tklmCertCreate
Use the tklmCertCreate command to create a certificate and a public and private key pair, and store the certificate in an existing keystore.
Purpose
Use this command to create a certificate and a public and private key pair, and store the certificate in an existing keystore. Do not use other key generation tools (such as keytool or the iKeyman utility) to create or modify keys or certificates. Use IBM Security Key Lifecycle Manager.
- System default certificate or partner certificate
You must use the tklmDeviceGroupAttributeList and tklmDeviceGroupAttributeUpdate commands to view and change the values that are used as the system default or partner certificate. These values were previously stored in the deprecated drive.default.alias1 (for the system default certificate) or drive.default.alias2 (for the system partner certificate) properties.
- SSLSERVER
Use the tklmConfigUpdateEntry command to update the value of the config.keystore.ssl.certalias property entry in the SKLMConfig.properties file.
Permissions
Your role must have permission for the create action and permission for the appropriate device group. Alternatively, your role must have permission for the configure action to create an SSL or KMIP certificate. To set this certificate as the default certificate, your role must also have permission for the modify action.
Syntax
tklmCertCreate -type type -alias certalias -cn commonname -ou organizationunit -o organization -locality locality -state state -country country -keyStoreName keystorename -usage {3592 | DS8000 | GPFS | PEER_TO_PEER | GENERIC | userdevicegroup | SSLSERVER | SSLCLIENT } -validity integerindays
Parameters
- -alias
- Required. Specify a unique name for the certificate. The name is not case-sensitive. If you specify MY Cert1, the value is stored as my cert1.
Note: Do not use a value such as aaa000000000000000002, in which the value begins with three alphabetic characters followed by 18 numeric characters. IBM Security Key Lifecycle Manager uses this format to generate key groups with symmetric keys.
Do not use a forward slash (/) or backslash (\) character in the value.
- -cn
- Required. Specify the common name.
- -country
- Specify a country as a two-letter country code.
- -keyStoreName
- Required. Specify the name of an existing keystore.
- -locality
- Specify a locality, such as a city.
- -o
- Specify the organization. For example, o=myCompanyName.
- -ou
- Specify the organizational unit. For example, ou=marketing.
- -state
- Specify a state or province.
- -type
- Required. Specify a certificate type. You can specify the following certificate types:
- Self-signed
The subject name and the issuer name of the certificate are the same. To create a request for a certificate that is not self-signed, use the tklmCertGenRequest command to create a user certificate in which the certificate issuer name represents a certificate authority, and the subject name represents a user or an end entity.
- -usage
- Required. Specify the target application usage, such as SSLSERVER. You can specify the following values:
- 3592
- Specifies the 3592 device group.
- DS8000
- Specifies the DS8000 device group.
- GPFS
- Specifies the IBM Spectrum Scale (formerly GPFS) device group.
- PEER_TO_PEER
- Specifies the PEER_TO_PEER device group.
- GENERIC
- Specifies a device family that uses the Key Management Interoperability Protocol (KMIP) to interact with IBM Security Key Lifecycle Manager. The GENERIC device group can manage KMIP objects.
Do not use the command-line interface to add devices to the GENERIC device group or to change GENERIC device group attributes.
- SSLCLIENT
- A client-side certificate that is used in secure communication over the Secure Socket Layer protocol to authenticate client devices.
- SSLSERVER
- A server-side certificate that is used in secure communication over the Secure Socket Layer protocol.
- userdevicegroup
- Specifies a user-defined device group that is based on a supported device family.
- -validity
- Required. Specify the interval of time in days during which the certificate is valid. The interval can range from a minimum of one day to a maximum of 9000 days.
Example
This Jython-formatted command creates a self-signed certificate with an alias of tklmCertificate that is valid for 999 days.
print AdminTask.tklmCertCreate ('[-type selfsigned
-alias sklmCertificate -cn sklm -ou sales -o myCompanyName
-usage 3592 -country US -keyStoreName defaultKeyStore
-validity 999]')
This Jython-formatted command creates a certificate for SSL authentication.
print AdminTask.tklmCertCreate ('[-type selfsigned
-alias sklmSSLCertificate -cn sklmssl -ou accounting -o myCompanyName
-country US -keyStoreName defaultKeyStore
-usage SSLSERVER -validity 999]')
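The parameter rules in this reference (the reserved alias format, the slash restriction, the fixed set of -usage values, the 1 to 9000 day -validity range, the two-letter -country code) are easy to get wrong in a script before the wsadmin call ever reaches the server. The following Python helper is an added example, not IBM code and not part of IBM Security Key Lifecycle Manager: it checks those documented rules and assembles the bracketed argument string that AdminTask.tklmCertCreate expects. The function names, the user_device_groups parameter (for user-defined device groups accepted as -usage values) and the double-quoting of values that contain whitespace are this example's own assumptions; the actual AdminTask object exists only inside a wsadmin session, so the helper returns the command text rather than running it.

```python
import re

# Added example: pre-flight validation and argument building for tklmCertCreate.
# Encodes the rules stated in the reference; not part of SKLM itself.

USAGE_VALUES = {"3592", "DS8000", "GPFS", "PEER_TO_PEER", "GENERIC",
                "SSLSERVER", "SSLCLIENT"}
# Reserved alias shape: three letters followed by 18 digits, the format SKLM
# uses for key groups with symmetric keys (e.g. aaa000000000000000002).
RESERVED_ALIAS = re.compile(r"^[A-Za-z]{3}[0-9]{18}$")
MIN_VALIDITY_DAYS = 1
MAX_VALIDITY_DAYS = 9000


class CertCreateError(ValueError):
    """Raised when a parameter violates a rule documented for tklmCertCreate."""


def stored_alias(alias):
    """Validate an alias and return the form SKLM stores it in (lower case)."""
    if not isinstance(alias, str) or not alias.strip():
        raise CertCreateError("-alias is required")
    if "/" in alias or "\\" in alias:
        raise CertCreateError("-alias must not contain '/' or '\\'")
    if RESERVED_ALIAS.match(alias):
        raise CertCreateError("-alias uses the reserved key-group format "
                              "(3 letters followed by 18 digits)")
    return alias.lower()


def is_valid_alias(alias):
    """Boolean wrapper around stored_alias() for quick checks."""
    try:
        stored_alias(alias)
        return True
    except CertCreateError:
        return False


def check_validity(days):
    """-validity must be an integer number of days in [1, 9000]."""
    if isinstance(days, bool) or not isinstance(days, int):
        raise CertCreateError("-validity must be an integer number of days")
    if not MIN_VALIDITY_DAYS <= days <= MAX_VALIDITY_DAYS:
        raise CertCreateError("-validity must be between %d and %d days"
                              % (MIN_VALIDITY_DAYS, MAX_VALIDITY_DAYS))
    return days


def is_valid_validity(days):
    """Boolean wrapper around check_validity()."""
    try:
        check_validity(days)
        return True
    except CertCreateError:
        return False


def _quote(value):
    # Assumption: wsadmin list-format arguments wrap values containing
    # whitespace in double quotes; single tokens are emitted as-is.
    value = str(value)
    return '"%s"' % value if any(ch.isspace() for ch in value) else value


def build_cert_create_args(alias, cn, keystore, usage, validity,
                           ou=None, o=None, locality=None, state=None,
                           country=None, user_device_groups=()):
    """Return the '[...]' argument string for AdminTask.tklmCertCreate.

    user_device_groups (hypothetical parameter) lists user-defined device
    group names that this SKLM instance also accepts as -usage values.
    """
    stored_alias(alias)          # raises on a bad alias; the command keeps the typed form
    check_validity(validity)
    if not cn:
        raise CertCreateError("-cn is required")
    if not keystore:
        raise CertCreateError("-keyStoreName is required")
    if usage not in USAGE_VALUES and usage not in set(user_device_groups):
        raise CertCreateError("-usage %r is not a known device group" % usage)
    if country is not None and not re.match(r"^[A-Za-z]{2}$", country):
        raise CertCreateError("-country must be a two-letter country code")

    # Emit parameters in the order of the Syntax section; optional ones only
    # when supplied. -type selfsigned is the only type this command documents.
    tokens = ["-type", "selfsigned", "-alias", _quote(alias), "-cn", _quote(cn)]
    for flag, value in (("-ou", ou), ("-o", o), ("-locality", locality),
                        ("-state", state), ("-country", country)):
        if value is not None:
            tokens += [flag, _quote(value)]
    tokens += ["-keyStoreName", _quote(keystore), "-usage", usage,
               "-validity", str(validity)]
    return "[" + " ".join(tokens) + "]"


def jython_command(args):
    """Wrap the argument string in the wsadmin Jython call shown on this page."""
    return "print AdminTask.tklmCertCreate('%s')" % args


if __name__ == "__main__":
    # Reproduces the first example on this page as a single wsadmin line.
    print(jython_command(build_cert_create_args(
        "sklmCertificate", "sklm", "defaultKeyStore", "3592", 999,
        ou="sales", o="myCompanyName", country="US")))
```

Running the script prints the first example from this page on one line; feeding a reserved alias, a slash in the alias, an unknown -usage value or a validity of 0 or 9001 days raises CertCreateError locally instead of producing a rejected or unintended certificate on the server.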