dskeymgr — manage public key infrastructure in private deployments
Synopsis
dskeymgr {subcommand} {options}
Description
This utility can be used for provisioning and managing TLS certificates for use in private deployments.
Subcommands easily allow to:
Create a deployment CA certificate
Distribute the CA certificate to all deployed applications
Provision each application with a TLS key pair signed by the deployment CA
Rotate the TLS key pairs
Subcommands take several seconds to run because the tool uses a computationally expensive algorithm for hashing the deployment key password.
Options
The dskeymgr command takes the following options:
Utility input/output options:
-n | --no-prompt
Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.
Default: false
General options:
-V | --version
Display Directory Server version information.
Default: false
-H | --help
Display this usage information.
Default: false
Subcommands
The dskeymgr command supports the following subcommands:
dskeymgr create-deployment-key
Creates a new deployment key.
Options
The dskeymgr create-deployment-key command takes the following options:
-f | --outputFile {outputFile}
Optional path to a file where the deployment key will be written, overwriting the file if it exists.
-v | --validity {validity}
The duration for which the CA certificate associated with the deployment key will be valid. Examples: '20years', '1days'.
Default: 10 y
-w | --deploymentKeyPassword {deploymentKeyPassword}
The deployment key password.
dskeymgr create-tls-key-pair
Creates a TLS key-pair signed by the CA associated with a deployment key and then adds it to a keystore with a given alias (default: 'ssl-key-pair'), overwriting any existing key-pair with the same alias.
Options
The dskeymgr create-tls-key-pair command takes the following options:
-a | --alias {alias}
The TLS key-pair alias, any entry with the same alias will be overwritten.
Default: ssl-key-pair
-h | --hostname {hostname}
The hostname(s) that will be added to the TLS certificate alternative name extension. Multiple hostnames may be given by providing this argument multiple times. Hostnames can start with a wildcard.
Default: localhost
-k | --deploymentKey {deploymentKey}
The deployment key.
-K | --keyStoreFile {keyStoreFile}
Path to an existing PKCS12 keystore file or a path indicating where a new keystore file should be created.
-s | --subjectDn {subjectDn}
The TLS certificate subject DN.
-v | --validity {validity}
The duration for which the TLS certificate will be valid. Examples: '1days', '12hours', '1d 12h'.
Default: 1 y
-w | --deploymentKeyPassword {deploymentKeyPassword}
The deployment key password.
-W | --keyStorePassword {keyStorePassword}
Keystore cleartext password.
dskeymgr export-ca-cert
Exports the CA certificate associated with a deployment key to a keystore or as a PEM file.
Options
The dskeymgr export-ca-cert command takes the following options:
-a | --alias {alias}
The CA certificate alias, must not already exist in the keystore.
Default: ca-cert
-f | --outputFile {outputFile}
Optional path to a file where the CA certificate will be written in the PEM format, overwriting the file if it exists.
-k | --deploymentKey {deploymentKey}
The deployment key.
-K | --keyStoreFile {keyStoreFile}
Path to an existing PKCS12 keystore file or a path indicating where a new keystore file should be created.
-w | --deploymentKeyPassword {deploymentKeyPassword}
The deployment key password.
-W | --keyStorePassword {keyStorePassword}
Keystore cleartext password.
dskeymgr export-master-key-pair
Exports the master key pair associated with a deployment key to a keystore.
Options
The dskeymgr export-master-key-pair command takes the following options:
-a | --alias {alias}
The master key pair alias, must not already exist in the keystore.
Default: master-key
-k | --deploymentKey {deploymentKey}
The deployment key.
-K | --keyStoreFile {keyStoreFile}
Path to an existing PKCS12 keystore file or a path indicating where a new keystore file should be created.
-w | --deploymentKeyPassword {deploymentKeyPassword}
The deployment key password.
-W | --keyStorePassword {keyStorePassword}
Keystore cleartext password.
Exit Codes
- 0
The command completed successfully.
- > 0
An error occurred.
Examples
The following example shows how to create a deployment key for managing the public key infrastructure of a private deployment:
$dskeymgr \ create-deployment-key \ --deploymentKeyPassword password \ --validity "10 years"
AFPxL0RlmdMZHeVkkcC3GYFsAHNlNQ5CBVN1bkVDM7FyW2gWxnvQdQ
The following examples show how to use a deployment key to obtain the deployment CA certificate:
Export the CA certificate to a file in PEM format:
$
dskeymgr \ export-ca-cert \ --deploymentKey AFPxL0RlmdMZHeVkkcC3GYFsAHNlNQ5CBVN1bkVDM7FyW2gWxnvQdQ \ --deploymentKeyPassword password \ > ca.pem
Export the CA certificate to a PKCS#12 truststore, creating the truststore if it does not exist:
$
dskeymgr \ export-ca-cert \ --deploymentKey AFPxL0RlmdMZHeVkkcC3GYFsAHNlNQ5CBVN1bkVDM7FyW2gWxnvQdQ \ --deploymentKeyPassword password \ --keyStoreFile keystore \ --keyStorePassword secret12 \ --alias ca-cert
The following example shows how to use a deployment key to generate a TLS key pair signed by the deployment CA certificate and add it to a PKCS#12 keystore, creating the keystore if the keystore file does not exist. In this example, the key pair must be used by an application hosted on *.example.com
and the application's entry has the DN cn=test account,cn=service
.
$ dskeymgr \
create-tls-key-pair \
--deploymentKey AFPxL0RlmdMZHeVkkcC3GYFsAHNlNQ5CBVN1bkVDM7FyW2gWxnvQdQ \
--deploymentKeyPassword password \
--subjectDn "cn=test account,cn=service" \
--hostname "*.example.com" \
--validity "1 days" \
--keyStoreFile keystore \
--keyStorePassword secret12 \
--alias tls-key-pair
In the example above, the key pair is only valid for one day. When it is about to expire, run the same command again to replace the old key pair having the alias tls-key-pair
with a new one.