Create a digital certificate store

 


 

Overview

The KeyTool command-line program enables you to create a Rational Certificate Store (RCS) file containing digital certificates for use with tests.

An RCS file is a compressed archive file containing one or more PKCS#12 certificates. You can also use the KeyTool program to remove certificates from a certificate store.


Certificate KeyTool

Syntax...

java -cp rpt_home/plugins/com.ibm.rational.test.lt.kernel_version.jar com.ibm.rational.test.lt.kernel.dc.KeyTool \
     --store=file  \
     --passphrase=certificate-passphrase  \
     --add \
     --remove  \
     --generate  \
     --cert=certificate-name  \
     --subject=subject-name  \
     --ca-store=store  \
     --ca-cert=ca-certificate-name  \
     --ca-passphrase=ca-certificate-passphrase  \
     --sign \
     --self-sign  \
     --algorithm=algorithm {RSA | DSA}  \
     --list

If a value contains spaces, enclose the value in quotation marks.

Option Description
--store Name of the RCS file. If the specified certificate store does not have the RCS extension, this extension will be added. Required if adding or removing a certificate.
--passphrase Passphrase to place on the generated certificate. The default passphrase is default. Optional.
--add Add the certificate to the certificate store. Used with --generate, this generates a certificate and adds it to the certificate store. Optional.
--remove Remove the certificate from the certificate store. This option cannot be used with the --add or --generate options. Optional.
--generate Generate a certificate. Used with --add, this generates a certificate and adds it to the certificate store. Optional.
--cert Name of the certificate file to add, remove, or generate. If you are creating a certificate, the file name will be given the P12 extension. Required.
--subject X.500 Distinguished Name for the certificate. If no subject is specified, a default subject will be provided. Optional.
--ca-store File name of the RCS file from which to retrieve the CA certificate. Required if signing a certificate.
--ca-cert Name of the CA certificate file to use to sign another certificate. Required if signing a certificate.
--ca-passphrase Passphrase for the CA certificate. Required if signing a certificate.
--sign Sign the generated certificate using the specified CA certificate. This option cannot be used with --self-sign. Optional.
--self-sign Self-sign the generated certificate. This option cannot be used with --sign. Optional.
--algorithm Encryption algorithm to use. The default is RSA. The options are RSA or DSA. Optional.
--list Print the names of all certificates in a certificate store to standard output. This list can be used to create a datapool. Optional.

Use KeyTool to create and add as many digital certificates as you want. To create a datapool of the names of the certificates in the certificate store, run KeyTool again with the --list option. This writes a list of names that can then be imported into a datapool.


Results

You now have a digital certificate store that you can use with tests. Because the KeyTool program has many options, you might want to create an alias or script file to use to invoke KeyTool.
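
A script file of the kind suggested above can also enforce the option rules from the table before KeyTool runs. This wrapper is an added example, not part of the original page or of IBM's tooling; the function names and the KERNEL_JAR variable are assumptions, and the jar path keeps the page's rpt_home and version placeholders.

```shell
#!/bin/sh
# Added example, not IBM's code. KERNEL_JAR is a placeholder path: point it at
# the com.ibm.rational.test.lt.kernel jar of your installation.
KERNEL_JAR="${KERNEL_JAR:-rpt_home/plugins/com.ibm.rational.test.lt.kernel_version.jar}"
KEYTOOL_CLASS=com.ibm.rational.test.lt.kernel.dc.KeyTool

# Return 0 if the options obey the rules in the option table, else 1.
check_keytool_args() {
    add=0 remove=0 generate=0 sign=0 selfsign=0
    store="" cert="" castore="" cacert="" capass=""
    for arg in "$@"; do
        case "$arg" in
            --add) add=1 ;;
            --remove) remove=1 ;;
            --generate) generate=1 ;;
            --sign) sign=1 ;;
            --self-sign) selfsign=1 ;;
            --store=?*) store=1 ;;
            --cert=?*) cert=1 ;;
            --ca-store=?*) castore=1 ;;
            --ca-cert=?*) cacert=1 ;;
            --ca-passphrase=?*) capass=1 ;;
            --list | --passphrase=?* | --subject=?*) ;;
            --algorithm=RSA | --algorithm=DSA) ;;
            *) echo "keytool: unknown or empty option: $arg" >&2; return 1 ;;
        esac
    done
    if [ "$remove" = 1 ] && [ $((add + generate)) -gt 0 ]; then
        err="--remove cannot be used with --add or --generate"
    elif [ "$sign" = 1 ] && [ "$selfsign" = 1 ]; then
        err="--sign cannot be used with --self-sign"
    elif [ $((add + remove)) -gt 0 ] && [ -z "$store" ]; then
        err="--store is required when adding or removing a certificate"
    # Assumption: --cert is enforced only for add/remove/generate, not --list.
    elif [ $((add + remove + generate)) -gt 0 ] && [ -z "$cert" ]; then
        err="--cert is required"
    elif [ "$sign" = 1 ] && [ "$castore$cacert$capass" != 111 ]; then
        err="--sign requires --ca-store, --ca-cert and --ca-passphrase"
    else
        return 0
    fi
    echo "keytool: $err" >&2
    return 1
}

# Validate first, then run the real tool with the same arguments.
rcs_keytool() {
    check_keytool_args "$@" || return 1
    java -cp "$KERNEL_JAR" "$KEYTOOL_CLASS" "$@"
}
```

Source the file and call rcs_keytool with the same options you would pass to KeyTool; values that contain spaces are still quoted as usual.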

You do not have to use the KeyTool command-line program to create a certificate store. You can also use existing PKCS#12 certificates with Rational Performance Tester. PKCS#12 certificates can be exported from a Web browser. A PKCS#12 certificate file contains the private key as well as the certificate, with the private key protected by a password.

Do not use certificates associated with real users. Certificates associated with real users contain private keys that should not become known by or available to anyone other than the owner of the certificate. An intruder who gained access to the certificate store would have access to the private keys of all certificates in the store. For this reason, create, or have created for you, certificates that are signed by the correct certificate authority (CA) but that are not associated with real users.

