Reference Guide › DXtools › DXcertgen Tool › dxcertgen certs Command—Create DSA and User Certificates

dxcertgen certs Command—Create DSA and User Certificates

The command dxcertgen certs creates DSA and user certificates, and signs these using a root certificate.

If DXcertgen can use a keystore, it stores the root certificate and the private key there. If it cannot use keystore, it stores the root certificate (but not the private key) in a file.

If DXcertgen uses a keystore to hold the root certificate then it re-uses that root certificate when it creates new DSA and user certificates.

If DXcertgen does not use a keystore, it creates a new root certificate each time it creates new DSA or user certificates, and invalidates all certificates it had previously created. It also deletes the private key of the root certificate it has just created, to ensure that no more certificates will be created from that key and so ensure the integrity of the encryption.

Note: DXcertgen uses a keystore if (and only if) it finds keystore software in JAVA_HOME/bin/keytool.

DXcertgen can only create DSA certificates for DSAs that already exist.

It always stores DSA certificates in DXHOME/ssld/personalities. It stores user certificates in a keystore if one is specified in the -c option, or in the path specified in the -p option.

This command has the following syntax:

dxcertgen [-a rootalias] [-c cert-ks-path -C cert-ks-password ] [-d days] [-D dsaname] [-i issuer] -p cert-file-path [-P rootcert-pk-ks-password][-s rootcert-ks-path [-S rootcert-ks-password]] [-u users] certs

• -a rootalias

  Specifies the root key in the keystore. Only use this if you use a root certificate keystore.

  Default: dxcertgen

• -c cert-ks-path -C cert-ks-password
  • cert-ks-path

    Specifies the path to a keystore to use to store the created user certificates given by the -u option.

    Default: DXHOME/config/ssld/javakeystores

  • cert-ks-password

    Specifies the existing password to access the user certificate keystore. You should have set this password when you created the keystore.

• -d days

  Specifies the number of days for which the certificate will be valid.

  Default: 365

• -D dsaname

  Specifies the DSA for which a new certificate will be created. If you do not use this option, DXcertgen will create certificates for all DSAs.

  Only use this if you use a root certificate keystore.

• -i issuer

  Specifies the name to use if you are creating a root certificate. DXcertgen generates a root certificate with the name given here. Usually this will be your company name.

  Default: "CN=DXCertGenCA,O=DXCertGenPKI,C=AU"

• -p cert-file-path

  Specifies the path to a file to use to store created user certificates.

  Default: DXHOME/config/ssld/personalities

• -P rootcert-pk-ks-password

  Specifies a password to protect the private key in the root certificate keystore. You set this password here.

• -s rootcert-ks-path [-S rootcert-ks-password]
  • rootcert-ks-path

    Specifies the path to the root certificate keystore.

    Default: DXHOME/config/ssld/javakeystores

  • rootcert-ks-password

    Specifies the password to access the root certificate keystore. You should have set this password when you created the keystore.

    Default: changeit

• -u users

  Specifies an LDIF file that contains a list of users to create certificates for.