -i "/C=US/ST=California/L=Cupertino/O=Smart & Secure/OU=Secure Software Division/CN=dev.admin.ss.com" -S "/C=US/ST=California/L=Cupertino/O=Smart & Secure/OU=Secure Software Division/CN=dev.admin.ss.com"
Remove the certificate(s) matching the specified issuer and subject from the trust store.
cimtrust -l
List all the X509 certificates in the trust store.
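The following helper script is an added example; it is not part of cimtrust or of this documentation. It wraps the add operation with the checks the Options section describes (the type must be a, e or s; a certuser is required for types e and s; the file must contain a certificate) and splits a CA chain bundle so that each certificate in the chain is added separately with -T a. It assumes that -f expects a file holding exactly one certificate (the page says "an X509 certificate" but does not say how a bundle is handled), and it uses a CIMTRUST_DRY_RUN environment variable of its own, not a cimtrust feature, to print the command line instead of running it, so the checks can be tried without a running CIM Server. Run it from the PASE shell on the system that holds the trust store.

```shell
#!/bin/sh
# Added helper for cimtrust (not part of cimtrust or the IBM i documentation).
# Assumptions: "cimtrust -f" takes a file with exactly one certificate;
# CIMTRUST_DRY_RUN=1 is our own switch to print the command instead of running it.

# Count the CERTIFICATE blocks in a PEM file (0 if the file is missing).
pem_cert_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write each certificate of a PEM bundle to OUTDIR/cert-N.pem and print N.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                      { print > out }
        /^-----END CERTIFICATE-----/   { close(out); out = "" }
        END                            { print n + 0 }
    ' "$bundle"
}

# cimtrust_add TYPE FILE [CERTUSER]
# Applies the rules from the Options section before calling "cimtrust -a".
# Local check failures return 64 so they cannot be confused with the
# cimtrust exit status values 0-6.
cimtrust_add() {
    ctype=$1; file=$2; certuser=${3:-}
    case "$ctype" in
        a|e|s) ;;
        *) echo "cimtrust_add: type must be a, e or s" >&2; return 64 ;;
    esac
    # -U is optional only for authority certificates.
    if [ "$ctype" != a ] && [ -z "$certuser" ]; then
        echo "cimtrust_add: -T $ctype requires a certuser" >&2; return 64
    fi
    n=$(pem_cert_count "$file")
    if [ "$n" -ne 1 ]; then
        echo "cimtrust_add: $file holds $n certificates, expected exactly 1" >&2; return 64
    fi
    if [ "$ctype" = a ] && [ -z "$certuser" ]; then
        echo "cimtrust_add: note: authority certificate without certuser will not authenticate a user" >&2
    fi
    # Build the argument list in the order the synopsis shows.
    if [ -n "$certuser" ]; then
        set -- -a -U "$certuser" -f "$file" -T "$ctype"
    else
        set -- -a -f "$file" -T "$ctype"
    fi
    if [ "${CIMTRUST_DRY_RUN:-0}" = 1 ]; then
        echo "cimtrust $*"
        return 0
    fi
    cimtrust "$@"
}

# add_ca_chain BUNDLE
# Splits a CA chain and adds every certificate as an authority (-T a)
# certificate. Stops at the first failure and returns its status.
add_ca_chain() {
    bundle=$1
    workdir=$(mktemp -d)
    count=$(split_pem_bundle "$bundle" "$workdir")
    if [ "$count" -eq 0 ]; then
        echo "add_ca_chain: no certificates found in $bundle" >&2
        rm -rf "$workdir"; return 64
    fi
    i=1
    while [ "$i" -le "$count" ]; do
        cimtrust_add a "$workdir/cert-$i.pem" || { rc=$?; rm -rf "$workdir"; return $rc; }
        i=$((i + 1))
    done
    rm -rf "$workdir"
}

# Usage (from a PASE shell):  . ./cimtrust_helpers.sh
#   cimtrust_add e user.pem pegasus
#   add_ca_chain chain.pem
```

Because cimtrust reports "Certificate already exists" (exit status 4) when a certificate is re-added, add_ca_chain stops at the first failure rather than continuing; rerun it after removing the duplicate with cimtrust -r, or add the remaining certificates individually.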