Use the GENCERT command to create a digital certificate and potentially a public/private key pair.
The DIGICERT keyword is required. If both DCDSN and SUBJECTN are specified, the SUBJECTN information overrides the request data set name. If SUBJECTN is specified, only one of the SUBJECTN subfields is required.
To generate a certificate, enter the command:
TSS GENCERT(CERTAUTH|CERTSITE|acid)
DIGICERT(8-byte-name)
[DCDSN(request-data-set-name)]
[SUBJECTN('CN="common-name"
T="title"
OU="organizational-unit-name1,
organizational-unit-name2"
O="organizational-name"
L="locality"
ST="state-or-province"
C="2-digit-only country code"')]
[ALTNAME('IP=numeric-IP-address DOMAIN=internet-domain-name
EMAIL=email-address
URI=universal-resource-identifier')]
[ICSF|PCICC|DSA|NISTECC|BPECC]
[FROMICSF(label-name)]
[KEYSIZE(key-size)]
[KEYUSAGE('HANDSHAKE DATAENCRYPT DOCSIGN CERTSIGN KEYAGREE')]
[LABLCERT(label-name)]
[LABLPKDS(PKDS-label|*)]
[NBDATE(mm/dd/yy) NBTIME(hh:mm:ss)]
[NADATE(mm/dd/yy) NATIME(hh:mm:ss)]
[SIGNALG(SHA1|SHA256)]
[SIGNWITH(acid,digicert)]
acid
A user ACID.
CERTAUTH
An ACID in which your installation can maintain certificates that were generated by a third-party certificate authority (CA). This ACID is pre-defined in CA Top Secret. You cannot add a KEYRING to this ACID.
CERTSITE
An ACID in which your installation can maintain site-generated certificates. This ACID is pre-defined in CA Top Secret. You cannot add a KEYRING to this ACID.
DIGICERT
Specifies a case-sensitive character ID that identifies the certificate with the user ACID. DIGICERT must be entered on every GENCERT command, since this keyword supplies the name to be used in the digital certificate.
Range: 1 to 8 characters
DCDSN
Specifies the name of an optional data set that contains the PKCS#10 certificate request data. The request data set can be the output of a TSS GENREQ command. The request data contains the user's generated public key and X.509 distinguished name. The request data must be signed, DER-encoded, and then Base64-encoded according to the PKCS#10 standard. The data set must be cataloged.
If DCDSN is specified, CA Top Secret does not generate a key pair (private and public key), because this data set already contains the user's public key. SIGNWITH must also be specified, because the request data set named in DCDSN does not contain a private key.
Range: Up to 44 characters
SUBJECTN
[SUBJECTN('CN="common-name"
T="title"
OU="organizational-unit-name1,organizational-unit-name2"
O="organizational-name"
L="locality"
ST="state-or-province"
C="2-digit-only-country-code"')]
Notes:
You can use A-Z and 0-9. The only exception is C=COUNTRY, which is a 2-digit value field. If DCDSN or SUBJECTN is not specified, SUBJECTN defaults to the ACID name field.
Range:
ALTNAME
Specifies the values for the SubjectAltName extension; one or more values can be coded. There is no default. The possible values are:
IP
Specifies a string containing a fully qualified numeric IP address, in one of these forms:
141.202.1.255
1080:23B4:324:4:3BCD:26:39F4:332
0:0:0:0:0:FFFF:141.202.1.255
The maximum field size is 45 bytes.
DOMAIN
Specifies a string containing a fully qualified internet domain name.
For example: ALTNAME(DOMAIN=CA.COM)
EMAIL
Specifies a string containing a fully qualified email address.
For example: ALTNAME(EMAIL=JAMES@Kingdom.net)
URI
Specifies the universal resource identifier.
For example: ALTNAME(URI=WWW.CA.COM)
Notes:
When you specify multiple parameters to ALTNAME, you must include a single quote at the beginning and at the end of the parameter list.
For example: ALTNAME('IP=201.100.10.9 EMAIL=my.email@test.net')
Multiple parameters are separated with a space (see the example above).
ICSF
If ICSF is specified and the IBM ICSF feature is enabled, the private key is stored in the ICSF data facility.
PCICC
(Optional) Specifies that the key pair is generated using the PCI Cryptographic Coprocessor and that the private key is stored in ICSF. When PCICC is not specified, the key pair is generated using software. PCICC cannot be used with the DSA, DSN, or ICSF parameters.
If a PCI cryptographic coprocessor is not present or operational, or if ICSF is not active or not configured for PKA operations, an error message is displayed and processing terminates. If none of ICSF, PCICC, or LABLPKDS is specified, the key pair is generated using software and stored in the security file as a non-ICSF key.
DSA
(Optional) Specifies that the key pair is generated using the Digital Signature Algorithm instead of the RSA algorithm. The DSA algorithm creates key pairs that can be used only for signing data. The RSA algorithm creates key pairs that can be used both to sign data and to encrypt data. This parameter cannot be used in conjunction with the ICSF, PCICC, NISTECC, or BPECC parameters. When specifying the DSA parameter, the KEYSIZE parameter can be as high as 2048.
NISTECC
(Optional) Specifies that the key pair is generated using the National Institute of Standards and Technology (NIST) ECC algorithm instead of the RSA algorithm. This parameter cannot be used with the ICSF, DSA, or BPECC parameters.
BPECC
(Optional) Specifies that the key pair is generated using the Brainpool ECC algorithm instead of the RSA algorithm. This parameter cannot be used with the ICSF, DSA, or NISTECC parameters.
FROMICSF
(Optional) Specifies that the public key for this certificate is obtained from ICSF using the specified PKDS label. The private key of the source certificate, if one exists, is not associated with the new certificate. FROMICSF cannot be specified with the DCDSN or LABLPKDS parameters. SIGNWITH must be specified when FROMICSF is specified.
KEYSIZE
The maximum key size depends on the private key type.
Private key type maximum key sizes are:
Shorter ECC keys have key strengths comparable to longer RSA keys. The following table shows the comparable strength of each key type:

| RSA Key Size (in bits) | NISTECC Key Size (in bits) | BPECC Key Size (in bits) |
|---|---|---|
| 1024 | 192 | 160 or 192 |
| 2048 | 224 | 224 |
| 3072 | 256 | 256 or 320 |
| 7680 | 384 | 384 |
| 15360 | 521 | 512 |

Currently, the standard key sizes for RSA keys are as follows:
KEYUSAGE
Specifies key attribute information, including the values for the KeyUsage certificate extension; one or more of the values can be coded. For certificate authority certificates (CERTAUTH) the default is CERTSIGN, which is always set. There is no default for certificates that are not certificate-authority certificates. Valid values for KEYUSAGE include:
HANDSHAKE
Facilitates identification and key exchange during security handshakes, such as SSL, and sets the digitalSignature and keyEncipherment indicators. When the key pair is generated with the DSA algorithm, only the digitalSignature bit is set, because DSA keys cannot be used for encryption.
DATAENCRYPT
Encrypts data, and sets the dataEncipherment indicator. When the key pair is generated using the DSA algorithm, you cannot use the DATAENCRYPT keyword in the KEYUSAGE parameter.
DOCSIGN
Specifies a legally binding signature, and sets the nonRepudiation indicator.
CERTSIGN
Specifies a signature for other digital certificates and CRLs, and sets the keyCertSign and cRLSign indicators.
KEYAGREE
Facilitates key exchange, and sets the keyAgreement indicator. This usage is valid only for NISTECC and BPECC keys. A certificate with no keyUsage value other than keyAgreement cannot be used for signing.
Note: Include single quotes if specifying more than one value with KEYUSAGE. For example:
KEYUSAGE('HANDSHAKE DATAENCRYPT')
LABLCERT
Specifies an optional, case-sensitive label to be associated with the certificate being added to the user. Spaces are allowed if you enclose the label in single quotes. This label is used as a handle instead of the serial number and issuer's distinguished name, and must be unique for the individual user. If a label is not specified, the label defaults to the value specified in the DIGICERT keyword.
Range: Up to 32 characters
LABLPKDS
(Optional) Specifies the PKDS label of the record created in the ICSF Public Key Data Set (PKDS). This keyword can be used with ICSF, PCICC, NISTECC, or BPECC, but many of these keywords cannot be used together (see the individual keyword descriptions for details). If neither ICSF nor PCICC is specified, a PCICC key is generated by the hardware and saved in CRT format in the ICSF PKDS. If NISTECC or BPECC is specified, an ECC key is generated; otherwise an RSA key is generated.
Specify (*) to take the value from the LABLCERT keyword. In that case, LABLCERT must be specified alongside LABLPKDS(*). If LABLPKDS(*) is specified without the LABLCERT keyword, an error message is displayed.
In either case, the PKDS label must conform to ICSF label syntax rules. The first character must be alphabetic or national. The field is folded to uppercase.
Valid characters: Alphanumeric, national (@, #, $), or period (.)
Limits: Up to 64 characters
NADATE NATIME
Specifies the date and time after which the digital certificate can no longer be used. NADATE specifies the "not after" date after which a digital certificate cannot be used. NATIME specifies the "not after" time after which the certificate cannot be used. The certificate is deactivated after this date and time.
Date and time fields are optional, except that if a time is specified, the date is required. If NADATE is omitted, the default is one year from the date the certificate is generated.
If an expiration date is not also specified, the NBDATE year specified must fall within the range 1950-2048, because the NADATE date defaults to the activation date and time plus one year.
The certificate date format is not governed by the DATE parameter in CA Top Secret. The format is MM/DD/YY.
Year Range: 1950-2049
NBDATE NBTIME
Specifies the date and time from which the digital certificate can be used. NBDATE specifies the "not before" date from which a digital certificate can be used. NBTIME specifies the "not before" time from which the certificate can be used. The certificate is activated at the specified date and time.
Date and time fields are optional, except that if a time is specified, the date is required.
If an expiration date is not also specified, the NBDATE year specified must fall within the range 1950-2048, because the NADATE date defaults to the activation date and time plus one year.
The certificate date format is not governed by the DATE parameter in CA Top Secret. The format is MM/DD/YY.
Year Range: 1950-2049
SIGNALG
(Optional) Specifies the digital certificate signing algorithm to be used when generating a new certificate. Possible values are SHA1 and SHA256.
Default: SHA1, or SHA256 for RSA certificates when the key size is 2048 or larger.
Note: SHA256 cannot be used when DSA is specified.
SIGNWITH
Specifies the certificate whose private key signs the new certificate. If not specified, the default is to sign the certificate with the private key of the certificate being generated, which creates a self-signed certificate. If SIGNWITH is specified, it must refer to a certificate that has a private key associated with it. If no private key is associated with that certificate, an informational message is generated and processing stops. If DCDSN is specified on the GENCERT command, the SIGNWITH keyword is required.
Self-signed certificates are always trusted, while all other certificates are created with the trust status of the certificate specified in the SIGNWITH keyword. If the certificate specified in the SIGNWITH keyword is not trusted, an informational message is issued, but the certificate is still generated.
The length of the SUBJECTN field on the certificate specified for SIGNWITH cannot exceed 229 if SDNSIZE(225) is specified, or 1007 if SDNSIZE(1024) is specified.
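The keyword dependencies and exclusions documented above are easy to get wrong on a long GENCERT command. As an added example (not part of this reference and not CA Top Secret code), the following Python check applies those rules to a proposed keyword set before the command is issued; the dict layout, the message strings, and the treatment of bare keywords as True values are assumptions of this example.

```python
import re

# Keyword pairs the reference says cannot appear on the same GENCERT command.
EXCLUSIVE = [
    ("PCICC", "DSA"), ("PCICC", "ICSF"), ("DSA", "ICSF"), ("DSA", "NISTECC"),
    ("DSA", "BPECC"), ("NISTECC", "ICSF"), ("NISTECC", "BPECC"), ("BPECC", "ICSF"),
    ("FROMICSF", "DCDSN"), ("FROMICSF", "LABLPKDS"),
]
# ICSF PKDS label: first char alphabetic or national, then alphanumeric/national/period, max 64.
PKDS_LABEL = re.compile(r"^[A-Z@#$][A-Z0-9@#$.]{0,63}$")

def check_gencert(kw):
    """kw maps each GENCERT keyword to its value (True for bare flags such as
    ICSF or DSA). Returns a list of rule violations; an empty list means acceptable."""
    problems = []
    for a, b in EXCLUSIVE:
        if a in kw and b in kw:
            problems.append(f"{a} cannot be used with {b}")
    if not 1 <= len(kw.get("DIGICERT", "")) <= 8:
        problems.append("DIGICERT must be 1 to 8 characters")
    # A PKCS#10 request or an ICSF public key carries no private key, so the
    # new certificate must be signed by another certificate.
    for needs_signer in ("DCDSN", "FROMICSF"):
        if needs_signer in kw and "SIGNWITH" not in kw:
            problems.append(f"{needs_signer} requires SIGNWITH")
    label = kw.get("LABLPKDS")
    if label == "*":
        if "LABLCERT" not in kw:
            problems.append("LABLPKDS(*) requires LABLCERT")
    elif label and not PKDS_LABEL.match(label.upper()):  # field is folded to uppercase
        problems.append("LABLPKDS does not conform to ICSF label syntax")
    usage = kw.get("KEYUSAGE", "").split()
    if "DSA" in kw:  # DSA keys sign only, cap at 2048 bits, and use SHA1 signatures
        if kw.get("SIGNALG") == "SHA256":
            problems.append("SHA256 cannot be used with DSA")
        if int(kw.get("KEYSIZE", 0)) > 2048:
            problems.append("DSA KEYSIZE cannot exceed 2048")
        if "DATAENCRYPT" in usage:
            problems.append("DATAENCRYPT is not valid for DSA keys")
    if "KEYAGREE" in usage and not ("NISTECC" in kw or "BPECC" in kw):
        problems.append("KEYAGREE is valid only for NISTECC or BPECC keys")
    if len(kw.get("LABLCERT", "")) > 32:
        problems.append("LABLCERT exceeds 32 characters")
    m = re.search(r"\bC=\"([^\"]*)\"", kw.get("SUBJECTN", ""))
    if m and len(m.group(1)) != 2:
        problems.append("SUBJECTN C= must be a 2-character country code")
    return problems
```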
Copyright © 2014 CA Technologies. All rights reserved.