
Info: GSK Driver Information

Summary:

GSK is one of the drivers that we can work with in Venafi Encryption Director. With GSK we can provide the full certificate life cycle.

More Information:

Below are conditional fields, Driver stages, and commands for GSK

 

Conditional Fields
Logic
The "Default Certificate:" field is only enabled/editable when the "Store Type:" field is set to "CMS".
The "Password Valid for:" field is only enabled/editable when the "Store Type:" field is set to "CMS".
The "Replace Existing:" field is only enabled/editable when the "Create:" field is set to "1" (for Yes).
The "Stash Password:" field is only enabled/editable when the "Store Type:" field is set to "CMS".

 

Driver Stages
| Stage | Description | Other |
|-------|-------------|-------|
| 200 | Create / Replace Key Store | Only done on application if set to 'Generate Keypair On Application' |
| 400 | Create CSR | Only done on application if set to 'Generate Keypair On Application' |
| 800 | Create / Replace Key Store | |
| 801 | Install Certificate Chain | |
| 802 | Install Certificate | |
| 803 | Recycle Alias (Certificate Label) | |

 

GSK Commands

Keystore Creation

  • gsk7cmd -keydb -create -db <filename> -pw <password> -type <cms | jks | jceks | pkcs12> -expire <days> -stash
    • -db <filename> is the full path for the database to be created.
    • -expire <days> is the number of days before the password expires. This parameter is only valid for CMS key databases and is optional.
    • -keydb specifies that the command is for the key database.
    • -pw <password> is the password to access the key database.
    • -type <cms | jks | jceks | pkcs12> is the database type.
    • -stash stashes the password for the key database. When the -stash option is specified during key database creation, the password is stashed in a file with a filename built as follows: <filename_of_key_database>.sth. This parameter is only valid for CMS key databases and is optional.

CSR Creation

  • gsk7cmd -certreq -create -db <filename> -pw <password> -type <cms | jks | jceks | pkcs12> -label <label> -dn <dn> -san_dnsname <san> -size <2048 | 1024 | 512> -file <file>
    • -certreq specifies a certificate request.
    • -create specifies a create action.
    • -db <filename> specifies the name of the database.
    • -pw <password> is the password to access the key database.
    • -type <cms | jks | jceks | pkcs12> is the database type.
    • -label <label> indicates the label attached to the certificate or certificate request.
    • -dn <dn> indicates an X.500 distinguished name. Input as a quoted string of the following format (only CN, O, and C are required): "CN=common_name, O=organization, OU=organization_unit, L=location, ST=state, province, C=country"
    • -san_dnsname <san> indicates one or more Subject Alternative Names. Input as a quoted, comma-separated list in the following format: "altname1.com,altname2.com". For information about how to enable subject alt name support on the GSK host, see SEM_Testing_Tips#How_to_Enable_.28or_Disable.29_SAN_on_GSK
    • -size <2048 | 1024 | 512> indicates a key size of 2048, 1024, or 512. The default key size is 1024. The 2048 key size is available if you are using Global Security Kit (GSKit) Version 7.0.4.14 and later.
    • -file <file> is the full path of the file where the certificate request will be stored.
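
The constraints stated in the Keystore Creation and CSR Creation sections above (-expire and -stash only for CMS stores; CN, O and C required in the DN; the three listed key sizes; a comma-separated SAN list) can be checked before gsk7cmd is ever invoked. The following is an added example, not Venafi or IBM code: it only prints the command line, the function names and the GSK_CMD variable are assumptions, and `<password>` is left as a literal placeholder.

```shell
#!/bin/sh
# Added example: prints gsk7cmd command lines without running them.
# Function names and GSK_CMD are assumptions made for this example;
# "<password>" is left as a literal placeholder.
GSK_CMD=${GSK_CMD:-gsk7cmd}

gsk_check_type() {
    case $1 in
        cms|jks|jceks|pkcs12) return 0 ;;
        *) echo "unknown store type: $1" >&2; return 2 ;;
    esac
}

# gsk_keydb_create_cmd <db> <type> [expire_days] [stash: yes|no]
gsk_keydb_create_cmd() {
    db=$1; kind=$2; expire=${3:-}; stash=${4:-no}
    gsk_check_type "$kind" || return 2
    # -expire and -stash are only valid for CMS key databases.
    if [ "$kind" != cms ] && { [ -n "$expire" ] || [ "$stash" = yes ]; }; then
        echo "-expire and -stash require -type cms" >&2; return 2
    fi
    cmd="$GSK_CMD -keydb -create -db \"$db\" -pw <password> -type $kind"
    if [ -n "$expire" ]; then cmd="$cmd -expire $expire"; fi
    if [ "$stash" = yes ]; then cmd="$cmd -stash"; fi
    printf '%s\n' "$cmd"
}

# gsk_certreq_create_cmd <db> <type> <label> <dn> <san_list> <csr_file> [size]
gsk_certreq_create_cmd() {
    db=$1; kind=$2; label=$3; dn=$4; san=$5; file=$6; size=${7:-2048}
    gsk_check_type "$kind" || return 2
    # CN, O and C are the required DN attributes; normalise ", " to ",".
    norm=",$(printf '%s' "$dn" | sed 's/, */,/g')"
    for rdn in CN O C; do
        case $norm in
            *",$rdn="*) ;;
            *) echo "DN is missing $rdn" >&2; return 2 ;;
        esac
    done
    case $size in
        2048|1024|512) ;;
        *) echo "unsupported key size: $size" >&2; return 2 ;;
    esac
    # SAN list: comma separated DNS names, no spaces or empty entries.
    case $san in
        ""|*" "*|,*|*,|*,,*) echo "malformed SAN list" >&2; return 2 ;;
    esac
    # -size is always passed because the tool's default is 1024.
    printf '%s -certreq -create -db "%s" -pw <password> -type %s -label "%s" -dn "%s" -san_dnsname "%s" -size %s -file "%s"\n' \
        "$GSK_CMD" "$db" "$kind" "$label" "$dn" "$san" "$size" "$file"
}
```
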

Certificate Chain Installation

  • gsk7cmd -cert -add -db <file> -pw <password> -type <cms | jks | jceks | pkcs12> -label <label> -format <ascii | binary> -trust <enable | disable> -file <file>
    • -cert indicates the operation applies to a certificate.
    • -add specifies an add action.
    • -db <file> is the full path for the database.
    • -pw <password> is the password to access the key database.
    • -type <cms | jks | jceks | pkcs12> is the database type.
    • -format <ascii | binary> indicates the certificate authorities might supply a binary or an ASCII file.
    • -label <label> is the label attached to a certificate or certificate request.
    • -trust <enable | disable> indicates whether this CA can be trusted. The default is enable and indicates that the CA can be trusted.
    • -file <file> specifies the full path for the file containing the CA certificate.

Certificate Installation

Importing a certificate where the request was created using the db
  • gsk7cmd -cert -receive -file <file> -db <db> -pw <password> -type <cms | jks | jceks | pkcs12> -format <ascii | binary> -default_cert <yes | no>
    • -cert indicates the operation applies to a certificate.
    • -receive specifies a receive action.
    • -file <file> specifies the full path for the file containing the certificate.
    • -db <db> is the full path for the database.
    • -pw <password> is the password to access the key database.
    • -type <cms | jks | jceks | pkcs12> is the database type.
    • -format <ascii | binary> indicates the certificate authorities might supply a binary or an ASCII file.
    • -default_cert <yes | no> indicates whether this is the default certificate in the key database.
Importing a pkcs12
  • gsk7cmd -cert -import -db <db> -pw <password> -label <label> -new_label <new_label> -type pkcs12 -target <file> -target_pw <password> -target_type <cms | jks | jceks | pkcs12>
    • -cert indicates the operation applies to a certificate.
    • -import specifies an import action.
    • -db <db> is the full path for the pkcs12 file.
    • -pw <password> is the password to access the pkcs12 key database.
    • -label <label> is the label attached to the certificate in the pkcs12 file.
    • -new_label <new_label> is the label under which the certificate will be imported.
    • -type pkcs12 specifies that the database from which the certificate is imported is a pkcs12 db.
    • -target <file> specifies the full path for the db to which the certificate is being imported.
    • -target_pw <password> is the password to access the key database.
    • -target_type <cms | jks | jceks | pkcs12> is the database type.

Certificate / Key Extraction

  • gsk7cmd -cert -export -db <db> -pw <password> -type <cms | jks | jceks | pkcs12> -label <label> -target_type pkcs12 -target <file> -target_pw <password>
    • -cert indicates the operation applies to a certificate.
    • -export specifies an export action.
    • -db <db> is the full path for the database.
    • -pw <password> is the password to access the key database.
    • -type <cms | jks | jceks | pkcs12> is the database type.
    • -label <label> is the label attached to certificate in the pkcs12 file.
    • -target_type pkcs12 specifies that the database created with the exported certificate/key is a pkcs12 db.
    • -target <file> specifies the full path for the exported file.
    • -target_pw <password> is the password for the exported file.

Other useful commands

Showing the details for a certificate
  • gsk7cmd -cert -details -db <db> -pw <password> -type <cms | jks | jceks | pkcs12> -label <label>
    • -cert indicates the operation applies to a certificate.
    • -details specifies a details action.
    • -db <db> is the full path for the database.
    • -pw <password> is the password to access the key database.
    • -type <cms | jks | jceks | pkcs12> is the database type.
    • -label <label> is the label for which the details are desired.
Setting a certificate as the default
  • gsk7cmd -cert -setdefault -db <db> -pw <password> -label <label>
    • -cert indicates the operation applies to a certificate.
    • -setdefault specifies a setdefault action.
    • -db <db> is the full path for the database.
    • -pw <password> is the password to access the key database.
    • -type <cms | jks | jceks | pkcs12> is the database type.
    • -label <label> is the label to mark as default in the db.
Listing all certificates in the DB
  • gsk7cmd -cert -list -db <db> -pw <password> -type <cms | jks | jceks | pkcs12>
    • -cert indicates the operation applies to a certificate.
    • -list specifies a list action.
    • -db <db> is the full path for the database.
    • -pw <password> is the password to access the key database.
    • -type <cms | jks | jceks | pkcs12> is the database type.
