HP Operations Manager for Windows

ovcm


NAME

ovcm - manage certificates with the Certificate Server in an HTTPS-based environment.

SYNOPSIS

ovcm -h|-help 
ovcm -version 
ovcm -newcacert [-ni] 
ovcm -importcacert -file <file> [-pass <passphrase>] 
ovcm -exportcacert -file <file> [-pass <passphrase>] 
ovcm -listpending [-l] 
ovcm -grant <reqid> 
ovcm -deny <reqid> 
ovcm -remove <reqid> 
ovcm -issue -file <file> -name <nodename> [-pass <passphrase>] [-coreid <OvCoreId>] [-ca] 
ovcm -genInstKey -file <file> [-context <context>] [-pass <passphrase>]
NOTE:
Do not use the -issue and -genInstKey options on the Windows platform.

DESCRIPTION

You can use the ovcm command to manage certificates with the Certificate Server in an HTTPS-based environment. You can execute tasks, such as creating public/private key pairs for signing certificates and granting and issuing signed certificates and the corresponding private keys against certificate requests from HTTPS nodes.

Parameters

The ovcm command incorporates the following options:

-h|-help
Displays all the command-line options for the ovcm command.

-version
Returns the version of the tool (the component version).

-newcacert [-ni]
Creates a new public/private key pair for signing certificates. If there is already a public/private key pair in use by the certification authority, you are asked whether this should be replaced. Use this option with care! An initial public/private key pair is automatically created when the Certificate Management component is installed.

The -ni non-interactive option creates a new public/private key pair without operator interaction. If a public/private key pair already exists, the request is cancelled.

-importcacert -file <file> [-pass <passphrase>]
Imports a certificate for signing certificate requests together with its private key (both are contained in one file in PKCS12 format). Use this option with care as the existing certificate and private key are replaced. This option is intended for restoring a backup of the current private key/certificate (for example, if the originals are damaged or destroyed) or for setting up a backup system.

Use <file> to specify the name of the file (in PKCS12 format) from which to import.

Use <passphrase> to specify the text string you use to protect the data. If you do not use the -pass option, you are prompted to enter the value of the pass phrase.

-exportcacert -file <file> [-pass <passphrase>]
Exports the certificate and the corresponding private key of the current certification authority to a file. This option is intended to be used for creating backups. The certification authority private key must be handled very carefully because of its importance to the whole communication environment. You should never transmit it over the network or store it in an insecure place.

Use <file> to specify the name of the file where the certificate data should be written to (in PKCS12 format).

Use <passphrase> to specify the text string you use to protect the data. If you do not use the -pass option, you are prompted to enter the value of the pass phrase.

-listPending [-l]
Displays the request IDs of all pending certificate requests.

With the -l option, detailed information on every pending request is listed.

-grant <reqid>
Grants the selected certificate request, and sends a signed certificate to the requesting certificate client.

Changes the state of the pending certificate request with the request ID <reqid> to granted.

-deny <reqid>
Denies the selected certificate request, and sends a message to the requesting certificate client.

Changes the state of the pending certificate request with the request ID <reqid> to denied.

-remove <reqid>
Removes the selected certificate request from the pending pool. No message is sent to the requesting certificate client.

Changes the state of the pending certificate request with the request ID <reqid> to removed.

-issue -file <file> -name <nodename> [-pass <passphrase>] [-coreid <OvCoreId>] [-ca]
Issues a signed certificate and the associated private key for a node, and writes both to the file <file> (in PKCS12 format). You can then move the file to a portable medium, and take it to the corresponding node.

You must specify the <nodename> as additional information.

You can specify the optional <OvCoreId> parameter to specify the unique ID of the certificate. If this parameter is empty, a new OvCoreId value is generated for the certificate.

The <passphrase> parameter is required to protect the generated certificate data. The pass phrase entered is used to calculate an encryption key that is then used to encrypt the generated certificate data. If you do not use the -pass option, you are prompted to enter the value of the pass phrase.

If you use the -ca option, you can use the issued certificate to sign other certificates. This may be necessary if you want to set up a second Certificate Server, which creates certificates that are trusted by all nodes that trust the root Certificate Server.

-genInstKey -file <file> [-context <context>] [-pass <passphrase>]
Creates a new installation key, which, together with some additional information, is stored in the file <file>. You should then transfer the created file securely to the node system.

On the target node, you can use the file to initiate a new certificate request encrypted with the installation key. The certificate server accepts only one request that is encrypted with this key.

The advantage of this approach is that you generate the certificate request (including the private key) on the node system, and can authenticate the system by using the installation key.

You can use the optional parameter <context> to add additional (application-specific) information that is contained in the certificate request.

The <passphrase> parameter is required to protect the generated installation key. The pass phrase you enter is used to calculate an encryption key, which is then used to encrypt the generated installation key. If you do not use the -pass option, you are prompted to enter the value of the pass phrase.

AUTHOR

ovcm was developed by Hewlett-Packard Company.

EXIT STATUS

The following exit values are returned:

0
All steps were successful.

1
One or more steps were not successful.

Corresponding error messages are written to stderr.

EXAMPLES

The following examples show how to use the ovcm command:
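
Added example (not part of the original HP documentation): a PowerShell backup of the certification authority certificate and private key with -exportcacert, omitting -pass so that ovcm prompts for the pass phrase, and checking the exit status described under EXIT STATUS. The directory D:\ca-backup and the file names are placeholders; the script assumes ovcm is on the PATH of an elevated session on the management server.

```powershell
# Added example: back up the CA certificate and private key (PKCS12).
# Assumptions: ovcm is on PATH; D:\ca-backup is a placeholder for a local,
# access-controlled volume (not a network share).
$ErrorActionPreference = 'Stop'

$backupDir = 'D:\ca-backup'
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$p12       = Join-Path $backupDir "ovcm-ca-$stamp.p12"

# Create the directory and restrict it before anything is written, so the
# exported key is never readable by other accounts. SIDs are used instead of
# names so the ACL works on localized Windows installations:
#   S-1-5-32-544 = Administrators, S-1-5-18 = Local System.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
icacls $backupDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

if (Test-Path $p12) { throw "Refusing to overwrite existing backup $p12" }

# No -pass argument: ovcm prompts for the pass phrase, which keeps it out of
# the process command line and the shell history.
& ovcm -exportcacert -file $p12

# ovcm returns 0 on success and 1 if one or more steps failed.
if ($LASTEXITCODE -ne 0) { throw "ovcm -exportcacert failed (exit status $LASTEXITCODE)" }
if (-not (Test-Path $p12) -or (Get-Item $p12).Length -eq 0) {
    throw "ovcm reported success but $p12 is missing or empty"
}

# Record a SHA-256 digest so the file can be verified before it is ever
# restored with ovcm -importcacert.
$hash = Get-FileHash -Path $p12 -Algorithm SHA256
"$($hash.Hash)  $(Split-Path $p12 -Leaf)" | Add-Content (Join-Path $backupDir 'SHA256SUMS.txt')
Write-Output "CA backup written to $p12"
```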

 
