Creates X.509 certificates.
createcert [ -r | -s ]
Option | Prompt name | Description |
---|---|---|
@data | N/A | Reads in options from the specified environment variable or configuration file. See Configuration files. If you want to protect passwords or other information in the configuration file, you can use the File Hiding utility (dbfhide) to obfuscate the contents of the configuration file. See File Hiding utility (dbfhide). |
-b value | Enter RSA key length (512-16384) | Specifies the RSA key length. The length can be between 512 bits and 16384 bits. This option is only required when the -r option is specified and RSA is specified for the -t option. |
-c filename | Enter file path of signer's certificate | Specifies a location and file name for the signer's certificate. If you supply this information, the generated certificate is a signed certificate. If you do not supply this information, the generated certificate is a self-signed root certificate. This option applies only when the -s option is specified. |
-ca y \| n | Certificate Authority (y)es or (n)o | Creates a Certificate Authority certificate that can be used to sign other certificates. By default, certificates are not certificate authorities (n). This option applies only when the -s option is specified. |
-ck filename | Enter file path of signer's private key | Specifies a location and file name for the private key associated with the certificate request. The prompt only appears if you specified a file name for the -c option. This option applies only when you specify the -s option and provide a file name for the -c option. |
-co filename | Enter file path to save certificate | Writes the public certificate to the specified file. Specify a location and file name to save the certificate. The certificate is not saved unless you specify a location and file name. This option applies only when the -s option is specified. |
-cp password | Enter password for signer's private key | Specifies the password that was used to encrypt the signer's private key. Only specify this password if the private key was encrypted. This option applies only when the -s option is specified. |
-ec curve | Enter ECC curve | This option only applies if you have purchased a license for ECC encryption and you chose ECC for the -t option. The default is secp521r1. This option applies only when the -r option is specified. The following ECC curves are supported: The three-digit number in the curve name represents the bit size of the curve. The encryption strength of a curve is approximately equivalent to that of an AES key of half the size; for example, a 512-bit ECC curve has about the same strength as a 256-bit AES key. |
-io filename | Enter file path to save identity | Specifies a location and file name to save the generated identity. This option applies only when the -s option is specified. |
-ko filename | Enter file path to save private key | Specifies a location and file name to save the private key. |
-kp password | Enter password to protect private key | Specifies a password with which to encrypt the private key. If you do not specify a password, the private key is not encrypted. This option only applies if you specified a file name with the -ko option. |
-m value | Serial number | Specifies a serial number. The serial number must be a hexadecimal string of 40 digits or less. This number must be unique among all certificates signed by the current signer. If you do not specify a serial number, createcert generates a GUID as the serial number. This option applies only when the -s option is specified. |
-r | N/A | Generates a PKCS10 certificate request. When this option is specified, the following options do not apply (those documented as applying only when -s is specified): -c, -ca, -ck, -co, -cp, -io, -m, -u, -v, -x. |
-ro filename | File path to save request | Specifies a location and file name with which to save the PKCS10 certificate request. This option only applies if you specify the -r option. |
-s filename | N/A | Specifies the location and file name of the PKCS10 certificate request that is to be signed. The certificate request can be DER or PEM encoded. When this option is specified, the following options do not apply (those documented as applying only when -r is specified): -b, -ec, -ro, -sc, -scn, -sl, -so, -sou, -sst, -t. |
-sc value | Subject information | Specifies the subject country code. This option applies only when the -r option is specified. |
-scn value | Subject information | Specifies the subject common name. This option applies only when the -r option is specified. |
-sl value | Subject information | Specifies the subject locality. This option applies only when the -r option is specified. |
-so value | Subject information | Specifies the subject organization. This option applies only when the -r option is specified. |
-sou value | Subject information | Specifies the subject organizational unit. This option applies only when the -r option is specified. |
-sst value | Subject information | Specifies the subject state. This option applies only when the -r option is specified. |
-t type | Choose encryption type | Specifies the encryption type, RSA or ECC. ECC can only be specified if you have purchased a license for ECC encryption. This option applies only when the -r option is specified. |
-u value,... | Key usage | Specifies how the certificate will be used. Specify a comma-separated list of numbers that indicate how the certificate's private key can be used. This is an advanced option; the default should be acceptable for most situations. The default depends on whether the certificate is a certificate authority or not: for a certificate authority the default is 6,7; for a certificate that is not a certificate authority the default is 3,4,5. This option applies only when the -s option is specified. Values are: 1 Digital Signature, 2 Nonrepudiation, 3 Key Encipherment, 4 Data Encipherment, 5 Key Agreement, 6 Certificate Signing, 7 CRL Signing, 8 Encipher Only, 9 Decipher Only. |
-v years | Certificate will be valid for how many years (1-100) | Specifies the number of years (between 1 and 100) that the certificate is valid. After this period, the certificate expires, along with all certificates it signs. This option applies only when the -s option is specified. |
-x | N/A | Generates a self-signed certificate. This option applies only when the -s option is specified. |
Users typically go to a third party to purchase certificates, and those certificate authorities provide their own tools for creating certificates. The createcert utility is especially useful for creating certificates for development and testing purposes, and it can also be used for production certificates.

To create a signed certificate, you can run createcert with no options and answer its prompts for the required values, or you can specify the required options for your certificate on the command line.

If you want to break the process into two steps, for example so that one person creates a request and another person signs it, the first person runs createcert with -r to create a request and the second person signs the request by running createcert with -s.

To create an enterprise root certificate (a certificate that signs other certificates), it is recommended that the self-signed root certificate be created as a certificate authority and use the default signing key usage. For example, specify y for the -ca option and 6,7 for the -u option.
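As an added example that is not part of the createcert documentation, the following Python maps the numeric key-usage values of the -u option onto the RFC 5280 KeyUsage bit positions (values 1 to 9, in the order of the Key Usage prompt, correspond to bits 0 to 8), DER-encodes the resulting extension value, and checks a -u/-ca combination against the root-certificate guidance above. The function names and the reviewer checks are my own, not part of the tool.

```python
# Added example: createcert's -u numbering versus the X.509 KeyUsage bits.
# Assumption (labelled): the 1..9 numbering follows the Key Usage prompt order,
# which matches the RFC 5280 KeyUsage bit order 0..8.

# createcert number -> (RFC 5280 KeyUsage name, bit position)
KEY_USAGE = {
    1: ("digitalSignature", 0),
    2: ("nonRepudiation", 1),
    3: ("keyEncipherment", 2),
    4: ("dataEncipherment", 3),
    5: ("keyAgreement", 4),
    6: ("keyCertSign", 5),
    7: ("cRLSign", 6),
    8: ("encipherOnly", 7),
    9: ("decipherOnly", 8),
}

def parse_usage(value):
    """Parse a -u value such as '3,4,5' into a sorted list of ints,
    rejecting anything outside createcert's 1..9 range."""
    nums = sorted({int(tok) for tok in value.split(",") if tok.strip()})
    bad = [n for n in nums if n not in KEY_USAGE]
    if bad or not nums:
        raise ValueError("invalid key usage value(s): %s" % (bad or value))
    return nums

def key_usage_der(value):
    """Return the DER encoding of the KeyUsage BIT STRING for a -u value."""
    bits = [KEY_USAGE[n][1] for n in parse_usage(value)]
    nbytes = max(bits) // 8 + 1
    payload = bytearray(nbytes)
    for b in bits:
        payload[b // 8] |= 0x80 >> (b % 8)   # bit 0 is the MSB of byte 0
    unused = 7 - (max(bits) % 8)           # DER: count of trailing unused bits
    body = bytes([unused]) + bytes(payload)
    return bytes([0x03, len(body)]) + body  # tag 0x03 = BIT STRING

def check_against_ca(value, is_ca):
    """Flag the mismatches a reviewer would catch: a CA (-ca y) needs
    keyCertSign (6); a non-CA certificate should not carry it."""
    nums = parse_usage(value)
    issues = []
    if is_ca and 6 not in nums:
        issues.append("CA certificate without keyCertSign (6)")
    if not is_ca and 6 in nums:
        issues.append("non-CA certificate with keyCertSign (6)")
    return issues
```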
The following example creates a self-signed certificate with the following characteristics:

- 1024-bit RSA key
- Generated serial number
- Valid for 5 years
- Not a certificate authority
- Used for key encipherment, data encipherment, and key agreement
- Private key protected with the password sql

```
createcert.exe -t rsa -b 1024 -sc CA -sst ON -sl Waterloo -so MyOrganizationalUnit -sou MyCompany -scn test -x -m 0 -v 5 -ca 0 -u 3,4,5 -co root-cert.pem -ko root-key.pem -io root-id.pem -kp sql
```
The following example creates a self-signed certificate with the following characteristics:

- ECC sect283r1 key
- Generated serial number
- Valid for 2 years
- Certificate authority (can sign other certificates)
- Used for key encipherment, data encipherment, key agreement, and certificate signing
- Private key protected with the password sql

```
createcert.exe -t ecc -ec sect283r1 -sc CA -sst ON -sl Waterloo -so MyOrganizationalUnit -sou MyCompany -scn test -x -m 0 -v 2 -ca 1 -u 3,4,5,6 -co root-cert.pem -ko root-key.pem -io root-id.pem -kp sql
```
The following example creates a certificate signed by ca-key with the following characteristics:

- 1024-bit RSA key
- Generated serial number
- Valid for 5 years
- Not a certificate authority
- Used for key encipherment, data encipherment, and key agreement
- Private key protected with the password sql

```
createcert.exe -t rsa -b 1024 -sc CA -sst ON -sl Waterloo -so MyOrganizationalUnit -sou MyCompany -scn test -c ca-cert.pem -ck ca-key.pem -cp cakeypass -m 0 -v 5 -ca 0 -u 3,4,5 -co root-cert.pem -ko root-key.pem -io root-id.pem -kp sql
```
The following example creates a signed certificate interactively. Because no file name is provided for the signer's certificate, the result is a self-signed root certificate.

```
createcert
SQL Anywhere X.509 Certificate Generator Version 12.0.1.3330
Choose encryption type ((R)SA or (E)CC): r
Enter RSA key length (512-16384): 1024
Generating key pair...
Country Code: CA
State/Province: Ontario
Locality: Waterloo
Organization: Sybase iAnywhere
Organizational Unit: Engineering
Common Name: Test Certificate
Enter file path of signer's certificate:
Certificate will be a self-signed root
Serial number [generate GUID]:
Generated serial number: bfb89a26fb854955954cabc4d056e177
Certificate valid for how many years (1-100): 10
Certificate Authority (Y/N) [N]: n
1. Digital Signature
2. Nonrepudiation
3. Key Encipherment
4. Data Encipherment
5. Key Agreement
6. Certificate Signing
7. CRL Signing
8. Encipher Only
9. Decipher Only
Key Usage [3,4,5]: 3,4,5
Enter file path to save certificate: cert.pem
Enter file path to save private key: key.pem
Enter password to protect private key: pwd
Enter file path to save identity: id.pem
```
The following example creates an enterprise root certificate (a certificate that signs other certificates): a self-signed root certificate with Certificate Authority that uses the default signing key usage. The response to the Certificate Authority prompt (or the -ca option) should be y, and the response to the Key Usage prompt (or the -u option) should be 6,7, which is the default.

```
Certificate Authority (Y/N) [N]: y
1. Digital Signature
2. Nonrepudiation
3. Key Encipherment
4. Data Encipherment
5. Key Agreement
6. Certificate Signing
7. CRL Signing
8. Encipher Only
9. Decipher Only
Key Usage [6,7]: 6,7
```
Copyright © 2012, iAnywhere Solutions, Inc. - SQL Anywhere 12.0.1