Hello Guys,
While working on WebSphere Application Server SSL management, I found a nice link to go through the gsk7cmd command tool, which is used to manage SSL certificates in a WebSphere Application Server environment.
Link is : http://www.websphereusergroup.org/pvnambiar/blog/2012/08/28/certificate_management_by_using_gsk7cmd_command
Command:
gsk7cmd
Purpose: gsk7cmd is a command line tool for certificate management.
Prerequisite: set the JAVA_HOME variable.
Example: export JAVA_HOME=/usr/IBM/WebSphere/AppServer/java (this depends on your environment)
Parameters for below examples:
keystore Name: testcacerts.jks / test.kdb
password: changeit / testit
NOTE:- If you are practicing the examples below, kindly follow them in sequence, because later examples depend on earlier ones.
Command usage
# gsk7cmd -help
Object     Action        Description
------     ------        -----------
-keydb
           -changepw     Change the password for a key database
           -convert      Convert the format of a key database
           -create       Create a key database
           -delete       Delete a key database
           -expiry       Display password expiry
           -list         Currently supported types of key database.
           -stashpw      Stash the password of a key database into a file
-cert
           -add          Add a CA Certificate
           -create       Create a self-signed certificate
           -delete       Delete a certificate
           -details      Show the details of a specific certificate
           -export       Export a personal certificate and associated private key into a PKCS12 file or a key database
           -extract      Extract a certificate from a key database
           -getdefault   Show the default personal certificate
           -import       Import a certificate from a key database or a PKCS12 file
           -list         List certificates in a key database
           -listsigners  List signer certificates delivered with ikeyman
           -modify       Modify a certificate (NOTE: the only field that may be modified is the trust field)
           -populate     Populate with included CA Certificates
           -receive      Receive a certificate
           -rename       Rename a certificate
           -setdefault   Set the default personal certificate
           -sign         Sign a certificate
-certreq
           -create       Create a certificate request
           -delete       Delete a certificate request from a certificate request database
           -details      Show the details of a specific certificate request
           -extract      Extract a certificate from a certificate request database
           -list         List all certificate requests in a certificate request database
           -recreate     Recreate a certificate request
-seckey
           -create       Create a secret key
           -delete       Delete a secret key
           -details      Show the details of a specific secret key
           -export       Export secret keys to a file
           -import       Import secret keys from a file
           -list         List all secret keys in a key database
           -rename       Rename a secret key
-version                 Display iKeyman version information
-help                    Display this help text
Keystore Management (-keydb)
Creating a keystore and specifying the password expiry
Example 1
#gsk7cmd -keydb -create -db test.kdb -pw changeit -type kdb -expire 7300
The above command creates a keystore file (test.kdb) of type kdb and sets its password expiry to 7300 days.
Example 2
# gsk7cmd -keydb -expiry -db test.kdb -pw changeit
This lists the password expiry of the keystore test.kdb.
Output:
Password expiry time: Aug 9, 2032 2:05:51 AM
Deleting the keystore
Example 3
#gsk7cmd -keydb -delete -db test.kdb -pw changeit
This deletes the keystore file test.kdb.
Creating a default keystore
Example 4
#gsk7cmd -keydb -create -db testcacerts.jks -pw testit
The above command creates a keystore file named testcacerts.jks with the password testit in the current directory.
Changing the keystore password
Example 5
#gsk7cmd -keydb -changepw -db testcacerts.jks -pw testit -new_pw changeit
This changes the password from testit to changeit.
Certificate Management (-cert)
Adding a certificate to a keystore without specifying a label
Example 6
#gsk7cmd -cert -add -file test.cer -db testcacerts.jks -pw changeit
This adds the certificate file test.cer to the testcacerts.jks keystore. If no label is specified, gsk7cmd generates one from the certificate (kindly note the generated label in Example 7).
Example 7
#gsk7cmd -cert -details -label "cn=TESTCERT, o=IBM, c=us" -db testcacerts.jks -pw changeit
This command lists the details of the certificate with the label "cn=TESTCERT, o=IBM, c=us" (the certificate added in Example 6).
Output
Label: cn=TESTCERT, o=IBM, c=us
Key Size: 1024
Version: X509 V3
Serial Number: 12 57 4F 87 1B F8 69 DD
Issued by: CN=TESTCERT, O=IBM, C=US
Subject: CN=TESTCERT, O=IBM, C=US
Valid: From: Wednesday, May 12, 2010 2:01:04 AM IST To: Wednesday, May 8, 2030 2:01:04 AM IST
Fingerprint: BE:87:67:14:AD:FD:64:B9:CC:08:CF:3E:76:05:2A:DC:BB:EB:DF:69
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled
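As an added check (example shell code, not from the original post and not part of gsk7cmd), the function below parses the text that gsk7cmd -cert -details prints, like the output above, and flags a key shorter than 2048 bits, an MD2/MD5/SHA-1 signature, and an issuer equal to the subject. Both sample details blocks are constructed; the second uses fictional names.

```shell
# Constructed sample: the Example 7 output above, as the tool printed it
# (1024-bit key, MD5withRSA signature, issuer equal to subject).
SAMPLE_WEAK='Label: cn=TESTCERT, o=IBM, c=us
Key Size: 1024
Issued by: CN=TESTCERT, O=IBM, C=US
Subject: CN=TESTCERT, O=IBM, C=US
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled'

# Constructed sample with nothing to flag (fictional names; CA-issued,
# 2048-bit key, SHA-256 signature).
SAMPLE_OK='Label: example_ok
Key Size: 2048
Issued by: CN=Example Internal CA, O=Example, C=US
Subject: CN=app.example.internal, O=Example, C=US
Signature Algorithm: SHA256withRSA (1.2.840.113549.1.1.11)
Trust Status: enabled'

# field "<details text>" "<Field name>": value of the first matching line.
field() { printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1; }

# Read one certificate's "-cert -details" text on stdin and print one
# finding per line; prints nothing when there is nothing to flag.
audit_cert_details() {
    details=$(cat)
    label=$(field "$details" 'Label')
    key_size=$(field "$details" 'Key Size')
    sig_alg=$(field "$details" 'Signature Algorithm' | cut -d' ' -f1)
    issuer=$(field "$details" 'Issued by')
    subject=$(field "$details" 'Subject')
    if [ -n "$key_size" ] && [ "$key_size" -lt 2048 ]; then
        echo "WEAK KEY: '$label' has a $key_size-bit key (2048 or more expected)"
    fi
    case "$sig_alg" in
        MD2withRSA|MD5withRSA|SHA1withRSA)
            echo "WEAK SIGNATURE: '$label' is signed with $sig_alg" ;;
    esac
    if [ "$issuer" = "$subject" ]; then
        echo "SELF-SIGNED: '$label' (issuer equals subject); keep only if added deliberately"
    fi
}

# Number of findings for a details text (0 means clean).
finding_count() { printf '%s\n' "$1" | audit_cert_details | wc -l | tr -d ' '; }

# Stand-alone run over the weak sample; in real use pipe gsk7cmd's output in:
#   gsk7cmd -cert -details -label "<label>" -db <db> -pw <pw> | audit_cert_details
printf '%s\n' "$SAMPLE_WEAK" | audit_cert_details
```

The same check also flags the self-signed certificate created in Example 16, whose details in Example 17 show a 1024-bit key and a SHA1withRSA signature.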
Deleting a certificate from the keystore
Example 8
#gsk7cmd -cert -delete -label "cn=TESTCERT, o=IBM, c=us" -db testcacerts.jks -pw changeit
This command deletes the certificate with the label "cn=TESTCERT, o=IBM, c=us" (the certificate which was added in example 6)
Example 9
#gsk7cmd -cert -details -label "cn=TESTCERT, o=IBM, c=us" -db testcacerts.jks -pw changeit
This command confirms the delete operation in Example 8: the output below says the certificate with the label 'cn=TESTCERT, o=IBM, c=us' does not exist.
Output
The database doesn't contain an entry with label 'cn=TESTCERT, o=IBM, c=us'.
Check the label and try again.
Adding a certificate to a keystore with a label
Example 10
#gsk7cmd -cert -add -file test.cer -label "This is a cert" -db testcacerts.jks -pw changeit
This adds the certificate 'test.cer' with the label "This is a cert" (in Example 6 we added the certificate without specifying a label).
Example 11
#gsk7cmd -cert -details -label "This is a cert" -db testcacerts.jks -pw changeit
This confirms that the certificate test.cer has been added with the label "This is a cert"; check the output below.
Output
Label: this is a cert
Key Size: 1024
Version: X509 V3
Serial Number: 12 57 4F 87 1B F8 69 DD
Issued by: CN=TESTCERT, O=IBM, C=US
Subject: CN=TESTCERT, O=IBM, C=US
Valid: From: Wednesday, May 12, 2010 2:01:04 AM IST To: Wednesday, May 8, 2030 2:01:04 AM IST
Fingerprint: BE:87:67:14:AD:FD:64:B9:CC:08:CF:3E:76:05:2A:DC:BB:EB:DF:69
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled
Renaming the label of a certificate
Example 12
#gsk7cmd -cert -rename -label "This is a cert" -new_label "The_new_label" -db testcacerts.jks -pw changeit
This renames the label "This is a cert" to "The_new_label".
Example 13
#gsk7cmd -cert -details -label "The_new_label" -db testcacerts.jks -pw changeit
Examples 13 and 14 together confirm Example 12; check the output below.
Output
Label: the_new_label
Key Size: 1024
Version: X509 V3
Serial Number: 12 57 4F 87 1B F8 69 DD
Issued by: CN=TESTCERT, O=IBM, C=US
Subject: CN=TESTCERT, O=IBM, C=US
Valid: From: Wednesday, May 12, 2010 2:01:04 AM IST To: Wednesday, May 8, 2030 2:01:04 AM IST
Fingerprint: BE:87:67:14:AD:FD:64:B9:CC:08:CF:3E:76:05:2A:DC:BB:EB:DF:69
Signature Algorithm: MD5withRSA (1.2.840.113549.1.1.4)
Trust Status: enabled
Example 14
#gsk7cmd -cert -details -label "This is a cert" -db testcacerts.jks -pw changeit
Examples 14 and 13 together confirm Example 12: the output of Example 13 shows that the testcacerts.jks keystore contains a certificate with the label "The_new_label", and the output of Example 14 says the testcacerts.jks keystore has no entry with the label "This is a cert" (the label name before the rename).
Output
The database doesn't contain an entry with label 'This is a cert'.
Check the label and try again.
Extracting a certificate from the key file
Example 15
#gsk7cmd -cert -extract -label "The_new_label" -target "this_is_extracted_cert.cer" -db testcacerts.jks -pw changeit
This extracts the certificate with the label "The_new_label" into the file this_is_extracted_cert.cer; the listing below confirms the file exists.
#ls this_is_extracted_cert.cer
this_is_extracted_cert.cer
Creating a self-signed certificate
Example 16
#gsk7cmd -cert -create -db testcacerts.jks -pw changeit -label 'New_Self_Signed' -dn CN=testSELFSIGN,O=ibm,C=in -expire 7300 -size 1024 -x509version 3
This creates a self-signed certificate with the label 'New_Self_Signed'.
Example 17
# gsk7cmd -cert -details -label 'New_Self_Signed' -db testcacerts.jks -pw changeit
This confirms the creation of the self-signed certificate; verify it in the output below.
Output
Label: new_self_signed
Key Size: 1024
Version: X509 V3
Serial Number: 50 29 68 22
Issued by: CN=testSELFSIGN, O=ibm, C=in
Subject: CN=testSELFSIGN, O=ibm, C=in
Valid: From: Tuesday, August 14, 2012 2:18:34 AM IST To: Monday, August 9, 2032 2:18:34 AM IST
Fingerprint: 0C:D5:A0:6A:54:76:6B:3E:D0:3E:2E:42:1C:D0:32:43:66:82:FE:70
Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Trust Status: enabled