The createCertRequest command creates a PKCS10
certificate request and stores it in a client keystore so that it can be used
to send to a certificate authority (CA) server using the requestCertificate command
line utility.
Location
Issue the command from the profile_root/bin directory.
Syntax
The command syntax is as follows:
createCertRequest -keyStoreAlias<keystoreAlias> -subjectDN<subjectDN> -alias<certificateAlias> [options]
Required Parameters
The following required parameter
are used with the
createCertRequest command:
- -keyStoreAlias keyStoreAlias
- Specifies the name of the keystore that is located in the ssl.client.props
file for the profile to which the CA signed certificate is added. This is
the name of the ClientDefaultKeyStore file for either a managed or unmanaged
environment.
- -subjectDN subjectDN
- Specifies the distinguished name (DN) to be used for the PKCS10 certificate
request. The DN must contain the CN, O and C fields at a minimum.
- -alias certificateAlias
- Specifies the alias used to store the PKCS10 certificate request certificate
in the keystore specified on the request.
Note: the CA signed certificate
is stored under the same alias and replaces the cert request certificate when
received.
Optional Parameters
The following options are available
for the createCertRequest command:
- -keySize key size
- An option that specifies the size of the key. This option is only used
valid if creating a PKCS10 certificate request in-band. Default size is 1024.
Valid values include 512, 1024, and 2048
- -certValidity valid days
- The time period of certificate validity. Time period is measured from
current date. This option is only valid if creating a PKCS10 certificate
request in-band. Default value is 365 days.
- -subjectAltNames altName1;altName2;...
- A semi-colon separated list of subject alternate names. This option is
only used if creating a PKCS10 certificate request in-band.
- -keyUsage keyUse1;keyUse2;...
- A semi-colon separated list of key usage strings. This option is only
valid if creating a PKCS10 certificate request in-band.
- -extKeyUsage extKeyUse1;extKeyUse2;...
- A semi-colon separated list of extended key usage strings. This option
is only valid if creating a PKCS10 certificate request in-band.
- -logfile filename
- The logfile that overrides the default trace file. By default, the trace
appears in the profiles/profile_name/log/caClient.log. file.
- -trace
- When specified, -trace enables tracing of the trace
specification necessary to debug this component. By default, the trace will
appear in the profiles/profile_name/log/caClient.log file.
- -replaceLog
- An option to cause the existing trace file to be replaced when the command
is executed.
- -quiet
- An option to suppress most messages from printing out on the console.
- -help
- The option to print a usage statement
- -?
- The option to print a usage statement
Usage
The following example creates a PKCS10 certificate
request for a client that can be used to send to a CA :
createCertRequest -keyStoreAlias ClientDefaultKeyStore -subjectDN CN=mycn,o=ibm,c=us -alias cert1
CWPKI0403I: Trace is being logged to the following location:
C:\opt\WebSphere\AppClient\logs\caClient.log
CWPKI0422I: Generating a PKCS10 certificate request
CWPKI0421I: A PKCS10 certificate was successfully created. The request
is stored in file:
C:\opt\WebSphere\AppClient\etc\certReq26924.req