When the client communicates with EAServer over SSL, the client must obtain and manage its certificates. sc-tool is a command line client tool used for managing the client-side C/C++ certificate database.
To use sc-tool (sc-tool.bat on Windows, and sc-tool.sh on UNIX), set JAGUAR_CLIENT_ROOT on the client to the location of DJC_HOME (in order for the client to pick up the correct certificate database), and add the location of the tool to the client’s path.
Run sc-tool from the bin directory of your EAServer installation.
Enter sc-tool -help for information about all sc-tool options, including:
Request a certificate:
sc-tool -certreq [-alias <alias>] [-keyStrength <sigalg>] [-keyStrength <keystrength>] [-CN <CommonName>] [-UserID <UserID>] [-EmailID <EmailID>] [-Org <Organization>] [-OrgUnit <OrganizationUnit>] [-Locality <Locality>] [-State <state>] [-Country <Country>] [-ReqName <requestor name>] <-SrvAdmin server admin> [-file <csr_file>] <-Phone phone number> <-UTF8>
csr_file – the name of the file to which the request is saved. The remaining certificate parameters supply the information a CA needs to sign the request.
alias – the new certificate name.
sigalg – the length for the key, can be 512, 1024, and so on.
keypass – the password used to protect the certificate.
Delete a client-side certificate:
sc-tool -delete -alias <alias> [-storepass <storepass>]
alias – the name or label of the certificate you are deleting.
storepass – the name of the keystore that contains the certificate.
Export a certificate:
sc-tool -export [-alias <alias>] [-file <cert_file>] [-storepass <storepass>] [-exportType <exportType>]
alias – the name or label, in the certificate database, of the certificate you are exporting.
file – the path/name of the file to which the exported certificate is written.
storepass – the name of the keystore that contains the certificate.
exportType – only pkcs7 is allowed as the type.
Import a certificate:
sc-tool -import [-file <cert_file>] [-keypass <keypass>] [-storepass <storepass>]
file – the certificate file to be imported.
keypass – required if importing a private key. keypass is not needed when cert_file does not include a private key.
storepass – the password for the certificate database.
If the name of cert_file ends with pfx or p12, it is a PKCS12 file, and keypass must be specified. keypass is the password for recovering the private key.
List all available certificates in the database:
sc-tool -list -storepass password [-userCerts true/false] [-trustedCerts true/false] [-CACerts true/false] [-otherCerts true/false] [-verbose]
You can choose which certificates to list. -verbose displays detailed information about the certificate(s).
Change the database password:
sc-tool -changepin -storepass [-new <new_storepass>] [-storepass <storepass>]
Changes the PIN for the certificate database.
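The setup step and the request, import and list commands above, chained as a shell workflow; this is an added example, not part of the EAServer documentation. The function names, the sc-tool.sh default, the sample arguments and the 2048-bit key size are assumptions (the page lists 512, 1024 "and so on"); only options shown on this page are used, and password values are masked in the printed command.

```shell
#!/bin/sh
# Added example, not from the EAServer documentation. Function names and the
# key size are assumptions; only sc-tool options listed on this page are used.
SC_TOOL=${SC_TOOL:-sc-tool.sh}   # sc-tool.bat on Windows
SC_DRY_RUN=${SC_DRY_RUN:-1}      # 1 = print commands only, 0 = also execute them

# Verify the setup the page requires before touching the certificate database.
sc_preflight() {
    [ -n "${JAGUAR_CLIENT_ROOT:-}" ] || { echo "JAGUAR_CLIENT_ROOT is not set" >&2; return 1; }
    [ -d "$JAGUAR_CLIENT_ROOT" ] || { echo "JAGUAR_CLIENT_ROOT is not a directory" >&2; return 2; }
    command -v "$SC_TOOL" >/dev/null 2>&1 || { echo "$SC_TOOL is not on PATH" >&2; return 3; }
}

# Print the command with password values masked; run it unless in dry-run mode.
sc_run() {
    shown=$SC_TOOL; mask=0
    for arg in "$@"; do
        if [ "$mask" -eq 1 ]; then
            shown="$shown ******"; mask=0
        else
            shown="$shown $arg"
            case $arg in -storepass|-keypass|-new) mask=1 ;; esac
        fi
    done
    echo "+ $shown"
    [ "$SC_DRY_RUN" = 1 ] || "$SC_TOOL" "$@"
}

# Step 1: create the request. Usage: sc_request <alias> <CommonName> <csr_file>
# 2048 is an assumed key size; confirm what your sc-tool version accepts.
sc_request() {
    sc_preflight || return $?
    sc_run -certreq -alias "$1" -keyStrength 2048 -CN "$2" -file "$3"
}

# Step 2, after the CA has signed the request: import the signed certificate,
# then list user certificates to confirm it is in the database.
# Usage: sc_install <storepass> <cert_file>
# -storepass is a command-line argument, so it is visible in the process list
# while sc-tool runs; the masking above only protects printed and logged output.
sc_install() {
    sc_preflight || return $?
    sc_run -import -file "$2" -storepass "$1"
    sc_run -list -storepass "$1" -userCerts true -verbose
}
```

Source the file, then call sc_request and sc_install; set SC_DRY_RUN=0 once the printed commands look right.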