Sunday, January 18, 2015

Manage SSL Certificates - gsk7cmd - WebSphere Administration

Hello Guys,


While working on WebSphere Application Server SSL management, I found a nice link that goes through the gsk7cmd command tool, which is used to manage SSL certificates in a WebSphere Application Server environment.

Link: http://www.websphereusergroup.org/pvnambiar/blog/2012/08/28/certificate_management_by_using_gsk7cmd_command

Certificate Management by using gsk7cmd command

Command: gsk7cmd

Purpose: gsk7cmd is a command line tool for certificate management.
Prerequisite: set the JAVA_HOME variable.
Example: export JAVA_HOME=/usr/IBM/WebSphere/AppServer/java (this depends on your environment)

Parameters for below examples:

keystore Name: testcacerts.jks / test.kdb
password: changeit / testit

NOTE: If you are practicing the examples below, run them in sequence, because later examples may depend on earlier ones.

Command usage

# gsk7cmd -help

Object Action Description
------ ------ -----------
-keydb
            -changepw Change the password for a key database
            -convert Convert the format of a key database
            -create Create a key database
            -delete Delete a key database
            -expiry Display password expiry
            -list Currently supported types of key database.
            -stashpw Stash the password of a key database into a file

-cert
             -add Add a CA Certificate
             -create Create a self-signed certificate
             -delete Delete a certificate
             -details Show the details of a specific certificate
             -export Export a personal certificate and associated private key into a PKCS12 file or a key database
             -extract Extract a certificate from a key database
             -getdefault Show the default personal certificate
             -import Import a certificate from a key database or a PKCS12 file
             -list List certificates in a key database
             -listsigners List signer certificates delivered with ikeyman
            -modify Modify a certificate (NOTE: the only field that may be modified is the trust field)
            -populate Populate with included CA Certificates
            -receive Receive a certificate
            -rename Rename a certificate
            -setdefault Set the default personal certificate
            -sign Sign a certificate

-certreq

              -create Create a certificate request
              -delete Delete a certificate request from a certificate request database
              -details Show the details of a specific certificate request
              -extract Extract a certificate from a certificate request database
              -list List all certificate requests in a certificate request database
              -recreate Recreate a certificate request

-seckey

             -create Create a secret key
             -delete Delete a secret key
             -details Show the details of a specific secret key
             -export Export secret keys to a file
             -import Import secret keys from a file
             -list List all secret keys in a key database
             -rename Rename a secret key

-version   Display iKeyman version information

-help        Display this help text


Keystore Management  (-keydb)

Creating keystore by specifying password expiry

Example 1

# gsk7cmd -keydb -create -db test.kdb -pw changeit -type kdb -expire 7300

The above command creates a keystore file (test.kdb) of type kdb and sets the password expiry to 7300 days.

Example 2

# gsk7cmd -keydb -expiry -db test.kdb -pw changeit

This will list the password expiry of keystore test.kdb

Output:

Password expiry time: Aug 9, 2032 2:05:51 AM

Deleting the keystore

Example 3

# gsk7cmd -keydb -delete -db test.kdb -pw changeit

This deletes the keystore file test.kdb

Creating a default keystore


Example 4
# gsk7cmd -keydb -create -db testcacerts.jks -pw testit

The above command creates a keystore file with the name testcacerts.jks and the password testit in the current directory

Changing the keystore password

Example 5

# gsk7cmd -keydb -changepw -db testcacerts.jks -pw testit -new_pw changeit

This changes the password from testit to changeit

Certificate Management (-cert)

Adding a certificate to a keystore without specifying a label

Example 6

# gsk7cmd -cert -add -file test.cer -db testcacerts.jks -pw changeit

This adds the certificate file test.cer to the testcacerts.jks keystore. If a label is not specified, one is generated (note the label details in Example 7).

Example 7

# gsk7cmd -cert -details -label "cn=TESTCERT, o=IBM, c=us" -db testcacerts.jks -pw changeit

This command will list the details of certificate with label "cn=TESTCERT, o=IBM, c=us" (The certificate which was added in example 6)

Output

Label: cn=TESTCERT, o=IBM, c=us
Key Size: 1024
Version: X509 V3
Serial Number: 12 57 4F 87 1B F8 69 DD
Issued by: CN=TESTCERT, O=IBM, C=US
Subject: CN=TESTCERT, O=IBM, C=US
Valid: From: Wednesday, May 12, 2010 2:01:04 AM IST To: Wednesday, May 8, 2030 2:01:04 AM IST
Fingerprint: BE:87:67:14:AD:FD:64:B9:CC:08:CF:3E:76:05:2A:DC:BB:EB:DF:69
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled

Deleting a certificate from the keystore

Example 8

# gsk7cmd -cert -delete -label "cn=TESTCERT, o=IBM, c=us" -db testcacerts.jks -pw changeit

This command deletes the certificate with the label "cn=TESTCERT, o=IBM, c=us" (the certificate which was added in example 6)

Example 9

# gsk7cmd -cert -details -label "cn=TESTCERT, o=IBM, c=us" -db testcacerts.jks -pw changeit

This command confirms the delete operation in Example 8. The output below says that the certificate with the label 'cn=TESTCERT, o=IBM, c=us' does not exist.

Output

The database doesn't contain an entry with label 'cn=TESTCERT, o=IBM, c=us'.
Check the label and try again.

Adding a certificate to a keystore with a label

Example 10

# gsk7cmd -cert -add -file test.cer -label "This is a cert" -db testcacerts.jks -pw changeit

This adds the certificate 'test.cer' with the label "This is a cert" (in Example 6 we added the certificate without specifying a label).

Example 11

# gsk7cmd -cert -details -label "This is a cert" -db testcacerts.jks -pw changeit

This confirms that the certificate test.cer has been added with the label "This is a cert". Check the output below.

Output

Label: this is a cert
Key Size: 1024
Version: X509 V3
Serial Number: 12 57 4F 87 1B F8 69 DD
Issued by: CN=TESTCERT, O=IBM, C=US
Subject: CN=TESTCERT, O=IBM, C=US
Valid: From: Wednesday, May 12, 2010 2:01:04 AM IST To: Wednesday, May 8, 2030 2:01:04 AM IST
Fingerprint: BE:87:67:14:AD:FD:64:B9:CC:08:CF:3E:76:05:2A:DC:BB:EB:DF:69
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled

Renaming the label of a certificate

Example 12

# gsk7cmd -cert -rename -label "This is a cert" -new_label "The_new_label" -db testcacerts.jks -pw changeit

This renames the label "This is a cert" to the new name "The_new_label".

Example 13

# gsk7cmd -cert -details -label "The_new_label" -db testcacerts.jks -pw changeit

Examples 13 and 14 confirm Example 12. Check the output below.

Output

Label: the_new_label
Key Size: 1024
Version: X509 V3
Serial Number: 12 57 4F 87 1B F8 69 DD
Issued by: CN=TESTCERT, O=IBM, C=US
Subject: CN=TESTCERT, O=IBM, C=US
Valid: From: Wednesday, May 12, 2010 2:01:04 AM IST To: Wednesday, May 8, 2030 2:01:04 AM IST
Fingerprint: BE:87:67:14:AD:FD:64:B9:CC:08:CF:3E:76:05:2A:DC:BB:EB:DF:69
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled

Example 14

# gsk7cmd -cert -details -label "This is a cert" -db testcacerts.jks -pw changeit

Examples 14 and 13 confirm Example 12: the output of Example 13 shows that the testcacerts.jks keystore contains a certificate with the label "The_new_label", and the output of Example 14 says that the keystore does not have an entry with the label "This is a cert" (the label name before the rename).

Output

The database doesn't contain an entry with label 'This is a cert'.
Check the label and try again.

Extracting a certificate from the keyfile

Example 15

# gsk7cmd -cert -extract -label "The_new_label" -target "this_is_extracted_cert.cer" -db testcacerts.jks -pw changeit

This extracts the certificate with the label "The_new_label" into the file this_is_extracted_cert.cer. Check the output below to confirm that the file exists.

# ls this_is_extracted_cert.cer
this_is_extracted_cert.cer

Creating a self-signed certificate

Example 16

# gsk7cmd -cert -create -db testcacerts.jks -pw changeit -label 'New_Self_Signed' -dn CN=testSELFSIGN,O=ibm,C=in -expire 7300 -size 1024 -x509version 3

This creates a self-signed certificate with the label 'New_Self_Signed'.

Example 17

# gsk7cmd -cert -details -label 'New_Self_Signed' -db testcacerts.jks -pw changeit

This confirms the creation of the self-signed certificate. Verify the certificate in the output below.

Output

Label: new_self_signed
Key Size: 1024
Version: X509 V3
Serial Number: 50 29 68 22
Issued by: CN=testSELFSIGN, O=ibm, C=in
Subject: CN=testSELFSIGN, O=ibm, C=in
Valid: From: Tuesday, August 14, 2012 2:18:34 AM IST To: Monday, August 9, 2032 2:18:34 AM IST
Fingerprint: 0C:D5:A0:6A:54:76:6B:3E:D0:3E:2E:42:1C:D0:32:43:66:82:FE:70
Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Trust Status: enabled
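
The details outputs above show 1024-bit keys signed with MD5withRSA and SHA1withRSA. The shell function below is an added example, not part of the original post or of gsk7cmd: it reads "-cert -details" text and flags such entries. The function names, the MIN_KEY_BITS variable, and the 2048-bit and digest thresholds are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit text printed by `gsk7cmd -cert -details`.
# The 2048-bit floor and the rejected digests are this example's assumptions.

audit_cert_details() {
    # Reads "-cert -details" records on stdin, prints one line per finding,
    # and returns 1 if anything was flagged.
    awk -v min_bits="${MIN_KEY_BITS:-2048}" '
        /^Label:/ { label = $0; sub(/^Label:[ \t]*/, "", label) }
        /^Key Size:/ && $3 + 0 < min_bits {
            printf "WEAK_KEY label=\"%s\" bits=%d\n", label, $3; bad = 1
        }
        /^Signature Algorithm:/ && $3 ~ /^(MD2|MD5|SHA1)with/ {
            printf "WEAK_SIG label=\"%s\" alg=%s\n", label, $3; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

sample_details() {
    # First two records are abridged from the outputs of Examples 11 and 17;
    # the third is constructed for contrast.
    cat <<'EOF'
Label: this is a cert
Key Size: 1024
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled
Label: new_self_signed
Key Size: 1024
Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Trust Status: enabled
Label: constructed_strong_cert
Key Size: 2048
Signature Algorithm: SHA256withRSA (1.2.840.113549.1.1.11)
Trust Status: enabled
EOF
}

sample_details | audit_cert_details || true
```

To check a real keystore entry, pipe the command from Example 17 into audit_cert_details; a non-zero exit status means at least one entry was flagged.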
