The requestCertificate command uses an implementation class that is passed in to communicate with a certificate authority (CA) server and request a CA signed certificate. The command then adds the certificate to a supplied keystore.
The requestCertificate command can use a predefined certificate request that was created with the createCertRequest command, or it can create the certificate request itself. Depending on the CA server that the command targets, a completed signed request can be returned immediately, or the CA server can accept the request and require a later call to the queryCertificate command to retrieve the certificate.
Location
Issue the command from the profile_root/bin directory.
Syntax
The command syntax is as follows. (The following command is split on multiple lines for printing purposes.)
requestCertificate -host <caHost> -port <caPort> -username <caUserName> -password <caPassword>
-revocationPassword <revocationPassword> -keyStoreAlias <keyStoreAlias>
-pkiImplClass <customCAClient> [options]
Required Parameters
The following required parameters are used with the requestCertificate command:
- -host caHost
- Specifies the target certificate authority host to which the request
will be sent.
- -port caPort
- Specifies the target port on which to connect.
- -username caUserName
- The user name used to gain access to the certificate authority.
- -password caPassword
- The password used to authenticate with the certificate authority.
- -revocationPassword revocationPassword
- The password that is to be set on the certificate returned by
the certificate authority. The revocation password is sent to the
certificate authority during each request and is associated with each
certificate that is issued. To later revoke a certificate, the same
revocation password must be sent during a revokeCertificate request.
- -keyStoreAlias keyStoreAlias
- The name of the keystore, as defined in the ssl.client.props file for the profile, to which the CA signed certificate is added. This will typically be ClientDefaultKeyStore for either a managed or unmanaged environment.
- -pkiImplClass customCAClient
- The path to a class that implements the WSPKIClient interface. The implementation class handles communication with a CA server to request a CA signed certificate. No default WSPKIClient implementation is shipped with the product; users are expected to provide their own WSPKIClient implementation to communicate with a given certificate authority. For the interface, see http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-zos&topic=tsec_7dev_WSPKIClient_interface
Optional Parameters
The following options are available for the requestCertificate command:
- -certReqPath certificate request file
- A path to an existing PKCS10 certificate request saved in a BASE64 encoded file. If no request is specified, a PKCS10 certificate request is created automatically; in that case the subjectDN and alias options are required. By default the request is created in the same location as the keyStore specified in the request. This will typically be the /profile_name/etc/ directory for either a managed or unmanaged environment.
- -subjectDN subjectDN
- The distinguished name to be used for the PKCS10 certificate request. The distinguished name must contain the CN field. This option is only required if you do not specify the -certReqPath option, or if the -certReqPath option points to a file that does not exist.
- -alias certificateAlias
- The alias under which the PKCS10 certificate request certificate is stored in the keyStore specified on the request. Note that the CA signed certificate is stored under the same alias and replaces the certificate request certificate when it is received. This option is only required if you do not specify the -certReqPath option, or if the -certReqPath option points to a file that does not exist.
- -keySize key size
- The size of the key. This option is only valid if creating a PKCS10 certificate request in-band. The default size is 1024. Valid values are 512, 1024, and 2048.
- -keyUsage keyUse1;keyUse2;...
- A semi-colon separated list of key usage strings. This option is only valid if creating a PKCS10 certificate request in-band.
- -extKeyUsage extKeyUse1;extKeyUse2;...
- A semi-colon separated list of extended key usage strings. This
option is only valid if creating a PKCS10 certificate request in-band.
- -customAttrs customAttr1=value;customAttr2=value;...
- A semi-colon separated list of custom name=value pairs to be passed in to the custom implementation class. This provides a way to pass custom information to the implementation class. The name and value pairs are converted to a hash map and passed along to the implementation class.
- -retryInterval retry interval
- The time period in seconds between retries of queries to the CA for a CA signed certificate.
- -retryLimit retry limit
- The total number of times to retry a query request to the CA.
- -logfile filename
- Overrides the default trace file. By default, the trace appears in the profiles/profile_name/log/caClient.log file.
- -trace
- When specified, enables the trace specification necessary to debug this component. By default, the trace appears in the profiles/profile_name/log/caClient.log file.
- -replaceLog
- Causes the existing trace file to be replaced when the command is executed.
- -quiet
- Suppresses most messages from printing out on the console.
- -help
- Prints a usage statement.
- -?
- Prints a usage statement.
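Producing the BASE64 encoded PKCS10 file that -certReqPath accepts, with the command's own constraints applied (the subject DN must carry a CN; keySize must be 512, 1024 or 2048). This is an added Go example written for this page, not WebSphere's code or its in-band request generator; the subject values are taken from the Usage example below and the output file name certReq.req is an assumption.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"os"
)

// BuildCertReq applies the command's rules for an in-band request (the
// subject must carry a CN; keySize must be 512, 1024 or 2048), generates an
// RSA key, and returns the PKCS10 request BASE64 (PEM) encoded, which is the
// form -certReqPath expects. The key is returned so the caller can keep it
// under the keystore entry named by -alias.
func BuildCertReq(subject pkix.Name, keySize int) ([]byte, *rsa.PrivateKey, error) {
	if subject.CommonName == "" {
		return nil, nil, fmt.Errorf("subjectDN %q lacks the CN field", subject.String())
	}
	// 512 and 1024 are accepted by the command but are below current RSA
	// minimums; 2048 is the only listed size worth requesting from a CA today.
	if keySize != 512 && keySize != 1024 && keySize != 2048 {
		return nil, nil, fmt.Errorf("keySize %d is not 512, 1024 or 2048", keySize)
	}
	key, err := rsa.GenerateKey(rand.Reader, keySize)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: subject}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	req := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return req, key, nil
}

func main() {
	// Subject taken from the Usage example on this page: CN=mycn, O=ibm, C=us.
	subject := pkix.Name{CommonName: "mycn", Organization: []string{"ibm"}, Country: []string{"us"}}
	req, _, err := BuildCertReq(subject, 2048) // key discarded in this demo
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Redirect stdout to the file you then pass to -certReqPath (assumed name: certReq.req).
	os.Stdout.Write(req)
}
```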
Usage
The following example performs a requestCertificate:
requestCertificate -host localhost -port 1077
-username pkiuser -password webspherepki -revocationPassword webspherepki
-keyStoreAlias ClientDefaultKeyStore -certReqPath C:\opt\WebSphere\AppClient\etc\certReq26924.req -trace
CWPKI0403I: Trace is being logged to the following location:
C:\opt\WebSphere\AppClient\logs\caClient.log
CWPKI0455I: Requesting a CA signed certificate.
CWPKI0456I: CA Signed Certificate Received [Issued By: O=IBM, C=US, Issued To:
CN=mycn, O=ibm, C=us, Not Before: Thu Feb 22 09:07:53 CST 2007, Not
After: Sat Feb 16 10:09:19 CST 2008]