The KeyTool command-line
program enables you to create a Rational Certificate Store (RCS) file
that contains digital certificates for use with tests. A Rational
Certificate Store (RCS) file is a compressed archive file that contains
one or more PKCS#12 certificates. You can also use the KeyTool program
to remove certificates from a certificate store.
About this task
To create a certificate store:
Procedure
- Type the following command:
java -cp rpt_home/plugins/com.ibm.rational.test.lt.kernel_version.jar
com.ibm.rational.test.lt.kernel.dc.KeyTool --store=file --passphrase=certificate-passphrase --add
--remove --generate --cert=certificate-name --subject=subject-name --ca-store=store --ca-cert=ca-certificate-name --ca-passphrase=ca-certificate-passphrase --sign
--self-sign --algorithm=algorithm {RSA | DSA} --list
If a value contains spaces, enclose the value in quotation marks.
| Option | Description |
| --- | --- |
| --store | Required if adding or removing a certificate. The file name of the Rational Certificate Store (RCS) file. If the specified certificate store does not have the RCS extension, this extension will be added. |
| --passphrase | Optional. The passphrase to place on the generated certificate. The default passphrase is default. |
| --add | Optional. Adds the certificate to the certificate store. Used with --generate, this generates a certificate and adds it to the certificate store. |
| --remove | Optional. Removes the certificate from the certificate store. This option cannot be used with the --add or --generate options. |
| --generate | Optional. Generates a certificate. Used with --add, this generates a certificate and adds it to the certificate store. |
| --cert | Required. The name of the certificate file to add, remove, or generate. If you are creating a certificate, the file name will be given the P12 extension. |
| --subject | Optional. The X.500 Distinguished Name for the certificate. If no subject is specified, a default subject will be provided. To learn more about subjects, see Digital certificate creation overview. |
| --ca-store | Required if signing a certificate. The file name of the Rational Certificate Store (RCS) file from which to retrieve the CA certificate. |
| --ca-cert | Required if signing a certificate. The name of the CA certificate file to use to sign another certificate. |
| --ca-passphrase | Required if signing a certificate. The passphrase for the CA certificate. |
| --sign | Optional. Signs the generated certificate using the specified CA certificate. This option cannot be used with --self-sign. |
| --self-sign | Optional. Self-sign the generated certificate. This option cannot be used with --sign. |
| --algorithm | Optional. This determines the encryption algorithm to use. The default is RSA. The options are RSA or DSA. |
| --list | Optional. This prints the names of all certificates in a certificate store to standard output. This list can be used to create a datapool. |
- Use KeyTool to create and add as many digital certificates
as you want. If you want to create a datapool of the names of certificates
in the certificate store, run KeyTool again with the --list option.
This writes a list of names that can then be imported to a datapool.
Results
You now have a digital certificate store that you can use
with tests. Because the KeyTool program has many options, you might
want to create an alias or script file to use to invoke KeyTool.
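The following wrapper script is an added example, not part of the product documentation. It rejects the option combinations that the option table rules out before KeyTool is started. The RPT_KEYTOOL_JAR variable, the function names, the refusal of the default passphrase, and the requirement of --store for --list are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the KeyTool options in the table above.
# RPT_KEYTOOL_JAR (assumed name) holds the path to the
# com.ibm.rational.test.lt.kernel_<version>.jar file under rpt_home/plugins.
kt_fail() { echo "keytool wrapper: $1" >&2; return 1; }

# Returns 0 if the option combination is valid, 1 (with a reason) if not.
keytool_check_args() {
    add=0 remove=0 generate=0 sign=0 selfsign=0 list=0
    store="" cert="" pass="" castore="" cacert="" capass=""
    for arg in "$@"; do
        case "$arg" in
            --add) add=1 ;; --remove) remove=1 ;; --generate) generate=1 ;;
            --sign) sign=1 ;; --self-sign) selfsign=1 ;; --list) list=1 ;;
            --store=?*) store=${arg#*=} ;;
            --cert=?*) cert=${arg#*=} ;;
            --passphrase=?*) pass=${arg#*=} ;;
            --ca-store=?*) castore=${arg#*=} ;;
            --ca-cert=?*) cacert=${arg#*=} ;;
            --ca-passphrase=?*) capass=${arg#*=} ;;
            --subject=?*|--algorithm=RSA|--algorithm=DSA) ;;
            *) kt_fail "unknown or malformed option"; return 1 ;;
        esac
    done
    [ "$sign" = 1 ] && [ "$selfsign" = 1 ] &&
        { kt_fail "--sign cannot be used with --self-sign"; return 1; }
    [ "$remove" = 1 ] && [ $((add + generate)) -gt 0 ] &&
        { kt_fail "--remove cannot be used with --add or --generate"; return 1; }
    # --store for --list is an assumption; the table names only add and remove.
    [ $((add + remove + list)) -gt 0 ] && [ -z "$store" ] &&
        { kt_fail "--store is required"; return 1; }
    [ $((add + remove + generate)) -gt 0 ] && [ -z "$cert" ] &&
        { kt_fail "--cert is required"; return 1; }
    if [ "$sign" = 1 ] && { [ -z "$castore" ] || [ -z "$cacert" ] || [ -z "$capass" ]; }; then
        kt_fail "--sign needs --ca-store, --ca-cert and --ca-passphrase"; return 1
    fi
    # Added policy: omitting --passphrase yields the literal passphrase "default".
    if [ "$generate" = 1 ] && { [ -z "$pass" ] || [ "$pass" = default ]; }; then
        kt_fail "set an explicit, non-default --passphrase when generating"; return 1
    fi
    return 0
}

# Validates the options, then runs KeyTool with them unchanged.
rpt_keytool() {
    keytool_check_args "$@" || return 1
    [ -n "$RPT_KEYTOOL_JAR" ] || { kt_fail "RPT_KEYTOOL_JAR is not set"; return 1; }
    java -cp "$RPT_KEYTOOL_JAR" com.ibm.rational.test.lt.kernel.dc.KeyTool "$@"
}
```

Because the passphrases are passed as command-line arguments, keep any script that embeds them readable only by its owner.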
You do not have to use the KeyTool command-line program to create a certificate
store. It is possible to use existing PKCS#12 certificates with Rational® Performance Tester.
PKCS#12 certificates can be exported from a Web browser. A PKCS#12 certificate file
contains the private key along with the certificate, and the private key is protected by a password.
Note: Do not use certificates associated with real users. Certificates associated
with real users contain private keys that should not become known
by or available to anyone other than the owner of the certificate.
An intruder who gained access to the certificate store would have
access to the private keys of all certificates in the store. For this
reason, you must create, or have created for you, certificates that
are signed by the correct certificate authority (CA) but that are
not associated with real users.