Maintaining certificates

The following sslcmd utility functions are described in this topic:

To view information about CA certificates:

Use this option to display the following data about CA certificates:

  1. Run the sslcmd utility (see sslcmd menu).
  2. In the sslcmd Main menu, select 9 View CA to display data about a CA certificate in the key database. You are prompted for the CA certificate number. After the data is displayed, the message Command View CA successful indicates that the display is complete. Data similar to the following is displayed:

    Enter CA number to view:1

    ***CA number 1, Label unknown

    Subject Distinguished Name:

    CN=WWWQA Testing Certificate Authority,OU=WEBDEV,O=BMC Software,L=Houston,ST=Texas,C=US

    Subject Distinguished Name:

    CN=WWWQA Testing Certificate Authority,OU=WEBDEV,O=BMC Software,L=Houston,ST=Texas,C=US

    Issuer Distinguished Name:

    CN=WWWQA Testing Certificate Authority,OU=WEBDEV,O=BMC Software,L=Houston,ST=Texas,C=US

    Certificate Serial=2cc4384b1000128f11d2e2e0a91681d4

    RSA public key length: 512 bits

    Valid Begin: Thu Mar 25 20:44:14 1999

    Valid End: Thu Mar 25 20:44:14 2004

    Status: TRUSTED_ROOT

    The following Certificate Extensions exist:

    Key Usage

    OID: 551d0f

    Criticality Bit: Off

    Data: 03 02 00 c4

    Basic Constraints

    OID: 551d13

    Criticality Bit: Off

    Data: 30 03 01 01 ff

    Subject Key Identifier

    OID: 551d0e

    Criticality Bit: Off

    Data: 04 14 9f 09 f8 37 ed 00 9d 4a 55 93 31 53 80 7b a1 42 e0 04 94 25

    Command View CA successful

    Enter to proceed
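The extension Data lines in the View CA listing are raw DER, so the key usage and CA flag have to be decoded before the certificate can be reviewed. The following added example (not part of the sslcmd utility or the original documentation) decodes the Key Usage and Basic Constraints values from the sample output above and flags a short RSA key or an expired certificate; the function names and the 2048-bit floor are assumptions.

```python
import re
from datetime import datetime

# Excerpt of the View CA sample output shown above (blank lines dropped).
SAMPLE = """RSA public key length: 512 bits
Valid End: Thu Mar 25 20:44:14 2004
OID: 551d0f
Criticality Bit: Off
Data: 03 02 00 c4
OID: 551d13
Criticality Bit: Off
Data: 30 03 01 01 ff
"""
# DER content bytes of 2.5.29.15 (keyUsage) and 2.5.29.19 (basicConstraints)
KU_OID, BC_OID = "551d0f", "551d13"
KEY_USAGE = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
             "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly"]

def key_usage(data):
    """BIT STRING: tag 03, length, unused-bit count, then flags (MSB = bit 0)."""
    raw = bytes.fromhex(data)
    if raw[0] != 0x03 or raw[1] != len(raw) - 2:
        raise ValueError("not a DER BIT STRING")
    bits = "".join(f"{b:08b}" for b in raw[3:])
    return [name for name, bit in zip(KEY_USAGE, bits) if bit == "1"]

def is_ca(data):
    """SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }: CA only if the BOOLEAN is set."""
    raw = bytes.fromhex(data)
    if raw[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    body = raw[2:2 + raw[1]]
    return len(body) >= 3 and body[0] == 0x01 and body[2] != 0

def audit(text, now, min_bits=2048):       # min_bits: assumed policy floor
    """Return findings for one View CA listing."""
    ext = dict(re.findall(
        r"OID: (\w+)\s+Criticality Bit: \w+\s+Data: ([0-9a-fA-F ]+)", text))
    bits = int(re.search(r"RSA public key length: (\d+) bits", text).group(1))
    end = datetime.strptime(re.search(r"Valid End: (.+)", text).group(1).strip(),
                            "%a %b %d %H:%M:%S %Y")
    findings = [f"RSA key is {bits} bits"] if bits < min_bits else []
    if end < now:
        findings.append(f"expired {end:%Y-%m-%d}")
    # An absent Key Usage extension places no restriction on the key.
    usage = key_usage(ext[KU_OID]) if KU_OID in ext else KEY_USAGE
    if not (BC_OID in ext and is_ca(ext[BC_OID])) or "keyCertSign" not in usage:
        findings.append("not marked as a certificate-signing CA")
    return findings
```

For the sample certificate, the Key Usage bytes decode to digitalSignature, nonRepudiation and keyCertSign, and the Basic Constraints bytes mark it as a CA.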

To delete a trusted root authority certificate:

  1. Run the sslcmd utility (see sslcmd menu).

    NOTE: To list all the certificates (including certificate numbers) in the SSL key database, select option 8 List CA from the sslcmd menu.

  2. In the sslcmd Main menu, select 10 Delete CA to generate a prompt followed by a confirmation prompt. Enter the number of the certificate you want to delete.

    Enter CA number:1

    Confirm deletion of:1

    (Y/N):y

    Command Delete CA successful

  3. The message Command Delete CA successful is displayed when the certificate is successfully deleted.

To delete a public-private key pair and certificate:

Deleting a public-private key pair automatically deletes the associated certificate.

  1. Run the sslcmd utility (see sslcmd menu).
  2. In the sslcmd Main menu, select 6 Delete key. A prompt and confirmation prompt for the alias name of the key pair you want to delete are displayed:

    Enter alias name:CODN

    Confirm deletion of:CODN   (Y/N):y

    Command Delete key successful

  3. Enter the alias name of the key pair to delete from the SSL key database. The message Command Delete key successful indicates that the key pair and associated certificate were successfully deleted.

To install a new certificate revocation list (CRL):

  1. Obtain the new CRL from the trusted CA.
  2. Run the sslcmd utility (see sslcmd menu).
  3. In the sslcmd Main menu, select 11 Add CRL. You are prompted for the new CRL file name. Enter the file name of the CRL you want to install. A message similar to this one is displayed:

    Enter crl file name ctm.crl

    -----BEGIN X509 CRL-----

    -----END X509 CRL-----

    Command Add CRL successful

    The named CRL is added to the SSL key database.

To change the key database password:

To use your own encrypted password for the Control-M/Server ctmkey.jks, follow the procedure referred to below (see To use your Own Encrypted password for Control-M/Server for the ctmkey.jks).

Perform the following procedure to change the key database password using the sslcmd utility.

  1. Run the sslcmd utility (see sslcmd menu).

    The SSL directories for UNIX are:

    or

    For Control-M/Agent: <Control-M/Agent_directory>/ctm/data/SSL/cert

    The Encryptor directories for UNIX are:

    The SSL directory for Windows is:

  2. In the sslcmd Main menu, select 12 Change KDB password. The following prompt is displayed:

    Enter new key file SSL_directory/keyfile_name password (at least 8 characters):

  3. Enter the new password. You are prompted to retype the password. When you retype the new password, this message is displayed:

    Command Change password successful

    Enter to proceed

    Press Enter. After the menu is displayed, select 19 to exit the sslcmd utility.

  4. To generate an encrypted version of the new password, enter the command:

    bmcryptpw -m Encryptor_directory/tree.bin -e

    The Enter password prompt is displayed. Enter the new password used in step 3 above. An encoded password similar to this one is generated:

    Encoded passwd: e2447186b2854c59258c5061f04ef1f1a72ed785e8819854

  5. Use an editor to update the encrypted password.