Using the PKICER command

Working with certificates

Syntax

PKICER
ID     =     string,
[CHECK     =     {YES | NO},]
[COMMENT     =     string,]
[IFORM     =     {PKCS12 | DER | PEM | PKCS7},]
[IKFORM     =     {DER | PEM | PKCS8},]
[IKNAME     =     string,]
[IKPASSW     =     string,]
[INAME     =     string,]
[ITYPE     =     {ALL | USER | ROOT | INTER},]
[MODE     =     {REPLACE | CREATE | DELETE},]
[PKIFNAME     =     string,]
[PKIPASSW     =     string,]
[STATE     =     {ACT | INACT},]
[ROOTCID     =     string]

Description

Use the PKICER command to:

  • Import, delete or update a root or intermediate certificate authority in the local database
  • Import, delete or update a user certificate (with or without the associated private key) in the local database
  • Import the private key associated with a user certificate

Users with several certificates signed by different authorities can import all their certificates with the same identifier.

Parameters

ID = string1..8

Unique local identifier of the certificate to be created, replaced or deleted.

[CHECK = YES | NO]

Certificate check during import: this option is only applicable for a user or intermediate authority certificate.

A check is performed:

  • To establish whether the root or intermediate authority certificate exists in the local database
  • On the certificate signature
  • To determine whether the public key matches the private key (if the private key is to be imported)

[COMMENT = string1..64]

Comment associated with the certificate: for the CREATE or REPLACE operations only.

[PKIFNAME = string1..64]

Name of the local certificate internal datafile in which the operation is to be performed. On each OS, a default name is assigned to the local certificate database.

[IFORM = PKCS12 | DER | PEM | PKCS7]

Format of the certificate to be imported. It must be specified if the INAME parameter is set.

[IKFORM = PKCS8 | DER | PEM ]

Format of the private key to be imported. This parameter must be specified if the IKNAME parameter is set.

[IKNAME = string1..64]

File from which the private key associated with a user certificate is read when that key is to be imported or updated.

This parameter is not significant if the certificate format is PKCS#12 as the certificate and private key are declared in the same source file.

[IKPASSW = string1..64]

Password protecting the source file. It must be specified for encrypted PEM (PKCS#5) or encrypted PKCS#8 private key files, and for PKCS#7 or PKCS#12 certificate files.

There are two ways to specify the password:

  • By value: the value assigned to the parameter is used directly as a password
  • By reference to a file: the value assigned to the parameter is the name of a file, the first record of which contains the password; in this case, the file name must be preceded by a # or @ sign depending on the OS. On Windows, for example, IKPASSW=#myfile where the password is specified in the myfile file; the first file record must contain the password in plain format.

[INAME = string1..128]

Source file containing the certificate to be imported or updated.

This parameter is not allowed in DELETE mode.

[ITYPE = ALL | USER | ROOT | INTER]

Type of certificate to be imported.

This parameter is mandatory for the modes DELETE (deleting a certificate from the database) and REPLACE (updating a certificate).

This field must be specified for an X.509 certificate, Version 1 or 2. The type of an X.509 version 3 certificate is determined automatically. For version 3, the ITYPE parameter is matched against the type detected:

  • ALL: certificate type not checked
  • USER: user certificate
  • ROOT: root authority certificate
  • INTER: intermediate authority certificate

[MODE = REPLACE | CREATE | DELETE]

Action on the certificate. The REPLACE action imports or updates an existing certificate in the database.

If a certificate chain (the user certificate together with all its intermediate authority certificates) is imported, every certificate in the chain is recorded in the local database. The user certificate is recorded with the identifier generated from the ID parameter. Intermediate authority certificates are recorded with internal identifiers in the local internal datafile and cannot be viewed.

[PKIPASSW = string1..64]

Encryption password of the private key in the local certificate database.

There are two ways to specify the password:

  • By value: the value assigned to the parameter is used directly as a password
  • By reference to a file: the value assigned to the parameter is the name of a file, the first record of which contains the password; in this case, the file name must be preceded by a # or @ sign depending on the OS. On Windows, for example, PKIPASSW=#myfile where the password is specified in the myfile file; the first file record must contain the password in plain format.

The password is not recorded in the local certificate database. You are strongly advised to use the same password for all private keys. The same password must be declared in the Transfer CFT configuration, so that Transfer CFT can access the private keys.

[ROOTCID = string1..8]

This parameter is mandatory for the DELETE (deletion of a certificate from the database) and REPLACE (update of a certificate) modes. It indicates the identifier of the authority that signed the certificate to be deleted or updated.

This parameter must be specified even for an authority certificate. In this case, the ID and ROOTCID parameters have the same value.

[STATE = ACT | INACT]

Status of the imported certificate.

By default, the certificate is active and can be used by Transfer CFT.
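The parameter rules above (IFORM required with INAME, IKFORM required with IKNAME, ITYPE and ROOTCID mandatory for DELETE and REPLACE, no INAME in DELETE mode, IKNAME not significant for PKCS#12, passwords given by value or by #file/@file reference) are easy to get wrong when a certificate import is scripted. The following POSIX shell wrapper is an added example, not code from the Transfer CFT documentation or product: it applies those rules before emitting the command line, so a rejected import is caught before the database is touched. It assumes that PKICER is executed through the PKIUTIL utility and that PKIUTIL accepts the "KEY=VALUE, KEY=VALUE" argument form exactly as printed; the file names and password files in the worked sequence are constructed.

```shell
#!/bin/sh
# Added example, not part of the Transfer CFT documentation or product.
# Applies the PKICER parameter rules stated on this page before emitting the
# command line. Assumption: PKICER is run through the PKIUTIL utility and
# accepts "KEY=VALUE, KEY=VALUE" arguments as printed here.

err() { echo "pkicer: $*" >&2; }

# pkicer_cmd KEY=VALUE ...
# Prints the validated "PKIUTIL PKICER ..." line, or reports the violated rule
# on stderr and returns 1 without printing a command.
pkicer_cmd() {
    p_ID= p_CHECK= p_COMMENT= p_IFORM= p_IKFORM= p_IKNAME= p_IKPASSW= p_INAME=
    p_ITYPE= p_MODE= p_PKIFNAME= p_PKIPASSW= p_STATE= p_ROOTCID=
    for arg in "$@"; do
        key=${arg%%=*}; val=${arg#*=}
        case "$key" in
            ID|CHECK|COMMENT|IFORM|IKFORM|IKNAME|IKPASSW|INAME|ITYPE|MODE|PKIFNAME|PKIPASSW|STATE|ROOTCID)
                eval "p_$key=\$val" ;;
            *) err "unknown parameter '$key'"; return 1 ;;
        esac
    done

    # ID is mandatory and 1..8 characters; ROOTCID has the same length limit
    if [ -z "$p_ID" ] || [ ${#p_ID} -gt 8 ]; then err "ID must be 1..8 characters"; return 1; fi
    if [ ${#p_ROOTCID} -gt 8 ]; then err "ROOTCID must be 1..8 characters"; return 1; fi
    case "$p_MODE" in ''|REPLACE|CREATE|DELETE) ;; *) err "MODE must be REPLACE, CREATE or DELETE"; return 1 ;; esac
    case "$p_ITYPE" in ''|ALL|USER|ROOT|INTER) ;; *) err "ITYPE must be ALL, USER, ROOT or INTER"; return 1 ;; esac

    # IFORM must be given whenever INAME is given
    if [ -n "$p_INAME" ]; then
        case "$p_IFORM" in PKCS12|DER|PEM|PKCS7) ;;
            *) err "IFORM (PKCS12|DER|PEM|PKCS7) is required when INAME is set"; return 1 ;; esac
    fi
    # IKFORM must be given whenever IKNAME is given; IKNAME is ignored for PKCS#12
    if [ -n "$p_IKNAME" ]; then
        case "$p_IKFORM" in PKCS8|DER|PEM) ;;
            *) err "IKFORM (PKCS8|DER|PEM) is required when IKNAME is set"; return 1 ;; esac
        if [ "$p_IFORM" = PKCS12 ]; then
            err "warning: IKNAME is not significant for IFORM=PKCS12 (key is in the same file)"
        fi
    fi
    # DELETE and REPLACE need ITYPE and ROOTCID; DELETE takes no source file
    case "$p_MODE" in
        DELETE|REPLACE)
            if [ -z "$p_ITYPE" ] || [ -z "$p_ROOTCID" ]; then
                err "ITYPE and ROOTCID are mandatory for MODE=$p_MODE"; return 1
            fi ;;
    esac
    if [ "$p_MODE" = DELETE ] && [ -n "$p_INAME" ]; then
        err "INAME is not allowed in DELETE mode"; return 1
    fi

    out="PKIUTIL PKICER ID=$p_ID"
    for key in MODE ITYPE ROOTCID INAME IFORM IKNAME IKFORM IKPASSW PKIPASSW PKIFNAME CHECK STATE COMMENT; do
        eval "val=\$p_$key"
        if [ -n "$val" ]; then out="$out, $key=$val"; fi
    done
    printf '%s\n' "$out"
}

# password_ref_ok VALUE
# For a password given by reference (#file or @file), succeeds only if the file
# is readable and its first record (the password) is non-empty. A password
# given by value always passes.
password_ref_ok() {
    case "$1" in
        "#"*|"@"*) f=${1#?}
                   [ -r "$f" ] && [ -n "$(head -n 1 "$f")" ] ;;
        *) return 0 ;;
    esac
}

# Worked sequence with constructed file names: the root authority first, then a
# user certificate with its PKCS#8 private key (CHECK=YES verifies the chain
# and the key/certificate match), then a PKCS#12 bundle, then removal of that
# bundle's entry.
pkicer_cmd ID=ROOTCA MODE=CREATE ITYPE=ROOT ROOTCID=ROOTCA INAME=rootca.pem IFORM=PEM COMMENT=corp_root
pkicer_cmd ID=USER1 MODE=CREATE ITYPE=USER ROOTCID=ROOTCA INAME=user1.pem IFORM=PEM \
    IKNAME=user1.key IKFORM=PKCS8 'IKPASSW=#keypw.txt' 'PKIPASSW=#dbpw.txt' CHECK=YES
pkicer_cmd ID=USER2 MODE=CREATE ITYPE=USER ROOTCID=ROOTCA INAME=user2.p12 IFORM=PKCS12 \
    'IKPASSW=#p12pw.txt' 'PKIPASSW=#dbpw.txt' CHECK=YES
pkicer_cmd ID=USER2 MODE=DELETE ITYPE=USER ROOTCID=ROOTCA
```

The wrapper only prints the command, so it can be reviewed or logged before anything runs; to execute it, wrap the call as eval "$(pkicer_cmd ...)" on the Transfer CFT host. Run password_ref_ok on each #file or @file value first: a missing or empty password file is the usual reason a scripted import of an encrypted key fails, and checking it up front avoids a half-completed import. Passwords are passed by reference rather than by value so that they do not appear in shell history or process listings.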
