The N1 Service Provisioning System 5.1 uses the keytool utility provided with the JRE. The keytool utility is wrapped in a shell script, crkeys, to enable you to create keystores. The script ensures that the correct parameters are supplied to the keytool utility.
When you create a keystore, the X.509 Distinguished Name in the self-signed certificate is set to the following:
CN=application_name OU=Engineering O=Sun Microsystems Inc L=Menlo Park ST=CA C=US |
Generate the keys.
% crkeys -options |
Use the following options to create keystores based on the type of SSL connectivity you want to use.
Specifies an alias for the certificate or the key pair. Use the host name of the application as the alias. The alias names must be unique within a keystore.
Specifies the location of the machine that is being authenticated in relationship to the machine that is performing the authentication. For example, you are generating certificates for a Remote Agent that is downstream form a Local Distributor. Specify downstream as the mode for the Remote Agent. Specify upstream as the mode for the Local Distributor.
Changes the password of the keystore and all the keys within the keystore.
Specifies that the key pair or certificate for the specified entity should be deleted from keystore.
Converts and prints the encoded version of the plaintext password. Create an encoded version of a password if you plan to store the password in a file. For example, if you choose to store the keystore password in the config.properties file, you must supply an encoded version of the password.
Exports a self-signed certificate of the specified entity to the specified file.
Specifies the name of the file that the certificate is to be imported from or exported to.
Generates a new key pair for the specified alias.
Lists all the options.
Imports a self-signed certificate of an entity that is allowed to connect to this node. When importing the certificate, the host name of the node that this certificate represents should be used as the alias.
The key generation algorithm. Defaults to RSA. Can be either RSA or DSA.
The key size. Defaults to 1024. Can be any multiple of 64 in the range 512-1024 for DSA keys, and range 512-2048 for RSA keys.
Lists all the entities contained in the keystore.
Specifies the new password for the keystore and all the keys in the keystore. The password must contain at least six characters.
Specifies the password for the keystore. If a password is not specified, the user is prompted for a password. The password must contain at least six characters.
Specifies the private keystore as the target of the operation.
Number of days the self-signed certificate is valid.
Specifies the trust keystore as the target of the operation.
The following examples show how to use the crkeys command.
To generate a public-private key pair:
crkeys -private –generate -mode {upstream|downstream} –alias application_hostname [-keyalg keyalg] [-keysize keysize] [-validity days_valid] [–password password] |
To export the self signed public key for a key pair to a file:
crkeys -private –export –file cert_file –alias application_hostname [–password password] |
To import an exported, as shown in the previous example, self signed public key into the trust store:
crkeys –trust –import –file cert_file –alias application_hostname [-password password] |
To delete a key or key pair:
crkeys {-private|–trust} -delete –alias application_hostname [-password password] |
To list all of the public keys:
crkeys {-private|–trust} –list [-password password] |
To change the SSL keystore, both the trust and the private store, password:
crkeys –cpass -password oldpassword -new newpassword |
To convert and print the encoded version of the plaintext pasword:
crkeys -epass -password password |
To print instructions for using the crkeys command:
crkeys -help |