HP Open Source Security for OpenVMS Volume 1: Common Data Security Architecture > Chapter 4 CDSA Utility Programs

CDSA$CERTGEN.EXE

The certgen utility allows the user to create digital certificates in the form runfilename.cer. Private keys will be placed in [.CDSA.PKD]csp-name.PRI under the login directory of the current process.

This program is generally called by CDSA_SYSDIR:[SIGN]CDSA$GEN_CERTS.COM.

SYNOPSIS

certgen [runfilename]

OPTIONS

runfilename 

This optional parameter specifies the name of the run file that contains the parameters that certgen needs to create a certificate. If no run file is specified, the default run file is certgen.run in the current directory.

A certgen run file contains the following items as appropriate, each on a separate line:

certtype location

certtype can be one of the following:

-s 

Indicates a self-signed certificate.

-i 

Indicates a certificate signed by another certificate.

-v 

Indicates that the created certificate takes its subject and public key from a certificate issued by another vendor. You cannot use this option to create a self-signed certificate.

location 

Indicates where the issuer certificate is read from if -i or -v is specified.

filename 

If certtype is -s or -i, filename indicates the location of the XML template that contains the Subject Name that must go into this certificate. If certtype is -v, filename indicates the location of the Vendor Certificate.

algorithm 

Indicates the algorithm used to generate the key pair associated with the certificate being created. The specified algorithm must be supported by one of the Cryptographic Service Providers available in the local implementation of CDSA. The algorithm can be either DSA or RSA. This parameter is not valid if -v is specified for certtype.

keysize 

Specifies the logical key size (in bits) of the key pair being generated. Typical examples are 128, 256, 512, 1024, and so on. The specified key size must be supported by one of the Cryptographic Service Providers available in the local implementation of CDSA. This parameter is not valid if -v is specified for certtype.

cspguid 

The globally unique identifier of the Cryptographic Service Provider that is being used.

certfile 

The output file into which the created certificate is to be written.

subject_password 

The password used to protect a key pair if one is being generated. This parameter is not valid if -v is specified for certtype.

issuer_password 

The password used to unlock the private key required to sign the generated certificate. This parameter is not valid if -s is specified for certtype.

validity_period 

The validity period for the certificate. This parameter contains a start and end date for the validity period in the form YYMMDDHHMMSS YYMMDDHHMMSS. The validity period cannot extend beyond the year 2049 (the two-digit year cannot represent a later date). If validity_period is not specified, the validity period for the certificate lasts for exactly one year.

EXAMPLE

$ certgen intmods.run

The following is an example of a run file (intmods.run) that creates a certificate named intmods.cer, signed by intmanf.cer, and generates a 1024-bit DSA key pair for it. The two lines after intmods.cer are the subject and issuer passwords, and the last line is the validity period (13 October 2000 to 13 October 2010).

-i intmanf.cer
intmods.xml
dsa
1024
{67ef50d0-fe74-11d2-a8e6-0090271d266f}
intmods.cer
intmods
intmanf
001013000000 101013000000
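As an added example (not part of the HP manual or the CDSA distribution), the following Python checker validates a run file against the layout described above before it is handed to certgen. It assumes that parameters the manual marks as not valid for a certtype are simply omitted from the file, and that two-digit years follow the usual 00-49 = 2000-2049 / 50-99 = 1950-1999 convention; the embedded sample is a constructed copy of the intmods.run example.

```python
import re
from datetime import datetime

# Constructed sample run file, mirroring the intmods.run example on this page.
SAMPLE_RUN = """-i intmanf.cer
intmods.xml
dsa
1024
{67ef50d0-fe74-11d2-a8e6-0090271d266f}
intmods.cer
intmods
intmanf
001013000000 101013000000
"""
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

def parse_stamp(stamp):
    """YYMMDDHHMMSS -> datetime; years 00-49 mean 2000-2049, 50-99 mean 1950-1999 (assumed pivot)."""
    if not re.fullmatch(r"\d{12}", stamp):
        raise ValueError(f"bad timestamp {stamp!r}, expected YYMMDDHHMMSS")
    yy = int(stamp[:2])
    return datetime(yy + (2000 if yy < 50 else 1900), *(int(stamp[i:i + 2]) for i in range(2, 12, 2)))

def parse_run_file(text):
    """Parse and sanity-check a certgen run file; fields not valid for the certtype are assumed omitted."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    certtype, *loc = lines.pop(0).split()
    if certtype not in ("-s", "-i", "-v"):
        raise ValueError(f"unknown certtype {certtype!r}")
    if len(loc) != (0 if certtype == "-s" else 1):
        raise ValueError("location is required exactly when certtype is -i or -v")
    cfg = {"certtype": certtype, "location": loc[0] if loc else None}
    fields = ["filename"] + ([] if certtype == "-v" else ["algorithm", "keysize"])
    fields += ["cspguid", "certfile"] + ([] if certtype == "-v" else ["subject_password"])
    fields += [] if certtype == "-s" else ["issuer_password"]
    if len(lines) not in (len(fields), len(fields) + 1):  # validity_period is optional
        raise ValueError(f"expected {len(fields)} or {len(fields) + 1} lines after certtype, got {len(lines)}")
    cfg.update(zip(fields, lines))
    if "algorithm" in cfg:
        if cfg["algorithm"].upper() not in ("DSA", "RSA"):
            raise ValueError(f"algorithm must be DSA or RSA, got {cfg['algorithm']!r}")
        cfg["keysize"] = int(cfg["keysize"])
    if not GUID_RE.match(cfg["cspguid"]):
        raise ValueError(f"cspguid {cfg['cspguid']!r} is not a {{...}} GUID")
    if len(lines) > len(fields):  # optional "start end" validity period
        start, end = map(parse_stamp, lines[-1].split())
        if end <= start:
            raise ValueError("validity end must follow validity start")
        cfg["validity_period"] = (start, end)
    return cfg
```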