The queryCertificate command uses an implementation
class that is passed to it to communicate with a certificate authority (CA) server
and query a certificate.
The queryCertificate command checks to see if the certificate
is complete. If the certificate is complete, then the CA certificate is stored
in the client keystore. If the certificate is not complete, the certificate
request remains in the keystore and the queryCertificate command
can be called at some later time to determine if the certificate is complete.
Location
Issue the command from the profile_root/bin directory.
Syntax
The command syntax is as follows:
(The command is split on multiple lines for printing purposes.)
queryCertificate -host <caHost> -port <caPort> -username <caUserName> -password <caPassword>
-alias <certificateAlias> -keystoreAlias <keystoreAlias>
-pkiImplClass <customCAClient> [options]
Required Parameters
The following required parameters are used with the
queryCertificate command:
- -host caHost
- Specifies the target certificate authority host to which the request is
sent.
- -port caPort
- Specifies the target port to connect to.
- -username caUserName
- Specifies the user name used to gain access to the certificate authority.
- -password caPassword
- Specifies the password used to authenticate with the certificate authority.
- -alias certificateAlias
- Specifies the alias of the certificate to be queried.
- -keyStoreAlias keyStoreAlias
- Specifies the name of the keystore that is located in the ssl.client.props
file for the profile to which the CA signed certificate is added. This name
is the ClientDefaultKeyStore file for either a managed or unmanaged environment.
- -pkiImplClass custom CA client
- A class that implements the WSPKIClient interface. The implementation
class handles all the communication to the CA server. This can be a custom
class or a class provided with the product.
Optional Parameters
The following options are available
for the queryCertificate command:
- -customAttrs customAttr1=value;customAttr2=value;...
- A semicolon-separated list of custom name=value pairs to be passed in
to the custom implementation class. This parameter provides a way to pass
custom information to the implementation class. The ‘attr’ and ‘value’ pairs
are converted to a hash map and passed along to the implementation class.
- -retryInterval retry interval
- The time period in seconds between retries of queries to the CA server
for a CA signed certificate.
- -retryLimit retry limit
- The total number of times to retry a query request to the CA server.
- -logfile filename
- The log file that overrides the default trace file. By default, the trace
appears in the profiles/profile_name/log/caClient.log file.
- -trace
- When specified, -trace enables the trace
specification necessary to debug this component. By default, the trace appears
in the profiles/profile_name/log/caClient.log file.
- -replaceLog
- An option to cause the existing trace file to be replaced when the command
is executed.
- -quiet
- An option to suppress most messages from printing out on the console.
- -help
- An option to print a usage statement.
Usage
The following example performs a queryCertificate:
queryCertificate -host localhost -port 1077 -username pkiuser -password webspherepki -alias C:\opt\WebSphere\AppClient\etc\certReq26924.req -keyStoreAlias ClientDefaultKeyStore
CWPKI0403I: Trace is being logged to the following location:
C:\opt\WebSphere\AppClient\logs\caClient.log
CWPKI0418E: The following error occurred while querying the CA for a signed
certificate: CWPKI0463I: Action "query" not supported by this
implementation.