requestCertificate 命令

requestCertificate 命令使用实现类(传递以与认证中心 (CA) 服务器通信)以请求 CA 签署的证书。命令随后将该证书添加到提供的密钥库。

requestCertificate 命令可以使用通过 createCertRequest 命令创建的预定义证书请求,也可以自己创建证书请求。根据命令针对的 CA 服务器,可能会返回完成的已签署请求;或者 CA 服务器可能接受该请求,并要求在稍后进行调用以使用 queryCertificate 命令获取证书。

位置

profile_root/bin 目录发出该命令。

语法

命令语法如下所示:

(为了便于打印,将以下命令拆分为多行。)[AIX][HP-UX][Linux][Solaris]
requestCertificate.sh -host<caHost> -port<caPort> -username<caUserName> -password<caPassword> 
-revocationPassword<revocationPassword> -keystoreAlias<keystoreAlias> 
-pkiImplClass<customCAClient>[options]
[Windows]
requestCertificate.bat -host<caHost> -port<caPort> -username<caUserName> -password<caPassword> 
-revocationPassword<revocationPassword> -keystoreAlias<keystoreAlias> 
-pkiImplClass<customCAClient>[options]
[z/OS]
requestCertificate.sh -host<caHost> -port<caPort> -username<caUserName>  -password<caPassword> 
-revocationPassword<revocationPassword> -keystoreAlias<keystoreAlias>
 -pkiImplClass<customCAClient>[options]
[IBM i]
requestCertificate -host<caHost> -port<caPort> -username<caUserName>  -password<caPassword>
-revocationPassword<revocationPassword> -keystoreAlias<keystoreAlias> 
-pkiImplClass<customCAClient>[options]

Required Parameters

The following required parameter are used with the requestCertifcate command:
-host caHost
Specifies the target certificate authority host to which the request will be sent.
-port caPort
Specifies the target port on which to connect.
-username caUserName
The user name used to gain access to the certificate authority.
-password caPassword
The password used to authenticate with the certificate authority.
-revocationPassword revocationPassword
The password that is to be set on the certificate returned by the certificate authority. The revocation password is sent to the certificate authority during each request and is associated with each certificate that is issued. To later revoke a certificate, the same revocation password must be sent during a revokeCertificate request.
keyStoreAliaskeyStoreAlias
The name of the keystore that is located in the ssl.client.props file for the profile to which the CA signed certificate is added. This will typically be the ClientDefaultKeyStore file for either a managed or unmanaged environment.
-pkiImplClass custom CA client
The path to a class that implements the WSPKIClient interface. The implementation class handles communication to a CA server to request a CA signed certificate. There is no default WSPKIClient implementation shipped with the product. Users are expected to provide their own WSPKIClient implementation to communicate with a give Certificate Authority.
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-zos&topic=tsec_7dev_WSPKIClient_interface

Optional Parameters

The following options are available for the requestCertificate command:

-certReqPath certificate request file
A path to an existing PKCS10 certificate request saved in a BASE64 encoded file. If no request is specified a PKCS10 certificate request will be created automatically. In that case it is required to specify a “subjectDN” and “alias” option. By default the request will be created in the same location as the keyStore specified in the request. This will typically be in the /profile_name/etc/ directory for either a managed or unmanaged environment.
-subjectDN subjectDN
The distinguished name to be used for the PKCS10 certificate request. The distinguished name must contain the CN field. This option is only required if you do not specify the –certReqPath option, or if the –certReqPath option points to a file that does not exist.
-alias certificateAlias
The alias used to store the PKCS10 certificate request certificate in the keyStore specified on the request. Note that the CA signed certificate is stored under the same alias and will replace the cert request certificate when received. This option is only required if you do not specify the –certReqPath option, or if the –certReqPath option points to a file that does not exist.
-keySize key size
The size of the key. This option is only used valid if creating a PKCS10 certificate request in-band. Default size is 1024. Valid values include 512, 1024, and 2048
-keyUsage
A semi-colon separated list of extended key usage strings. This option is only valid if creating a PKCS10 certificate request in-band.
-extKeyUsage extKeyUse1;extKeyUse2;...
A semi-colon separated list of extended key usage strings. This option is only valid if creating a PKCS10 certificate request in-band.
-customAttrs customAttr1=value;customAttr2=value;...
A semi-colon separated list of custom name=value pairs to be passed in to the custom implementation class. This provides a way to pass custom information to the implementation class. The ‘attr’ and ‘value’ pairs will be converted to a hash map and passed along to the implementation class.
-retryInterval retry interval
The time period in seconds between retires of queries to the CA for a CA signed certificate.
-retryLimit retry limit
The total number of times to retry a query request to the CA.
-logfile filename
Overrides the default trace file. By default, the trace appears in the profiles/profile_name/log/caClient.log. file.
-trace
When specified, this enables tracing of the trace specification necessary to debug this component. By default, the trace will appear in the profiles/profile_name/log/caClient.log file.
-replaceLog
Causes the existing trace file to be replaced when the command is executed. -quit
-quiet
Suppresses most messages from printing out on the console.
-help
Prints a usage statement
-?
Prints a usage statement

Usage

The following example performs a requestCertificate:

[AIX][HP-UX][Linux][Solaris]
requestCertificate.sh -host localhost -port 1077
 -username pkiuser -password webspherepki -revocationPassword webspherepki -keyS
toreAlias ClientDefaultKeyStore -certReqPath C:\opt\WebS
phere\AppClient\etc\certReq26924.req -trace
CWPKI0403I: Trace is being logged to the following location:
           C:\opt\WebSphere\AppClient\logs\caClient.log
CWPKI0455I: Requesting a CA signed certificate.
CWPKI0456I: CA Signed Certificate Received [Issued By: O=IBM, C=US, Issued To:
           CN=mycn, O=ibm, C=us, Not Before: Thu Feb 22 09:07:53 CST 2007, Not
           After: Sat Feb 16 10:09:19 CST 2008]
[Windows]
C:\opt\WebSphere\AppClient\bin>requestCertificate.bat -host localhost -port 1077
 -username pkiuser -password webspherepki -revocationPassword webspherepki -keyS
toreAlias ClientDefaultKeyStore -certReqPath C:\opt\WebS
phere\AppClient\etc\certReq26924.req -trace
CWPKI0403I: Trace is being logged to the following location:
           C:\opt\WebSphere\AppClient\logs\caClient.log
CWPKI0455I: Requesting a CA signed certificate.
CWPKI0456I: CA Signed Certificate Received [Issued By: O=IBM, C=US, Issued To:
           CN=mycn, O=ibm, C=us, Not Before: Thu Feb 22 09:07:53 CST 2007, Not
           After: Sat Feb 16 10:09:19 CST 2008]
[z/OS]
requestCertificate.sh -host localhost -port 1077
 -username pkiuser -password webspherepki -revocationPassword webspherepki -keyS
toreAlias ClientDefaultKeyStore -certReqPath C:\opt\WebS
phere\AppClient\etc\certReq26924.req -trace
CWPKI0403I: Trace is being logged to the following location:
           C:\opt\WebSphere\AppClient\logs\caClient.log
CWPKI0455I: Requesting a CA signed certificate.
CWPKI0456I: CA Signed Certificate Received [Issued By: O=IBM, C=US, Issued To:
           CN=mycn, O=ibm, C=us, Not Before: Thu Feb 22 09:07:53 CST 2007, Not
           After: Sat Feb 16 10:09:19 CST 2008]
[IBM i]
requestCertificate -host localhost -port 1077
 -username pkiuser -password webspherepki -revocationPassword webspherepki -keyS
toreAlias ClientDefaultKeyStore -certReqPath C:\opt\WebS
phere\AppClient\etc\certReq26924.req -trace
CWPKI0403I: Trace is being logged to the following location:
           C:\opt\WebSphere\AppClient\logs\caClient.log
CWPKI0455I: Requesting a CA signed certificate.
CWPKI0456I: CA Signed Certificate Received [Issued By: O=IBM, C=US, Issued To:
           CN=mycn, O=ibm, C=us, Not Before: Thu Feb 22 09:07:53 CST 2007, Not
           After: Sat Feb 16 10:09:19 CST 2008]

指示主题类型的图标 参考主题



时间戳记图标 最近一次更新时间: last_date
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=rsec_7requestcacertcmd
文件名:rsec_7requestcacertcmd.html