Smkeytool Command Options

The smkeytool utility lets you modify the smkeydatabase. Be aware of the following when making database changes:

The smkeytool command options and arguments are as follows:

-createDB

Creates a new key database to store keys and certificates. By default, the directory is named smkeydatabase. Additionally, an empty alias store named keyaliases.ser is created in the smkeydatabase directory. You can change the key store location by modifying the smkeydatabase.properties file.

Important! To store multiple keys in the database, you must define the first key you add with the alias defaultenterpriseprivatekey before you can add subsequent keys.

Options for -createDB are as follows:

-password <password>

Required. The password is used to store all data in an encrypted format in the key database. It can be a value from 6 to 32 characters. It is encrypted using the policy store key and added to the smkeydatabase.properties file.

-importDefaultCACerts

Optional. Imports the default Certificate Authority (CA) certificates during the creation of the database. These certificates are imported from the cacerts.keystore file, which is installed with the [set to your product name] and contains all default CA certificates. This option has the same effect as running the -importDefaultCACerts command separately.

-addPrivKey

Adds the specified private keys and corresponding certificates to the key database. You can have multiple private keys and certificates in the database. Only RSA keys are supported. When you use the -addPrivKey command, you can specify the key data by combining the -keyfile and -certfile options or by using the -keycertfile option alone.

The Policy Server at the producing authority uses a single enterprise private key to sign SAML messages and to decrypt encrypted SAML messages received from the consuming authority. Typically, the enterprise key is the first private key found in the smkeydatabase.

Note: The entire smkeydatabase is encrypted; however, the individual private keys are not.

Options for -addPrivKey are as follows:

-alias <alias>

Required. Alias associated with a single certificate in the database. Must be a unique string and should contain only alphanumeric characters.

-certfile <cert_file>

Full path to the location of the certificate associated with this private key. Required for keys in PKCS1, PKCS5, and PKCS8 format.

-keyfile <private_key_file>

Full path to the location of the private key file. Required for keys in PKCS1, PKCS5, and PKCS8 format.

-keycertfile <key_cert_file>

Full path to the location of the PKCS12 file that contains the private key and public certificate data. Required for keys in PKCS12 format.

-password <password>

Optional. Private key files are typically encrypted before they are added to the smkeydatabase, and the key must be decrypted when it is added. The password value is the password used to decrypt the private key data. This password is not stored in the smkeydatabase.

-addCert

Adds a certificate to the key database. X.509 certificates in V1, V2, and V3 format are supported, in either DER or PEM encoding.

Note: For the Policy Server to recognize the new certificate immediately, restart the Policy Server. Otherwise, the database updates based on the frequency you configure in the smkeydatabase.properties file.

If you indicate that you want to trust the certificate as a Certificate Authority, this certificate is always treated as a CA certificate.

Options for -addCert are as follows:

-alias <alias>

Required. Alias for the certificate being added to the database. Must be a unique string and should contain only alphanumeric characters.

-infile <cert_file>

Required. Full path to the location of the newly added certificate.

-trustcacert

Optional. Checks that the user-provided certificate being added is a CA certificate. Smkeytool checks that the certificate has a digital signature extension and that the certificate's IssuerDN and SubjectDN values are the same.

-noprompt

Optional. The user will not be prompted to confirm the addition of the certificate.

-addRevocationInfo

Specifies the location of a CRL so the smkeydatabase can locate the list during the SAML authentication process. The smkeydatabase does not store the contents of a CRL, but merely reads the CRL contents when the Policy Server starts and after a refresh interval has elapsed.

Important! If you add a CRL entry to the smkeydatabase, you must restart the Policy Server.

Options for -addRevocationInfo are as follows:

-issueralias <issuer_alias>

Required. Alias name of the Certificate Authority that issues the CRL.

Example: -issueralias verisignCA

-type (ldapcrl | filecrl)

Required. Specifies whether the list is a CRL file or an LDAP CRL. The options are ldapcrl or filecrl.

-location <location>

Required. Specifies the location of the CRL. For a file, specify the full path to the file. For an LDAP CRL, specify the full path to the LDAP server node.

Example of file location: -location c:\crls\siteminder_root_ca.crl

Example of LDAP CRL location: -location "http://localhost:880/sn=siteminderroot, dc=crls,dc=com"

-deleteRevocationInfo

Deletes a CRL from the database.

Options for -deleteRevocationInfo are as follows:

-issueralias <issuer_alias>

Required. Name of the Certificate Authority that issues the CRL.

-noprompt

Optional. The user will not be prompted to confirm the deletion of the CRL from the database.

-deleteDB

Deletes the smkeydatabase based on configuration data in the smkeydatabase.properties file. All the entries in the key database and the aliases data store file will be deleted.

Option for -deleteDB is as follows:

-noprompt

Optional. The user will not be prompted to confirm the deletion of the database.

-delete

Deletes an existing certificate from the smkeydatabase. If the certificate has an associated private key, the key is also deleted.

Options for -delete are as follows:

-alias <alias>

Required. Alias of the certificate to be removed.

-noprompt

Optional. The user will not be prompted to confirm the deletion of the certificate.

-export

Exports an existing certificate or a private key from the smkeydatabase. Certificate data is exported using PEM encoding. Private key data is exported using DER encoded PKCS8 format.

Options for -export are as follows:

-alias <alias>

Required. Identifies the certificate/key to be exported.

-outfile <out_file>

Required. Full path to the output certificate/key file.

-type (key|cert)

Optional. Indicates whether a certificate or key is being exported. If no option is specified, a certificate is the default.

-password <password>

Required when exporting a private key. Although the entire smkeydatabase is encrypted, individual private keys are stored in unencrypted form. This password encrypts the private key before it is exported.

-importDefaultCACerts

Imports all default trusted Certificate Authority certificates from the cacerts.keystore file, which is installed with the [set to your product name], into the smkeydatabase. Certificate Authority certificates are used to verify the server certificate associated with the producing authority's web server.

Note: For the Policy Server to recognize the updates to the smkeydatabase immediately, restart the Policy Server. Otherwise, the database updates based on the frequency you configure in the smkeydatabase.properties file.

-findAlias

Determines the alias associated with a certificate that is already in the smkeydatabase.

Options for -findAlias are as follows:

-infile <cert_file>

Required. Full path to the certificate file associated with the alias you want to find.

-password <password>

Optional. Required only when a password-protected P12 file is specified as the certificate file.

-listCerts

Lists metadata for all the certificates stored in the key database.

Option for -listCerts is as follows:

-alias <alias>

Optional. Lists the metadata details of the certificate and key associated with the specified alias. This option supports the asterisk (*) as a wildcard character. You can use this wildcard at the beginning and/or at the end of an alias value. Always enclose the value in quotes to prevent the command shell from interpreting the wildcard character.

-listRevocationInfo

Displays a list of current CRLs in the smkeydatabase. The -listRevocationInfo option only prints the CRL name, type (file or ldap), and the location of all the CRLs in the database.

Option for -listRevocationInfo is as follows:

-issueralias <issuer_alias>

Optional. Name of the Certificate Authority that issues the CRL. This option supports the asterisk (*) as a wildcard character. You can use this wildcard at the beginning and/or at the end of an alias value. Always enclose the value in quotes to prevent the command shell from interpreting the wildcard character.

-printCert

Displays metadata for the specified certificate. This command is especially useful on UNIX systems, where it is otherwise difficult to view certificate properties.

Options for -printCert are as follows:

-infile <cert_file>

Required. Location of the certificate file.

-password <password>

Optional. Required only when a password-protected P12 file is specified as the certificate file.

-renameAlias

Renames an existing alias associated with a certificate.

Options for -renameAlias are as follows:

-alias <current_alias>

Required. Current alias associated with a certificate.

-newalias <new_alias>

Required. New alias name. Value must be a unique string and should contain only alphanumeric characters.

-validateCert

Indicates whether or not a certificate is revoked.

Options for -validateCert are as follows:

-alias <alias>

Required. Alias of the certificate in the database that you want to validate.

-infile <crl_file>

Optional. Specifies the CRL file that smkeytool searches for the certificate in order to validate it.

-help

Shows how to use the smkeytool utility.