Create X.509 certificates.
createcert [ -r | -s filename ]
Option | Description
---|---
-r | Creates a PKCS10 certificate request. When this option is specified, createcert does not prompt for a signer or any other information used to sign a certificate.
-s filename | Signs the PKCS10 certificate request that is in the specified file. The request can be DER or PEM encoded. When this option is specified, createcert does not prompt for key generation or subject information.
Users typically purchase certificates from a third party. These certificate authorities provide their own tools for creating certificates. The createcert utility is especially useful for creating certificates for development and testing purposes, and it can also be used for production certificates.
To create a signed certificate, use createcert without options. If you want to break up the process into two steps, for example so one person creates a request and another person signs it, the first person can run createcert with -r to create a request and the second person can sign the request by running createcert with -s.
When you run createcert, you are prompted for the following information. When you specify the -r or -s option, some of these prompts do not appear.
Prompt | Description
---|---
Choose encryption type | This prompt only appears if you have purchased a license for ECC encryption. Choose RSA or ECC.
Enter RSA key length (512-16384) | This prompt only appears if you chose RSA encryption. You can choose a length between 512 bits and 16384 bits.
Enter ECC curve | This prompt only appears if you have purchased a license for ECC encryption and you chose the ECC encryption type above. You are prompted to choose from a list of ECC curves. The default is sect163k1.
Subject information | You must enter the following information, which identifies the entity: Country Code, State/Province, Locality, Organization, Organizational Unit, and Common Name (see the example below).
Enter file path of signer's certificate | Optionally, supply a location and file name for the signer's certificate. If you supply this information, the generated certificate is a signed certificate. If you do not supply this information, the generated certificate is a self-signed root certificate.
Enter file path of signer's private key | Supply a location and file name to save the private key associated with the certificate request.
Enter password for signer's private key | Optionally, supply a password with which to encrypt the private key. If you do not supply a password, the private key is not encrypted.
Serial number | Optionally, supply a serial number. The serial number must be a hexadecimal string of 40 digits or less. This number must be unique among all certificates signed by the current signer. If you do not supply a serial number, createcert generates a GUID as the serial number.
Certificate will be valid for how many years (1-100) | Specify the number of years (between 1 and 100) that the certificate is valid. After this period, the certificate expires, along with all certificates it signs.
Certificate Authority (y)es or (n)o | Indicate whether this certificate can be used to sign other certificates. By default, certificates are not certificate authorities (n).
Key usage | Supply a comma-separated list of numbers that indicate how the certificate's private key can be used. This is an advanced option; the default should be acceptable for most situations. The default depends on whether the certificate is a certificate authority or not (3,4,5 for a non-CA certificate and 6,7 for a certificate authority, as shown in the examples below).
File path to save request | This prompt only appears if you specify the -r option. Supply a location and file name for the PKCS10 certificate request.
Enter file path to save certificate | Supply a location and file name to save the certificate. The certificate is not saved unless you specify a location and file name.
Enter file path to save private key | This prompt only appears if you specified the -r option and you supplied a file in the previous prompt. Supply a location and file name to save the private key associated with the certificate request. If you did not specify the -r option, supply a location and file name to save the private key. The private key is not saved unless you specify a location and file name.
Enter password to protect private key | Optionally, supply a password with which to encrypt the private key. The private key is not encrypted if you do not supply a password.
Enter file path to save identity | Supply a location and file name to save the identity. The identity file is a concatenation of the certificate, signer, and private key. This is the file that you supply to the server at startup. If the private key was not saved, createcert prompts for a password to save the private key. Otherwise, it uses the password provided earlier. The identity is not saved unless you provide a file name. If you do not save the identity file, you can manually concatenate the certificate, signer, and private key files into an identity file.
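As an added example (not part of the SQL Anywhere documentation or of the createcert tool itself), the following Python script assembles an identity file by hand in the order described above (certificate, then signer, then private key) and checks that each input file holds the kind of PEM block createcert would have written into it, so a swapped or mixed-up file is caught before it is handed to the server; it also checks a serial number against the hexadecimal, 40-digit limit. The PEM blocks embedded in the script are constructed placeholders, not real certificates or keys.

```python
import re

# Shape of one PEM block: -----BEGIN label-----, base64 lines, -----END label-----.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
# Labels createcert-style tools use for an (optionally encrypted) private key.
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Return (label, full block text) pairs for every PEM block in a file."""
    return [(m.group(1), m.group(0) + "\n") for m in PEM_BLOCK.finditer(text)]


def build_identity(cert_pem, key_pem, signer_pem=None):
    """Concatenate certificate, signer chain and private key into an identity.

    Raises ValueError when a file does not contain what its role requires,
    e.g. when the key file and certificate file were passed in the wrong order.
    """
    certs = pem_blocks(cert_pem)
    if len(certs) != 1 or certs[0][0] != "CERTIFICATE":
        raise ValueError("certificate file must hold exactly one CERTIFICATE block")
    signers = pem_blocks(signer_pem) if signer_pem else []
    if any(label != "CERTIFICATE" for label, _ in signers):
        raise ValueError("signer file must hold only CERTIFICATE blocks")
    keys = pem_blocks(key_pem)
    if len(keys) != 1 or keys[0][0] not in KEY_LABELS:
        raise ValueError("private key file must hold exactly one private key block")
    return "".join(block for _, block in certs + signers + keys)


def is_valid_serial(serial):
    """A serial number must be a hexadecimal string of 40 digits or less."""
    return 0 < len(serial) <= 40 and re.fullmatch(r"[0-9A-Fa-f]+", serial) is not None


# Constructed stand-ins for cert.pem, a signer certificate and key.pem (not real).
CERT_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgQ0VSVA==\n-----END CERTIFICATE-----\n"
SIGNER_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgUk9PVA==\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQgS0VZ\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(build_identity(CERT_PEM, KEY_PEM, SIGNER_PEM), end="")
```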
The following example creates a signed certificate. In the example, no file name is provided for the signer's certificate, which makes it a self-signed root certificate.
>createcert
SQL Anywhere X.509 Certificate Generator Version 11.0.1.3330
Choose encryption type ((R)SA or (E)CC): r
Enter RSA key length (512-16384): 1024
Generating key pair...
Country Code: CA
State/Province: Ontario
Locality: Waterloo
Organization: Sybase iAnywhere
Organizational Unit: Engineering
Common Name: Test Certificate
Enter file path of signer's certificate:
Certificate will be a self-signed root
Serial number [generate GUID]:
Generated serial number: bfb89a26fb854955954cabc4d056e177
Certificate valid for how many years (1-100): 10
Certificate Authority (Y/N) [N]: n
1. Digital Signature
2. Nonrepudiation
3. Key Encipherment
4. Data Encipherment
5. Key Agreement
6. Certificate Signing
7. CRL Signing
8. Encipher Only
9. Decipher Only
Key Usage [3,4,5]: 3,4,5
Enter file path to save certificate: cert.pem
Enter file path to save private key: key.pem
Enter password to protect private key: pwd
Enter file path to save identity: id.pem
To generate an enterprise root certificate (a certificate that signs other certificates), create a self-signed root certificate with Certificate Authority set to yes. The procedure is similar to the one shown above, except that you answer y to the Certificate Authority prompt and choose key usages 6,7 (the default):
Certificate Authority (Y/N) [N]: y
1. Digital Signature
2. Nonrepudiation
3. Key Encipherment
4. Data Encipherment
5. Key Agreement
6. Certificate Signing
7. CRL Signing
8. Encipher Only
9. Decipher Only
Key Usage [6,7]: 6,7
Copyright © 2008, iAnywhere Solutions, Inc. - SQL Anywhere 11.0.0