Certificate management with ikeycmd command

 

Many tools are available to manage certificates. ikeycmd is one of the more powerful tools shipped with Java for managing certificates and key databases.

Below are a few examples of how you can use this command.

1.) Creating a key database file.

$./ikeycmd -keydb -create -db /tmp/mykeydb.p12 -pw test@123 -type pkcs12

The above command creates a PKCS#12 key database called mykeydb.p12:

$ls -ltr /tmp/mykeydb.p12

-rw-rw-r--. 1 techmech techmech 510 Sep 21 20:34 /tmp/mykeydb.p12

2.) Listing all certificates in a key database.

$./ikeycmd -cert -list -db /tmp/mykeydb.p12 -pw test@123

No key was found in the key database.

Since we have just created the database, there are no certificates in it yet.

3.) Creating a self-signed certificate.

Issue the command below on a single line.

$./ikeycmd -cert -create -db /tmp/mykeydb.p12 -pw test@123 -label tecmechcert -dn "CN=techmechanica.com,O=TechMechanica,OU=Training,L=Bangalore, ST=KA,ZIP=560001,C=IN" -size 2048

The above command creates a self-signed certificate with the provided details. Note that the key size will be 2048 bits.

You can also provide details like the following:

-sig_alg --> signature algorithm
-san_dnsname --> SAN DNS name, if needed
-san_emailaddr --> SAN email address

To mark or not mark the certificate as the default, add one of the switches below to the command:

-default_cert yes --> mark the certificate as the default
-default_cert no --> do not mark it as the default

After issuing the command, a certificate with the above details is added to the specified key database.

If you list the key database again, you will see the newly created self-signed certificate.

$./ikeycmd -cert -list -db /tmp/mykeydb.p12 -pw test@123
Certificates in database /tmp/mykeydb.p12:
   tecmechcert

4.) Showing the details of a certificate with a specific label.

$./ikeycmd -cert -details -label tecmechcert -db /tmp/mykeydb.p12 -pw test@123

Label: tecmechcert
Key Size: 2048

Version: X509 V3
Serial Number: 5F 68 C4 6D
Issued by: CN=techmechanica.com, O=TechMechanica, OU=Training, L=Bangalore, ST=KA, POSTALCODE=560001, C=IN
Subject: CN=techmechanica.com, O=TechMechanica, OU=Training, L=Bangalore, ST=KA, POSTALCODE=560001, C=IN
Valid: From: Monday, September 21, 2020 8:49:09 PM IST To: Tuesday, September 21, 2021 8:49:09 PM IST
Fingerprint:
    SHA1: 01:39:9B:46:A2:00:41:2B:37:BA:A5:40:E1:14:0D:63:7F:39:4F:F8
    SHA256: 40:63:77:0B:06:CB:2A:B8:4D:00:DA:81:31:23:7E:A0:0F:08:CF:AF:31:99:C9:64:89:CE:87:0E:B4:8F:FB:7E

Extensions: 
  - AuthorityKeyIdentifier: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 84 1b ea 6a cc bc 7d a0                           ...j....
]

]

  - SubjectKeyIdentifier: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 84 1b ea 6a cc bc 7d a0                           ...j....
]
]

Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Trust Status: enabled
----------------------------------------------

Note that the details above (subject DN and key size) are the values you provided while creating the certificate.

5.) Deleting the certificate.

Issue the command below to delete the certificate with the specified label:

$./ikeycmd -cert -delete -label tecmechcert -db /tmp/mykeydb.p12 -pw test@123

You will no longer be able to show the certificate's details, as it no longer exists in the key database:

$./ikeycmd -cert -details -label tecmechcert -db /tmp/mykeydb.p12 -pw test@123

The database doesn't contain an entry with label 'tecmechcert'.

Check the label and try again.

6.) Creating a CSR with ikeycmd

The command below creates a certificate signing request (CSR) and stores the request in a file called /tmp/myreq.csr. You can provide/upload that file to your CA to obtain your certificate.

$./ikeycmd -certreq -create -db /tmp/mykeydb.p12 -pw test@123 -label tecmechcert -file /tmp/myreq.csr -dn "CN=techmechanica.com,O=TechMechanica,OU=Training,L=Bangalore, ST=KA,ZIP=560001,C=IN" -size 2048

7.) Showing the details of an existing CSR with a specified label.

$./ikeycmd -certreq -details -label tecmechcert -db /tmp/mykeydb.p12 -pw test@123

Label: tecmechcert
Key Size: 2048
Subject: CN=techmechanica.com, O=TechMechanica, OU=Training, L=Bangalore, ST=KA, POSTALCODE=560001, C=IN

Fingerprint: 8E:EC:C8:4B:71:87:BA:8C:BE:86:B5:3C:A9:97:FA:00
Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5)
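The details output of steps 4 and 7 is plain text, so the contents of a key database can be audited from a script rather than read by eye. The following Python script is an added example and is not part of the original post or of ikeycmd: it parses that output and flags signature algorithms from the MD5 and SHA-1 families, keys under 2048 bits, self-signed certificates (issuer equal to subject) and certificates that are expired or expire within 30 days. The two sample strings are transcribed from the output shown above; the thresholds, the WEAK_SIG_ALGS set and the script name check_ikeycmd.py are assumptions of the example. Run against the output above it reports the SHA1withRSA signature and the self-signed issuer, which are policy findings rather than something the chain check in step 11 is meant to catch.

```python
"""Policy checks over the text printed by ikeycmd -cert -details and
-certreq -details (example code, not part of ikeycmd)."""
import re
import sys
from datetime import datetime, timedelta

# Constructed sample input: transcribed from the ikeycmd output shown in
# the post for label tecmechcert (the extension hex dump is left out
# because the checks below do not use it).
SAMPLE_CERT_DETAILS = """\
Label: tecmechcert
Key Size: 2048

Version: X509 V3
Serial Number: 5F 68 C4 6D
Issued by: CN=techmechanica.com, O=TechMechanica, OU=Training, L=Bangalore, ST=KA, POSTALCODE=560001, C=IN
Subject: CN=techmechanica.com, O=TechMechanica, OU=Training, L=Bangalore, ST=KA, POSTALCODE=560001, C=IN
Valid: From: Monday, September 21, 2020 8:49:09 PM IST To: Tuesday, September 21, 2021 8:49:09 PM IST
Fingerprint:
    SHA1: 01:39:9B:46:A2:00:41:2B:37:BA:A5:40:E1:14:0D:63:7F:39:4F:F8
    SHA256: 40:63:77:0B:06:CB:2A:B8:4D:00:DA:81:31:23:7E:A0:0F:08:CF:AF:31:99:C9:64:89:CE:87:0E:B4:8F:FB:7E

Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5)
Trust Status: enabled
"""

SAMPLE_CSR_DETAILS = """\
Label: tecmechcert
Key Size: 2048
Subject: CN=techmechanica.com, O=TechMechanica, OU=Training, L=Bangalore, ST=KA, POSTALCODE=560001, C=IN

Fingerprint: 8E:EC:C8:4B:71:87:BA:8C:BE:86:B5:3C:A9:97:FA:00
Signature Algorithm: SHA1withRSA (1.2.840.113549.1.1.5)
"""

# Policy thresholds: assumptions chosen for this example, adjust to taste.
WEAK_SIG_ALGS = {"MD2WITHRSA", "MD5WITHRSA", "SHA1WITHRSA",
                 "SHA1WITHDSA", "SHA1WITHECDSA"}
MIN_KEY_BITS = 2048
EXPIRY_WARN_DAYS = 30

FIELD_RE = re.compile(r"^(Label|Key Size|Serial Number|Issued by|Subject|"
                      r"Signature Algorithm|Trust Status): (.*)$")
VALID_RE = re.compile(r"^Valid: From: (.+?) To: (.+)$", re.MULTILINE)


def parse_ikeycmd_date(text):
    """Parse 'Monday, September 21, 2020 8:49:09 PM IST' as ikeycmd prints it.
    The trailing zone abbreviation is dropped; strptime's %Z knows only a few."""
    text = text.strip().rsplit(" ", 1)[0]
    return datetime.strptime(text, "%A, %B %d, %Y %I:%M:%S %p")


def parse_details(text):
    """Turn the 'Field: value' lines into a dict; validity dates become datetimes.
    A CSR simply yields no issuer and no validity keys."""
    info = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    m = VALID_RE.search(text)
    if m:
        info["not_before"] = parse_ikeycmd_date(m.group(1))
        info["not_after"] = parse_ikeycmd_date(m.group(2))
    return info


def check_entry(info, now=None):
    """Return the list of policy findings for one entry; an empty list means clean."""
    now = now or datetime.now()
    findings = []
    sig = info.get("Signature Algorithm", "").split(" (")[0]
    if sig.upper() in WEAK_SIG_ALGS:
        findings.append("weak signature algorithm " + sig)
    bits = int(info.get("Key Size", "0"))
    if bits < MIN_KEY_BITS:
        findings.append("key size %d below %d" % (bits, MIN_KEY_BITS))
    if "Issued by" in info and info["Issued by"] == info.get("Subject"):
        findings.append("self-signed (issuer equals subject)")
    if "not_after" in info:
        if now < info["not_before"]:
            findings.append("not yet valid")
        if now > info["not_after"]:
            findings.append("expired on " + info["not_after"].strftime("%Y-%m-%d"))
        elif now > info["not_after"] - timedelta(days=EXPIRY_WARN_DAYS):
            findings.append("expires within %d days" % EXPIRY_WARN_DAYS)
    return findings


def report(text, now=None):
    """One-line summary per entry, the shape a cron job would log."""
    info = parse_details(text)
    findings = check_entry(info, now)
    status = "OK" if not findings else "; ".join(findings)
    return "%s: %s" % (info.get("Label", "?"), status)


if __name__ == "__main__":
    # Pipe real output in: ikeycmd -cert -details ... | python3 check_ikeycmd.py
    if not sys.stdin.isatty():
        print(report(sys.stdin.read()))
    else:
        print(report(SAMPLE_CERT_DETAILS, datetime(2020, 10, 1)))
        print(report(SAMPLE_CSR_DETAILS, datetime(2020, 10, 1)))
```

The date parser drops the zone name that ikeycmd appends (IST above), so the expiry comparison is only as accurate as the zone of the machine running the check; for a 30-day warning window that is good enough, for a same-day cut-over it is not.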
 

8.) Listing all certificate requests.

$./ikeycmd -certreq -list -db /tmp/mykeydb.p12 -pw test@123

Certificate requests in database /tmp/mykeydb.p12:
   tecmechcert

Since we have only one certificate request, only one request is listed.

9.) Deleting a certificate request

Caution: if you delete the CSR, you will not be able to receive the CA-issued certificate into the key database, because the key pair the request was generated with is removed along with it. Delete a CSR only if you are sure you created an erroneous request.

$./ikeycmd -certreq -delete -label tecmechcert -db /tmp/mykeydb.p12 -pw test@123

The specified certificate request is deleted from the key database file. You will have to create another request and submit it to the CA to obtain your certificate:

$./ikeycmd -certreq -details -label tecmechcert -db /tmp/mykeydb.p12 -pw test@123

The database doesn't contain an entry with label 'tecmechcert'.

Check the label and try again.

10.) Adding the issued certificate to the key database file.

After receiving the certificate from the CA, place the certificate file in any location and pass that file's path to the command:

$./ikeycmd -cert -add -file /tmp/mycert.cer -label tecmechcert -db /tmp/mykeydb.p12 -pw test@123 

11.) Validating the certificate.

To validate the added certificate, issue the command below:

$./ikeycmd -cert -validate -label tecmechcert -db /tmp/mykeydb.p12 -pw test@123

Validation successful.