NAME
    ovcm - manage certificates with the Certificate Server in an HTTPS-based environment.

SYNOPSIS
    ovcm -h|-help
    ovcm -version
    ovcm -newcacert [-ni]
    ovcm -importcacert -file <file> [-pass <passphrase>]
    ovcm -exportcacert -file <file> [-pass <passphrase>]
    ovcm -listpending [-l]
    ovcm -grant <reqid>
    ovcm -deny <reqid>
    ovcm -remove <reqid>
    ovcm -issue -file <file> -name <nodename> [-pass <passphrase>] [-coreid <OvCoreId>] [-ca]
    ovcm -genInstKey -file <file> [-context <context>] [-pass <passphrase>]

    -issue and -genInstKey options on the Windows platform.

DESCRIPTION
    You can use the ovcm command to manage certificates with the Certificate Server in an HTTPS-based environment. You can execute tasks, such as creating public/private key pairs for signing certificates and granting and issuing signed certificates and the corresponding private keys against certificate requests from HTTPS nodes.

Parameters
    The ovcm command incorporates the following options:

    -h|-help
        ovcm command.

    -version

    -newcacert [-ni]
        The -ni non-interactive option creates a new public/private key pair without operator interaction. If a public/private key pair already exists, the request is cancelled.

    -importcacert -file <file> [-pass <passphrase>]
        Use <file> to specify the name of the file (in PKCS12 format) from which to import.

        Use <passphrase> to specify the text string you use to protect the data. If you do not use the -pass option, you are prompted to enter the value of the pass phrase.

    -exportcacert -file <file> [-pass <passphrase>]
        Use <file> to specify the name of the file where the certificate data should be written to (in PKCS12 format).

        Use <passphrase> to specify the text string you use to protect the data. If you do not use the -pass option, you are prompted to enter the value of the pass phrase.

    -listpending [-l]
        With the -l option, detailed information on every pending request is listed.

    -grant <reqid>
        Changes the state of the pending certificate request with the request ID <reqid> to granted.

    -deny <reqid>
        Changes the state of the pending certificate request with the request ID <reqid> to denied.

    -remove <reqid>
        Changes the state of the pending certificate request with the request ID <reqid> to removed.

    -issue -file <file> -name <nodename> [-pass <passphrase>] [-coreid <OvCoreId>] [-ca]
        <file> (in PKCS12 format). You can then move the file to a portable medium, and take it to the corresponding node.

        You must specify the <nodename> as additional information.

        You can use the optional <OvCoreId> parameter to specify the unique ID of the certificate. If this parameter is empty, a new OvCoreId value is generated for the certificate.

        The <passphrase> parameter is required to protect the generated certificate data. The pass phrase entered is used to calculate an encryption key that is then used to encrypt the generated certificate data. If you do not use the -pass option, you are prompted to enter the value of the pass phrase.

        If you use the -ca option, you can use the issued certificate to sign other certificates. This may be necessary if you want to set up a second Certificate Server, which creates certificates that are trusted by all nodes that trust the root Certificate Server.

    -genInstKey -file <file> [-context <context>] [-pass <passphrase>]
        <file>. You should then transfer the created file securely to the node system.

        On the target node, you can use the file to initiate a new certificate request encrypted with the installation key. The certificate server accepts only one request that is encrypted with this key.

        The advantage of this approach is that you generate the certificate request (including the private key) on the node system, and can authenticate the system by using the installation key.

        You can use the optional parameter <context> to add additional (application-specific) information that is contained in the certificate request.

        The <passphrase> parameter is required to protect the generated installation key. The pass phrase you enter is used to calculate an encryption key, which is then used to encrypt the generated installation key. If you do not use the -pass option, you are prompted to enter the value of the pass phrase.

AUTHOR
    ovcm was developed by Hewlett-Packard Company.

EXIT STATUS
    The following exit values are returned:

    Corresponding error messages are written to stderr.

EXAMPLES
    The following examples show how to use the ovcm command:

        ovcm -newcacert

    <reqid> and send a signed certificate to the requesting certificate client:

        ovcm -grant <reqid>
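
The file written by -issue is in PKCS12 format and holds a private key, so the way it is created matters as much as the pass phrase. The wrapper below is an added example, not part of the ovcm documentation or of HP's tooling: issue_node_cert is a hypothetical helper name, the host-name check on <nodename> is an assumption, and only options shown on this page are passed to ovcm.

```shell
#!/bin/sh
# Added example (not from the ovcm documentation): guarded `ovcm -issue`.
# issue_node_cert is a hypothetical helper; only flags shown on this page are used.

issue_node_cert() {
    # usage: issue_node_cert <nodename> <outfile> [<OvCoreId>]
    nodename=$1
    outfile=$2
    coreid=${3:-}

    if [ -z "$nodename" ] || [ -z "$outfile" ]; then
        echo "usage: issue_node_cert <nodename> <outfile> [<OvCoreId>]" >&2
        return 2
    fi
    # Assumption: node names are host names. Rejecting anything else also
    # stops a value such as "-ca" from being read as an option.
    case $nodename in
        -*|*[!A-Za-z0-9.-]*)
            echo "invalid node name: $nodename" >&2
            return 2 ;;
    esac
    # Never overwrite an existing key bundle.
    if [ -e "$outfile" ]; then
        echo "refusing to overwrite $outfile" >&2
        return 3
    fi

    (
        # The PKCS12 file carries the node's private key, so create it
        # readable by the current user only.
        umask 077
        # -pass is omitted on purpose: ovcm then prompts for the pass phrase,
        # which keeps it out of the process list and the shell history.
        if [ -n "$coreid" ]; then
            ovcm -issue -file "$outfile" -name "$nodename" -coreid "$coreid"
        else
            ovcm -issue -file "$outfile" -name "$nodename"
        fi
    ) || return 1

    if [ ! -f "$outfile" ]; then
        echo "ovcm did not create $outfile" >&2
        return 1
    fi
    # Set the mode explicitly in case the file was created more permissively.
    chmod 600 "$outfile"
}
```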