The KeyTool command-line
program enables you to create a Rational® Certificate Store (RCS) file that contains digital
certificates for use with tests. A Rational Certificate Store (RCS) file is a compressed archive
file that contains one or more PKCS#12 certificates. You can also
use the KeyTool program to remove certificates from a certificate
store.
Procedure
- Type the following command, on a single line (rpt_home and version are placeholders for the product installation directory and the installed kernel plug-in version; the syntax summary below lists every option, and the table that follows explains which ones apply together):
  java -cp rpt_home/plugins/com.ibm.rational.test.lt.kernel_version.jar com.ibm.rational.test.lt.kernel.dc.KeyTool --store=file --passphrase=certificate-passphrase --add --remove --generate --cert=certificate-name --subject=subject-name --ca-store=store --ca-cert=ca-certificate-name --ca-passphrase=ca-certificate-passphrase --sign --self-sign --algorithm=algorithm {RSA | DSA} --list
  If a value contains spaces, enclose the value in quotation marks.
Option | Description
--- | ---
--store | Required if adding or removing a certificate. The file name of the Rational Certificate Store (RCS) file. If the specified certificate store does not have the RCS extension, this extension will be added.
--passphrase | Optional. The passphrase to place on the generated certificate. The default passphrase is default.
--add | Optional. Adds the certificate to the certificate store. Used with --generate, this generates a certificate and adds it to the certificate store.
--remove | Optional. Removes the certificate from the certificate store. This option cannot be used with the --add or --generate options.
--generate | Optional. Generates a certificate. Used with --add, this generates a certificate and adds it to the certificate store.
--cert | Required. The name of the certificate file to add, remove, or generate. If you are creating a certificate, the file name will be given the P12 extension.
--subject | Optional. The X.500 Distinguished Name for the certificate. If no subject is specified, a default subject will be provided. To learn more about subjects, see Digital certificate creation overview.
--ca-store | Required if signing a certificate. The file name of the Rational Certificate Store (RCS) file from which to retrieve the CA certificate.
--ca-cert | Required if signing a certificate. The name of the CA certificate file to use to sign another certificate.
--ca-passphrase | Required if signing a certificate. The passphrase for the CA certificate.
--sign | Optional. Signs the generated certificate using the specified CA certificate. This option cannot be used with --self-sign.
--self-sign | Optional. Self-signs the generated certificate. This option cannot be used with --sign.
--algorithm | Optional. Determines the public-key algorithm used for the certificate's key pair. The default is RSA. The options are RSA or DSA.
--list | Optional. Prints the names of all certificates in a certificate store to standard output. This list can be used to create a datapool.
- Use KeyTool to create and add as many digital certificates
as you want. If you want to create a datapool of the names of certificates
in the certificate store, run KeyTool again with the --list option. This writes a list of names that
can then be imported to a datapool.
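The Results section below recommends wrapping KeyTool in a script. The following POSIX shell script is an added example, not IBM's code and not part of this documentation: it runs the procedure end to end, generating a self-signed test CA, three CA-signed test-user certificates (never a real user's certificate, as the note at the end of the page requires), and finally the --list output that feeds a datapool. The install path /opt/IBM/SDP, the store name rpttest.rcs, the certificate names rptTestCA and testuserN, the subjects and the passphrases are all constructed, and the KEYTOOL_DRY_RUN variable is this script's own convention. When the kernel jar cannot be found, or KEYTOOL_DRY_RUN is set, the script prints the command lines it would run instead of executing them, which also lets you review the quoting of values that contain spaces.

```shell
#!/bin/sh
# Wrapper around the Rational Performance Tester KeyTool (added example; not
# IBM's own script). Builds each KeyTool command line, quotes values that
# contain spaces as the documentation requires, and runs the commands only
# when the kernel jar is present; otherwise (or when KEYTOOL_DRY_RUN is set)
# it prints them so the invocation can be reviewed first.
#
# Assumptions (not from the documentation): RPT_HOME is the product install
# directory; store, certificate and passphrase names below are constructed.

RPT_HOME="${RPT_HOME:-/opt/IBM/SDP}"                     # assumed install path
KEYTOOL_CLASS="com.ibm.rational.test.lt.kernel.dc.KeyTool"

# Locate the versioned kernel jar; KERNEL_JAR stays empty when it is absent.
KERNEL_JAR="${KERNEL_JAR:-}"
if [ -z "$KERNEL_JAR" ]; then
    for jar in "$RPT_HOME"/plugins/com.ibm.rational.test.lt.kernel_*.jar; do
        [ -f "$jar" ] && KERNEL_JAR="$jar" && break
    done
fi

# Print one --option=value argument, enclosing the value in quotation marks
# when it contains spaces (for example an X.500 subject with commas/spaces).
quote_arg() {
    case "$1" in
        *[[:space:]]*) printf '%s="%s"' "${1%%=*}" "${1#*=}" ;;
        *)             printf '%s' "$1" ;;
    esac
}

# Render the complete KeyTool command line for the given options.
keytool_cmd() {
    printf 'java -cp %s %s' \
        "${KERNEL_JAR:-rpt_home/plugins/com.ibm.rational.test.lt.kernel_version.jar}" \
        "$KEYTOOL_CLASS"
    for arg in "$@"; do
        printf ' %s' "$(quote_arg "$arg")"
    done
    printf '\n'
}

# Run KeyTool, or print the command line in dry-run mode / when the jar is missing.
run_keytool() {
    if [ -n "$KEYTOOL_DRY_RUN" ] || [ -z "$KERNEL_JAR" ]; then
        keytool_cmd "$@"
    else
        java -cp "$KERNEL_JAR" "$KEYTOOL_CLASS" "$@"
    fi
}

# Step 1: a self-signed test CA, generated and added to the store in one call.
#   $1 store file, $2 CA passphrase, $3 CA certificate name, $4 CA subject (X.500 DN)
create_test_ca() {
    run_keytool "--store=$1" "--passphrase=$2" --generate --add --self-sign \
        "--cert=$3" "--subject=$4" --algorithm=RSA
}

# Step 2: a test-user certificate signed by that CA (never a real user's certificate).
#   $1 store, $2 cert passphrase, $3 cert name, $4 subject, $5 CA cert name, $6 CA passphrase
create_signed_cert() {
    run_keytool "--store=$1" "--passphrase=$2" --generate --add --sign \
        "--cert=$3" "--subject=$4" \
        "--ca-store=$1" "--ca-cert=$5" "--ca-passphrase=$6"
}

# Step 3: list the certificate names so they can be imported into a datapool.
list_certs() {
    run_keytool "--store=$1" --list
}

# Demonstration with constructed names. Passphrases are taken from the
# environment so the defaults can be overridden without editing the script.
STORE="${STORE:-rpttest.rcs}"
CA_PASS="${CA_PASS:-change-me-ca}"
USER_PASS="${USER_PASS:-change-me-user}"
create_test_ca "$STORE" "$CA_PASS" rptTestCA "CN=RPT Test CA, O=Example Test Lab"
for i in 1 2 3; do
    create_signed_cert "$STORE" "$USER_PASS" "testuser$i" \
        "CN=Test User $i, O=Example Test Lab" rptTestCA "$CA_PASS"
done
list_certs "$STORE"
```

Because KeyTool takes passphrases as command-line options, they are visible in the process list and in shell history on the machine where the script runs; override the placeholder passphrases and treat the resulting .rcs file as key material, since, as the note at the end of the page explains, whoever can read the store holds the private keys of every certificate in it.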
Results
You now have a digital certificate store that you can use
with tests. Because the KeyTool program has many options, you might
want to create an alias or script file to use to invoke KeyTool.
You do not have to use the KeyTool command-line program to create
a certificate store. It is possible to use existing PKCS#12 certificates
with Rational Performance Tester; PKCS#12 certificates can be exported from a web browser.
A PKCS#12 file packages the private key together with the certificate,
protected by a password.
Note: Do not use certificates associated
with real users. Certificates associated with real users contain private
keys that should not become known by or available to anyone other
than the owner of the certificate. An intruder who gained access to
the certificate store would have access to the private keys of all
certificates in the store. For this reason, you must create, or have
created for you, certificates that are signed by the correct certificate
authority (CA) but that are not associated with real users.