keydelete Command

Purpose

Deletes an object (key, certificate, etc.) identified by the label from a keystore. If the label is ALL, all objects in the keystore are deleted.

Syntax

keydelete [ -S ServiceName ] -l Label [ -p PrivateKeystore ] [ UserName ]

Description

The keydelete command deletes an object (key, certificate, etc.) identified by the Label. If the Label is ALL, all objects are deleted. The -S flag specifies which end-entity services and libraries to use while deleting the objects from the keystore. Available services are defined in /usr/lib/security/pki/ca.cfg. When invoked without -S, keydelete uses the default service, which is local. An error is returned if the specified ServiceName does not have an entry in the /usr/lib/security/pki/ca.cfg file.

The -l flag must be specified. The Label is a variable length text string that is used to map a key in the keystore to the certificate which contains the matching public key. If the Label is ALL, all the objects in the keystore are deleted.

If the -p flag is not given, the user's default keystore file is used. The default keystore location is /var/pki/security/keys/<UserName>.

If no UserName is given, the current user's user name is used. The user is prompted for the password of the keystore.

Flags

Item Description
-S ServiceName Specifies which service module to use.
-l Label Specifies the label of the object to be deleted, or ALL to delete every object in the keystore.
-p PrivateKeystore Specifies the location of the private keystore from which the object is deleted.

Arguments

UserName - Specifies the user whose keystore the object is deleted from. Defaults to the invoker.

Security

This is a privileged (set-UID root) command.

In order to delete objects from a keystore, the user must know the password of the private keystore.

root and invokers belonging to group security are allowed to delete objects from anybody's keystore. However, they can only successfully complete this operation if they know the password to the keystore. A non-privileged user is only allowed to delete objects from the keystore that he owns.

Audit

This command records the following event information:

KEY_Delete <UserName>

Examples

  1. To delete a keystore object with a label signcert from the invoker's default keystore, type:
    keydelete -l signcert
  2. To delete all the objects from the invoker's default keystore, type:
    keydelete -l ALL
  3. To delete a keystore object with a label signcert from the keystore /home/bob/bob.keystore, type:
    keydelete -p /home/bob/bob.keystore -l signcert
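
The following wrapper is an added example and is not part of the AIX man page or of the keydelete command itself. It applies the constraints documented above before handing the arguments to the privileged set-UID command: -l is mandatory, the label ALL wipes the whole keystore, a ServiceName must have an entry in /usr/lib/security/pki/ca.cfg, and an explicit -p path should exist. The -f option, the KEYDELETE_CA_CFG and KEYDELETE_BIN environment variables, and the assumption that each service in ca.cfg is a stanza whose name starts a line followed by a colon are the wrapper's own, added so it can be exercised on a host without keydelete (where it prints the command line instead of running it).

```shell
#!/bin/sh
# Added example: guard wrapper around the AIX keydelete command.
# Not part of the man page; it only validates the documented arguments
# and then invokes keydelete with the same syntax the page shows.
# KEYDELETE_CA_CFG and KEYDELETE_BIN are assumptions of this wrapper
# (defaults are the documented paths); -f is the wrapper's own flag.

# guarded_keydelete [-f] [-S ServiceName] -l Label [-p PrivateKeystore] [UserName]
# Exit status: 0 success (or dry run when keydelete is absent),
#              2 bad arguments, 3 label ALL refused without -f,
#              otherwise keydelete's own exit status.
guarded_keydelete() {
    ca_cfg="${KEYDELETE_CA_CFG:-/usr/lib/security/pki/ca.cfg}"
    bin="${KEYDELETE_BIN:-keydelete}"
    force=0; service=""; keystore=""; user=""; label=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -f) force=1 ;;
            -S|-p|-l)
                [ $# -ge 2 ] || { echo "$1 needs a value" >&2; return 2; }
                case "$1" in
                    -S) service="$2" ;;
                    -p) keystore="$2" ;;
                    -l) label="$2" ;;
                esac
                shift ;;
            -*) echo "unknown option: $1" >&2; return 2 ;;
            *)  # positional UserName, as in the documented syntax
                [ -z "$user" ] || { echo "only one UserName allowed" >&2; return 2; }
                user="$1" ;;
        esac
        shift
    done

    # -l is mandatory: fail here rather than after the password prompt.
    [ -n "$label" ] || { echo "-l Label is required" >&2; return 2; }

    # ALL deletes every object in the keystore; require an explicit opt-in.
    if [ "$label" = "ALL" ] && [ "$force" -ne 1 ]; then
        echo "refusing -l ALL without -f" >&2
        return 3
    fi

    # keydelete errors on a ServiceName with no ca.cfg entry; check first.
    # Assumption: each service is a stanza starting a line as "name:".
    if [ -n "$service" ] && [ -r "$ca_cfg" ]; then
        grep -q "^${service}:" "$ca_cfg" || {
            echo "service '$service' not defined in $ca_cfg" >&2
            return 2
        }
    fi

    # An explicit -p path that does not exist is almost certainly a typo.
    if [ -n "$keystore" ] && [ ! -f "$keystore" ]; then
        echo "keystore '$keystore' not found" >&2
        return 2
    fi

    # Rebuild argv in the documented order:
    # keydelete [ -S ServiceName ] -l Label [ -p PrivateKeystore ] [ UserName ]
    set -- -l "$label"
    if [ -n "$keystore" ]; then set -- "$@" -p "$keystore"; fi
    if [ -n "$service" ]; then set -- -S "$service" "$@"; fi
    if [ -n "$user" ]; then set -- "$@" "$user"; fi

    if command -v "$bin" >/dev/null 2>&1; then
        "$bin" "$@"          # keydelete prompts for the keystore password
    else
        echo "dry run (keydelete not on this host): $bin $*"
        return 0
    fi
}

# Stand-alone use: sh guard.sh -l signcert   or   sh guard.sh -f -l ALL bob
if [ $# -gt 0 ]; then
    guarded_keydelete "$@"
fi
```

The service check matches the stanza name as a regular expression anchored at the start of a line, which is fine for names such as local but would need escaping for names containing regex metacharacters. The -p existence check is only a sanity check: because keydelete is set-UID root, the wrapper's own permissions say nothing about whether the deletion will be authorized, and root or members of group security still need the keystore password to complete it.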

Files

/usr/lib/security/pki/ca.cfg