Administering key pair entries

Administrators use the Keytool utility to perform tasks that apply to the keystore database or to the keystore entries: key pairs and trusted certificates. Administering a keystore database discusses the tasks that apply to the keystore database; Administering trusted certificates discusses the tasks that apply only to trusted certificate entries; and Administering both certificate and key pair entries discusses the tasks that are common to both entry types. Understanding how the Keytool utility works provides conceptual information about the Keytool utility. This article discusses the administrative tasks that apply only to managing key pair entries in a keystore. Options used with the keytool command provides reference information for the options that are used with the Keytool utility.

Generating a key pair entry

The -genkey option adds data to a keystore, or creates the keystore if one does not already exist. It generates a key pair (a public key and its associated private key) and places the public key in an X.509 v1 self-signed certificate. That certificate is stored as a single-element certificate chain, which is placed, along with the private key, into a new keystore entry. The keystore entry is identified by an alias. The following command is an example of the use of the -genkey option in combination with other options:

    keytool -genkey -dname "cn=Sandra Smith, ou=IBMPITT, o=IBM, c=US"
            -alias sandra -keypass acc100
            -keystore C:\Winnt\Profiles\sandra -storepass PITTNV
            -validity 180

Note that the command must be entered as a single line. Multiple lines are used in the example because of space constraints. This command does the following:
The -genkey option is combined with the following options:
See Options used with the keytool command for a description of these options.

Modifying a key pair entry

Changes can occur that affect the Distinguished Name of a keystore entry; for example, an employee can change departments within the same organization. In such a case, the organizational unit (OU) subcomponent of the employee's Distinguished Name changes. It can be desirable to update an entry's Distinguished Name while still retaining its existing key pair. To do this, follow these steps:
The combination of the -keyclone and -dest options can also be used to establish multiple certificate chains for a key pair, or for backup purposes.
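The two operations described above, generating a key pair entry and cloning it to a second alias with -keyclone and -dest, as a POSIX shell script; this is an added example, not part of the IBM page. It assumes a JDK keytool on the PATH, that the store and key passwords are supplied through the KS_STOREPASS and KS_KEYPASS environment variables (the function names, the aliases and the variable names are the example's own), and it uses -genkeypair, the current name keytool accepts for the -genkey option shown on this page; keytool still receives both passwords in its argument list, as the page's own command does.

```shell
#!/bin/sh
# Added example: generate a key pair entry, clone it with -keyclone/-dest,
# and count the private-key entries in the keystore afterwards.
# Passwords come from the environment; using one value for both is safest
# because PKCS12 keystores (the default type in current JDKs) do not
# support a key password that differs from the store password.
set -e

# gen_key_pair_entry KEYSTORE ALIAS DNAME VALIDITY_DAYS
# -genkeypair is the current name for -genkey; -keyalg is given explicitly
# because recent keytool versions no longer assume a default algorithm.
gen_key_pair_entry() {
  keytool -genkeypair -keyalg RSA -keysize 2048 \
    -dname "$3" -alias "$2" -validity "$4" \
    -keystore "$1" \
    -storepass "${KS_STOREPASS:?KS_STOREPASS not set}" \
    -keypass "${KS_KEYPASS:?KS_KEYPASS not set}"
}

# clone_key_pair_entry KEYSTORE SRC_ALIAS DEST_ALIAS
# Copies the private key and its certificate chain to a second alias
# (a backup or the starting point for a second chain). -new sets the
# cloned entry's key password so keytool does not prompt for it.
clone_key_pair_entry() {
  keytool -keyclone -alias "$2" -dest "$3" \
    -keystore "$1" \
    -storepass "${KS_STOREPASS:?KS_STOREPASS not set}" \
    -keypass "${KS_KEYPASS:?KS_KEYPASS not set}" \
    -new "${KS_KEYPASS:?KS_KEYPASS not set}"
}

# count_private_key_entries KEYSTORE
# Older keytool versions list a key pair as "keyEntry", newer ones as
# "PrivateKeyEntry"; a case-insensitive match on "keyentry" covers both.
count_private_key_entries() {
  keytool -list -keystore "$1" \
    -storepass "${KS_STOREPASS:?KS_STOREPASS not set}" \
    | grep -ic 'keyentry' || true
}

# Usage (the DN and alias are the ones used on this page):
#   export KS_STOREPASS=... KS_KEYPASS=...
#   gen_key_pair_entry sandra.ks sandra "cn=Sandra Smith, ou=IBMPITT, o=IBM, c=US" 180
#   clone_key_pair_entry sandra.ks sandra sandra-backup
#   count_private_key_entries sandra.ks   # reports 2 after the clone
```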