
ssltrustmgr usage information

This command provides a command-line interface to manage X.509 certificates in a trust store or a Certificate Revocation List (CRL).

You must run the ssltrustmgr command from a QSHELL command-line, which requires that the QSHELL product is installed on the system. You can run this command from /QIBM/UserData/OS400/CIM.

The CIMOM must be running to use this command.

Name
ssltrustmgr - add, remove, revoke or list X.509 certificates in a PEM format trust store.
Synopsis
Usage:
  • ssltrustmgr -a [ -t truststore ] -c certuser -f certfile
  • ssltrustmgr -a -T trustpath -f certfile
  • ssltrustmgr -a -R -f crlfile
  • ssltrustmgr -r [ -t truststore | -T trustpath ] -i issuername -n serialnumber
  • ssltrustmgr -r -R -i issuername
  • ssltrustmgr -l [ -t truststore | -T trustpath ] [ -i issuername [ -n serialnumber ] ]
  • ssltrustmgr -l -R [ -i issuername ]
  • ssltrustmgr -h | --help
  • ssltrustmgr -v | --version
Remarks
This command exits with an error status if the user running the command is not a privileged user. A privileged user has *ALLOBJ and *SECADM special authorities. The ssltrustmgr command requires that the CIM Server is running.
Description

The ssltrustmgr command provides a command-line interface to manage X.509 certificates in a trust store or a Certificate Revocation List (CRL). The command exits with an error status if the trust store or the CRL store does not exist or is not in directory format.

The add option of the ssltrustmgr command does one of the following:

  • Adds the X.509 certificate in certfile to the specified truststore or trustpath.
  • Adds the CRL in crlfile to the CRL store.

The truststore names supported are cim_trust and export_trust. If no truststore is specified, then cim_trust is used as the default truststore. If truststore is specified, then certuser must be specified. The certuser specifies the username to be associated with the certificate in the certfile. If the CRL specified in crlfile already exists in the CRL store, the existing CRL is overwritten.

The remove option of the ssltrustmgr command removes the X.509 certificate matching the specified issuername and serialnumber from the specified truststore or trustpath. The remove option also removes the CRL from the CRL store for a specified issuername.

The list option of the ssltrustmgr command lists the X.509 certificates in the specified truststore or trustpath. The listing can be filtered by specifying the issuername and serialnumber. The list option also lists the CRLs for the specified issuername.

Options

The ssltrustmgr command uses the following options:
-a
Adds the specified certificate to the target truststore, trustpath, or the CRL store. If the truststore or trustpath does not exist, an error message is returned and no action is taken. If the specified certfile does not contain an X.509 certificate or contains an invalid certificate, an error message is returned and no action is taken. If the specified crlfile contains an invalid CRL, an error message is returned and no action is taken. If the CRL specified in crlfile already exists in the CRL store, the existing CRL is overwritten.
-r
Removes the certificate matching the serialnumber issued by the issuername from the target truststore or trustpath. If no certificate exists for the specified issuername and serialnumber, an error message is returned and no action is taken. If the -R option is specified, it removes the CRL issued by the specified issuername.
-l
Displays the X.509 certificates in the target truststore or trustpath. If issuername and serialnumber are specified, only the matching certificates are displayed. If the -R option is specified, all the CRLs in the CRL store are displayed. If issuername is specified with the -R option, only the CRL issued by that issuer is displayed.
-R
Indicates that the requested add, remove, or list operation is to be performed on the CRL store.
-t truststore
Specifies a trust store name containing zero or more X.509 certificates.
-T trustpath
Specifies a trust store path containing zero or more X.509 certificates.
-f certfile / crlfile
Specifies a PEM format file containing an X.509 certificate or a CRL.
-c certuser
Specifies a username to be associated with the specified certificate. The username specified should be a valid system user on the target system.
-i issuername
Specifies a certificate or a CRL issuer name.
-n serialnumber
Specifies a certificate serial number.
-h | --help
Displays command help information.
-v | --version
Displays the CIMOM version number.

Exit status

When an error occurs, an error message is written to stderr and an exit status of 1 is returned. The following values are returned:
0
Success
1
Error

Examples

ssltrustmgr -a -t cim_trust -c username -f cert.pem
Adds the X.509 certificate in the cert.pem file to the trust store cim_trust on the CIMOM and associates the user username with the certificate.
ssltrustmgr -a -T /QIBM/UserData/OS400/CIM/mytruststore -f cert.pem
Adds the X.509 certificate in the cert.pem file to the trust store specified by the trust path /QIBM/UserData/OS400/CIM/mytruststore. A user association is not required when a trust path is specified.
ssltrustmgr -a -R -f class1crl.pem
ssltrustmgr -aR -f class1crl.pem
Both of these examples add the CRL in class1crl.pem to the Certificate Revocation List on the CIMOM.
ssltrustmgr -r -i "/C=US/ST=California/L=Cupertino/O=Smart & Secure/OU=Secure Software Division/CN=dev.admin.ss.com" -n 01
Removes the certificate matching the specified issuername and serialnumber from the cim_trust trust store.
ssltrustmgr -l -t export_trust
Lists all the X.509 certificates in the export_trust trust store.
ssltrustmgr -l
ssltrustmgr -l -t cim_trust
Both of these examples list all the X.509 certificates in the cim_trust trust store.
ssltrustmgr -lR -i "/C=US/ST=California/L=Cupertino/O=Smart & Secure/OU=Secure Software Division/CN=dev.admin.ss.com"
Lists the CRL issued by the specified issuer name.
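The following QSHELL (POSIX sh) script is an added example and is not part of the IBM documentation or the ssltrustmgr product. It wraps the add examples above: it checks that the file given to -f really is a PEM certificate or CRL before the command is invoked, chooses the matching -a form (a trust store with -t needs a -c certuser; a CRL goes to the CRL store with -R), and maps the documented exit status (0 success, 1 error) to its meaning. The function names, the SSLTRUSTMGR variable and the sample files are assumptions constructed for the example; the sample PEM bodies are placeholders, not real certificates.

```sh
#!/bin/sh
# Added example, not from the IBM documentation or the ssltrustmgr product.
# Helper names and the SSLTRUSTMGR variable are assumptions.

SSLTRUSTMGR="${SSLTRUSTMGR:-ssltrustmgr}"

# pem_kind FILE: print "cert", "crl" or "none" based on the PEM header line.
pem_kind() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    echo cert
  elif grep -q -- '-----BEGIN X509 CRL-----' "$1" 2>/dev/null; then
    echo crl
  else
    echo none
  fi
}

# add_to_store FILE [TRUSTSTORE] [CERTUSER]
# Certificates go to the named trust store (default cim_trust). Because -t
# requires -c, a missing CERTUSER is rejected here rather than by ssltrustmgr.
# CRLs are sent to the CRL store with -R, which takes no store or user.
add_to_store() {
  file=$1
  store=${2:-cim_trust}
  user=$3
  case $(pem_kind "$file") in
    cert)
      if [ -z "$user" ]; then
        echo "add_to_store: -t $store requires a certuser" >&2
        return 1
      fi
      "$SSLTRUSTMGR" -a -t "$store" -c "$user" -f "$file"
      ;;
    crl)
      "$SSLTRUSTMGR" -a -R -f "$file"
      ;;
    *)
      echo "add_to_store: $file is not a PEM certificate or CRL" >&2
      return 1
      ;;
  esac
}

# report STATUS: translate the documented exit status into words.
report() {
  case $1 in
    0) echo "Success" ;;
    1) echo "Error (see message on stderr)" ;;
    *) echo "Unexpected status $1" ;;
  esac
}

# Constructed sample files: the base64 bodies are placeholders, not real
# certificates; only the PEM markers matter to pem_kind.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CERT="$SAMPLE_DIR/cert.pem"
SAMPLE_CRL="$SAMPLE_DIR/class1crl.pem"
SAMPLE_BAD="$SAMPLE_DIR/notes.txt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedPlaceholder==' \
  '-----END CERTIFICATE-----' > "$SAMPLE_CERT"
printf '%s\n' '-----BEGIN X509 CRL-----' 'MIIBconstructedPlaceholder==' \
  '-----END X509 CRL-----' > "$SAMPLE_CRL"
printf '%s\n' 'this is not a PEM file' > "$SAMPLE_BAD"

# Stand-alone run: when no real ssltrustmgr is on the PATH, substitute the
# always-succeeding "true" command so the pre-checks can still be exercised.
if ! command -v "$SSLTRUSTMGR" >/dev/null 2>&1; then
  SSLTRUSTMGR=true
fi
for f in "$SAMPLE_CERT" "$SAMPLE_CRL" "$SAMPLE_BAD"; do
  if add_to_store "$f" cim_trust username; then report 0; else report $?; fi
done
```

On a real system, leave SSLTRUSTMGR unset so the wrapper calls the installed command from /QIBM/UserData/OS400/CIM; the pre-check only rejects files that the -a option would have rejected anyway, but it does so before the CIMOM is involved and with a message that names the file.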

iSeries-specific usage: On an iSeries™ server, this command requires the user to have *SECADM and *ALLOBJ authority.

Related concepts
Advanced startup options for the cimconfig command