{"id":6343,"date":"2016-10-12T16:01:04","date_gmt":"2016-10-12T08:01:04","guid":{"rendered":"http:\/\/rmohan.com\/?p=6343"},"modified":"2016-10-12T16:01:04","modified_gmt":"2016-10-12T08:01:04","slug":"certificate-management-by-using-gsk7cmd-command","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=6343","title":{"rendered":"Certificate Management by using gsk7cmd command"},"content":{"rendered":"

Certificate Management by using gsk7cmd command<\/h3>\n
<\/div>\n
\n
Command: gsk7cmd<\/p>\n

Purpose: gsk7cmd is a command line tool for certificate management.
\nPrerequisite: set JAVA_HOME varriable.
\nExample: export JAVA_HOME=\/usr\/IBM\/WebSphere\/AppServer\/java (this depends on your environment)<\/p>\n

Parameters for below examples:<\/p>\n

keystore Name: testcacerts.jks \/ test.kdb
\npassword: changeit \/ testit<\/p>\n

NOTE:- If you are practicing below examples kindly practice it in the sequence because there might be a dependancy.<\/p>\n

Command usage<\/p>\n

# gsk7cmd -help<\/p>\n

Object Action Description
\n—— —— ———–
\n-keydb
\n-changepw Change the password for a key database
\n-convert Convert the format of a key database
\n-create Create a key database
\n-delete Delete a key database
\n-expiry\u00a0Display password expiry
\n-list Currently supported types of key database.
\n-stashpw Stash the password of a key database into a file<\/p>\n

-cert
\n-add Add a CA Certificate
\n-create Create a self-signed certificate
\n-delete Delete a certificate
\n-details Show the details of a specific certificate
\n-export Export a personal certificate and associated private key\u00a0into a PKCS12 file or a key
\ndatabase
\n-extract Extract a certificate from a key database
\n-getdefault Show the default personal certificate
\n-import Import a certificate from a key database or a PKCS12 file
\n-list List certificates in a key database
\n-listsigners List signer certificates delivered with ikeyman
\n-modify Modify a certificate (NOTE: the only field that may be modified is the trust field)
\n-populate Populate with included CA Certificates
\n-receive Receive a certificate
\n-rename Rename a certificate
\n-setdefault Set the default personal certificate
\n-sign Sign a certificate<\/p>\n

-certreq<\/p>\n

-create Create a certificate request
\n-delete Delete a certificate request from a certificate request database
\n-details Show the details of a specific certificate request
\n-extract Extract a certificate from a certificate request database
\n-list List all certificate requests in a certificate request database
\n-recreate Recreate a certificate request<\/p>\n

-seckey<\/p>\n

-create Create a secret key
\n-delete Delete a secret key
\n-details Show the details of a specific secret key
\n-export Export secret keys to a file
\n-import Import secret keys from a file
\n-list List all secret keys in a key database
\n-rename Rename a secret key<\/p>\n

-version\u00a0\u00a0\u00a0Display iKeyman version information<\/p>\n

-help\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Display this help text<\/p>\n

Keystore Management<\/u>\u00a0 (-keydb)<\/strong><\/p>\n

Creating keystore by specifying password expiry<\/u><\/strong><\/p>\n

Example 1<\/em><\/strong><\/p>\n

#gsk7cmd -keydb -create -db test.kdb -pw changeit -type kdb -expire 7300<\/p>\n

The above command creates a keystore file (test.kdb) of kdb type and keep the password expiry to 7300 days<\/p>\n

Example 2<\/em><\/strong><\/p>\n

# gsk7cmd -keydb -expiry -db test.kdb -pw changeit<\/p>\n

This will list the password expiry of keystore test.kdb<\/p>\n

Output:<\/p>\n

Password expiry time: Aug 9, 2032 2:05:51 AM<\/p>\n

Deleting the keystore<\/u><\/strong><\/p>\n

Example 3<\/em><\/strong><\/p>\n

#gsk7cmd -keydb -delete -db test.kdb -pw changeit<\/p>\n

This deletes the keystore file test.kdb<\/p>\n

Creating a default keystore<\/u><\/strong><\/p>\n


\n<\/em><\/div>\n

Example 4<\/em><\/strong>
\n#gsk7cmd -keydb -create -db testcacerts.jks -pw testit<\/p>\n

The above command creates a keystore file with the name testcacerts.jks and the password testit in the current directory<\/p>\n

Changing the keystore password<\/strong><\/p>\n

Example 5<\/em><\/strong><\/p>\n

#gsk7cmd -keydb -changepw -db testcacerts.jks -pw testit -new_pw changeit<\/p>\n

This changes the password from testit to changeit<\/p>\n

Certificate Management<\/u> (-cert)<\/strong><\/p>\n

Adding certificate to a keystore with out specifying label<\/strong><\/p>\n

Example 6<\/em><\/strong><\/p>\n

#gsk7cmd -cert -add -file test.cer -db testcacerts.jks -pw changeit<\/p>\n

This adds the certificate file test.cer in testcacerts.jks keystore, If label is not specified it will generate a label (kindly note the label details in example 7).<\/p>\n

Example 7<\/em><\/strong><\/p>\n

#gsk7cmd -cert -details -label “cn=TESTCERT, o=IBM, c=us” -db testcacerts.jks -pw changeit<\/p>\n

This command will list the details of certificate with label “cn=TESTCERT, o=IBM, c=us” (The certificate which was added in example 6)<\/p>\n

Output <\/em><\/strong><\/p>\n

Label: cn=TESTCERT, o=IBM, c=us
\nKey Size: 1024
\nVersion: X509 V3
\nSerial Number: 12 57 4F 87 1B F8 69 DD
\nIssued by: CN=TESTCERT, O=IBM, C=US
\nSubject: CN=TESTCERT, O=IBM, C=US
\nValid: From: Wednesday, May 12, 2010 2:01:04 AM IST To: Wednesday, May 8, 2030 2:01:04 AM IST
\nFingerprint: BE:87:67:14:AD:FD:64:B9:CC:08:CF:3E:76:05:2A:DC:BB:EB:DF:69
\nSignature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
\nTrust Status: enabled<\/p>\n

Deleting a certificate from the keystore<\/strong><\/p>\n

Example 8<\/em><\/strong><\/p>\n

#gsk7cmd -cert -delete -label “cn=TESTCERT, o=IBM, c=us” -db testcacerts.jks -pw changeit<\/p>\n

This command deletes the certificate with the label “cn=TESTCERT, o=IBM, c=us” (the certificate which was added in example 6)<\/p>\n

Example 9<\/em><\/strong><\/p>\n

#gsk7cmd -cert -details -label “cn=TESTCERT, o=IBM, c=us” -db testcacerts.jks -pw changeit<\/p>\n

This commands confirms the delete operation in example 8, The below output says the certificate with the label ‘cn=TESTCERT, o=IBM, c=us’ does not exists<\/p>\n

Output<\/em><\/strong><\/p>\n

The database doesn’t contain an entry with label ‘cn=TESTCERT, o=IBM, c=us’.
\nCheck the label and try again.<\/p>\n

Adding certificate to a keystore with the label <\/strong><\/p>\n

Example 10<\/em><\/strong><\/p>\n

#gsk7cmd -cert -add -file test.cer -label “This is a cert” -db testcacerts.jks -pw changeit<\/p>\n

This adds the certificate ‘test.cer’ with the label “This is a cert”. (in example 6 we have added the certificate without specifying the label)<\/p>\n

Example 11<\/em><\/strong><\/p>\n

#gsk7cmd -cert -details -label “This is a cert” -db testcacerts.jks -pw changeit<\/p>\n

This confirms that the certificate test.cer has been added with the label “This is a cert”, check the output below\/<\/p>\n

Output<\/em><\/strong><\/p>\n

Label: this is a cert
\nKey Size: 1024
\nVersion: X509 V3
\nSerial Number: 12 57 4F 87 1B F8 69 DD
\nIssued by: CN=TESTCERT, O=IBM, C=US
\nSubject: CN=TESTCERT, O=IBM, C=US
\nValid: From: Wednesday, May 12, 2010 2:01:04 AM IST To: Wednesday, May 8, 2030 2:01:04 AM IST
\nFingerprint: BE:87:67:14:AD:FD:64:B9:CC:08:CF:3E:76:05:2A:DC:BB:EB:DF:69
\nSignature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
\nTrust Status: enabled<\/p>\n

Renaming the label of a certificate<\/strong><\/p>\n

Example 12<\/em><\/strong><\/p>\n

#gsk7cmd -cert -rename -label “This is a cert” -new_label “The_new_label” -db testcacerts.jks -pw changeit<\/p>\n

This renames the lable “This is a cert” with new name “The_new_label”.<\/p>\n

Example 13<\/em><\/strong><\/p>\n

#gsk7cmd -cert -details -label “The_new_label” -db testcacerts.jks -pw changeit<\/p>\n

Example 13 and Example 14 confirms example 12,Check the output below.<\/p>\n

Output<\/em><\/strong><\/p>\n

Label: the_new_label
\nKey Size: 1024
\nVersion: X509 V3
\nSerial Number: 12 57 4F 87 1B F8 69 DD
\nIssued by: CN=TESTCERT, O=IBM, C=US
\nSubject: CN=TESTCERT, O=IBM, C=US
\nValid: From: Wednesday, May 12, 2010 2:01:04 AM IST To: Wednesday, May 8, 2030 2:01:04 AM IST
\nFingerprint: BE:87:67:14:AD:FD:64:B9:CC:08:CF:3E:76:05:2A:DC:BB:EB:DF:69
\nSignature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
\nTrust Status: enabled<\/p>\n

Example 14<\/em><\/strong><\/p>\n

#gsk7cmd -cert -details -label “This is a cert” -db testcacerts.jks -pw changeit<\/p>\n

Example 14 and Example 13 confirms example 12, because in the output of example 13 testcacerts.jks keystore contains a certificate with the label “The_new_label” and the output of example 14 says the testcacerts.jks keystore does not have an with the label “This is a cert” (label name before rename).<\/p>\n

Output<\/em><\/strong><\/p>\n

The database doesn’t contain an entry with label ‘This is a cert’.
\nCheck the label and try again.<\/p>\n

Extracting a certificate from the keyfile<\/strong><\/p>\n

Example 15<\/em><\/strong><\/p>\n

#gsk7cmd -cert -extract -label “The_new_label” -target “this_is_extracted_cert.cer” -db testcacerts.jks -pw changeit<\/p>\n

This will extracrt the certificate with label “The_new_label” into a file this_is_extracted_cert.cer, check the below output for file confirmation<\/p>\n

#ls this_is_extracted_cert.cer
\nthis_is_extracted_cert.cer<\/p>\n

Creating a self signed certificate<\/strong><\/p>\n

Example 16<\/em><\/strong><\/p>\n

gsk7cmd -cert -create -db testcacerts.jks -pw changeit -label ‘New_Self_Signed’ -dn CN=testSELFSIGN,O=ibm,C=in -expire 7300 -size 1024 -x509version 3<\/p>\n

This creates a self signed certificate with the label ‘New_Self_Signed’<\/p>\n

Example 17<\/em><\/strong><\/p>\n

# gsk7cmd -cert -details -label ‘New_Self_Signed’ -db testcacerts.jks -pw changeit<\/p>\n

This confirms the self signed certificate creation ,Verify the certificate in the below output<\/p>\n

Output<\/em><\/strong><\/p>\n

Label: new_self_signed
\nKey Size: 1024
\nVersion: X509 V3
\nSerial Number: 50 29 68 22
\nIssued by: CN=testSELFSIGN, O=ibm, C=in
\nSubject: CN=testSELFSIGN, O=ibm, C=in
\nValid: From: Tuesday, August 14, 2012 2:18:34 AM IST To: Monday, August 9, 2032 2:18:34 AM IST
\nFingerprint: 0C:D5:A0:6A:54:76:6B:3E:D0:3E:2E:42:1C:D0:32:43:66:82:FE:70
\nSignature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5)
\nTrust Status: enabled<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Certificate Management by using gsk7cmd command Command: gsk7cmd<\/p>\n

Purpose: gsk7cmd is a command line tool for certificate management. Prerequisite: set JAVA_HOME varriable. Example: export JAVA_HOME=\/usr\/IBM\/WebSphere\/AppServer\/java (this depends on your environment)<\/p>\n

Parameters for below examples:<\/p>\n

keystore Name: testcacerts.jks \/ test.kdb password: changeit \/ testit<\/p>\n

NOTE:- If you are practicing below examples kindly practice it in the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6343"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6343"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6343\/revisions"}],"predecessor-version":[{"id":6344,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6343\/revisions\/6344"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6343"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6343"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6343"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}