The createCertRequest command creates
a PKCS10 certificate request and stores it in a client keystore so
that it can be used to send to a certificate authority (CA) server
using the requestCertificate command line utility.
Location
Issue the command from the profile_root/bin directory.
Syntax
The command syntax is as follows:
createCertRequest.sh -keyStoreAlias<keystoreAlias> -subjectDN<subjectDN> -alias<certificateAlias> [options]
Required Parameters
The following required
parameter are used with the
createCertRequest command:
- -keyStoreAlias keyStoreAlias
- Specifies the name of the keystore that is located in the ssl.client.props
file for the profile to which the CA signed certificate is added.
This is the name of the ClientDefaultKeyStore file for either a managed
or unmanaged environment.
- -subjectDN subjectDN
- Specifies the distinguished name (DN) to be used for the PKCS10
certificate request. The DN must contain the CN, O and C fields
at a minimum.
- -alias certificateAlias
- Specifies the alias used to store the PKCS10 certificate request
certificate in the keystore specified on the request.
Note: the CA
signed certificate is stored under the same alias and replaces the
cert request certificate when received.
Optional Parameters
The following options
are available for the createCertRequest command:
- -keySize key size
- An option that specifies the size of the key. This option is
only used valid if creating a PKCS10 certificate request in-band.
Valid values include 512, 1024 2048, 4096 and 8192. Thd default size
is 2048.
- -certValidity valid days
- The time period of certificate validity. Time period is measured
from current date. This option is only valid if creating a PKCS10
certificate request in-band. Default value is 365 days.
- -subjectAltNames altName1;altName2;...
- A semi-colon separated list of subject alternate names. This
option is only used if creating a PKCS10 certificate request in-band.
- -keyUsage keyUse1;keyUse2;...
- A semi-colon separated list of key usage strings. This option
is only valid if creating a PKCS10 certificate request in-band.
- -extKeyUsage extKeyUse1;extKeyUse2;...
- A semi-colon separated list of extended key usage strings. This
option is only valid if creating a PKCS10 certificate request in-band.
- -logfile filename
- The logfile that overrides the default trace file. By default,
the trace appears in the profiles/profile_name/log/caClient.log.
file.
- -trace
- When specified, -trace enables tracing of
the trace specification necessary to debug this component. By default,
the trace will appear in the profiles/profile_name/log/caClient.log file.
- -replaceLog
- An option to cause the existing trace file to be replaced when
the command is executed.
- -quiet
- An option to suppress most messages from printing out on the console.
- -help
- The option to print a usage statement
- -?
- The option to print a usage statement
Usage
The following example creates a PKCS10
certificate request for a client that can be used to send to a CA
:
createCertRequest.sh -keyStoreAlias ClientDefaultKeyStore -subjectDN CN=mycn,o=ibm,c=us -alias cert1
CWPKI0403I: Trace is being logged to the following location:
C:\opt\WebSphere\AppClient\logs\caClient.log
CWPKI0422I: Generating a PKCS10 certificate request
CWPKI0421I: A PKCS10 certificate was successfully created. The request
is stored in file:
C:\opt\WebSphere\AppClient\etc\certReq26924.req