• Home
• com.unboundid
• unboundid-ldapsdk
• 6.0.11
• source code

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

.unboundid-ldapsdk.6.0.11.source-code.unboundid-ldapsdk-cert.properties Maven / Gradle / Ivy

# Copyright 2017-2023 Ping Identity Corporation
# All Rights Reserved.
#
# -----
#
# Copyright 2017-2023 Ping Identity Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# -----
#
# Copyright (C) 2017-2023 Ping Identity Corporation
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License (GPLv2 only)
# or the terms of the GNU Lesser General Public License (LGPLv2.1 only)
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, see .


# The fully-qualified name of the class to create.
class.name=com.unboundid.util.ssl.cert.CertMessages

ERR_CERT_ENCODE_ERROR=An error occurred while attempting to encode X.509 \
  certificate {0} using the provided information:  {1}
ERR_CERT_ENCODE_NAME_CANNOT_GET_SCHEMA=Unable to encoded DN ''{0}'' for \
  inclusion in an encoded X.509 certificate because an error occurred while \
  trying to get the default standard schema:  {1}
ERR_CERT_ENCODE_NAME_UNKNOWN_ATTR_TYPE=Unable to encode DN ''{0}'' for \
  inclusion in an encoded X.509 certificate because it includes attribute \
  ''{1}'' that is not defined in the default standard schema.
ERR_CERT_ENCODE_NAME_ERROR=Unable to encode DN ''{0}'' for inclusion in an \
  encoded X.509 certificate:  {1}
ERR_CERT_DECODE_NOT_SEQUENCE=Unable to decode the provided byte array \
  as an X.509 certificate because the contents of the array could not be \
  parsed as a DER sequence:  {0}
ERR_CERT_DECODE_UNEXPECTED_SEQUENCE_ELEMENT_COUNT=Unable to decode the \
  provided byte array as an X.509 certificate because the DER sequence \
  contained {0,number,0}, which is different from the three elements \
  (tbsCertificate, signatureAlgorithm, and signatureValue) that were expected.
ERR_CERT_DECODE_FIRST_ELEMENT_NOT_SEQUENCE=Unable to decode the provided \
  byte array as an X.509 certificate because the first element of the DER \
  sequence (expected to be the tbsCertificate element) could not itself be \
  parsed as a DER sequence:  {0}
ERR_CERT_DECODE_CANNOT_PARSE_VERSION=Unable to decode the provided byte \
  array as an X.509 certificate because an error was encountered while trying \
  to parse the X.509 certificate version as an integer:  {0}
ERR_CERT_DECODE_UNSUPPORTED_VERSION=Unable to decode the provided byte array \
  as an X.509 certificate because it appears to have a version number of \
  {0,number,0}, which not a supported version.  Only versions 1, 2, and 3 are \
  supported.
ERR_CERT_DECODE_CANNOT_PARSE_SERIAL_NUMBER=Unable to decode the provided byte \
  array as an X.509 certificate because an error was encountered while trying \
  to parse the serial number as an integer:  {0}
ERR_CERT_DECODE_CANNOT_PARSE_SIG_ALG=Unable to decode the provided byte \
  array as an X.509 certificate because an error was encountered while trying \
  to parse the signature algorithm:  {0}
ERR_CERT_DECODE_CANNOT_PARSE_ISSUER_DN=Unable to decode the provided byte \
  array as an X.509 certificate because an error was encountered while trying \
  to parse the issuer DN:  {0}
ERR_CERT_DECODE_NOT_BEFORE_UNEXPECTED_TYPE=Unable to decode the provided byte \
  array as an X.509 certificate because the notBefore element had an \
  unexpected BER type of {0}, which does not match the universal BER type for \
  either a UTC time ({1}) or generalized time ({2}) element.
ERR_CERT_DECODE_NOT_AFTER_UNEXPECTED_TYPE=Unable to decode the provided byte \
  array as an X.509 certificate because the notAfter element had an \
  unexpected BER type of {0}, which does not match the universal BER type for \
  either a UTC time ({1}) or generalized time ({2}) element.
ERR_CERT_DECODE_COULD_NOT_PARSE_VALIDITY=Unable to decode the provided byte \
  array as an X.509 certificate because an error occurred while trying to \
  parse the validity sequence:  {0}
ERR_CERT_DECODE_CANNOT_PARSE_SUBJECT_DN=Unable to decode the provided byte \
  array as an X.509 certificate because an error was encountered while trying \
  to parse the subject DN:  {0}
ERR_CERT_DECODE_CANNOT_PARSE_PUBLIC_KEY_INFO=Unable to decode the provided \
  byte array as an X.509 certificate because an error occurred while trying \
  to parse the subject public key info element:  {0}
ERR_CERT_DECODE_CANNOT_PARSE_ISSUER_UNIQUE_ID=Unable to decode the provided \
  byte array as an X.509 certificate because an error occurred while trying \
  to parse the issuer unique ID element:  {0}
ERR_CERT_DECODE_CANNOT_PARSE_SUBJECT_UNIQUE_ID=Unable to decode the provided \
  byte array as an X.509 certificate because an error occurred while trying \
  to parse the subject unique ID element:  {0}
ERR_CERT_DECODE_CANNOT_PARSE_EXTENSION=Unable to decode the provided byte \
  array as an X.509 certificate because an error occurred while trying to \
  parse the set of certificate extensions:  {0}
ERR_CERT_DECODE_SIG_ALG_MISMATCH=Unable to decode the provided byte array as \
  an X.509 certificate because there is a mismatch between the signature \
  algorithm contained in the tbsCertificate sequence ({0}) and the signature \
  algorithm contained in the outer certificate sequence ({1}).  These \
  signature algorithms must match.
ERR_CERT_DECODE_CANNOT_PARSE_SIG_VALUE=Unable to decode the provided byte \
  array as an X.509 certificate because an error occurred while trying to \
  parse the signature value:  {0}
ERR_CERT_GEN_SELF_SIGNED_CANNOT_GET_KEY_GENERATOR=Unable to get a key \
  generator instance for the ''{0}'' public key algorithm:  {1}
ERR_CERT_GEN_SELF_SIGNED_INVALID_KEY_SIZE=Unable to use a key size of \
  {0,number,0} bits with the ''{1}'' key algorithm:  {2}
ERR_CERT_GEN_SELF_SIGNED_CANNOT_GENERATE_KEY_PAIR=An error occurred while \
  attempting to generate the {0,number,0}-bit {1} key pair for the \
  certificate:  {2}
ERR_CERT_GEN_SELF_SIGNED_CANNOT_PARSE_KEY_PAIR=An error occurred while \
  attempting to parse the key pair to get the public key elements and \
  construct a subject key identifier:  {0}
ERR_CERT_GEN_ISSUER_SIGNED_CANNOT_GENERATE_KEY_ID=An error occurred while \
  attempting to generate a subject key identifier for the certificate:  {0}
ERR_CERT_GEN_SIGNATURE_CANNOT_GET_SIGNATURE_GENERATOR=Unable to get a \
  signature generator for the ''{0}'' signature algorithm:  {1}
ERR_CERT_GEN_SIGNATURE_CANNOT_INIT_SIGNATURE_GENERATOR=Unable to initialize \
  the ''{0}'' signature generator with the provided private key:  {1}
ERR_CERT_GEN_SIGNATURE_CANNOT_COMPUTE=An error occurred while attempting to \
  compute the ''{0}'' signature for the certificate:  {1}
ERR_CERT_DECODE_NAME_NOT_SEQUENCE=An error occurred while trying to parse the \
  name as an RDN sequence:  {0}
ERR_CERT_DECODE_CANNOT_PARSE_NAME_SEQUENCE_ELEMENT=An error occurred while \
  trying to parse RDN element {0,number,0} in the name sequence:  {1}
ERR_CERT_VERIFY_SIGNATURE_ISSUER_CERT_NOT_PROVIDED=ERROR:  Unable to verify \
  the certificate signature because the certificate is not self-signed and no \
  issuer certificate was provided.
ERR_CERT_VERIFY_SIGNATURE_CANNOT_GET_PUBLIC_KEY=ERROR:  Unable to verify the \
  certificate signature because an error occurred while attempting to get the \
  public key from the issuer certificate:  {0}
ERR_CERT_VERIFY_SIGNATURE_CANNOT_GET_SIGNATURE_VERIFIER=Unable verify the \
  certificate signature because an error occurred while trying to get a \
  signature verifier for the ''{0}'' signature algorithm:  {1}
ERR_CERT_VERIFY_SIGNATURE_CANNOT_INIT_SIGNATURE_VERIFIER=Unable to initialize \
  the ''{0}'' signature verifier with the issuer certificate''s public key:  \
  {1}
ERR_CERT_VERIFY_SIGNATURE_NOT_VALID=ERROR:  Certificate ''{0}'' has an \
  invalid signature.
ERR_CERT_VERIFY_SIGNATURE_ERROR=ERROR:  An error occurred while attempting to \
  verify the signature for certificate ''{0}'':  {1}
ERR_CERT_CANNOT_COMPUTE_FINGERPRINT=An error occurred while trying to \
  compute a {0} fingerprint of the certificate:  {1}
INFO_CERT_IS_ISSUER_FOR_DN_MISMATCH=The certificate with subject DN ''{0}'' \
  is not the issuer for certificate with subject DN ''{1}'' because that \
  certificate has an issuer DN of ''{2}''.
INFO_CERT_IS_ISSUER_FOR_KEY_ID_MISMATCH=The certificate with subject DN \
  ''{0}'' is not the issuer for certificate with subject DN ''{1}'' because \
  the authority key identifier for certificate ''{1}'' does not match the \
  subject key identifier for certificate ''{0}''.
ERR_CSR_DECODE_NOT_SEQUENCE=Unable to decode the provided byte array \
  as a PKCS #10 certificate signing request because the contents of the array \
  could not be parsed as a DER sequence:  {0}
ERR_CSR_DECODE_UNEXPECTED_SEQUENCE_ELEMENT_COUNT=Unable to decode the \
  provided byte array as a PKCS #10 certificate signing request because the \
  DER sequence contained {0,number,0}, which is different from the three \
  elements (CertificationRequestInfo, SignatureAlgorithm, and Signature) that \
  were expected.
ERR_CSR_DECODE_FIRST_ELEMENT_NOT_SEQUENCE=Unable to decode the provided \
  byte array as a PKCS #10 certificate signing request because the first \
  element of the DER sequence (expected to be the CertificationRequestInfo \
  element) could not itself be parsed as a DER sequence:  {0}
ERR_CSR_DECODE_CANNOT_PARSE_VERSION=Unable to decode the provided byte \
  array as a PKCS #10 certificate signing request because an error was \
  encountered while trying to parse the version element as an integer:  {0}
ERR_CSR_DECODE_UNSUPPORTED_VERSION=Unable to decode the provided byte array \
  as a PKCS #10 certificate signing request because it appears to have a \
  version number of {0,number,0}, which not a supported version.  Only \
  versions 1 is supported.
ERR_CSR_DECODE_CANNOT_PARSE_SUBJECT_DN=Unable to decode the provided byte \
  array as a PKCS #10 certificate signing request because an error was \
  encountered while trying to parse the subject DN:  {0}
ERR_CSR_DECODE_CANNOT_PARSE_PUBLIC_KEY_INFO=Unable to decode the provided \
  byte array as a PKCS #10 certificate signing request because an error \
  occurred while trying to parse the subject public key info element:  {0}
ERR_CSR_DECODE_CANNOT_PARSE_ATTRS=Unable to decode the provided \
  byte array as a PKCS #10 certificate signing request because an error \
  occurred while trying to parse the request attributes:  {0}
ERR_CSR_DECODE_CANNOT_PARSE_EXT_ATTR=Unable to decode the provided \
  byte array as a PKCS #10 certificate signing request because an error \
  occurred while trying to parse a request attribute with OID {0} as an X.509 \
  certificate extension:  {1}
ERR_CSR_DECODE_CANNOT_PARSE_SIG_ALG=Unable to decode the provided byte \
  array as a PKCS #10 certificate signing request because an error was \
  encountered while trying to parse the signature algorithm:  {0}
ERR_CSR_DECODE_CANNOT_PARSE_SIG_VALUE=Unable to decode the provided byte \
  array as a PKCS #10 certificate signing request because an error occurred \
  while trying to parse the signature value:  {0}
ERR_CSR_ENCODE_ERROR=An error occurred while attempting to encode PKCS #10 \
  certificate signing request {0} using the provided information:  {1}
ERR_CSR_GEN_CANNOT_PARSE_KEY_PAIR=An error occurred while attempting to parse \
  the generated key pair to get the public key elements:  {0}
ERR_CSR_GEN_SIGNATURE_CANNOT_GET_SIGNATURE_GENERATOR=Unable to get a \
  signature generator for the ''{0}'' signature algorithm:  {1}
ERR_CSR_GEN_SIGNATURE_CANNOT_INIT_SIGNATURE_GENERATOR=Unable to initialize \
  the ''{0}'' signature generator with the provided private key:  {1}
ERR_CSR_GEN_SIGNATURE_CANNOT_COMPUTE=An error occurred while attempting to \
  compute the ''{0}'' signature for the certificate signing request:  {1}
ERR_CSR_VERIFY_SIGNATURE_CANNOT_GET_PUBLIC_KEY=Unable to verify the \
  certificate signing request signature because an error occurred while \
  attempting to parse the request''s public key:  {0}
ERR_CSR_VERIFY_SIGNATURE_CANNOT_GET_SIGNATURE_VERIFIER=Unable to verify the \
  certificate signing request signature because an error occurred while \
  attempting to get a signature verifier for the ''{0}'' signature \
  algorithm:  {1}
ERR_CSR_VERIFY_SIGNATURE_CANNOT_INIT_SIGNATURE_VERIFIER=Unable to verify the \
  certificate signing request signature because an error occurred while \
  attempting to initialize the ''{0}'' signature verifier with the request''s \
  public key:  {1}
ERR_CSR_VERIFY_SIGNATURE_NOT_VALID=ERROR:  The certificate signing request \
  with subject ''{0}'' has an invalid signature.
ERR_CSR_VERIFY_SIGNATURE_ERROR=ERROR:  An error occurred while attempting to \
  verify the signature for the certificate signing request with subject \
  ''{0}'':  {1}
ERR_PRIVATE_KEY_DECODE_NOT_SEQUENCE=Unable to decode the provided byte array \
  as a PKCS #8 private key because the contents of the array could not be \
  parsed as a DER sequence:  {0}
ERR_PRIVATE_KEY_DECODE_NOT_ENOUGH_ELEMENTS=Unable to decode the provided byte \
  array as a PKCS #8 private key because the private key sequence only had \
  {0,number,0} elements, while the sequence should have a minimum of three \
  elements.
ERR_PRIVATE_KEY_DECODE_CANNOT_PARSE_VERSION=Unable to decode the provided \
  byte array as a PKCS #8 private key because an error occurred while trying \
  to parse the private key version:  {0}
ERR_PRIVATE_KEY_DECODE_UNSUPPORTED_VERSION=Unable to decode the provided byte \
  array as a PKCS #8 private key because it appears to have a version number \
  of {0,number,0}, which is not a supported version.  Only versions 1 and 2 \
  are supported.
ERR_PRIVATE_KEY_DECODE_CANNOT_PARSE_ALGORITHM=Unable to decode the provided \
  byte array as a PKCS #8 private key because an error occurred while trying \
  to parse the private key algorithm:  {0}
ERR_PRIVATE_KEY_DECODE_CANNOT_PARSE_PUBLIC_KEY=Unable to decode the provided \
  byte array as a PKCS #8 private key because an error occurred while trying \
  to parse the public key:  {0}
ERR_PRIVATE_KEY_WRAP_RSA_KEY_ERROR=An error occurred while trying to wrap an \
  RSA private key in a PKCS #8 private key envelope:  {0}
ERR_PRIVATE_KEY_ENCODE_ERROR=An error occurred while trying to encode PKCS #8 \
  private key {0}:  {1}
ERR_EXTENSION_DECODE_ERROR=An error occurred while trying to decode an ASN.1 \
  element as an X.509 certificate extension:  {0}
ERR_EXTENSION_ENCODE_ERROR=Unable to encode X.509 certificate extension \
  {0}:  {1}
ERR_AUTHORITY_KEY_ID_EXTENSION_CANNOT_PARSE=Unable to parse the provided \
  X.509 certificate extension {0} as an authority key identifier extension:  \
  {1}
INFO_AUTHORITY_KEY_ID_EXTENSION_NAME=Authority Key Identifier
ERR_KEY_USAGE_EXTENSION_CANNOT_PARSE=Unable to parse the provided X.509 \
  certificate extension {0} as key usage extension:  {1}
INFO_KEY_USAGE_EXTENSION_NAME=Key Usage
ERR_SUBJECT_KEY_ID_EXTENSION_CANNOT_PARSE=Unable to parse the provided X.509 \
  certificate extension {0} as a subject key identifier extension:  {1}
INFO_SUBJECT_KEY_IDENTIFIER_EXTENSION_NAME=Subject Key Identifier
ERR_GENERAL_NAMES_CANNOT_PARSE=Unable to parse the provided element as a \
  general names element:  {0}
ERR_GENERAL_NAMES_CANNOT_ENCODE=An error occurred while trying to encode \
  general names element {0}:  {1}
ERR_GENERAL_ALT_NAME_EXTENSION_CANNOT_PARSE=Unable to parse the provided \
  X.509 certificate extension {0} as an extension of type {1}:  {2}
INFO_SUBJECT_ALT_NAME_EXTENSION_NAME=Subject Alternative Name
INFO_ISSUER_ALT_NAME_EXTENSION_NAME=Issuer Alternative Name
ERR_BASIC_CONSTRAINTS_EXTENSION_CANNOT_PARSE=Unable to parse the provided \
  X.509 certificate extension {0} as a basic constraints extension:  {1}
INFO_BASIC_CONSTRAINTS_EXTENSION_NAME=Basic Constraints
ERR_EXTENDED_KEY_USAGE_EXTENSION_CANNOT_PARSE=Unable to parse the provided \
  X.509 certificate extension {0} as an extended key usage extension:  {1}
ERR_EXTENDED_KEY_USAGE_EXTENSION_CANNOT_ENCODE=An error occurred while trying \
  to encode the value of an extended key usage extension with key usage IDs \
  {0}:  {1}
INFO_EXTENDED_KEY_USAGE_EXTENSION_NAME=Extended Key Usage
INFO_EXTENDED_KEY_USAGE_ID_TLS_SERVER_AUTHENTICATION=TLS Server Authentication
INFO_EXTENDED_KEY_USAGE_ID_TLS_CLIENT_AUTHENTICATION=TLS Client Authentication
INFO_EXTENDED_KEY_USAGE_ID_CODE_SIGNING=Code Signing
INFO_EXTENDED_KEY_USAGE_ID_EMAIL_PROTECTION=Email Protection
INFO_EXTENDED_KEY_USAGE_ID_TIME_STAMPING=Time Stamping
INFO_EXTENDED_KEY_USAGE_ID_OCSP_SIGNING=OCSP Signing
ERR_CRL_DP_UNRECOGNIZED_NAME_ELEMENT_TYPE=Unable to decode the provided ASN.1 \
  element as a CRL distribution point because the distributionPoint element \
  had a nested element with an unexpected DER type of {0}.
ERR_CRL_DP_CANNOT_DECODE=Unable to decode the provided ASN.1 element as a CRL \
  distribution point:  {0}
ERR_CRL_DP_ENCODE_CANNOT_GET_SCHEMA=Unable to encode CRL distribution point \
  {0} because an error occurred while trying to get the default standard \
  schema for use in encoding nameRelativeToCRLIssuer value ''{1}'':  {2}
ERR_CRL_DP_ENCODE_UNKNOWN_ATTR_TYPE=Unable to encode CRL distribution point \
  {0} because nameRelativeToCRLIssuer value ''{1}'' includes attribute type \
  ''{2}'' that is not defined in the default standard schema.
ERR_CRL_DP_ENCODE_ERROR=Unable to encode CRL distribution point {0} because \
  an error occurred while trying to encode nameRelativeToCRLIssuer value \
  ''{1}'':  {2}
ERR_CRL_DP_EXTENSION_CANNOT_PARSE=Unable to parse the provided X.509 \
  certificate extension {0} as a CRL distribution points extension:  {1}
INFO_CRL_DP_EXTENSION_NAME=CRL Distribution Points
ERR_RSA_PUBLIC_KEY_CANNOT_DECODE=Unable to decode the X.509 certificate \
  public key as an RSA public key:  {0}
ERR_RSA_PRIVATE_KEY_UNSUPPORTED_VERSION=Unable to decode the PKCS #8 private \
  key as an RSA private key because it has an unsupported version of \
  {0,number,0}.  Only versions 0 and 1 are supported.
ERR_RSA_PRIVATE_KEY_CANNOT_DECODE=Unable to decode the PKCS #8 private key \
  as an RSA private key:  {0}
ERR_EC_PUBLIC_KEY_PARSE_UNEXPECTED_UNCOMPRESSED_FIRST_BYTE=Unable to decode \
  the X.509 certificate public key as an elliptic curve public key because \
  the public key has a size of {0,number,0} bytes, indicating that it uses \
  the uncompressed form of the point, but the value of the first byte is {1} \
  rather than the expected value of 04.
ERR_EC_PUBLIC_KEY_PARSE_UNEXPECTED_COMPRESSED_FIRST_BYTE=Unable to decode \
  the X.509 certificate public key as an elliptic curve public key because \
  the public key has a size of {0,number,0} bytes, indicating that it uses \
  the compressed form of the point, but the value of the first byte is {1} \
  rather than the expected value of 02 (to indicate that the y coordinate is \
  even) or 0x03 (to indicate that the y coordinate is odd).
ERR_EC_PUBLIC_KEY_PARSE_UNEXPECTED_SIZE=Unable to decode the X.509 \
  certificate public key as an elliptic curve public key because the public \
  key has a size of {0,number,0} bytes, which does not match the expected \
  size for a 256-bit or 384-bit compressed or uncompressed elliptic curve \
  public key.
ERR_EC_PUBLIC_KEY_PARSE_ERROR=Unable to decode the X.509 certificate \
  public key as an elliptic curve public key:  {0}
ERR_EC_PUBLIC_KEY_ENCODE_X_TOO_LARGE=Unable to encode elliptic curve public \
  key {0} because the x coordinate value requires {1,number,0} bytes to \
  encode, which is larger than the maximum allowed size of 32 bytes.
ERR_EC_PUBLIC_KEY_ENCODE_Y_TOO_LARGE=Unable to encode elliptic curve public \
  key {0} because the y coordinate value requires {1,number,0} bytes to \
  encode, which is larger than the maximum allowed size of 32 bytes.
ERR_EC_PRIVATE_KEY_UNSUPPORTED_VERSION=Unable to decode the PKCS #8 private \
  key as an elliptic curve private key because it has an unsupported version \
  of {0,number,0}.  Only version 1 is supported.
ERR_EC_PRIVATE_KEY_CANNOT_DECODE=Unable to decode the PKCS #8 private key \
  as an elliptic curve private key:  {0}
ERR_EC_PRIVATE_KEY_CANNOT_ENCODE=An error occurred while trying to encode \
  elliptic curve private key {0}:  {1}
ERR_MANAGE_CERTS_SECURITY_MANAGER_EXIT_NOT_ALLOWED=VM exit is not allowed.
INFO_MANAGE_CERTS_TOOL_DESC=Manage certificates and private keys in a JKS, \
  PKCS #12, PKCS #11, or BCFKS key store.
INFO_MANAGE_CERTS_PLACEHOLDER_ALIAS='{'alias'}'
INFO_MANAGE_CERTS_PLACEHOLDER_BITS='{'bits'}'
INFO_MANAGE_CERTS_PLACEHOLDER_FORMAT='{'format'}'
INFO_MANAGE_CERTS_PLACEHOLDER_HOST='{'host'}'
INFO_MANAGE_CERTS_PLACEHOLDER_IP='{'ipAddress'}'
INFO_MANAGE_CERTS_PLACEHOLDER_NAME='{'name'}'
INFO_MANAGE_CERTS_PLACEHOLDER_OID='{'oid'}'
INFO_MANAGE_CERTS_PLACEHOLDER_PASSWORD='{'password'}'
INFO_MANAGE_CERTS_PLACEHOLDER_PORT='{'port'}'
INFO_MANAGE_CERTS_PLACEHOLDER_TYPE='{'type'}'
INFO_MANAGE_CERTS_PLACEHOLDER_TIMESTAMP='{'YYYYMMDDhhmmss'}'
INFO_MANAGE_CERTS_PLACEHOLDER_URI='{'uri'}'
INFO_MANAGE_CERTS_SC_LIST_CERTS_DESC=Displays a list of some or all of the \
  certificates in a key store.
INFO_MANAGE_CERTS_SC_LIST_CERTS_ARG_KS_DESC=The path to the key store file \
  containing the certificates to list.  Either this argument or the \
  --useJVMDefaultTrustStore argument must be provided, and if this argument \
  is given, then the specified file must exist.
INFO_MANAGE_CERTS_SC_LIST_CERTS_ARG_JVM_DEFAULT_DESC=List certificates from \
  the JVM-default trust store ({0}).
INFO_MANAGE_CERTS_SC_LIST_CERTS_ARG_KS_PW_DESC=The password (also called a \
  passphrase or PIN) needed to access the contents of the key store.  A \
  key store password is optional for some key store types, but may be \
  required for others.
INFO_MANAGE_CERTS_SC_LIST_CERTS_ARG_KS_PW_FILE_DESC=The path to a file \
  containing the password needed to access the contents of the key store.  A \
  key store password is optional for some key store types, but may be \
  required for others.  If a key store password file is supplied, then the \
  file must exist, must contain only one line, and that line must consist \
  only of the clear-text key store password.
INFO_MANAGE_CERTS_SC_LIST_CERTS_ARG_PROMPT_FOR_KS_PW_DESC=Interactively \
  prompt for the key store password.  A key store password is optional for \
  some key store types, but may be required for others.
INFO_MANAGE_CERTS_SC_LIST_CERTS_ARG_KS_TYPE_DESC=The key store type for the \
  key store.  This is usually not necessary when listing certificates, but it \
  may be required in some cases (for example, when listing the certificates \
  in a BCFKS key store when not operating in FIPS 140-2-compliant mode).  The \
  value must be one of ''JKS'' (for the Java Key Store format), ''PKCS12'' \
  (for the standard PKCS #12 format), ''PKCS11'' (for PKCS #11 tokens), or \
  ''BCFKS'' (for the Bouncy Castle FIPS 140-2-compliant Key Store format).  \
  If this is not provided, then an attempt will be made to automatically \
  infer the correct key store type.
INFO_MANAGE_CERTS_SC_LIST_CERTS_ARG_ALIAS_DESC=The alias (also called a \
  nickname) of a certificate to include in the output.  This argument may be \
  provided multiple times to identify multiple certificates to include.  If \
  this argument is provided, then only the listed certificates will be \
  displayed.  If this argument is omitted, then all certificates will be \
  listed.
INFO_MANAGE_CERTS_SC_LIST_CERTS_ARG_DISPLAY_PEM_DESC=Include a PEM-encoded \
  representation of each certificate in the output.
INFO_MANAGE_CERTS_SC_LIST_CERTS_ARG_VERBOSE_DESC=Display verbose information \
  about each of the certificates.  If this argument is not provided, then the \
  listing will only include basic summary information for each certificate, \
  including its subject and issuer DNs, validity start and end times, and \
  fingerprints.  If this argument is provided, then additional information, \
  including the X.509 certificate version, serial number, signature algorithm \
  and value, public key algorithm and content, and extensions, will also be \
  included.
INFO_MANAGE_CERTS_SC_LIST_CERTS_ARG_DISPLAY_COMMAND_DESC=Display a command \
  that can be invoked to achieve a similar result with the Java keytool \
  utility.  Note that this may just be an approximation, since the \
  manage-certificates and keytool utilities do not provide exactly the same \
  sets of functionality.
INFO_MANAGE_CERTS_SC_LIST_CERTS_EXAMPLE_1=Display basic information about \
  all of the certificates in the ''{0}'' key store file.
INFO_MANAGE_CERTS_SC_LIST_CERTS_EXAMPLE_2=Display verbose information about \
  the ''server-cert'' certificate in the ''{0}'' key store file, whose \
  contents are protected by a password contained in the ''{1}'' file.  It \
  will also display a command that can be used to accomplish a similar result \
  using the Java keytool utility, along with a PEM-encoded representation of \
  the certificate.
INFO_MANAGE_CERTS_SC_LIST_CERTS_EXAMPLE_3=Display basic information about \
  all of the certificates in the JVM''s default trust store file.
INFO_MANAGE_CERTS_SC_EXPORT_CERT_DESC=Exports a certificate or certificate \
  chain from a key store.
INFO_MANAGE_CERTS_SC_EXPORT_CERT_ARG_KS_DESC=The path to the key store file \
  containing the certificates to export.  This is required, and the key store \
  file must exist.
INFO_MANAGE_CERTS_SC_EXPORT_CERTS_ARG_JVM_DEFAULT_DESC=Export certificates \
  from the JVM-default trust store ({0}).
INFO_MANAGE_CERTS_SC_EXPORT_CERT_ARG_KS_PW_DESC=The password (also called a \
  passphrase or PIN) needed to access the contents of the key store.  A \
  key store password is optional for some key store types, but may be \
  required for others.
INFO_MANAGE_CERTS_SC_EXPORT_CERT_ARG_KS_PW_FILE_DESC=The path to a file \
  containing the password needed to access the contents of the key store.  A \
  key store password is optional for some key store types, but may be \
  required for others.  If a key store password file is supplied, then the \
  file must exist, must contain only one line, and that line must consist \
  only of the clear-text key store password.
INFO_MANAGE_CERTS_SC_EXPORT_CERT_ARG_PROMPT_FOR_KS_PW_DESC=Interactively \
  prompt for the key store password.  A key store password is optional for \
  some key store types, but may be required for others.
INFO_MANAGE_CERTS_SC_EXPORT_CERT_ARG_KS_TYPE_DESC=The key store type for the \
  key store.  This is usually not necessary when exporting certificates, but \
  it may be required in some cases (for example, when listing the \
  certificates in a BCFKS key store when not operating in FIPS \
  140-2-compliant mode).  The value must be one of ''JKS'' (for the Java Key \
  Store format), ''PKCS12'' (for the standard PKCS #12 format), ''PKCS11'' \
  (for PKCS #11 tokens), or ''BCFKS'' (for the Bouncy Castle FIPS \
  140-2-compliant key store format).  If this is not provided, then an \
  attempt will be made to automatically infer the correct key store type.
INFO_MANAGE_CERTS_SC_EXPORT_CERT_ARG_ALIAS_DESC=The alias (also called a \
  nickname) of the certificate to export.  This is required, and it may only \
  be provided once.
INFO_MANAGE_CERTS_SC_EXPORT_CERT_ARG_CHAIN_DESC=Indicates that the entire \
  certificate chain (the target certificate and all of the certificates in \
  its issuer chain) should be exported rather than just the specified target \
  certificate.
INFO_MANAGE_CERTS_SC_EXPORT_CERT_ARG_FORMAT_DESC=The output format to use for \
  the exported certificate.  The value may be either ''PEM'' (to export the \
  certificate in the text-based PEM format), or ''DER'' (to export the \
  certificate in the binary DER format).  If this is not provided, then the \
  PEM output format will be used.
INFO_MANAGE_CERTS_SC_EXPORT_CERT_ARG_FILE_DESC=The path to the output file \
  to which the exported certificate should be written.  An output file is \
  optional when using the PEM format, but required when using the DER \
  format.  If no output file is provided, then the exported certificate will \
  be written to standard output.
INFO_MANAGE_CERTS_SC_EXPORT_CERT_ARG_SEPARATE_FILE_DESC=Indicates that if \
  multiple certificates are to be exported, then each certificate should be \
  written to a different file rather than concatenating all of them into the \
  same file.  This can only be used if both the --export-certificate-chain \
  and --output-file arguments are also provided.
INFO_MANAGE_CERTS_SC_EXPORT_CERT_ARG_DISPLAY_COMMAND_DESC=Display a command \
  that can be invoked to achieve a similar result with the Java keytool \
  utility.  Note that this may just be an approximation, since the \
  manage-certificates and keytool utilities do not provide exactly the same \
  sets of functionality.
INFO_MANAGE_CERTS_SC_EXPORT_CERT_EXAMPLE_1=Export the ''server-cert'' \
  certificate in PEM format to standard output.
INFO_MANAGE_CERTS_SC_EXPORT_CERT_EXAMPLE_2=Export the ''server-cert'' \
  certificate, and all of the certificates in its issuer chain, to the \
  specified output file in the binary DER format.  It will also display a \
  command that can be used to accomplish a similar result using the \
  Java keytool utility.
INFO_MANAGE_CERTS_SC_EXPORT_KEY_DESC=Exports a private key from a key store.
INFO_MANAGE_CERTS_SC_EXPORT_KEY_ARG_KS_DESC=The path to the key store file \
  containing the private key to export.  This is required, and the key store \
  file must exist.
INFO_MANAGE_CERTS_SC_EXPORT_KEY_ARG_KS_PW_DESC=The password (also called a \
  passphrase or PIN) needed to access the contents of the key store.  A \
  key store password is required when exporting a private key, so one of the \
  --keystore-password, --keystore-password-file, or \
  --prompt-for-keystore-password arguments must be provided.
INFO_MANAGE_CERTS_SC_EXPORT_KEY_ARG_KS_PW_FILE_DESC=The path to a file \
  containing the password needed to access the contents of the key store.  A \
  key store password is required when exporting a private key, so one of the \
  --keystore-password, --keystore-password-file, or \
  --prompt-for-keystore-password arguments must be provided.  If a key store \
  password file is supplied, then the file must exist, must contain only one \
  line, and that line must consist only of the clear-text key store password.
INFO_MANAGE_CERTS_SC_EXPORT_KEY_ARG_PROMPT_FOR_KS_PW_DESC=Interactively \
  prompt for the key store password.  A key store password is required when \
  exporting a private key, so one of the --keystore-password, \
  --keystore-password-file, or --prompt-for-keystore-password arguments must \
  be provided.
INFO_MANAGE_CERTS_SC_EXPORT_KEY_ARG_PK_PW_DESC=The password (also called a \
  passphrase or PIN) used to protect the private key.  In many cases, the \
  private key password will be the same as the password used to protect the \
  key store itself, and in such instances, the private key password can be \
  omitted and the key store password will be used.  However, if a private key \
  is protected with a different password than the key store itself, then one \
  of the --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments must be provided.
INFO_MANAGE_CERTS_SC_EXPORT_KEY_ARG_PK_PW_FILE_DESC=The path to a file \
  containing the password used to protect the private key.  In many cases, \
  the private key password will be the same as the password used to protect \
  the key store itself, and in such instances, the private key password can \
  be omitted and the key store password will be used.  However, if a private \
  key is protected with a different password than the key store itself, then \
  one of the --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments must be provided.  If a private \
  key password file is supplied, then the file must exist, must contain only \
  one line, and that line must consist only of the clear-text private key \
  password.
INFO_MANAGE_CERTS_SC_EXPORT_KEY_ARG_PROMPT_FOR_PK_PW_DESC=Interactively \
  prompt for the private key password.  In many cases, the private key \
  password will be the same as the password used to protect the key store \
  itself, and in such instances, the private key password can be omitted and \
  the key store password will be used.  However, if a private key is \
  protected with a different password than the key store itself, then one of \
  the --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments must be provided.
INFO_MANAGE_CERTS_SC_EXPORT_KEY_ARG_KS_TYPE_DESC=The key store type for the \
  key store.  This is usually not necessary when exporting private keys, but \
  it may be required in some cases (for example, when listing the \
  certificates in a BCFKS key store when not operating in FIPS \
  140-2-compliant mode).  The value must be one of ''JKS'' (for the Java Key \
  Store format), ''PKCS12'' (for the standard PKCS #12 format), ''PKCS11'' \
  (for PKCS #11 tokens), or ''BCFKS'' (for the Bouncy Castle FIPS \
  140-2-compliant Key Store format).  If this is not provided, then an \
  attempt will be made to automatically infer the correct key store type.
INFO_MANAGE_CERTS_SC_EXPORT_KEY_ARG_ALIAS_DESC=The alias (also called a \
  nickname) of the private key to export.  This is required, and it may only \
  be provided once.
INFO_MANAGE_CERTS_SC_EXPORT_KEY_ARG_FORMAT_DESC=The output format to use for \
  the exported private key.  The value may be either ''PEM'' (to export the \
  private key in the text-based PEM format), or ''DER'' (to export the key in \
  the binary DER format).  If this is not provided, then the PEM output \
  format will be used.
INFO_MANAGE_CERTS_SC_EXPORT_KEY_ARG_FILE_DESC=The path to the output file to \
  which the exported private key should be written.  An output file is \
  optional when using the PEM format, but required when using the DER \
  format.  If no output file is provided, then the exported private key will \
  be written to standard output.
INFO_MANAGE_CERTS_SC_EXPIRT_KEY_ARG_ENC_PW_DESC=The password to use to encrypt \
  the exported private key.  At most one of the --encryption-password, \
  --encryption-password-file, and --prompt-for-encryption-password arguments \
  may be provided.  If none of those arguments is provided, then the private \
  key will not be encrypted.
INFO_MANAGE_CERTS_SC_EXPORT_KEY_ARG_ENC_PW_FILE_DESC=The path to a file \
  containing the password to use to encrypt the exported private key.  If \
  provided, the file must exist, must contain only one line, and that line \
  must consist only of the clear-text encryption password.  At most one of the \
  --encryption-password, --encryption-password-file, and \
  --prompt-for-encryption-password arguments may be provided.  If none of \
  those arguments is provided, then the private key will not be encrypted.
INFO_MANAGE_CERTS_SC_EXPORT_KEY_ARG_PROMPT_FOR_ENC_PW=Interactively prompt for \
  the password to use to encrypt the exported private key.  At most one of the \
  --encryption-password, --encryption-password-file, and \
  --prompt-for-encryption-password arguments may be provided.  If none of \
  those arguments is provided, then the private key will not be encrypted.
INFO_MANAGE_CERTS_SC_EXPORT_KEY_EXAMPLE_1=Export the private key for the \
  ''server-cert'' certificate to standard output in PEM format.
INFO_MANAGE_CERTS_SC_EXPORT_KEY_EXAMPLE_2=Export the private key for the \
  ''server-cert'' certificate to the specified output file in the binary DER \
  format.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_DESC=Imports a certificate or certificate \
  chain, and optionally a private key, into a key store.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_ARG_KS_DESC=The path to the key store file \
  into which the certificates and key should be imported.  This is required, \
  but if the file does not exist, then it will be created.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_ARG_KS_PW_DESC=The password (also called a \
  passphrase or PIN) needed to access the contents of the key store.  If the \
  key store does not exist, then it will be created with this password.  A \
  key store password is required when importing certificates, so one of the \
  --keystore-password, --keystore-password-file, or \
  --prompt-for-keystore-password arguments must be provided.  The password \
  must contain at least six characters.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_ARG_KS_PW_FILE_DESC=The password (also \
  called a passphrase or PIN) needed to access the contents of the \
  key store.  If the key store does not exist, then it will be created with \
  this password.  A key store password is required when importing \
  certificates, so one of the --keystore-password, --keystore-password-file, \
  or --prompt-for-keystore-password arguments must be provided.  If a key \
  store password file is supplied, then the file must exist, must contain \
  only one line, and that line must consist only of the clear-text key store \
  password.  The password must contain at least six characters.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_ARG_PROMPT_FOR_KS_PW_DESC=Interactively \
  prompt for the key store password.  If the key store does not exist, then \
  it will be created with this password.  A key store password is required \
  when importing certificates, so one of the --keystore-password, \
  --keystore-password-file, or --prompt-for-keystore-password arguments must \
  be provided.  The password must contain at least six characters.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_ARG_KS_TYPE_DESC=The key store type for the \
  key store to create.  This argument should only be provided when creating a \
  new key store, and it will be ignored if the key store already exists.  The \
  value must be one of ''JKS'' (for the Java Key Store format), ''PKCS12'' \
  (for the standard PKCS #12 format), ''PKCS11'' (for PKCS #11 tokens), or \
  ''BCFKS'' (for the Bouncy Castle FIPS 140-2-compliant Key Store format).  \
  If this is not provided, then a default key store type of ''JKS'' will be \
  used for newly-created key stores.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_ARG_ALIAS_DESC=The alias (also called a \
  nickname) to use for the imported certificate.  If multiple certificates \
  are to be imported, then the behavior depends on whether a private key will \
  also be imported.  When importing a certificate chain along with a private \
  key, then the alias must not already exist in the key store, and the \
  private key and the entire certificate chain will be stored under this \
  alias.  When importing a certificate for which the corresponding private \
  key already exists in the key store (for example, if you used the \
  generate-certificate-request subcommand to create a certificate signing \
  request and are now importing the signed certificate), then you should use \
  the same alias that is used for the existing private key, and you should \
  provide the complete certificate chain.  When importing a certificate \
  for which the corresponding private key does not already exist in the \
  key store and for which the private key is not being provided by the \
  --private-key-file argument, then the alias must not already exist in the \
  key store, and any provided issuer certificates (which you should provide \
  if they do not already exist in the key store and are not in the JVM''s \
  default set of trusted issuer certificates) will be imported with aliases \
  that are generated from the provided alias.  If there is only one issuer \
  certificate to be imported, then it will be stored with an alias that is \
  the provided alias with ''-issuer'' appended onto it.  If there are \
  multiple issuer certificates to be imported, then their aliases will be the \
  provided alias with ''-issuer-#'' appended onto it, where ''#'' will be \
  ''1'' for the first issuer certificate, ''2'' for the second, and so on.  \
  This is a required argument.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_ARG_CERT_FILE_DESC=The path to a file \
  containing a certificate or certificate chain to import.  The certificates \
  in the file may be stored either in the text-based PEM or the binary DER \
  format, but if the file contains multiple certificates, then they must all \
  be in the same format.  You may also provide this argument multiple times \
  to specify multiple files containing certificates to import.  However, if \
  multiple certificates are provided, then they must all form a certificate \
  chain in which each subsequent certificate is the issuer certificate for \
  the previous certificate.  When importing a non-self-signed certificate, \
  you should ensure that its issuer certificate is also being imported, is \
  already in the key store under a different alias, or is in the JVM''s \
  default set of trusted certificates.  At least one certificate file is \
  required.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_ARG_KEY_FILE_DESC=The path to a file \
  containing the private key for the end certificate in the chain to be \
  imported.  It may be stored in either the text-based PEM or the binary \
  DER format.  This is an optional argument, and at most one private key file \
  may be specified, and that file may contain only a single private key.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_ARG_PK_PW_DESC=The password (also called a \
  passphrase or PIN) to use to protect the private key.  This is only needed \
  when importing a private key along with a certificate chain, or when \
  importing a certificate chain into an alias with an existing private key.  \
  In many cases, the private key password will be the same as the key store \
  password and in such instances, the private key password can be omitted and \
  the key store password will be used as the private key password.  However, \
  if you are importing a private key and wish to protect it with a password \
  that does not match the key store password, or if you are importing a new \
  certificate chain for an existing private key that uses a password that \
  does not match the key store password, then one of the \
  --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments should be provided.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_ARG_PK_PW_FILE_DESC=The path to a file \
  containing the password to use to protect the private key.  This is only \
  needed when importing a private key along with a certificate chain, or when \
  importing a certificate chain into an alias with an existing private key.  \
  In many cases, the private key password will be the same as the key store \
  password and in such instances, the private key password can be omitted and \
  the key store password will be used as the private key password.  \
  However, if you are importing a private key and wish to protect it with a \
  password that does not match the key store password, or if you are importing \
  a new certificate chain for an existing private key that uses a password \
  that does not match the key store password, then one of the \
  --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments should be provided.  If a \
  private key password file is supplied, then the file must exist, must \
  contain only one line, and that line must consist only of the clear-text \
  private key password.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_ARG_PROMPT_FOR_PK_PW_DESC=Interactively \
  prompt for the password to use to protect the private key.  This is only \
  needed when importing a private key along with a certificate chain, or when \
  importing a certificate chain into an alias with an existing private key.  \
  In many cases, the private key password will be the same as the key store \
  password and in such instances, the private key password can be omitted and \
  the key store password will be used as the private key password.  \
  However, if you are importing a private key and wish to protect it with a \
  password that does not match the key store password, or if you are \
  importing a new certificate chain for an existing private key that uses a \
  password that does not match the key store password, then one of the \
  --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments should be provided.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_ARG_ENC_PW_DESC=The password used to encrypt \
  the private key being imported.  At most one of the --encryption-password, \
  --encryption-password-file, and --prompt-for-encryption-password arguments \
  may be provided.  If none of those arguments is provided, then it will be \
  assumed that the private key is not encrypted.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_ARG_ENC_PW_FILE_DESC=The path to a file \
  containing the password used to encrypt the private key being imported.  If \
  provided, the file must exist, must contain only one line, and that line \
  must consist only of the clear-text encryption password.  At most one of the \
  --encryption-password, --encryption-password-file, and \
  --prompt-for-encryption-password arguments may be provided.  If none of \
  those arguments is provided, then it will be assumed that the private key is \
  not encrypted.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_ARG_PROMPT_FOR_ENC_PW_DESC=Interactively \
  prompt for the password used to encrypt the private key being imported.  At \
  most one of the --encryption-password, --encryption-password-file, and \
  --prompt-for-encryption-password arguments may be provided.  If none of \
  those arguments is provided, then it will be assumed that the private key is \
  not encrypted.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_ARG_NO_PROMPT_DESC=Import the certificates \
  without prompting the end user.  By default, the certificates will be \
  displayed and the user will be interactively prompted about whether to \
  import them.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_ARG_DISPLAY_COMMAND_DESC=Display a command \
  that can be invoked to achieve a similar result with the Java keytool \
  utility.  Note that this may just be an approximation, since the \
  manage-certificates and keytool utilities do not provide exactly the same \
  sets of functionality.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_EXAMPLE_1=Import the certificates in the \
  ''{0}'' file into the specified key store using an alias of ''server-cert''.
INFO_MANAGE_CERTS_SC_IMPORT_CERT_EXAMPLE_2=Import a certificate chain, \
  including a private key, from the set of provided files into the specified \
  key store using an alias of ''server-cert''.
INFO_MANAGE_CERTS_SC_DELETE_CERT_DESC=Removes a certificate from a key store.
INFO_MANAGE_CERTS_SC_DELETE_CERT_ARG_KS_DESC=The path to the key store file \
  containing the certificate to remove.  This is required, and the key store \
  file must exist.
INFO_MANAGE_CERTS_SC_DELETE_CERT_ARG_KS_PW_DESC=The password (also called a \
  passphrase or PIN) needed to access the contents of the key store.  A \
  key store password is required when importing certificates, so one of the \
  --keystore-password, --keystore-password-file, or \
  --prompt-for-keystore-password arguments must be provided.
INFO_MANAGE_CERTS_SC_DELETE_CERT_ARG_KS_PW_FILE_DESC=The path to a file \
  containing the password needed to access the contents of the key store.  A \
  key store password is required when importing certificates, so one of the \
  --keystore-password, --keystore-password-file, or \
  --prompt-for-keystore-password arguments must be provided.  If a key store \
  password file is supplied, then the file must exist, must contain only one \
  line, and that line must consist only of the \
  clear-text key store password.
INFO_MANAGE_CERTS_SC_DELETE_CERT_ARG_PROMPT_FOR_KS_PW_DESC=Interactively \
  prompt for the key store password.  A key store password is required when \
  importing certificates, so one of the --keystore-password, \
  --keystore-password-file, or --prompt-for-keystore-password arguments must \
  be provided.
INFO_MANAGE_CERTS_SC_DELETE_CERT_ARG_KS_TYPE_DESC=The key store type for the \
  key store.  This is usually not necessary when deleting certificates, but \
  it may be required in some cases (for example, when listing the \
  certificates in a BCFKS key store when not operating in FIPS \
  140-2-compliant mode).  The value must be one of ''JKS'' (for the Java Key \
  Store format), ''PKCS12'' (for the standard PKCS #12 format), ''PKCS11'' \
  (for PKCS #11 tokens), or ''BCFKS'' (for the Bouncy Castle FIPS \
  140-2-compliant Key Store format).  If this is not provided, then an \
  attempt will be made to automatically infer the correct key store type.
INFO_MANAGE_CERTS_SC_DELETE_CERT_ARG_ALIAS_DESC=The alias (also called a \
  nickname) of the certificate to delete.  This is required, and it may only \
  be provided once.
INFO_MANAGE_CERTS_SC_DELETE_CERT_ARG_NO_PROMPT_DESC=Delete the certificate \
  without prompting the end user.  By default, the target certificate will be \
  displayed and the user will be interactively prompted about whether to \
  delete it.
INFO_MANAGE_CERTS_SC_DELETE_CERT_ARG_DISPLAY_COMMAND_DESC=Display a command \
  that can be invoked to achieve a similar result with the Java keytool \
  utility.  Note that this may just be an approximation, since the \
  manage-certificates and keytool utilities do not provide exactly the same \
  sets of functionality.
INFO_MANAGE_CERTS_SC_DELETE_CERT_EXAMPLE_1=Remove the ''server-cert'' \
  certificate from the ''{0}'' key store.
INFO_MANAGE_CERTS_SC_GEN_CERT_DESC=Generates a self-signed certificate in a \
  key store.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_KS_DESC=The path to the key store file \
  in which the self-signed certificate will be created.  This is required, \
  but if the file does not exist, then it will be created.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_KS_PW_DESC=The password (also called a \
  passphrase or PIN) needed to access the contents of the key store.  If the \
  key store does not exist, then it will be created with this password.  A \
  key store password is required when generating certificates, so one of the \
  --keystore-password, --keystore-password-file, or \
  --prompt-for-keystore-password arguments must be provided.  The password \
  must contain at least six characters.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_KS_PW_FILE_DESC=The password (also called a \
  passphrase or PIN) needed to access the contents of the key store.  If the \
  key store does not exist, then it will be created with this password.  A \
  key store password is required when generating certificates, so one of the \
  --keystore-password, --keystore-password-file, or \
  --prompt-for-keystore-password arguments must be provided.  If a key store \
  password file is supplied, then the file must exist, must contain only one \
  line, and that line must consist only of the clear-text key store password.  \
  The password must contain at least six characters.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_PROMPT_FOR_KS_PW_DESC=Interactively \
  prompt for the key store password.  If the key store does not exist, then \
  it will be created with this password.  A key store password is required \
  when generating certificates, so one of the --keystore-password, \
  --keystore-password-file, or --prompt-for-keystore-password arguments must \
  be provided.  The password must contain at least six characters.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_PK_PW_DESC=The password (also called a \
  passphrase or PIN) to use to protect the private key.  Although in many \
  cases, private keys will be protected with the same password as the key \
  store itself, it is possible to use a different password for the private \
  key.  If an alternate private key password is needed, then one of the \
  --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments should be used to provide that \
  private key password.  If none of these arguments is given, then the \
  key store password will be used as the private key password.  The password \
  must contain at least six characters.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_PK_PW_FILE_DESC=The path to a file \
  containing the password to use to protect the private key.  Although in \
  many cases, private keys will be protected with the same password as the \
  key store itself, it is possible to use a different password for the \
  private key.  If an alternate private key password is needed, then one of \
  the --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments should be used to provide that \
  private key password.  If none of these arguments is given, then the \
  key store password will be used as the private key password.  If a \
  private key password file is supplied, then the file must exist, must \
  contain only one line, and that line must consist only of the clear-text \
  private key password.  The password must contain at least six characters.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_PROMPT_FOR_PK_PW_DESC=Interactively prompt \
  for the password to use to protect the private key.  Although in many \
  cases, private keys will be protected with the same password as the key \
  store itself, it is possible to use a different password for the private \
  key.  If an alternate private key password is needed, then one of the \
  --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments should be used to provide that \
  private key password.  If none of these arguments is given, then the \
  key store password will be used as the private key password.  The password \
  must contain at least six characters.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_KS_TYPE_DESC=The key store type for the \
  key store to create.  This argument should only be provided when creating a \
  new key store, and it will be ignored if the key store already exists.  The \
  value must be one of ''JKS'' (for the Java Key Store format), ''PKCS12'' \
  (for the standard PKCS #12 format), ''PKCS11'' (for PKCS #11 tokens), or \
  ''BCFKS'' (for the Bouncy Castle FIPS 140-2-compliant Key Store format).  \
  If this is not provided, then a default key store type of ''JKS'' will be \
  used for newly-created key stores.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_ALIAS_DESC=The alias (also called a \
  nickname) to use for the newly-generated certificate.  If the \
  --use-existing-key-pair argument is provided, then this must be the alias \
  of the private key for which to replace the certificate chain with the \
  self-signed certificate.  If the --use-existing-key-pair argument is not \
  provided, then the alias must not already exist in the key store.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_USE_EXISTING_KP_DESC=Indicates that the new \
  self-signed certificate should replace the certificate chain associated \
  with an existing private key that is identified by the --alias argument, \
  reusing the existing key pair.  If this argument is not provided, then a \
  new key pair will be generated.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_SUBJECT_DN_DESC=The subject DN for the new \
  certificate.  This must be provided unless the \
  --use-existing-key-pair argument is given.  If the --use-existing-key-pair \
  argument is provided, then the --subject-dn argument may be omitted if you \
  want to reuse the same subject as the existing certificate.  A subject DN \
  typically includes at least a ''CN'' attribute (which in a server \
  certificate should be the hostname that clients are expected to use when \
  connecting to the server, and in other certificates indicates the purpose \
  of that certificate), and may also include additional attributes like \
  ''OU'' (the associated department or organizational unit name), ''O'' (the \
  company or organization name), ''L'' (the city or locality name), ''ST'' \
  (the full name -- NOT the two-letter abbreviation -- of the state or \
  province), ''C'' (the two-letter country code -- NOT the full country \
  name).  For example:  ''CN=ldap.example.com,OU=Directory Services,O=Example \
  Corporation,L=Austin,ST=Texas,C=US''.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_DAYS_VALID_DESC=The number of days that \
  the certificate should be considered valid.  If this argument is not \
  provided, then a default value of 365 days will be used.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_VALIDITY_START_TIME_DESC=The time that the \
  certificate''s validity window should start (that is, the ''notBefore'' \
  value).  If this is not provided, then the current time will be used.  If a \
  value is given, it should be in the form ''YYYYMMDDhhmmss'' (for example, \
  ''{0}'').  Timestamp values are assumed to be in the local time zone.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_KEY_ALGORITHM_DESC=The name of the key \
  algorithm to use to generate the key pair.  If present, the value will \
  typically be ''RSA'' or ''EC'' (for elliptic curve).  This argument must \
  not be provided if the --use-existing-key-pair argument is used.  If \
  neither this argument nor the --use-existing-key-pair argument is provided, \
  then a default key algorithm of ''RSA'' will be used.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_KEY_SIZE_BITS_DESC=The size of the key to \
  generate, in bits.  This argument must not be provided if the \
  --use-existing-key-pair argument is used.  This argument must be provided \
  if the --key-algorithm argument is used to specify an algorithm other than \
  ''RSA''.  If neither this argument nor the --use-existing-key-pair argument \
  is provided, then a default key size of 2048 bits will be used.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_SIG_ALG_DESC=The name of the algorithm to \
  use to sign the certificate.  This argument must not be provided if the \
  --use-existing-key-pair argument is used.  This argument must be \
  provided if the --key-algorithm argument is used to specify an algorithm \
  other than ''RSA''.  If neither this argument nor the \
  --use-existing-key-pair argument is provided, then a default signature \
  algorithm of ''SHA256withRSA'' will be used.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_INHERIT_EXT_DESC=This argument can only be \
  used in conjunction with the --use-existing-key-pair argument, and it \
  indicates that the new certificate should inherit all of the same extension \
  values as the certificate being replaced (although extensions known to apply \
  to the certificate''s issuer, like authority key identifier and issuer \
  alternative name, may be excluded).  If the --use-existing-key-pair argument \
  is provided without the --inherit-extensions argument, then the new \
  certificate will only have the extensions that are explicitly specified \
  using other arguments.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_SAN_DNS_DESC=Indicates that the certificate \
  should include a subject alternative name extension with the specified DNS \
  hostname.  This can be used to help clients trust a server certificate if \
  they connect to the server using a different hostname than is included in \
  the CN attribute of the certificate subject.  This can be provided \
  multiple times to specify multiple alternate hostnames, and hostnames can \
  have an asterisk as their leftmost component (for example, \
  ''*.example.com'' or ''*.east.example.com'') to match any value in that \
  component.  Each value must contain only ASCII characters, so \
  internationalized domain names must use the ASCII-Compatible Encoding (ACE) \
  described in RFC 5890.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_SAN_IP_DESC=Indicates that the certificate \
  should include a subject alternative name extension with the specified IP \
  address.  This can be used to help clients trust a server certificate if \
  they connect to the server using an IP address rather than the hostname \
  that is included in the CN attribute of the certificate subject.  This can \
  be provided multiple times to specify multiple IP addresses, and each value \
  must be a valid IPv4 or IPv6 address.  There is no support for wildcards, \
  CIDR, other mechanisms for specifying a range of addresses.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_SAN_EMAIL_DESC=Indicates that the \
  certificate should include a subject alternative name extension with the \
  specified email address (technically, RFC 822 name) value.  This can be \
  provided multiple times to specify multiple email addresses.  Each value \
  must contain only ASCII characters, so internationalized email addresses \
  must use the ASCII-Compatible Encoding (ACE) described in RFC 5890.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_SAN_URI_DESC=Indicates that the certificate \
  should include a subject alternative name extension with the specified URI \
  value.  This can be provided multiple times to specify multiple URIs.  Each \
  value must contain only ASCII characters, so internationalized resource \
  identifiers must be mapped to URIs as described in RFC 3987.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_SAN_OID_DESC=Indicates that the certificate \
  should include a subject alternative name extension with the specified OID \
  as a resource identifier.  This can be provided multiple times to specify \
  multiple OIDs, and each value must be the string representation of a valid \
  object identifier.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_BC_IS_CA_DESC=Indicates that the \
  certificate should include a basic constraints extension that indicates \
  whether the certificate should be considered a certification authority.  If \
  present, the value must be either ''true'' or ''false''.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_BC_PATH_LENGTH_DESC=Indicates that the \
  certificate should include a basic constraints extension that specifies \
  that there must not be more than the specified number of intermediate \
  certificates between that issuer certificate and the subject certificate in \
  a certificate chain.  This argument can only be provided in conjunction \
  with a --basic-constraints-is-ca value of ''true''.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_KU_DESC=Indicates that the certificate \
  should include a key usage extension that indicates that the certificate \
  can be used for a specified purpose.  Allowed values for this argument are \
  ''digital-signature'', ''non-repudiation'', ''key-encipherment'', \
  ''data-encipherment'', ''key-agreement'', ''key-cert-sign'', ''crl-sign'', \
  ''encipher-only'', and ''decipher-only''.  This argument can be provided \
  multiple times to specify multiple key usage values.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_EKU_DESC=Indicates that the certificate \
  should include an extended key usage extension that indicates that the \
  certificate can be used for a specified purpose.  Allowed values for this \
  argument are ''server-auth'', ''client-auth'', ''code-signing'', \
  ''email-protection'', ''time-stamping'', and ''ocsp-signing'', or the \
  string representation of any valid object identifier.  This argument can be \
  provided multiple times to specify multiple extended key usage values.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_EXT_DESC=Indicates that the certificate \
  should include an extension with the specified content.  The value must be \
  in the form oid:criticality:value, where oid is the OID that identifies \
  the type of extension, criticality is a value of either ''true'' or \
  ''false'', and value is the hexadecimal representation of the extension \
  value (for example, --ext 2.5.29.19:true:30030101ff).
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_OUTPUT_FILE_DESC=The output file to which \
  the generated certificate should be written, if desired.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_FORMAT_DESC=The format in which the \
  generated certificate should be written to the specified output file.  The \
  value may be either ''PEM'' (to export the certificate in the text-based \
  PEM format), or ''DER'' (to export the certificate in the binary DER \
  format).  If this is not provided, then the PEM output format will be used.
INFO_MANAGE_CERTS_SC_GEN_CERT_ARG_DISPLAY_COMMAND_DESC=Display a command that \
  can be invoked to achieve a similar result with the Java keytool \
  utility.  Note that this may just be an approximation, since the \
  manage-certificates and keytool utilities do not provide exactly the same \
  sets of functionality.
INFO_MANAGE_CERTS_SC_GEN_CERT_EXAMPLE_1=Generates a self-signed certificate \
  with an alias of ''server-cert'' and subject DN of \
  ''CN=ldap.example.com,O=Example Corp,C=US''.  The certificate will use a \
  2048-bit RSA key, a signature algorithm of SHA256withRSA, and a validity of \
  365 days, starting immediately.
INFO_MANAGE_CERTS_SC_GEN_CERT_EXAMPLE_2=Generates a self-signed certificate \
  to replace the existing certificate with the ''server-cert'' alias.  The \
  new certificate will reuse the existing certificate''s key pair, will \
  include the same subject, key and signature algorithms, and set of \
  extensions as the existing certificate, and it will have a validity of 365 \
  days, starting immediately.
INFO_MANAGE_CERTS_SC_GEN_CERT_EXAMPLE_3=Generates a self-signed server \
  certificate with an alias of ''server-cert'', a subject DN of \
  ''CN=ldap.example.com,O=Example Corp,C=US'', a 4096-bit RSA key, \
  a signature algorithm of SHA256withRSA, a subject alternate name \
  extension with DNS names of ''ldap1.example.com'' and \
  ''ldap2.example.com'' and IP addresses of 1.2.3.4 and 1.2.3.5, and an \
  extended key usage extension with the server-auth and client-auth usages.  \
  The certificate will have a validity of 3650 days, starting at midnight on \
  January 1, 2017 in the local time zone.
INFO_MANAGE_CERTS_SC_GEN_CERT_EXAMPLE_4=Generates a self-signed certification \
  authority certificate with an alias of ''ca-cert'', a subject DN of \
  ''CN=Example Certification Authority,O=Example Corp,C=US'', a 256-bit \
  elliptic curve key, a signature algorithm of SHA256withECDSA, a basic \
  constraints extension that indicates the certificate is a certification \
  authority, and a key usage extension with the key-cert-sign and crl-sign \
  values.  The certificate will have a validity of 7300 days, starting at \
  midnight on January 1, 2017 in the local time zone.
INFO_MANAGE_CERTS_SC_GEN_CSR_DESC=Generates a certificate signing request \
  (CSR) for a private key in a key store, optionally generating the private \
  key in the process.  The certificate signing request may be either written \
  to standard output or to a specified output file.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_FORMAT_DESC=The output format to use for the \
  generated certificate signing request.  The value may be either ''PEM'' \
  (to export the request in the text-based PEM format), or ''DER'' (to export \
  the request in the binary DER format).  If this is not provided, then the \
  PEM output format will be used.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_OUTPUT_FILE_DESC=The path to the output \
  file to which the certificate signing request should be written.  If this \
  is not provided, then the certificate signing request will be written to \
  standard output.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_KS_DESC=The path to the key store file that \
  contains the key (or in which the key will be generated) to use for the \
  certificate signing request.  This is required, but if the file does not \
  exist, then it will be created.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_KS_PW_DESC=The password (also called a \
  passphrase or PIN) needed to access the contents of the key store.  If the \
  key store does not exist, then it will be created with this password.  A \
  key store password is required when generating certificate signing requests, \
  so one of the --keystore-password, --keystore-password-file, or \
  --prompt-for-keystore-password arguments must be provided.  The password \
  must contain at least six characters.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_KS_PW_FILE_DESC=The password (also called a \
  passphrase or PIN) needed to access the contents of the key store.  If the \
  key store does not exist, then it will be created with this password.  A \
  key store password is required when generating certificate signing \
  requests, so one of the --keystore-password, --keystore-password-file, or \
  --prompt-for-keystore-password arguments must be provided.  If a key store \
  password file is supplied, then the file must exist, must contain only one \
  line, and that line must consist only of the clear-text key store \
  password.  The password must contain at least six characters.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_PROMPT_FOR_KS_PW_DESC=Interactively prompt \
  for the key store password.  If the key store does not exist, then it will \
  be created with this password.  A key store password is required when \
  generating certificate signing requests, so one of the --keystore-password, \
  --keystore-password-file, or --prompt-for-keystore-password arguments must \
  be provided.  The password must contain at least six characters.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_PK_PW_DESC=The password (also called a \
  passphrase or PIN) to use to protect the private key.  Although in many \
  cases, private keys will be protected with the same password as the key \
  store itself, it is possible to use a different password for the private \
  key.  If an alternate private key password is needed, then one of the \
  --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments should be used to provide that \
  private key password.  If none of these arguments is given, then the \
  key store password will be used as the private key password.  The password \
  must contain at least six characters.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_PK_PW_FILE_DESC=The path to a file \
  containing the password to use to protect the private key.  Although in \
  many cases, private keys will be protected with the same password as the \
  key store itself, it is possible to use a different password for the \
  private key.  If an alternate private key password is needed, then one of \
  the --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments should be used to provide that \
  private key password.  If none of these arguments is given, then the \
  key store password will be used as the private key password.  If a \
  private key password file is supplied, then the file must exist, must \
  contain only one line, and that line must consist only of the clear-text \
  private key password.  The password must contain at least six characters.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_PROMPT_FOR_PK_PW_DESC=Interactively prompt \
  for the password to use to protect the private key.  Although in many \
  cases, private keys will be protected with the same password as the key \
  store itself, it is possible to use a different password for the private \
  key.  If an alternate private key password is needed, then one of the \
  --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments should be used to provide that \
  private key password.  If none of these arguments is given, then the \
  key store password will be used as the private key password.  The password \
  must contain at least six characters.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_KS_TYPE_DESC=The key store type for the \
  key store to create.  This argument should only be provided when creating a \
  new key store, and it will be ignored if the key store already exists.  The \
  value must be one of ''JKS'' (for the Java Key Store format), ''PKCS12'' \
  (for the standard PKCS #12 format), ''PKCS11'' (for PKCS #11 tokens), or \
  ''BCFKS'' (for the Bouncy Castle FIPS 140-2-compliant Key Store format).  \
  If this is not provided, then a default key store type of ''JKS'' will be \
  used for newly-created key stores.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_ALIAS_DESC=The alias (also called a \
  nickname) of the private key to use to generate the certificate signing \
  request.  If the --use-existing-key-pair argument is provided, then this \
  must be the alias of an existing private key.  If the \
  --use-existing-key-pair argument is not provided, then the alias must not \
  already exist in the key store, and a corresponding key pair will be \
  created in that alias.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_USE_EXISTING_KP_DESC=Indicates that the \
  certificate signing request should use an existing key pair in the key \
  store, identified by the specified alias.  If this argument is not \
  provided, then a new key pair will be generated for the certificate signing \
  request and stored in the key store.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_SUBJECT_DN_DESC=The subject DN for the \
  certificate signing request.  This must be provided unless then \
  --use-existing-key-pair argument is given.  If the --use-existing-key-pair \
  argument is provided, then the --subject-dn argument may be omitted if you \
  want to reuse the same subject as the existing certificate.  A subject DN \
  typically includes at least a ''CN'' attribute (which in a server \
  certificate should be the hostname that clients are expected to use when \
  connecting to the server, and in other certificates indicates the purpose \
  of that certificate), and may also include additional attributes like \
  ''OU'' (the associated department name), ''O'' (the company or organization \
  name), ''L'' (the city or locality name), ''ST'' (the full name -- NOT the \
  two-letter abbreviation -- of the state or province), ''C'' (the two-letter \
  country code -- NOT the full country name).  For example:  \
  ''CN=ldap.example.com,OU=Directory Services,O=Example \
  Corporation,L=Austin,ST=Texas,C=US''.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_KEY_ALGORITHM_DESC=The name of the key \
  algorithm to use to generate the key pair.  If present, the value will \
  typically be ''RSA'' or ''EC'' (for elliptic curve).  This argument must \
  not be provided if the --use-existing-key-pair argument is used.  If \
  neither this argument nor the --use-existing-key-pair argument is provided, \
  then a default key algorithm of ''RSA'' will be used.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_KEY_SIZE_BITS_DESC=The size of the key to \
  generate, in bits.  This argument must not be provided if the \
  --use-existing-key-pair argument is used.  This argument must be provided \
  if the --key-algorithm argument is used to specify an algorithm \
  other than ''RSA''.  If neither this argument nor the \
  --use-existing-key-pair argument is provided, then a default key size of \
  2048 bits will be used.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_SIG_ALG_DESC=The name of the algorithm to \
  use to sign the certificate.  This argument must not be provided if the \
  --use-existing-key-pair argument is used.  This argument must be provided \
  if the --key-algorithm argument is used to specify an algorithm other than \
  ''RSA''.  If neither this argument nor the --use-existing-key-pair argument \
  is provided, then a default signature algorithm of ''SHA256withRSA'' will \
  be used.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_INHERIT_EXT_DESC=This argument can only be \
  used in conjunction with the --use-existing-key-pair argument, and it \
  indicates that the requested certificate should inherit all of the same \
  extension values as the existing certificate (although extensions known to \
  apply to the certificate''s issuer, like authority key identifier and \
  issuer alternative name, may be excluded).  If the --use-existing-key-pair \
  argument is provided without the --inherit-extensions argument, then the \
  new certificate will only have the extensions that are explicitly specified \
  using other arguments.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_SAN_DNS_DESC=Indicates that the certificate \
  signing request should include a subject alternative name extension with \
  the specified DNS hostname.  This can be used to help clients trust a \
  server certificate if they connect to the server using a different \
  hostname than is included in the CN attribute of the certificate subject.  \
  This can be provided multiple times to specify multiple alternate \
  hostnames, and hostnames can have an asterisk as their leftmost component \
  (for example, ''*.example.com'' or ''*.east.example.com'') to match any \
  value in that component.  Each value must contain only ASCII characters, so \
  internationalized domain names must use the ASCII-Compatible Encoding \
  (ACE) described in RFC 5890.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_SAN_IP_DESC=Indicates that the certificate \
  signing request should include a subject alternative name extension with \
  the specified IP address.  This can be used to help clients trust a server \
  certificate if they connect to the server using an IP address rather than \
  the hostname that is included in the CN attribute of the certificate \
  subject.  This can be provided multiple times to specify multiple IP \
  addresses, and each value must be a valid IPv4 or IPv6 address.  There is \
  no support for wildcards, CIDR, other mechanisms for specifying a range of \
  addresses.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_SAN_EMAIL_DESC=Indicates that the \
  certificate signing request should include a subject alternative name \
  extension with the specified email address (technically, RFC 822 name) \
  value.  This can be provided multiple times to specify multiple email \
  addresses.  Each value must contain only ASCII characters, so \
  internationalized email addresses must use the ASCII-Compatible Encoding \
  (ACE) described in RFC 5890.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_SAN_URI_DESC=Indicates that the certificate \
  signing request should include a subject alternative name extension with \
  the specified URI value.  This can be provided multiple times to specify \
  multiple URIs.  Each value must contain only ASCII characters, so \
  internationalized resource identifiers must be mapped to URIs as described \
  in RFC 3987.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_SAN_OID_DESC=Indicates that the certificate \
  signing request should include a subject alternative name extension with \
  the specified OID as a resource identifier.  This can be provided multiple \
  times to specify multiple OIDs, and each value must be the string \
  representation of a valid object identifier.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_BC_IS_CA_DESC=Indicates that the certificate \
  signing request should include a basic constraints extension that indicates \
  whether the certificate should be considered a certification authority.  If \
  present, the value must be either ''true'' or ''false''.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_BC_PATH_LENGTH_DESC=Indicates that the \
  certificate signing request should include a basic constraints extension \
  that specifies that there must not be more than the specified number of \
  intermediate certificates between that certificate and the subject \
  certificate in a certificate chain.  This argument can only be provided in \
  conjunction with a --basic-constraints-is-ca value of ''true''.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_KU_DESC=Indicates that the certificate \
  signing request should include a key usage extension that indicates that \
  the certificate can be used for a specified purpose.  Allowed values for \
  this argument are ''digital-signature'', ''non-repudiation'', \
  ''key-encipherment'', ''data-encipherment'', ''key-agreement'', \
  ''key-cert-sign'', ''crl-sign'', ''encipher-only'', and ''decipher-only''.  \
  This argument can be provided multiple times to specify multiple key usage \
  values.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_EKU_DESC=Indicates that the certificate \
  signing request should include an extended key usage extension that \
  indicates that the certificate can be used for a specified purpose.  \
  Allowed values for this argument are ''server-auth'', ''client-auth'', \
  ''code-signing'', ''email-protection'', ''time-stamping'', and \
  ''ocsp-signing'', or the string representation of any valid object \
  identifier.  This argument can be provided multiple times to specify \
  multiple extended key usage values.
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_EXT_DESC=Indicates that the certificate \
  signing request should include an extension with the specified content.  \
  The value must be in the form oid:criticality:value, where oid is the OID \
  that identifies the type of extension, criticality is a value of either \
  ''true'' or ''false'', and value is the hexadecimal representation of the \
  extension value (for example, --ext 2.5.29.19:true:30030101ff).
INFO_MANAGE_CERTS_SC_GEN_CSR_ARG_DISPLAY_COMMAND_DESC=Display a command that \
  can be invoked to achieve a similar result with the Java keytool \
  utility.  Note that this may just be an approximation, since the \
  manage-certificates and keytool utilities do not provide exactly the same \
  sets of functionality.
INFO_MANAGE_CERTS_SC_GEN_CSR_EXAMPLE_1=Generates a certificate signing \
  request for a certificate with a subject DN of \
  ''CN=ldap.example.com,O=Example Corp,C=US''.  The request will generate a \
  new key pair in the ''server-cert'' alias with a 2048-bit RSA key and a \
  signature algorithm of SHA256withRSA.  The generated certificate signing \
  request will be sent to standard output.
INFO_MANAGE_CERTS_SC_GEN_CSR_EXAMPLE_2=Generates a certificate signing \
  request to replace the existing certificate with the ''server-cert'' \
  alias.  The new certificate will use the same key pair as the existing \
  certificate, will include the same subject, key and signature algorithms, \
  and set of extensions as the existing certificate, and the request will be \
  written to the server-cert.csr output file.
INFO_MANAGE_CERTS_SC_GEN_CSR_EXAMPLE_3=Generates a certificate signing \
  request for a certificate with a subject DN of \
  ''CN=ldap.example.com,O=Example Corp,C=US'', a subject alternate name \
  extension with DNS names of ''ldap1.example.com'' and ''ldap2.example.com'' \
  and IP addresses of 1.2.3.4 and 1.2.3.5, and an extended key usage \
  extension with the server-auth and client-auth usages.  The certificate \
  will use a newly-generated key pair with a 256-bit elliptic curve key and a \
  signature algorithm of SHA256withECDSA.  The request will be written to the \
  server-cert.csr output file.
INFO_MANAGE_CERTS_SC_SIGN_CSR_DESC=Signs a certificate signing request (CSR) \
  provided in a specified input file using a certificate contained in a \
  specified key store.  The signed certificate may be written to either \
  standard output or to a specified file.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_INPUT_FILE_DESC=The path to the input file \
  containing the certificate signing request to process.  This must be \
  provided, and the specified file must exist.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_OUTPUT_FILE_DESC=The path to the output \
  file to which the signed certificate should be written.  If this is not \
  provided, then the certificate will be written to standard output.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_FORMAT_DESC=The output format to use for \
  the signed certificate.  The value may be either ''PEM'' (to write the \
  certificate in the text-based PEM format), or ''DER'' (to write the \
  certificate in the binary DER format).  If this is not provided, then the \
  PEM output format will be used.  If an output format of ''DER'' is \
  specified, then the --certificate-output-file argument must also be provided.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_KS_DESC=The path to the key store file that \
  contains the certificate that will be used to sign the requested \
  certificate.  This must be provided, and the specified file must exist.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_KS_PW_DESC=The password (also called a \
  passphrase or PIN) needed to access the contents of the key store \
  containing the signing certificate.  A key store password is required when \
  signing certificate requests, so one of the --keystore-password, \
  --keystore-password-file, or --prompt-for-keystore-password arguments must \
  be provided.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_KS_PW_FILE_DESC=The password (also called a \
  passphrase or PIN) needed to access the contents of the key store \
  containing the signing certificate.  A key store password is required when \
  signing certificate requests, so one of the --keystore-password, \
  --keystore-password-file, or --prompt-for-keystore-password arguments must \
  be provided.  If a key store password file is supplied, then the file must \
  exist, must contain only one line, and that line must consist only of the \
  clear-text key store password.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_PROMPT_FOR_KS_PW_DESC=Interactively prompt \
  for the key store password.  A key store password is required when signing \
  certificate requests, so one of the --keystore-password, \
  --keystore-password-file, or --prompt-for-keystore-password arguments must \
  be provided.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_PK_PW_DESC=The password (also called a \
  passphrase or PIN) to use to protect the private key.  Although in many \
  cases, private keys will be protected with the same password as the key \
  store itself, it is possible to use a different password for the private \
  key.  If an alternate private key password is needed, then one of the \
  --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments should be used to provide that \
  private key password.  If none of these arguments is given, then the \
  key store password will be used as the private key password.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_PK_PW_FILE_DESC=The path to a file \
  containing the password to use to protect the private key.  Although in \
  many cases, private keys will be protected with the same password as the \
  key store itself, it is possible to use a different password for the \
  private key.  If an alternate private key password is needed, then one of \
  the --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments should be used to provide that \
  private key password.  If none of these arguments is given, then the \
  key store password will be used as the private key password.  If a \
  private key password file is supplied, then the file must exist, must \
  contain only one line, and that line must consist only of the clear-text \
  private key password.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_PROMPT_FOR_PK_PW_DESC=Interactively prompt \
  for the password to use to protect the private key.  Although in many \
  cases, private keys will be protected with the same password as the key \
  store itself, it is possible to use a different password for the private \
  key.  If an alternate private key password is needed, then one of the \
  --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments should be used to provide that \
  private key password.  If none of these arguments is given, then the \
  key store password will be used as the private key password.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_KS_TYPE_DESC=The key store type for the \
  key store.  This is usually not necessary when signing certificates, but \
  it may be required in some cases (for example, when listing the \
  certificates in a BCFKS key store when not operating in FIPS \
  140-2-compliant mode).  The value must be one of ''JKS'' (for the Java Key \
  Store format), ''PKCS12'' (for the standard PKCS #12 format), ''PKCS11'' \
  (for PKCS #11 tokens), or ''BCFKS'' (for the Bouncy Castle FIPS \
  140-2-compliant Key Store format).  If this is not provided, then an \
  attempt will be made to automatically infer the correct key store type.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_ALIAS_DESC=The alias (also called a \
  nickname) of the certificate to use to sign the request.  This alias must \
  exist in the key store, and it must reference a private key with a \
  certificate chain.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_SUBJECT_DN_DESC=The subject DN for the \
  signed certificate.  A subject DN typically includes at least a ''CN'' \
  attribute (which in a server certificate should be the hostname that \
  clients are expected to use when connecting to the server, and in other \
  certificates indicates the purpose of that certificate), and may also \
  include additional attributes like ''OU'' (the associated department or \
  organizational unit name), ''O'' (the company or organization name), ''L'' \
  (the city or locality name), ''ST'' (the full name -- NOT the two-letter \
  abbreviation -- of the state or province), ''C'' (the two-letter country \
  code -- NOT the full country name).  For example:  \
  ''CN=ldap.example.com,OU=Directory Services,O=Example \
  Corporation,L=Austin,ST=Texas,C=US''.  This argument is optional, and if it \
  is not provided, then the subject DN from the certificate signing request \
  will be used.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_DAYS_VALID_DESC=The number of days that \
  the signed certificate should be considered valid.  If this argument is not \
  provided, then a default value of 365 days will be used.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_VALIDITY_START_TIME_DESC=The time that the \
  signed certificate''s validity window should start (that is, the \
  ''notBefore'' value).  If this is not provided, then the current time will \
  be used.  If a value is given, it should be in the form ''YYYYMMDDhhmmss'' \
  (for example, ''{0}'').  Timestamp values are assumed to be in the local \
  time zone.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_SIG_ALG_DESC=The name of the algorithm to \
  use to sign the certificate.  If this is not provided, then the signature \
  algorithm from the certificate signing request will be used.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_INCLUDE_EXT_DESC=Indicates that the \
  signed certificate should include all of the extensions requested in the \
  certificate signing request (although extensions known to apply to the \
  certificate''s issuer, like authority key identifier and issuer alternative \
  name, may be excluded), and the requested extensions will be included in \
  addition to any other extensions requested via command-line arguments.  If \
  this is not provided, then only the extensions requested via command-line \
  arguments will be included in the signed certificate.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_SAN_DNS_DESC=Indicates that the signed \
  certificate should include a subject alternative name extension with \
  the specified DNS hostname.  This can be used to help clients trust a \
  server certificate if they connect to the server using a different \
  hostname than is included in the CN attribute of the certificate subject.  \
  This can be provided multiple times to specify multiple alternate \
  hostnames, and hostnames can have an asterisk as their leftmost component \
  (for example, ''*.example.com'' or ''*.east.example.com'') to match any \
  value in that component.  Each value must contain only ASCII characters, so \
  internationalized domain names must use the ASCII-Compatible Encoding \
  (ACE) described in RFC 5890.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_SAN_IP_DESC=Indicates that the signed \
  certificate should include a subject alternative name extension with \
  the specified IP address.  This can be used to help clients trust a server \
  certificate if they connect to the server using an IP address rather than \
  the hostname that is included in the CN attribute of the certificate \
  subject.  This can be provided multiple times to specify multiple IP \
  addresses, and each value must be a valid IPv4 or IPv6 address.  There is \
  no support for wildcards, CIDR, other mechanisms for specifying a range of \
  addresses.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_SAN_EMAIL_DESC=Indicates that the signed \
  certificate should include a subject alternative name extension with the \
  specified email address (technically, RFC 822 name) value.  This can be \
  provided multiple times to specify multiple email addresses.  Each value \
  must contain only ASCII characters, so internationalized email addresses \
  must use the ASCII-Compatible Encoding (ACE) described in RFC 5890.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_SAN_URI_DESC=Indicates that the signed \
  certificate should include a subject alternative name extension with \
  the specified URI value.  This can be provided multiple times to specify \
  multiple URIs.  Each value must contain only ASCII characters, so \
  internationalized resource identifiers must be mapped to URIs as described \
  in RFC 3987.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_SAN_OID_DESC=Indicates that the signed \
  certificate should include a subject alternative name extension with the \
  specified OID as a resource identifier.  This can be provided multiple \
  times to specify multiple OIDs, and each value must be the string \
  representation of a valid object identifier.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_IAN_DNS_DESC=Indicates that the signed \
  certificate should include an issuer alternative name extension with \
  the specified DNS hostname.  This can be provided multiple times to specify \
  multiple alternate hostnames, and hostnames can have an asterisk as their \
  leftmost component (for example, ''*.example.com'' or \
  ''*.east.example.com'') to match any value in that component.  Each value \
  must contain only ASCII characters, so internationalized domain names must \
  use the ASCII-Compatible Encoding (ACE) described in RFC 5890.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_IAN_IP_DESC=Indicates that the signed \
  certificate should include an issuer alternative name extension with \
  the specified IP address.  This can be provided multiple times to specify \
  multiple IP addresses, and each value must be a valid IPv4 or IPv6 \
  address.  There is no support for wildcards, CIDR, other mechanisms for \
  specifying a range of addresses.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_IAN_EMAIL_DESC=Indicates that the signed \
  certificate should include an issuer alternative name extension with the \
  specified email address (technically, RFC 822 name) value.  This can be \
  provided multiple times to specify multiple email addresses.  Each value \
  must contain only ASCII characters, so internationalized email addresses \
  must use the ASCII-Compatible Encoding (ACE) described in RFC 5890.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_IAN_URI_DESC=Indicates that the signed \
  certificate should include an issuer alternative name extension with \
  the specified URI value.  This can be provided multiple times to specify \
  multiple URIs.  Each value must contain only ASCII characters, so \
  internationalized resource identifiers must be mapped to URIs as described \
  in RFC 3987.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_IAN_OID_DESC=Indicates that the signed \
  certificate should include an issuer alternative name extension with the \
  specified OID as a resource identifier.  This can be provided multiple \
  times to specify multiple OIDs, and each value must be the string \
  representation of a valid object identifier.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_BC_IS_CA_DESC=Indicates that the signed \
  certificate should include a basic constraints extension that indicates \
  whether the certificate should be considered a certification authority.  If \
  present, the value must be either ''true'' or ''false''.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_BC_PATH_LENGTH_DESC=Indicates that the \
  signed certificate should include a basic constraints extension that \
  specifies that there must not be more than the specified number of \
  intermediate certificates between that issuer certificate and the subject \
  certificate in a certificate chain.  This argument can only be provided in \
  conjunction with a --basic-constraints-is-ca value of ''true''.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_KU_DESC=Indicates that the signed \
  certificate should include a key usage extension that indicates that \
  the certificate can be used for a specified purpose.  Allowed values for \
  this argument are ''digital-signature'', ''non-repudiation'', \
  ''key-encipherment'', ''data-encipherment'', ''key-agreement'', \
  ''key-cert-sign'', ''crl-sign'', ''encipher-only'', and ''decipher-only''.  \
  This argument can be provided multiple times to specify multiple key usage \
  values.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_EKU_DESC=Indicates that the signed \
  certificate should include an extended key usage extension that \
  indicates that the certificate can be used for a specified purpose.  \
  Allowed values for this argument are ''server-auth'', ''client-auth'', \
  ''code-signing'', ''email-protection'', ''time-stamping'', and \
  ''ocsp-signing'', or the string representation of any valid object \
  identifier.  This argument can be provided multiple times to specify \
  multiple extended key usage values.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_EXT_DESC=Indicates that the signed \
  certificate should include an extension with the specified content.  \
  The value must be in the form oid:criticality:value, where oid is the OID \
  that identifies the type of extension, criticality is a value of either \
  ''true'' or ''false'', and value is the hexadecimal representation of the \
  extension value (for example, --ext 2.5.29.19:true:30030101ff).
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_NO_PROMPT_DESC=Sign the request without \
  prompting the end user.  By default, the certificate signing request will \
  be displayed and the user will be interactively prompted about whether to \
  sign it.
INFO_MANAGE_CERTS_SC_SIGN_CSR_ARG_DISPLAY_COMMAND_DESC=Display a command that \
  can be invoked to achieve a similar result with the Java keytool \
  utility.  Note that this may just be an approximation, since the \
  manage-certificates and keytool utilities do not provide exactly the same \
  sets of functionality.
INFO_MANAGE_CERTS_SC_SIGN_CSR_EXAMPLE_1=Signs the certificate signing request \
  contained in file ''server-cert.csr'' using the ''ca-cert'' certificate \
  contained in the ''{0}'' key store.  The subject DN, signature algorithm, \
  and extensions from the provided certificate signing request will be used \
  to generate the corresponding values in the signed certificate, and the \
  certificate will be valid for 365 days, starting immediately.  The signed \
  certificate will be written to standard output in PEM format.
INFO_MANAGE_CERTS_SC_SIGN_CSR_EXAMPLE_2=Signs the certificate signing request \
  contained in file ''server-cert.csr'' using the ''ca-cert'' certificate \
  contained in the ''{0}'' key store.  The subject DN, signature algorithm, \
  and extensions from the provided certificate signing request will be used \
  to generate the corresponding values in the signed certificate, and the \
  certificate will also include an issuer alternative name extension with an \
  email address of ''[email protected]''.  The signed certificate will be valid \
  for 730 days starting at midnight on January 1, 2017 in the local \
  timezone.  The signed certificate will be written to the file \
  ''server-cert.der'' file in the binary DER format.
INFO_MANAGE_CERTS_SC_CHANGE_ALIAS_DESC=Changes the alias of a certificate in \
  a key store.
INFO_MANAGE_CERTS_SC_CHANGE_ALIAS_ARG_KS_DESC=The path to the key store file \
  containing the alias to rename.  This is required, and the keystore \
  file must exist.
INFO_MANAGE_CERTS_SC_CHANGE_ALIAS_ARG_KS_PW_DESC=The password (also called a \
  passphrase or PIN) needed to access the contents of the key store.  A \
  key store password is required, so one of the --keystore-password, \
  --keystore-password-file, or --prompt-for-keystore-password arguments must \
  be provided.
INFO_MANAGE_CERTS_SC_CHANGE_ALIAS_ARG_KS_PW_FILE_DESC=The path to a file \
  containing the password needed to access the contents of the key store.  A \
  key store password is required, so one of the --keystore-password, \
  --keystore-password-file, or --prompt-for-keystore-password arguments must \
  be provided.  If a key store password file is supplied, then the file must \
  exist, must contain only one line, and that line must consist only of the \
  clear-text key store password.
INFO_MANAGE_CERTS_SC_CHANGE_ALIAS_ARG_PROMPT_FOR_KS_PW_DESC=Interactively \
  prompt for the key store password.  A key store password is required so one \
  of the --keystore-password, --keystore-password-file, or \
  --prompt-for-keystore-password arguments must be provided.
INFO_MANAGE_CERTS_SC_CHANGE_ALIAS_ARG_PK_PW_DESC=The password (also called a \
  passphrase or PIN) used to protect the private key.  In many cases, the \
  private key password will be the same as the password used to protect the \
  key store itself, and in such instances, the private key password can be \
  omitted and the key store password will be used.  However, if the target \
  alias includes a private key, and that private key is protected with a \
  different password than the key store itself, then one of the \
  --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments must be provided.
INFO_MANAGE_CERTS_SC_CHANGE_ALIAS_ARG_PK_PW_FILE_DESC=The path to a file \
  containing the password used to protect the private key.  In many cases, \
  the private key password will be the same as the password used to protect \
  the key store itself, and in such instances, the private key password can \
  be omitted and the key store password will be used.  However, if the target \
  alias includes a private key, and that private key is protected with a \
  different password than the key store itself, then one of the \
  --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments must be provided.  If a private \
  key password file is supplied, then the file must exist, must contain only \
  one line, and that line must consist only of the clear-text private key \
  password.
INFO_MANAGE_CERTS_SC_CHANGE_ALIAS_ARG_PROMPT_FOR_PK_PW_DESC=Interactively \
  prompt for the private key password.  In many cases, the private key \
  password will be the same as the password used to protect the key store \
  itself, and in such instances, the private key password can be omitted and \
  the key store password will be used.  However, if the target alias includes \
  a private key, and that private key is protected with a different password \
  than the key store itself, then one of the --private-key-password, \
  --private-key-password-file, or --prompt-for-private-key-password arguments \
  must be provided.
INFO_MANAGE_CERTS_SC_CHANGE_ALIAS_ARG_KS_TYPE_DESC=The key store type for the \
  key store.  This is usually not necessary when changing a certificate \
  alias, but it may be required in some cases (for example, when listing the \
  certificates in a BCFKS key store when not operating in FIPS \
  140-2-compliant mode).  The value must be one of ''JKS'' (for the Java Key \
  Store format), ''PKCS12'' (for the standard PKCS #12 format), ''PKCS11'' \
  (for PKCS #11 tokens), or ''BCFKS'' (for the Bouncy Castle FIPS \
  140-2-compliant Key Store format).  If this is not provided, then an \
  attempt will be made to automatically infer the correct key store type.
INFO_MANAGE_CERTS_SC_CHANGE_ALIAS_ARG_CURRENT_ALIAS_DESC=The current alias \
  for the key store entry to rename.  This is required, and it may only be \
  provided once.
INFO_MANAGE_CERTS_SC_CHANGE_ALIAS_ARG_NEW_ALIAS_DESC=The new alias to assign \
  to the target entry in the key store.  This is required, and it may only be \
  provided once.
INFO_MANAGE_CERTS_SC_CHANGE_ALIAS_ARG_DISPLAY_COMMAND_DESC=Display a command \
  that can be invoked to achieve a similar result with the Java keytool \
  utility.  Note that this may just be an approximation, since the \
  manage-certificates and keytool utilities do not provide exactly the same \
  sets of functionality.
INFO_MANAGE_CERTS_SC_CHANGE_ALIAS_EXAMPLE_1=Changes the alias of the existing \
  ''server-cert'' certificate to be ''server-certificate''.
INFO_MANAGE_CERTS_SC_CHANGE_KS_PW_DESC=Changes the password used to protect \
  the contents of a key store.
INFO_MANAGE_CERTS_SC_CHANGE_KS_PW_ARG_KS_DESC=The path to the key store file \
  for which to change the password.  This is required, and the key store \
  file must exist.
INFO_MANAGE_CERTS_SC_CHANGE_KS_PW_ARG_CURRENT_PW_DESC=The current password \
  for the key store.  The current password is required, so one of the \
  --current-keystore-password, --current-keystore-password-file, or \
  --prompt-for-current-keystore-password arguments must be provided.
INFO_MANAGE_CERTS_SC_CHANGE_KS_PW_ARG_CURRENT_PW_FILE_DESC=The path to a \
  file containing the current password for the key store.  The current \
  password is required, so one of the --current-keystore-password, \
  --current-keystore-password-file, or --prompt-for-current-keystore-password \
  arguments must be provided.  If a key store password file is supplied, then \
  the file must exist, must contain only one line, and that line must consist \
  only of the clear-text key store password.
INFO_MANAGE_CERTS_SC_CHANGE_KS_PW_ARG_PROMPT_FOR_CURRENT_PW_DESC=Interactively \
  prompt for the current key store password.  The current password \
  is required, so one of the --current-keystore-password, \
  --current-keystore-password-file, or --prompt-for-current-keystore-password \
  arguments must be provided.
INFO_MANAGE_CERTS_SC_CHANGE_KS_PW_ARG_NEW_PW_DESC=The new password for the \
  key store.  The new password is required, so one of the \
  --new-keystore-password, --new-keystore-password-file, or \
  --prompt-for-new-keystore-password arguments must be provided.
INFO_MANAGE_CERTS_SC_CHANGE_KS_PW_ARG_NEW_PW_FILE_DESC=The path to a file \
  containing the new password for the key store.  The new password is \
  required, so one of the --new-keystore-password, \
  --new-keystore-password-file, or --prompt-for-new-keystore-password \
  arguments must be provided.  If a key store password file is supplied, then \
  the file must exist, must contain only one line, and that line must consist \
  only of the clear-text key store password.
INFO_MANAGE_CERTS_SC_CHANGE_KS_PW_ARG_PROMPT_FOR_NEW_PW_DESC=Interactively \
  prompt for the new key store password.  The new password is required, so \
  one of the --new-keystore-password, --new-keystore-password-file, or \
  --prompt-for-new-keystore-password arguments must be provided.
INFO_MANAGE_CERTS_SC_CHANGE_KS_PW_ARG_DISPLAY_COMMAND_DESC=Display a command \
  that can be invoked to achieve a similar result with the Java keytool \
  utility.  Note that this may just be an approximation, since the \
  manage-certificates and keytool utilities do not provide exactly the same \
  sets of functionality.
INFO_MANAGE_CERTS_SC_CHANGE_KS_PW_EXAMPLE_1=Changes the password for the \
  ''{0}'' key store from the current password contained in file ''{1}'' to \
  the new password contained in file ''{2}''.
INFO_MANAGE_CERTS_SC_CHANGE_PK_PW_DESC=Changes the password used to protect \
  a specified private key.
INFO_MANAGE_CERTS_SC_CHANGE_PK_PW_ARG_KS_DESC=The path to the key store file \
  containing the private key entry for which to change the password.  This is \
  required, and the key store file must exist.
INFO_MANAGE_CERTS_SC_CHANGE_PK_PW_ARG_KS_PW_DESC=The password (also called a \
  passphrase or PIN) needed to access the contents of the key store.  A \
  key store password is required, so one of the --keystore-password, \
  --keystore-password-file, or --prompt-for-keystore-password arguments must \
  be provided.
INFO_MANAGE_CERTS_SC_CHANGE_PK_PW_ARG_KS_PW_FILE_DESC=The path to a file \
  containing the password needed to access the contents of the key store.  A \
  key store password is required, so one of the --keystore-password, \
  --keystore-password-file, or --prompt-for-keystore-password arguments must \
  be provided.  If a key store password file is supplied, then the file must \
  exist, must contain only one line, and that line must consist only of the \
  clear-text key store password.
INFO_MANAGE_CERTS_SC_CHANGE_PK_PW_ARG_PROMPT_FOR_KS_PW_DESC=Interactively \
  prompt for the key store password.  A key store password is required so one \
  of the --keystore-password, --keystore-password-file, or \
  --prompt-for-keystore-password arguments must be provided.
INFO_MANAGE_CERTS_SC_CHANGE_PK_PW_ARG_KS_TYPE_DESC=The key store type for the \
  key store.  This is usually not necessary when changing private key \
  passwords, but it may be required in some cases (for example, when listing \
  the certificates in a BCFKS key store when not operating in FIPS \
  140-2-compliant mode).  The value must be one of ''JKS'' (for the Java Key \
  Store format), ''PKCS12'' (for the standard PKCS #12 format), ''PKCS11'' \
  (for PKCS #11 tokens), or ''BCFKS'' (for the Bouncy Castle FIPS \
  140-2-compliant Key Store format).  If this is not provided, then an \
  attempt will be made to automatically infer the correct key store type.
INFO_MANAGE_CERTS_SC_CHANGE_PK_PW_ARG_ALIAS_DESC=The alias (also called a \
  nickname) of the private key entry for which to change the password.  This \
  is required.
INFO_MANAGE_CERTS_SC_CHANGE_PK_PW_ARG_CURRENT_PW_DESC=The current password \
  used to encrypt the private key.  The current private key password is \
  required, so one of the --current-private-key-password, \
  --current-private-key-password-file, and \
  --prompt-for-current-private-key-password arguments is required.
INFO_MANAGE_CERTS_SC_CHANGE_PK_PW_ARG_CURRENT_PW_FILE_DESC=The path to a file \
  containing the current password used to encrypt the private key.  The \
  current private key password is required, so one of the \
  --current-private-key-password, --current-private-key-password-file, and \
  --prompt-for-current-private-key-password arguments is required.  If a \
  private key password file is supplied, then the file must exist, must \
  contain only one line, and that line must consist only of the clear-text \
  private key password.
INFO_MANAGE_CERTS_SC_CHANGE_PK_PW_ARG_PROMPT_FOR_CURRENT_PW_DESC=Interactively \
  prompt for the current private key password.  The current private key \
  password is required, so one of the --current-private-key-password, \
  --current-private-key-password-file, and \
  --prompt-for-current-private-key-password arguments is required.
INFO_MANAGE_CERTS_SC_CHANGE_PK_PW_ARG_NEW_PW_DESC=The new password to use to \
  encrypt the private key.  The new private key password is required, so one \
  of the --new-private-key-password, --new-private-key-password-file, and \
  --prompt-for-new-private-key-password arguments is required.
INFO_MANAGE_CERTS_SC_CHANGE_PK_PW_ARG_NEW_PW_FILE_DESC=The path to a file \
  containing the new password to use to encrypt the private key.  The new \
  private key password is required, so one of the --new-private-key-password, \
  --new-private-key-password-file, and --prompt-for-new-private-key-password \
  arguments is required.  If a private key password file is supplied, then \
  the file must exist, must contain only one line, and that line must consist \
  only of the clear-text private key password.
INFO_MANAGE_CERTS_SC_CHANGE_PK_PW_ARG_PROMPT_FOR_NEW_PW_DESC=Interactively \
  prompt for the new private key password.  The new private key password is \
  required, so one of the --new-private-key-password, \
  --new-private-key-password-file, and \
  --prompt-for-new-private-key-password arguments is required.
INFO_MANAGE_CERTS_SC_CHANGE_PK_PW_ARG_DISPLAY_COMMAND_DESC=Display a command \
  that can be invoked to achieve a similar result with the Java keytool \
  utility.  Note that this may just be an approximation, since the \
  manage-certificates and keytool utilities do not provide exactly the same \
  sets of functionality.
INFO_MANAGE_CERTS_SC_CHANGE_PK_PW_EXAMPLE_1=Changes the password for the \
  ''server-cert'' private key entry in the ''{0}'' key store from the current \
  password contained in file ''{1}'' to the new password contained in file \
  ''{2}''.
INFO_MANAGE_CERTS_SC_COPY_KS_DESC=Copies the contents of one key store to \
  another.  If the destination key store does not exist, then a new one will \
  be created (allowing you to convert one type of key store to another).  If \
  the destination key store does exist, then there must not be any conflicts \
  between the aliases of the source and destination key stores.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_SRC_KS_DESC=The path to the source key store \
  whose contents should be copied.  This must be provided, and the file must \
  exist.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_SRC_KS_PW_DESC=The password needed to access \
  the contents of the source key store.  Exactly one of the \
  --source-keystore-password, --source-keystore-password-file, and \
  --prompt-for-source-keystore-password arguments must be provided.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_SRC_KS_PW_FILE_DESC=The path to a file \
  containing the password needed to access the contents of the source \
  key store.  Exactly one of the --source-keystore-password, \
  --source-keystore-password-file, and --prompt-for-source-keystore-password \
  arguments must be provided.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_PROMPT_FOR_SRC_KS_PW=Interactively prompt \
  for the password needed to access the contents of the source key store.  \
  Exactly one of the --source-keystore-password, \
  --source-keystore-password-file, and --prompt-for-source-keystore-password \
  arguments must be provided.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_SRC_PK_PW_DESC=The password needed to access \
  private keys in the source key store.  At most one of the \
  --source-keystore-password, --source-keystore-password-file, and \
  --prompt-for-source-keystore-password arguments must be provided, and if \
  none of them is provided, then the source key store password will be used \
  as the source private key password.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_SRC_PK_PW_FILE_DESC=The path to a file \
  containing the password needed to access the private keys in the source key \
  store.  At most one of the --source-keystore-password, \
  --source-keystore-password-file, and --prompt-for-source-keystore-password \
  arguments must be provided, and if none of them is provided, then the \
  source key store password will be used as the source private key password.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_PROMPT_FOR_SRC_PK_PW=Interactively prompt \
  for the password needed to access private keys in the source key store.  At \
  most one of the --source-keystore-password, \
  --source-keystore-password-file, and --prompt-for-source-keystore-password \
  arguments must be provided, and if none of them is provided, then the \
  source key store password will be used as the source private key password.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_SRC_KS_TYPE=The key store type for the \
  source key store.  If provided, the value must be one of ''JKS'' (for the \
  Java Key Store format), ''PKCS12'' (for the standard PKCS #12 key store \
  format), ''PKCS11'' (for PKCS #11 tokens), or ''BCFKS'' (for the Bouncy \
  Castle FIPS 140-2-compliant Key Store format).  If this is not provided, \
  then an attempt will be made to automatically infer the correct key store \
  type.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_DST_KS_DESC=The path to the destination key \
  store to which the source key store contents should be copied.  This must \
  be provided, but if the file does not exist, then a new key store will be \
  created.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_DST_KS_PW_DESC=The password needed to access \
  the contents of the destination key store.  At most one of the \
  --destination-keystore-password, --destination-keystore-password-file, and \
  --prompt-for-destination-keystore-password arguments may be provided, and \
  if none of them is given, then the source key store password will be used \
  as the destination key store password.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_DST_KS_PW_FILE_DESC=The path to a file \
  containing the password needed to access the contents of the destination \
  key store.  At most one of the --destination-keystore-password, \
  --destination-keystore-password-file, and \
  --prompt-for-destination-keystore-password arguments may be provided, and \
  if none of them is given, then the source key store password will be used \
  as the destination key store password.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_PROMPT_FOR_DST_KS_PW=Interactively prompt \
  for the password needed to access the contents of the destination key \
  store.  At most one of the --destination-keystore-password, \
  --destination-keystore-password-file, and \
  --prompt-for-destination-keystore-password arguments may be provided, and \
  if none of them is given, then the source key store password will be used \
  as the destination key store password.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_DST_PK_PW_DESC=The password needed to access \
  private keys in the destination key store.  At most one of the \
  --destination-keystore-password, --destination-keystore-password-file, and \
  --prompt-for-destination-keystore-password arguments must be provided, and \
  if none of them is provided, then the destination key store password will \
  be used as the destination private key password.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_DST_PK_PW_FILE_DESC=The path to a file \
  containing the password needed to access the private keys in the \
  destination key store.  At most one of the --destination-keystore-password, \
  --destination-keystore-password-file, and \
  --prompt-for-destination-keystore-password arguments must be provided, and \
  if none of them is provided, then the destination key store password will \
  be used as the destination private key password.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_PROMPT_FOR_DST_PK_PW=Interactively prompt \
  for the password needed to access private keys in the destination key \
  store.  At most one of the --destination-keystore-password, \
  --destination-keystore-password-file, and \
  --prompt-for-destination-keystore-password arguments must be provided, and \
  if none of them is provided, then the destination key store password will \
  be used as the destination private key password.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_DST_KS_TYPE=The key store type for the \
  destination key store.  If provided, the value must be one of ''JKS'' (for \
  the Java Key Store format), ''PKCS12'' (for the standard PKCS #12 key store \
  format), ''PKCS11'' (for PKCS #11 tokens), or ''BCFKS'' (for the Bouncy \
  Castle FIPS 140-2-compliant Key Store format).  If this is not provided, \
  then an attempt will be made to automatically infer the correct key store \
  type if the destination key store exists, or a default type of ''JKS'' will \
  be used if the file does not exist.
INFO_MANAGE_CERTS_SC_COPY_KS_ARG_ALIAS=The alias for a certificate to copy \
  from the source key store to the destination key store.  This may be \
  provided multiple times if multiple specific certificates should be \
  copied.  If this is not provided, then all certificates in the source key \
  store will be copied to the destination key store.
INFO_MANAGE_CERTS_SC_COPY_KS_EXAMPLE_1=Copies the contents of the ''{0}'' \
  JKS key store to the ''{1}'' PKCS #12 key store.
INFO_MANAGE_CERTS_SC_RETRIEVE_CERT_DESC=Initiates a secure connection to a \
  server to get that server''s certificate chain, and then displays that \
  certificate and optionally writes it to a file.
INFO_MANAGE_CERTS_SC_RETRIEVE_CERT_ARG_HOSTNAME_DESC=The hostname or IP \
  address of the server to which the connection should be established.  This \
  must be provided.
INFO_MANAGE_CERTS_SC_RETRIEVE_CERT_ARG_PORT_DESC=The TCP port number of the \
  server to which the connection should be established.  Unless the \
  --use-ldap-start-tls argument is provided, the port number must be one on \
  which the server expects to accept TLS-based connections.  If the \
  --use-ldap-start-tls argument is provided, then the specified port must be \
  one on which an LDAP server is listening for non-secure connections but \
  on which clients may use the StartTLS extended operation to transition to \
  using secure communication.  Standard secure port numbers include 636 for \
  LDAPS and 443 for HTTPS, and the standard non-secure port for LDAP is 389.  \
  This must be provided.
INFO_MANAGE_CERTS_SC_RETRIEVE_CERT_ARG_USE_START_TLS_DESC=Indicates that the \
  tool should initially establish a non-secure connection to an LDAP server, \
  and then use the StartTLS extended operation to transition to using secure \
  communication.
INFO_MANAGE_CERTS_SC_RETRIEVE_CERT_ARG_FILE_DESC=The path to the output file \
  to which the retrieved certificates should be written.  If this argument is \
  provided, then a PEM or DER representation of all certificates in the chain \
  will be written to the specified file.  If this argument is not provided, \
  then information about the certificate will only be written to standard \
  output.
INFO_MANAGE_CERTS_SC_RETRIEVE_CERT_ARG_FORMAT_DESC=The format in which the \
  certificates should be written to the specified output file.  The value \
  may be either ''PEM'' (to use the text-based PEM format), or ''DER'' (to \
  use the binary DER format).  This argument may only be provided if the \
  --output-file argument is also given.  If this is not provided, then the \
  PEM output format will be used.
INFO_MANAGE_CERTS_SC_RETRIEVE_CERT_ARG_ONLY_PEER_DESC=Only provide \
  information about the peer certificate.  If this argument is not provided, \
  then the tool will provide information about all certificates in the \
  presented chain.
INFO_MANAGE_CERTS_SC_RETRIEVE_CERT_ARG_ENABLE_SSL_DEBUGGING_DESC=Enable \
  Java''s low-level support for debugging SSL/TLS communication.  This is \
  equivalent to setting the ''javax.net.debug'' property to ''all''.
INFO_MANAGE_CERTS_SC_RETRIEVE_CERT_ARG_VERBOSE_DESC=Display verbose \
  information about the certificates that are retrieved.  This will only \
  affect what is written to standard output and will not alter what may be \
  written to the output file (if one was requested).
INFO_MANAGE_CERTS_SC_RETRIEVE_CERT_EXAMPLE_1=Establish a secure connection \
  to ds.example.com on port 636 and display basic information about the \
  server''s certificate chain.
INFO_MANAGE_CERTS_SC_RETRIEVE_CERT_EXAMPLE_2=Establish an initially insecure \
  connection to ds.example.com on port 389 and then invoke an LDAP StartTLS \
  extended operation to establish a secure communication channel.  Display \
  verbose information about the peer certificate (ignoring any issuer \
  certificates), and write a PEM representation of that certificate to the \
  ''ds-cert.pem'' file.
INFO_MANAGE_CERTS_SC_TRUST_SERVER_DESC=Initiates a secure connection to a \
  server to get that server''s certificate chain, and then adds those \
  certificates to a key store so that it can be used as a trust store for that \
  server.
INFO_MANAGE_CERTS_SC_TRUST_SERVER_ARG_HOSTNAME_DESC=The hostname or IP \
  address of the server to which the connection should be established.  This \
  must be provided.
INFO_MANAGE_CERTS_SC_TRUST_SERVER_ARG_PORT_DESC=The TCP port number of the \
  server to which the connection should be established.  Unless the \
  --use-ldap-start-tls argument is provided, the port number must be one on \
  which the server expects to accept TLS-based connections.  If the \
  --use-ldap-start-tls argument is provided, then the specified port must be \
  one on which an LDAP server is listening for non-secure connections but \
  on which clients may use the StartTLS extended operation to transition to \
  using secure communication.  Standard secure port numbers include 636 for \
  LDAPS and 443 for HTTPS, and the standard non-secure port for LDAP is 389.  \
  This must be provided.
INFO_MANAGE_CERTS_SC_TRUST_SERVER_ARG_USE_START_TLS_DESC=Indicates that the \
  tool should initially establish a non-secure connection to an LDAP server, \
  and then use the StartTLS extended operation to transition to using secure \
  communication.
INFO_MANAGE_CERTS_SC_TRUST_SERVER_ARG_KS_DESC=The path to the key store file \
  to which the certificates should be added.  This is required, but if the \
  file does not exist, then it will be created.
INFO_MANAGE_CERTS_SC_TRUST_SERVER_ARG_KS_PW_DESC=The password (also called a \
  passphrase or PIN) needed to access the contents of the key store.  If the \
  key store does not exist, then it will be created with this password.  A \
  key store password is required when importing certificates, so one of the \
  --keystore-password, --keystore-password-file, or \
  --prompt-for-keystore-password arguments must be provided.  The password \
  must contain at least six characters.
INFO_MANAGE_CERTS_SC_TRUST_SERVER_ARG_KS_PW_FILE_DESC=The password (also \
  called a passphrase or PIN) needed to access the contents of the key \
  store.  If the key store does not exist, then it will be created with this \
  password.  A key store password is required when importing certificates, so \
  one of the --keystore-password, --keystore-password-file, or \
  --prompt-for-keystore-password arguments must be provided.  If a key store \
  password file is supplied, then the file must exist, must contain only one \
  line, and that line must consist only of the clear-text key store \
  password.  The password must contain at least six characters.
INFO_MANAGE_CERTS_SC_TRUST_SERVER_ARG_PROMPT_FOR_KS_PW_DESC=Interactively \
  prompt for the key store password.  If the key store does not exist, then \
  it will be created with this password.  A key store password is required \
  when importing certificates, so one of the --keystore-password, \
  --keystore-password-file, or --prompt-for-keystore-password arguments must \
  be provided.  The password must contain at least six characters.
INFO_MANAGE_CERTS_SC_TRUST_SERVER_ARG_KS_TYPE_DESC=The key store type for the \
  key store to create.  This argument should only be provided when creating a \
  new key store, and it will be ignored if the key store already exists.  The \
  value must be one of ''JKS'' (for the Java Key Store format), ''PKCS12'' \
  (for the standard PKCS #12 format), ''PKCS11'' (for PKCS #11 tokens), or \
  ''BCFKS'' (for the Bouncy Castle FIPS 140-2-compliant Key Store format).  \
  If this is not provided, then a default key store type of ''JKS'' will be \
  used for newly-created key stores.
INFO_MANAGE_CERTS_SC_TRUST_SERVER_ARG_ALIAS_DESC=The alias (also called a \
  nickname) to use for the first certificate to add to the key store.  This \
  alias must not already be in use in the key store.  If multiple \
  certificates are to be imported, then the first certificate imported will \
  use this alias, and subsequent certificates will have either ''-issuer'' \
  (if there is only one issuer certificate) or ''-issuer-#'' (if there are \
  multiple issuers, where # will be replaced with an incrementing number for \
  each subsequent issuer).  If this is omitted, then a default alias will be \
  constructed from the hostname and port number.
INFO_MANAGE_CERTS_SC_TRUST_SERVER_ARG_ISSUERS_ONLY_DESC=Indicates that the \
  tool should only update the key store to include the issuer certificates \
  for the target server, but omit the server certificate at the head of the \
  chain.  This may be useful in environments in which all servers are signed \
  by a common issuer and it is sufficient to trust just the issuer \
  certificates.  This argument will not have any effect for self-signed \
  certificates in which a certificate is its own issuer.
INFO_MANAGE_CERTS_SC_TRUST_SERVER_ARG_NO_PROMPT_DESC=Trust the server \
  certificates without prompting the end user.  By default, the server \
  certificate chain will be displayed and the user will be interactively \
  prompted about whether to trust the certificate.
INFO_MANAGE_CERTS_SC_TRUST_SERVER_ARG_ENABLE_SSL_DEBUGGING_DESC=Enable \
  Java''s low-level support for debugging SSL/TLS communication.  This is \
  equivalent to setting the ''javax.net.debug'' property to ''all''.
INFO_MANAGE_CERTS_SC_TRUST_SERVER_ARG_VERBOSE_DESC=Display verbose \
  information about the certificates in the server''s certificate chain.
INFO_MANAGE_CERTS_SC_TRUST_SERVER_EXAMPLE_1=Establishes a secure connection \
  to the server ds.example.com on port 636 and adds that server''s \
  certificate chain to the ''{0}'' key store with a base alias of \
  ''ds.example.com:636''.  The tool will display verbose information about \
  the certificate chain presented by the server, and will interactively \
  prompt about whether to trust that chain.
INFO_MANAGE_CERTS_SC_TRUST_SERVER_EXAMPLE_2=Establishes a non-secure \
  connection to ds.example.com on port 389, and then uses the LDAP StartTLS \
  extended operation to transition to a secure connection.  It will then add \
  the server''s issuer certificates to the ''{0}'' key store with a base \
  alias of ''ds-start-tls-cert''.  The tool will trust the certificate chain \
  without any confirmation from the user.
INFO_MANAGE_CERTS_SC_CHECK_USABILITY_DESC=Examines a key store to determine \
  how suitable a specified certificate is for use as a server certificate.
INFO_MANAGE_CERTS_SC_CHECK_USABILITY_ARG_KS_DESC=The path to the key store \
  file containing the certificate to check.  This is required, and the \
  key store file must exist.
INFO_MANAGE_CERTS_SC_CHECK_USABILITY_ARG_KS_PW_DESC=The password (also called \
  a passphrase or PIN) needed to access the contents of the key store.  A \
  key store password is required, so one of the --keystore-password, \
  --keystore-password-file, or --prompt-for-keystore-password arguments must \
  be provided.
INFO_MANAGE_CERTS_SC_CHECK_USABILITY_ARG_KS_PW_FILE_DESC=The path to a file \
  containing the password needed to access the contents of the key store.  A \
  key store password is required, so one of the --keystore-password, \
  --keystore-password-file, or --prompt-for-keystore-password arguments must \
  be provided.  If a key store password file is supplied, then the file must \
  exist, must contain only one line, and that line must consist only of the \
  clear-text key store password.
INFO_MANAGE_CERTS_SC_CHECK_USABILITY_ARG_PROMPT_FOR_KS_PW_DESC=Interactively \
  prompt for the key store password.  A key store password is required, so \
  one of the --keystore-password, --keystore-password-file, or \
  --prompt-for-keystore-password arguments must be provided.
INFO_MANAGE_CERTS_SC_CHECK_USABILITY_ARG_KS_TYPE_DESC=The key store type for \
  the key store.  This is usually not necessary when checking certificate \
  usability, but it may be required in some cases (for example, when listing \
  the certificates in a BCFKS key store when not operating in FIPS \
  140-2-compliant mode).  The value must be one of ''JKS'' (for the Java Key \
  Store format), ''PKCS12'' (for the standard PKCS #12 format), ''PKCS11'' \
  (for PKCS #11 tokens), or ''BCFKS'' (for the Bouncy Castle FIPS \
  140-2-compliant Key Store format).  If this is not provided, then an \
  attempt will be made to automatically infer the correct key store type.
INFO_MANAGE_CERTS_SC_CHECK_USABILITY_ARG_ALIAS_DESC=The alias (also called a \
  nickname) of the certificate to examine.  This is required, and it may only \
  be provided once.
INFO_MANAGE_CERTS_SC_CHECK_USABILITY_IGNORE_SHA1_WARNING_DESC=Do not fail the \
  validation check merely because an issuer certificate contains a signature \
  based on the SHA-1 digest algorithm.  The SHA-1 algorithm is considered \
  weak, and some clients may reject a certificate chain that includes a \
  certificate with a SHA-1-based signature, but because some commercial \
  authorities still use SHA-1-based root certificates, this argument makes it \
  possible to ignore this warning for issuer certificates.
INFO_MANAGE_CERTS_SC_CHECK_USABILITY_EXAMPLE_1=Check the ''server-cert'' \
  certificate in the ''{0}'' key store to determine how suitable it is for \
  use as a server certificate.
INFO_MANAGE_CERTS_SC_DISPLAY_CERT_DESC=Displays information about all of the \
  certificates contained in a file.  The certificates may be formatted in \
  either the text-based PEM or the binary DER format, and if the file \
  multiple certificates, then all certificates must use the same format.
INFO_MANAGE_CERTS_SC_DISPLAY_CERT_ARG_FILE_DESC=The path to a file \
  containing the certificates to be printed.  The certificates may be \
  formatted in either the text-based PEM format or the binary DER format.  \
  If the certificates are in PEM format, then each certificate must include \
  the begin header and end footer, and blank lines and lines that start with \
  the octothorpe character (#) will be ignored.  If the certificates are in \
  DER format, then there must not be any delimiter between the certificates.
INFO_MANAGE_CERTS_SC_DISPLAY_CERT_ARG_VERBOSE_DESC=Display verbose \
  information about each of the certificates.  If this argument is not \
  provided, then the listing will only include basic summary information for \
  each certificate, including its subject and issuer DNs, validity start and \
  end times, and fingerprints.  If this argument is provided, then additional \
  information, including the X.509 certificate version, serial number, \
  signature algorithm and value, public key algorithm and content, and \
  extensions, will also be included.
INFO_MANAGE_CERTS_SC_DISPLAY_CERT_ARG_DISPLAY_COMMAND_DESC=Display a command \
  that can be invoked to achieve a similar result with the Java keytool \
  utility.  Note that this may just be an approximation, since the \
  manage-certificates and keytool utilities do not provide exactly the same \
  sets of functionality.
INFO_MANAGE_CERTS_SC_DISPLAY_CERT_EXAMPLE_1=Display basic information about \
  each of the certificates in file ''{0}''.
INFO_MANAGE_CERTS_SC_DISPLAY_CERT_EXAMPLE_2=Display verbose information about \
  each of the certificates in file ''{0}''.  It will also display a command \
  that can be used to accomplish a similar result using the Java keytool \
  utility.
INFO_MANAGE_CERTS_SC_DISPLAY_CSR_DESC=Displays information about a \
  certificate signing request (CSR) contained in a file.  The CSR may be \
  formatted in either the text-based PEM or the binary DER format.
INFO_MANAGE_CERTS_SC_DISPLAY_CSR_ARG_FILE_DESC=The path to a file \
  containing the certificate signing request (CSR) to be printed.  The CSR \
  may be formatted in either the text-based PEM format or the binary DER \
  format.  If the request is in PEM format, it must include the begin header \
  and end footer, and blank lines and lines that start with the \
  octothorpe character (#) will be ignored.  The file must contain only a \
  single certificate signing request.
INFO_MANAGE_CERTS_SC_DISPLAY_CSR_ARG_VERBOSE_DESC=Display verbose information \
  about the certificate signing request.  If this argument is not provided, \
  then the listing will only include basic summary information for the \
  request, including its subject DN, signature algorithm, and public key \
  algorithm.  If this argument is provided, then additional information about \
  the signature, public key, and extensions will be included.
INFO_MANAGE_CERTS_SC_DISPLAY_CSR_ARG_DISPLAY_COMMAND_DESC=Display a command \
  that can be invoked to achieve a similar result with the Java keytool \
  utility.  Note that this may just be an approximation, since the \
  manage-certificates and keytool utilities do not provide exactly the same \
  sets of functionality.
INFO_MANAGE_CERTS_SC_DISPLAY_CSR_EXAMPLE_1=Display information about the \
  certificate signing request in file ''{0}'', as well as a command that can \
  be used to accomplish a similar result using the Java keytool utility.
ERR_MANAGE_CERTS_NO_SUBCOMMAND=ERROR:  No subcommand was selected.
ERR_MANAGE_CERTS_UNKNOWN_SUBCOMMAND=ERROR:  Unrecognized subcommand ''{0}''.
ERR_MANAGE_CERTS_LIST_CERTS_CANNOT_GET_ALIASES=ERROR:  Unable to obtain a \
  list of the aliases in key store ''{0}'':
INFO_MANAGE_CERTS_LIST_KEYSTORE_TYPE=Keystore Type:  {0}
ERR_MANAGE_CERTS_LIST_CERTS_ERROR_GETTING_CERT=ERROR:  An error occurred \
  while attempting to retrieve the certificate with alias ''{0}'' from the \
  key store:  {1}
INFO_MANAGE_CERTS_LIST_CERTS_LABEL_ALIAS_WITHOUT_CHAIN=Alias:  {0}
INFO_MANAGE_CERTS_LIST_CERTS_LABEL_ALIAS_WITH_CHAIN=Alias:  {0} (Certificate \
  {1,number,0} of {2,number,0} in a chain)
ERR_MANAGE_CERTS_LIST_CERTS_VERIFY_SIGNATURE_NO_ISSUER=WARNING:  Unable to \
  verify the signature for this certificate because issuer certificate \
  ''{0}'' could not be located in either the specified key store or the \
  default set of JVM trusted issuers.
INFO_MANAGE_CERTS_LIST_CERTS_SIGNATURE_VALID=The certificate has a valid \
  signature.
INFO_MANAGE_CERTS_LIST_CERTS_LABEL_HAS_PK_YES=Private Key Available:  Yes
INFO_MANAGE_CERTS_LIST_CERTS_LABEL_HAS_PK_NO=Private Key Available:  No
INFO_MANAGE_CERTS_LIST_CERTS_LABEL_PEM=PEM-Encoded Certificate:
WARN_MANAGE_CERTS_LIST_CERTS_ALIAS_NOT_IN_KS=WARNING:  Alias ''{0}'' was \
  requested for inclusion in the list of certificates, but there is no \
  certificate with that alias in key store ''{1}''.
INFO_MANAGE_CERTS_LIST_CERTS_NO_CERTS_OR_KEYS_WITHOUT_PW=No certificates or \
  keys were found in the key store.  This may be because the key store is \
  empty, or it may be that the key store requires a password in order to \
  access its contents.  If you believe the key store may be non-empty, then \
  try again with one of the --keystore-password, --keystore-password-file, \
  or --prompt-for-keystore-password arguments supply a key store password.
INFO_MANAGE_CERTS_LIST_CERTS_NO_CERTS_OR_KEYS_WITH_PW=No certificates or \
  keys were found in the key store.
ERR_MANAGE_CERTS_EXPORT_CERT_NO_FILE_WITH_DER=ERROR:  An output file must be \
  specified when exporting certificates in the binary DER format.
ERR_MANAGE_CERTS_EXPORT_CERT_NO_CERT_WITH_ALIAS=ERROR:  There is no \
  certificate with alias ''{0}'' in key store ''{1}''.
ERR_MANAGE_CERTS_EXPORT_CERT_ERROR_GETTING_CERT=ERROR:  An error occurred \
  while trying to obtain the certificate with alias ''{0}'' from key store \
  ''{1}'':
ERR_MANAGE_CERTS_EXPORT_CERT_ERROR_OPENING_OUTPUT=ERROR:  An error occurred \
  while opening output file ''{0}'' for writing:
ERR_MANAGE_CERTS_EXPORT_CERT_ERROR_WRITING_CERT=ERROR:  An error occurred \
  while attempting to export the certificate with alias ''{0}'' and subject \
  ''{1}'':
WARN_MANAGE_CERTS_EXPORT_CERT_MISSING_CERT_IN_CHAIN=WARNING:  Unable to \
  locate issuer certificate with subject DN ''{0}'' in either key store \
  ''{1}'' or in the JVM''s default set of trusted certificates.  The \
  certificate chain is incomplete.
INFO_MANAGE_CERTS_EXPORT_CERT_EXPORT_SUCCESSFUL=Successfully exported the \
  following certificate to ''{0}'':
ERR_MANAGE_CERTS_EXPORT_KEY_NO_FILE_WITH_DER=ERROR:  An output file must be \
  specified when exporting a private key in the binary DER format.
ERR_MANAGE_CERTS_EXPORT_KEY_NO_KEY_WITH_ALIAS=ERROR:  There is no private key \
  with alias ''{0}'' in key store ''{1}''.
ERR_MANAGE_CERTS_EXPORT_KEY_WRONG_KEY_PW=ERROR:  Unable to retrieve the \
  private key with alias ''{0}'' from key store ''{1}'' because the wrong \
  password was used to try to access the key.  Please use one of the \
  --private-key-password, --private-key-password-file, or \
  --prompt-for-private-key-password arguments to supply the correct password \
  for the private key.
ERR_MANAGE_CERTS_EXPORT_KEY_ERROR_GETTING_KEY=ERROR:  An error occurred \
  while trying to obtain the private key with alias ''{0}'' from key store \
  ''{1}'':
ERR_MANAGE_CERTS_EXPORT_KEY_ERROR_OPENING_OUTPUT=ERROR:  An error occurred \
  while opening output file ''{0}'' for writing:
ERR_MANAGE_CERTS_EXPORT_KEY_ERROR_WRITING_KEY=ERROR:  An error occurred \
  while attempting to export the private with alias ''{0}'':
INFO_MANAGE_CERTS_EXPORT_KEY_EXPORT_SUCCESSFUL=Successfully exported the \
  private key.
ERR_MANAGE_CERTS_IMPORT_CERT_NO_CERTS_IN_FILE=ERROR:  Certificate file \
  ''{0}'' does not contain any certificates to import.
ERR_MANAGE_CERTS_IMPORT_CERT_SELF_SIGNED_NOT_LAST=ERROR:  There are multiple \
  certificates to import, but they do not form a valid certificate chain.  \
  The certificate with subject DN ''{0}'' is self-signed, but it is not the \
  last certificate in the set of certificates to import.
ERR_MANAGE_CERTS_IMPORT_CERT_NEXT_NOT_ISSUER_OF_PREV=ERROR:  There are \
  multiple certificates to import, but they do not form a valid certificate \
  chain.  {0}
ERR_MANAGE_CERTS_IMPORT_CERT_CANNOT_GET_ISSUER=ERROR:  An error occurred \
  while trying to retrieve issuer certificate ''{0}'' from the key store or \
  the JVM''s default set of trusted issuers to complete the certificate chain:
WARN_MANAGE_CERTS_IMPORT_CERT_NO_ISSUER_WITH_AKI=WARNING:  The certificate \
  with subject ''{0}'' and subject key identifier ''{1}'' was not included in \
  the set of certificates to import, is not already present in the key store, \
  and is not included in the JVM''s default set of trusted issuers.  When \
  validating a certificate chain, many clients expect to be able to find all \
  certificates in the chain.  Although the import will continue, you are \
  strongly encouraged to find this issuer certificate, and any other \
  certificates higher up the issuer chain, and import those certificates as \
  well.
WARN_MANAGE_CERTS_IMPORT_CERT_NO_ISSUER_NO_AKI=WARNING:  The certificate with \
  subject ''{0}'' was not included in the set of certificates to import, \
  is not already present in the key store, and is not included in the JVM''s \
  default set of trusted issuers.  When validating a certificate chain, many \
  clients expect to be able to find all certificates in the chain.  Although \
  the import will continue, you are strongly encouraged to find this issuer \
  certificate, and any other certificates higher up the issuer chain, and \
  import those certificates as well.
ERR_MANAGE_CERTS_IMPORT_CERT_NO_ISSUER_WITH_AKI=ERROR:  The certificate \
  with subject ''{0}'' and subject key identifier ''{1}'' was not included in \
  the set of certificates to import, is not already present in the key store, \
  and is not included in the JVM''s default set of trusted issuers.  When \
  importing a private key, or when importing a signed certificate into an \
  alias with an existing private key, the entire certificate chain must be \
  available.  Please locate this issuer certificate, and any other \
  certificates higher up the issuer chain, so that the complete chain can be \
  imported.
ERR_MANAGE_CERTS_IMPORT_CERT_NO_ISSUER_NO_AKI=ERROR:  The certificate with \
  subject ''{0}'' was not included in the set of certificates to import, \
  is not already present in the key store, and is not included in the JVM''s \
  default set of trusted issuers.  When importing a private key, or when \
  importing a signed certificate into an alias with an existing private key, \
  the entire certificate chain must be available.  Please locate this issuer \
  certificate, and any other certificates higher up the issuer chain, so that \
  the complete chain can be imported.
ERR_MANAGE_CERTS_IMPORT_CERT_WITH_PK_KEY_ALIAS_CONFLICT=ERROR:  Unable to \
  import the private key and certificate chain into alias ''{0}'' because \
  that alias is already associated with another key in the key store.
ERR_MANAGE_CERTS_IMPORT_CERT_WITH_PK_CERT_ALIAS_CONFLICT=ERROR:  Unable to \
  import the private key and certificate chain into alias ''{0}'' because \
  that alias is already associated with another certificate in the key store.
ERR_MANAGE_CERTS_IMPORT_CERT_WITH_PK_ALIAS_CONFLICT_ERROR=ERROR:  \
  An error occurred while trying to check for an existing key or certificate \
  with alias ''{0}'' in the key store:
ERR_MANAGE_CERTS_IMPORT_CERT_ERROR_CONVERTING_KEY=ERROR:  Unable to convert \
  the PKCS #8 key read from file ''{0}'' into a Java PrivateKey object \
  suitable for importing into the key store:
ERR_MANAGE_CERTS_IMPORT_CERT_ERROR_CONVERTING_CERT=ERROR:  Unable to convert \
  the X.509 certificate with subject ''{0}'' into a Java certificate object \
  suitable for importing into the key store:
INFO_MANAGE_CERTS_IMPORT_CERT_CONFIRM_IMPORT_CHAIN_NEW_KEY=The following \
  certificate chain will be imported into the key store, along with a private \
  key, into alias ''{0}'':
INFO_MANAGE_CERTS_IMPORT_CERT_PROMPT_IMPORT_CHAIN=Do you want to import this \
  certificate chain into the key store?
ERR_MANAGE_CERTS_IMPORT_CERT_CANCELED=The import operation was canceled and \
  the key store was not updated.
ERR_MANAGE_CERTS_IMPORT_CERT_ERROR_UPDATING_KS_WITH_CHAIN=ERROR:  An error \
  occurred while attempting to set the key entry for alias ''{0}'' with the \
  private key and certificate chain:
INFO_MANAGE_CERTS_IMPORT_CERT_CREATED_KEYSTORE=Successfully created a new {0} \
  key store.
INFO_MANAGE_CERTS_IMPORT_CERT_IMPORTED_CHAIN_WITH_PK=Successfully imported \
  the certificate chain and its associated private key.
ERR_MANAGE_CERTS_IMPORT_CERT_WITH_CONFLICTING_CERT_ALIAS=ERROR:  The key \
  store already has a certificate with alias ''{0}''.  Please choose a \
  different alias for the certificate to import.
ERR_MANAGE_CERTS_IMPORT_CERT_INTO_KEY_ALIAS_CANNOT_GET_KEY=ERROR:  The \
  key store already contains a key with alias ''{0}'', but an error was \
  encountered while attempting to retrieve that key and its associated \
  certificate chain:
ERR_MANAGE_CERTS_IMPORT_CERT_INTO_KEY_ALIAS_KEY_MISMATCH=ERROR:  The key \
  store already contains a key pair and certificate chain with alias ''{0}'', \
  and that key pair uses a different public key than the certificate to \
  import.  A certificate can only be imported into an alias with an existing \
  key pair if the certificate uses the same public key.
INFO_MANAGE_CERTS_IMPORT_CERT_CONFIRM_IMPORT_CHAIN_EXISTING_KEY=The following \
  certificate chain will be imported into the key store into alias ''{0}'', \
  preserving the existing private key associated with that alias:
INFO_MANAGE_CERTS_IMPORT_CERT_IMPORTED_CHAIN_WITHOUT_PK=Successfully imported \
  the certificate chain.
ERR_MANAGE_CERTS_IMPORT_CERT_WITH_CONFLICTING_ISSUER_ALIAS=ERROR:  The import \
  process would have resulted in issuer certificate ''{0}'' being assigned an \
  alias of ''{1}'', which is already in use by another certificate or key in \
  the key store.  Please choose a different alias to use as the base of the \
  certificate chain, or import the issuer certificates manually with aliases \
  that do not conflict.
ERR_MANAGE_CERTS_IMPORT_CERT_ERROR_UPDATING_KS_WITH_CERT=ERROR:  An error \
  occurred while attempting to add certificate ''{0}'' with alias ''{1}'' to \
  the key store:
INFO_MANAGE_CERTS_IMPORT_CERT_CONFIRM_IMPORT_CHAIN_NO_KEY=The following \
  certificate chain will be imported into the key store:
INFO_MANAGE_CERTS_IMPORT_CERT_LABEL_ALIAS=Alias:  {0}
ERR_MANAGE_CERTS_DELETE_CERT_ERROR_GETTING_CERT=ERROR:  An error occurred \
  while attempting to retrieve the certificate stored in alias ''{0}'':
ERR_MANAGE_CERTS_DELETE_CERT_ERROR_GETTING_CHAIN=ERROR:  An error occurred \
  while attempting to retrieve the certificate chain associated with the \
  private key stored in alias ''{0}'':
ERR_MANAGE_CERTS_DELETE_CERT_ERROR_ALIAS_NOT_CERT_OR_KEY=ERROR:  There is \
  no certificate or key entry with alias ''{0}'' in the key store.
INFO_MANAGE_CERTS_DELETE_CERT_CONFIRM_DELETE_CERT=The following certificate \
  will be deleted from the key store:
INFO_MANAGE_CERTS_DELETE_CERT_CONFIRM_DELETE_CHAIN=The following certificate \
  chain will be deleted from the key store, along with its corresponding \
  private key:
INFO_MANAGE_CERTS_DELETE_CERT_PROMPT_DELETE=Do you really want to delete this \
  entry from the key store?
ERR_MANAGE_CERTS_DELETE_CERT_CANCELED=The delete operation was canceled and \
  the key store was not updated.
ERR_MANAGE_CERTS_DELETE_CERT_DELETE_ERROR=ERROR:  An error occurred when \
  trying to delete the ''{0}'' entry from the key store:
INFO_MANAGE_CERTS_DELETE_CERT_DELETED_CERT=Successfully deleted the \
  certificate from the key store.
INFO_MANAGE_CERTS_DELETE_CERT_DELETED_CHAIN=Successfully deleted the \
  certificate chain and its associated private key from the key store.
ERR_MANAGE_CERTS_GEN_CERT_NO_FILE_WITH_DER=ERROR:  An output file must be \
  specified when using the binary DER output format.
ERR_MANAGE_CERTS_GEN_CERT_USE_EXISTING_KP_WITHOUT_KS=ERROR:  If the \
  --use-existing-key-pair argument is provided, then the key store file must \
  already exist.
ERR_MANAGE_CERTS_GEN_CERT_UNKNOWN_KEY_ALG=ERROR:  Unrecognized public key \
  algorithm ''{0}''.  Suggested key algorithm names include ''RSA'' and ''EC''.
ERR_MANAGE_CERTS_GEN_CERT_NO_KEY_SIZE_FOR_NON_RSA_KEY=ERROR:  If the \
  --key-algorithm argument is used to specify a key algorithm other than \
  ''RSA'', then the --key-size-bits argument must also be provided to specify \
  the key size.
ERR_MANAGE_CERTS_GEN_CERT_UNKNOWN_SIG_ALG=ERROR:  Unrecognized signature \
  algorithm ''{0}''.  Suggested signature algorithm names include \
  ''SHA256withRSA'', ''SHA384withRSA'', ''SHA512withRSA'', \
  ''SHA256withECDSA'', ''SHA384withECDSA'', and ''SHA512withECDSA''.
ERR_MANAGE_CERTS_GEN_CERT_UNKNOWN_SIG_ALG_IN_CERT=ERROR:  The existing \
  certificate uses an unrecognized signature algorithm with OID ''{0}''.
ERR_MANAGE_CERTS_GEN_CERT_UNKNOWN_SIG_ALG_IN_CSR=ERROR:  The existing \
  certificate signing request uses an unrecognized signature algorithm with \
  OID ''{0}''.
ERR_MANAGE_CERTS_GEN_CERT_NO_SIG_ALG_FOR_NON_RSA_KEY=ERROR:  If the \
  --key-algorithm argument is used to specify a key algorithm other than \
  ''RSA'', then the --signature-algorithm argument must also be provided to \
  specify the signature algorithm.
ERR_MANAGE_CERTS_GEN_CERT_BC_PATH_LENGTH_WITHOUT_CA=ERROR:  The \
  --basic-constraints-path-length argument cannot be used unless the \
  --basic-constraints-is-ca argument is also provided with a value of ''true''.
ERR_MANAGE_CERTS_GEN_CERT_INVALID_KEY_USAGE=ERROR:  Invalid value ''{0}'' \
  provided for the --key-usage argument.  Allowed values are:  \
  ''digital-signature'', ''non-repudiation'', ''key-encipherment'', \
  ''data-encipherment'', ''key-agreement'', ''key-cert-sign'', ''crl-sign'', \
  ''encipher-only'', and ''decipher-only''.
ERR_MANAGE_CERTS_GEN_CERT_INVALID_EXTENDED_KEY_USAGE=ERROR:  Invalid value \
  ''{0}'' provided for the --extended-key-usage argument.  Allowed values \
  are:  ''server-auth'', ''client-auth'', ''code-signing'', \
  ''email-protection'', ''time-stamping'', and ''ocsp-signing'', or the \
  string representation of any valid object identifier.
ERR_MANAGE_CERTS_GEN_CERT_EXTENDED_KEY_USAGE_ERROR=ERROR:  Unable to create \
  an extended key usage extension with the provided values:
ERR_MANAGE_CERTS_GEN_CERT_EXT_MALFORMED_OID=ERROR:  Unable to create an \
  extension from value ''{0}'' because it has a malformed OID ''{1}'' that is \
  not a strictly valid object identifier.
ERR_MANAGE_CERTS_GEN_CERT_EXT_INVALID_CRITICALITY=ERROR:  Unable to create an \
  extension from value ''{0}'' because the criticality value ''{1}'' could \
  not be parsed as a Boolean value.  The criticality should be either \
  ''true'' or ''false'' (without the single quotes).
ERR_MANAGE_CERTS_GEN_CERT_EXT_INVALID_VALUE=ERROR:  Unable to create an \
  extension from value ''{0}'' because the value portion could not be parsed \
  as a valid hexadecimal string with an even number of characters.
ERR_MANAGE_CERTS_GEN_CERT_EXT_MALFORMED=ERROR:  Unable to create an extension \
  from value ''{0}'' because that value could not be parsed in the form \
  ''oid:criticality:value'', where oid is the object identifier for the \
  extension, criticality is either ''true'' or ''false'', and value is the \
  hexadecimal representation of the bytes to include in the extension value.
ERR_MANAGE_CERTS_GEN_CERT_USE_EXISTING_KP_ALIAS_IS_CERT=ERROR:  Alias ''{0}'' \
  in key store ''{1}'' is associated with a certificate entry that does not \
  include a private key.  The --use-existing-key-pair argument can only be \
  used with an alias that represents a private key entry.
ERR_MANAGE_CERTS_GEN_CERT_USE_EXISTING_KP_NO_SUCH_ALIAS=ERROR:  Alias ''{0}'' \
  does not exist in key store ''{1}''.
ERR_MANAGE_CERTS_GEN_CERT_USE_EXISTING_KP_COULD_NOT_GET_CERT=ERROR:  An error \
  occurred while attempting to retrieve the certificate and corresponding \
  key pair at the head of the chain stored in alias ''{0}'':
ERR_MANAGE_CERTS_GEN_CERT_ERROR_GENERATING_CERT=ERROR:  An error occurred \
  while trying to generate a self-signed certificate with the provided \
  settings:
ERR_MANAGE_CERTS_GEN_CERT_ERROR_UPDATING_KEYSTORE=ERROR:  An error occurred \
  while attempting to write the updated key store:
ERR_MANAGE_CERTS_GEN_CERT_ERROR_GENERATING_CSR=ERROR:  An error occurred \
  while trying to generate a certificate signing request with the provided \
  settings:
ERR_MANAGE_CERTS_GEN_CERT_ERROR_WRITING_CSR=ERROR:  An error occurred while \
  trying to write the generated certificate signing request:
ERR_MANAGE_CERTS_GEN_CERT_NO_SUBJECT_DN_WITHOUT_USE_EXISTING_KP=ERROR:  The \
  --subject-dn argument must be provided unless the --use-existing-key-pair \
  argument is provided.
ERR_MANAGE_CERTS_GEN_CERT_ALIAS_EXISTS_WITHOUT_USE_EXISTING_KP=ERROR:  Alias \
  ''{0}'' is already in use in the key store.  The specified alias must not \
  exist unless the --use-existing-key-pair argument is also provided.
INFO_MANAGE_CERTS_GEN_CERT_CERT_CREATED_KEYSTORE=Successfully created a new \
  {0} key store.
INFO_MANAGE_CERTS_GEN_CERT_SUCCESSFULLY_GENERATED_SELF_CERT=Successfully \
  generated the following self-signed certificate:
INFO_MANAGE_CERTS_GEN_CERT_WROTE_OUTPUT_FILE=Successfully wrote the \
  generated certificate to file ''{0}''.
ERR_MANAGE_CERTS_GEN_CERT_ERROR_WRITING_CERT=ERROR:  An error occurred while \
  attempting to write the generated certificate to file ''{0}'':
INFO_MANAGE_CERTS_GEN_CERT_SUCCESSFULLY_GENERATED_CSR=Successfully wrote the \
  certificate signing request to file ''{0}''.
INFO_MANAGE_CERTS_GEN_CERT_SUCCESSFULLY_GENERATED_KEYPAIR=Successfully \
  generated the key pair to use for the certificate signing request.
ERR_MANAGE_CERTS_GEN_CERT_SIGN_ALIAS_IS_CERT=ERROR:  Alias ''{0}'' in \
  key store ''{1}'' is associated with a certificate entry that does not \
  include a private key.  The signing certificate must have a private key.
ERR_MANAGE_CERTS_GEN_CERT_SIGN_NO_SUCH_ALIAS=ERROR:  Alias ''{0}'' does \
  not exist in key store ''{1}''.  The signing certificate must exist and must \
  have a private key.
ERR_MANAGE_CERTS_GEN_CERT_SIGN_CANNOT_GET_SIGNING_CERT=ERROR:  An error \
  occurred while attempting to retrieve the signing certificate and its \
  corresponding key pair with alias ''{0}'' from the key store:
INFO_MANAGE_CERTS_GEN_CERT_SIGN_CONFIRM=Read the following certificate \
  signing request:
INFO_MANAGE_CERTS_GEN_CERT_PROMPT_SIGN=Do you really want to sign this request?
ERR_MANAGE_CERTS_GEN_CERT_SIGN_CANCELED=The operation was canceled and the \
  certificate signing request was not signed.
ERR_MANAGE_CERTS_GEN_CERT_ERROR_SIGNING_CERT=ERROR:  An error occurred \
  while trying to generate a signed certificate with the provided settings:
ERR_MANAGE_CERTS_GEN_CERT_ERROR_WRITING_SIGNED_CERT=ERROR:  An error occurred \
  while trying to write the signed certificate:
INFO_MANAGE_CERTS_GEN_CERT_SUCCESSFULLY_SIGNED_CERT=Successfully wrote the \
  signed certificate to file ''{0}''.
ERR_MANAGE_CERTS_CHANGE_ALIAS_NO_SUCH_ALIAS=ERROR:  The key store does not \
  have an existing entry with alias ''{0}''.
ERR_MANAGE_CERTS_CHANGE_ALIAS_CANNOT_GET_EXISTING_ENTRY=ERROR:  An error \
  occurred while attempting to retrieve the contents of the existing entry \
  with alias ''{0}''
ERR_MANAGE_CERTS_CHANGE_ALIAS_NEW_ALIAS_IN_USE=ERROR:  The key store already \
  has an entry with alias ''{0}''.
ERR_MANAGE_CERTS_CHANGE_ALIAS_CANNOT_UPDATE_KEYSTORE=ERROR:  An error \
  occurred while attempting to update the key store to set the new alias:
INFO_MANAGE_CERTS_CHANGE_ALIAS_SUCCESSFUL=Successfully changed the alias from \
  ''{0}'' to ''{1}''.
INFO_MANAGE_CERTS_CHANGE_KS_PW_SUCCESSFUL=Successfully changed the password \
  for key store ''{0}''.
ERR_MANAGE_CERTS_CHANGE_PK_PW_ALIAS_IS_CERT=ERROR:  Alias ''{0}'' references \
  a certificate entry for which there is no private key.  You can only change \
  the private key password for entries that have a private key.
ERR_MANAGE_CERTS_CHANGE_PK_PW_NO_SUCH_ALIAS=ERROR:  Alias ''{0}'' does not \
  exist in the key store.
ERR_MANAGE_CERTS_CHANGE_PK_PW_WRONG_PK_PW=ERROR:  Unable to retrieve the \
  private key stored in alias ''{0}''.  The most likely reason is that the \
  provided current private key password is incorrect.
ERR_MANAGE_CERTS_CHANGE_PK_PW_CANNOT_GET_PK=ERROR:  An error occurred while \
  attempting to retrieve the private key stored in alias ''{0}'':
ERR_MANAGE_CERTS_CHANGE_PK_PW_CANNOT_UPDATE_KS=ERROR:  An error occurred \
  while attempting to update the key store:
INFO_MANAGE_CERTS_CHANGE_PK_PW_SUCCESSFUL=Successfully changed the private \
  key password for alias ''{0}''.
ERR_MANAGE_CERTS_COPY_KS_NO_SUCH_SOURCE_ALIAS=ERROR:  No entry exists with \
  alias ''{0}'' in source key store ''{1}''.
ERR_MANAGE_CERTS_COPY_KS_CANNOT_GET_SOURCE_ALIASES=ERROR:  Unable to retrieve \
  information about available aliases from source key store ''{0}'':  {1}
INFO_MANAGE_CERTS_COPY_KS_NO_CERTS_COPIED_EXISTING_KS=Source key store \
  ''{0}'' does not contain any certificates to copy, and destination key \
  store ''{1}'' already exists.  No changes are required.
ERR_MANAGE_CERTS_COPY_KS_CONFLICTING_ALIAS=ERROR:  An entry with alias \
  ''{0}'' already exists in destination key store ''{1}''.  The {2} \
  subcommand cannot be used to overwrite existing entries in the destination \
  key store.
ERR_MANAGE_CERTS_COPY_KS_CANNOT_CHECK_DEST_ALIAS=ERROR:  Unable to check \
  whether an entry already exists in destination key store ''{0}'' with \
  alias ''{1}'':  {2}
ERR_MANAGE_CERTS_COPY_KS_ERROR_COPYING_ENTRY=ERROR:  Unable to copy the \
  entry with alias ''{0}'' from source key store ''{1}'' to destination key \
  store ''{2}'':  {3}
INFO_MANAGE_CERTS_COPY_KS_NO_CERTS_COPIED_KS_CREATED=Source key store ''{0}'' \
  does not contain any certificates to copy, but new, empty {1} destination \
  key store ''{2}'' was successfully created.
INFO_MANAGE_CERTS_COPY_KS_CERTS_COPIED_HEADER=Successfully copied the \
  following entries from source key store ''{0}'' to {1} destination key \
  store ''{2}'':
ERR_MANAGE_CERTS_RETRIEVE_CERT_NO_CERT_CHAIN_RECEIVED=ERROR:  Did not \
  receive the certificate chain from {0} after waiting for up to 90 seconds.
ERR_MANAGE_CERTS_RETRIEVE_CERT_EMPTY_CHAIN=ERROR:  Received an empty \
  certificate chain from the server.
ERR_MANAGE_CERTS_RETRIEVE_CERT_CANNOT_WRITE_TO_FILE=An error occurred while \
  attempting to write certificate information to file ''{0}'':  {1}
INFO_MANAGE_CERTS_RETRIEVE_CERT_DISPLAY_HEADER=Certificate {0,number,0} of \
  {1,number,0} in the chain:
ERR_MANAGE_CERTS_TRUST_SERVER_ALIAS_IN_USE=ERROR:  Alias ''{0}'' is already \
  in use in the key store.
ERR_MANAGE_CERTS_TRUST_SERVER_NO_CERT_CHAIN_RECEIVED=ERROR:  Did not \
  receive the certificate chain from {0} after waiting for up to 90 seconds.
INFO_MANAGE_CERTS_TRUST_SERVER_RETRIEVED_CHAIN=Retrieved the following \
  certificate chain from {0}:
INFO_MANAGE_CERTS_TRUST_SERVER_NOTE_OMITTED=NOTE:  The following certificate \
  will not be added to the key store because the --issuers-only argument was \
  provided:
INFO_MANAGE_CERTS_TRUST_SERVER_PROMPT_TRUST=Do you wish to trust this \
  certificate chain and add the certificates into the trust store?
ERR_MANAGE_CERTS_TRUST_SERVER_CHAIN_REJECTED=The server certificate chain was \
  rejected and the key store has not been updated.
ERR_MANAGE_CERTS_TRUST_SERVER_INVALID_PROMPT_RESPONSE=ERROR:  You must enter \
  either ''yes'' to trust the certificate chain and add it into the key \
  store, or ''no'' to reject it and exit.
ERR_MANAGE_CERTS_TRUST_SERVER_CANNOT_READ_PROMPT_RESPONSE=ERROR:  Unable to \
  read the response to the prompt:
ERR_MANAGE_CERTS_TRUST_SERVER_ERROR_ADDING_CERT_TO_KS=ERROR:  An error \
  occurred while trying to add certificate ''{0}'' to the key store:
INFO_MANAGE_CERTS_TRUST_SERVER_CERT_CREATED_KEYSTORE=Successfully created a \
  new {0} key store.
INFO_MANAGE_CERTS_TRUST_SERVER_ADDED_CERT_TO_KS=Successfully added 1 \
  certificate to the key store.
INFO_MANAGE_CERTS_TRUST_SERVER_ADDED_CERTS_TO_KS=Successfully added \
  {0,number,0} certificates to the key store.
ERR_MANAGE_CERTS_CHECK_USABILITY_CANNOT_GET_CHAIN=ERROR:  An error occurred \
  while retrieving the certificate chain contained in the key entry with \
  alias ''{0}'':
INFO_MANAGE_CERTS_CHECK_USABILITY_GOT_CHAIN=Successfully retrieved the \
  certificate chain for alias ''{0}'':
ERR_MANAGE_CERTS_CHECK_USABILITY_NO_PRIVATE_KEY=ERROR:  Alias ''{0}'' \
  contains only a certificate entry with no corresponding private key.  A \
  server certificate must have both a private key and a certificate chain.
ERR_MANAGE_CERTS_CHECK_USABILITY_NO_SUCH_ALIAS=ERROR:  Alias ''{0}'' does not \
  exist in the key store.
WARN_MANAGE_CERTS_CHECK_USABILITY_CERT_IS_SELF_SIGNED=WARNING:  Certificate \
  ''{0}'' is self-signed.  While this is valid and will yield encryption that \
  is just as strong as if the certificate had been signed by another \
  certificate, self-signed certificates can encourage bad behavior among \
  clients because rather than configuring the client with explicit knowledge \
  of the server certificate, the client might be configured to blindly trust \
  any certificate that is presented to it, which leaves that communication \
  vulnerable to man-in-the-middle attacks.  It is recommended that server \
  certificates be signed by a common issuer so that clients can be configured \
  to trust that issuer certificate, and they can automatically trust any \
  certificate signed by that issuer.
ERR_MANAGE_CERTS_CHECK_USABILITY_END_OF_CHAIN_NOT_SELF_SIGNED=ERROR:  The \
  certificate chain stored in alias ''{0}'' is not complete because it does \
  not end with a self-signed certificate.
ERR_MANAGE_CERTS_CHECK_USABILITY_CHAIN_ISSUER_MISMATCH=ERROR:  The \
  certificate chain stored in alias ''{0}'' is not valid because the \
  certificates in it do not constitute a single continuous change.  The \
  certificate with subject ''{1}'' is not the issuer certificate for the \
  certificate with subject ''{2}'' that immediately precedes it in the \
  chain:  {3}
INFO_MANAGE_CERTS_CHECK_USABILITY_CHAIN_COMPLETE=OK:  The certificate chain \
  is complete.  Each subsequent certificate is the issuer for the previous \
  certificate in the chain, and the chain ends with a self-signed certificate.
INFO_MANAGE_CERTS_CHECK_USABILITY_CA_TRUSTED_OK=OK:  CA certificate ''{0}'' \
  was found in the JVM''s default set of trusted certificates.  Most clients \
  will likely trust this issuer.
INFO_MANAGE_CERTS_CHECK_USABILITY_CA_NOT_IN_JVM_DEFAULT_TS=NOTICE:  CA \
  certificate ''{0}'' was not found in the JVM''s default set of trusted \
  certificates.  Clients will likely need special configuration to trust this \
  certificate chain.
WARN_MANAGE_CERTS_CHECK_USABILITY_CHECK_CA_IN_TS_ERROR=WARNING:  An error \
  occurred while attempting to determine whether CA certificate ''{0}'' is \
  contained in the JVM-default trust store:  {1}
INFO_MANAGE_CERTS_CHECK_USABILITY_CERT_SIGNATURE_VALID=OK:  Certificate \
  ''{0}'' has a valid signature.
ERR_MANAGE_CERTS_CHECK_USABILITY_END_CERT_NOT_YET_VALID=ERROR:  Certificate \
  ''{0}'' is not yet valid.  It will not be valid until {1}.
ERR_MANAGE_CERTS_CHECK_USABILITY_ISSUER_CERT_NOT_YET_VALID=ERROR:  Issuer \
  certificate ''{0}'' is not yet valid.  It will not be valid until {1}.
ERR_MANAGE_CERTS_CHECK_USABILITY_END_CERT_EXPIRED=ERROR:  Certificate \
  ''{0}'' expired at {1}.
ERR_MANAGE_CERTS_CHECK_USABILITY_ISSUER_CERT_EXPIRED=ERROR:  Issuer \
  certificate ''{0}'' expired at {1}.
WARN_MANAGE_CERTS_CHECK_USABILITY_END_CERT_NEAR_EXPIRATION=WARNING:  \
  Certificate ''{0}'' will expire at {1}.  To ensure seamless operation, you \
  will need to renew the certificate before that time.
WARN_MANAGE_CERTS_CHECK_USABILITY_ISSUER_CERT_NEAR_EXPIRATION=WARNING:  \
  Issuer certificate ''{0}'' will expire at {1}.  Clients will stop trusting \
  a certificate once its issuer has expired.  To ensure seamless operation, \
  you will need to renew the certificate before that time and ensure that the \
  new certificate is signed by an issuer that will not expire in the near \
  future.
INFO_MANAGE_CERTS_CHECK_USABILITY_END_CERT_VALIDITY_OK=OK:  Certificate \
  ''{0}'' will expire at {1}, which is not in the near future.
INFO_MANAGE_CERTS_CHECK_USABILITY_ISSUER_CERT_VALIDITY_OK=OK:  Issuer \
  certificate ''{0}'' will expire at {1}, which is not in the near future.
ERR_MANAGE_CERTS_CHECK_USABILITY_END_CERT_BAD_EKU=ERROR:  Certificate ''{0}'' \
  at the head of the chain includes an extended key usage extension, but \
  that extension does not include the ''serverAuth'' usage.  Clients that \
  check this extension will not accept the certificate as a TLS server \
  certificate.
INFO_MANAGE_CERTS_CHECK_USABILITY_END_CERT_GOOD_EKU=OK:  Certificate ''{0}'' \
  at the head of the chain includes an extended key usage extension, and \
  that extension includes the ''serverAuth'' usage.
ERR_MANAGE_CERTS_CHECK_USABILITY_ISSUER_CERT_BAD_BC_CA=ERROR:  Issuer \
  certificate ''{0}'' includes a basic constraints extension that indicates \
  the certificate is not permitted to act as a certification authority.  \
  Clients that check this extension will not accept the certificate chain.
ERR_MANAGE_CERTS_CHECK_USABILITY_ISSUER_CERT_BAD_BC_LENGTH=ERROR:  Issuer \
  certificate ''{0}'' includes a basic constraints extension with a path \
  length value of {1,number,0}, which means that there must not be more than \
  {1,number,0} intermediate certificate(s) between that certificate and \
  the subject certificate.  However, the number of intermediate certificates \
  between subject certificate ''{2}'' and issuer certificate ''{0}'' is \
  {3,number,0}.  Clients that check this extension will likely not accept the \
  certificate chain.
INFO_MANAGE_CERTS_CHECK_USABILITY_ISSUER_CERT_GOOD_BC=OK:  Issuer \
  certificate ''{0}'' includes a basic constraints extension, and the \
  certificate chain satisfies those constraints.
ERR_MANAGE_CERTS_CHECK_USABILITY_ISSUER_NO_CERT_SIGN_KU=ERROR:  Issuer \
  certificate ''{0}'' includes a key usage extension, but that extension does \
  not have the keyCertSign usage flag set to true.  Clients that check this \
  extension will not trust it to sign other certificates.
INFO_MANAGE_CERTS_CHECK_USABILITY_ISSUER_GOOD_KU=OK:  Issuer certificate \
  ''{0}'' includes a key usage extension with the keyCertSign usage flag set \
  to true.
WARN_MANAGE_CERTS_CHECK_USABILITY_NO_EKU=WARNING:  Certificate ''{0}'' does \
  not have an extended key usage extension.  It is generally recommended that \
  TLS server certificates have an extended key usage extension with at least \
  the serverAuth usage ID.
WARN_MANAGE_CERTS_CHECK_USABILITY_NO_BC=WARNING:  Issuer certificate ''{0}'' \
  does not have a basic constraints extension.  It is generally recommended \
  that all issuer certificates have this extension to indicate that they \
  are permitted to act as a certification authority.
WARN_MANAGE_CERTS_CHECK_USABILITY_NO_KU=WARNING:  Issuer certificate ''{0}'' \
  does not have a key usage extension.  It is generally recommended that all \
  issuer certificates have this extension with at least the keyCertSign \
  usage to indicate that they are allowed to sign other certificates.
WARN_MANAGE_CERTS_CHECK_USABILITY_UNKNOWN_SIG_ALG=WARNING:  Certificate \
  ''{0}'' uses a signature algorithm of ''{1}'', which is not a recognized \
  algorithm.  Unable to determine the strength of the signature algorithm.
ERR_MANAGE_CERTS_CHECK_USABILITY_WEAK_SIG_ALG=ERROR:  Certificate ''{0}'' \
  uses a signature algorithm of ''{1}'', which is considered weak.  Some \
  clients may not accept certificates with this signature algorithm.
WARN_MANAGE_CERTS_CHECK_USABILITY_ISSUER_WITH_SHA1_SIG=WARNING:  Issuer \
  certificate ''{0}'' uses a signature algorithm of ''{1}'', which uses the \
  weak SHA-1 message digest.  Many clients will not accept server \
  certificates with this signature algorithm, and some may not accept issuer \
  certificates with this algorithm.  However, this is not considered an error \
  because the ''{2}'' argument was provided.
INFO_MANAGE_CERTS_CHECK_USABILITY_SIG_ALG_OK=OK:  Certificate ''{0}'' uses a \
  signature algorithm of ''{1}'', which is considered strong.
ERR_MANAGE_CERTS_CHECK_USABILITY_WEAK_RSA_MODULUS=ERROR:  Certificate ''{0}'' \
  has a {1,number,0}-bit RSA public key, which is considered weak.  RSA keys \
  should have a size of at least 2048 bits.
INFO_MANAGE_CERTS_CHECK_USABILITY_RSA_MODULUS_OK=OK:  Certificate ''{0}'' \
  has a {1,number,0}-bit RSA public key, which is considered strong.
ERR_MANAGE_CERTS_CHECK_USABILITY_ONE_ERROR=1 usability error was identified \
  while validating the certificate chain.
ERR_MANAGE_CERTS_CHECK_USABILITY_MULTIPLE_ERRORS={0,number,0} usability \
  errors were identified while validating the certificate chain.
ERR_MANAGE_CERTS_CHECK_USABILITY_ONE_WARNING=No usability errors were \
  identified while validating the certificate chain, but 1 usability warning \
  was identified.
ERR_MANAGE_CERTS_CHECK_USABILITY_MULTIPLE_WARNINGS=No usability errors were \
  identified while validating the certificate chain, but {0,number,0} \
  usability warnings were identified.
INFO_MANAGE_CERTS_CHECK_USABILITY_NO_ERRORS_OR_WARNINGS=No usability errors \
  or warnings were identified while validating the certificate chain.
INFO_MANAGE_CERTS_DISPLAY_CERT_NO_CERTS=There are no certificates in file \
  ''{0}''.
INFO_MANAGE_CERTS_APPROXIMATE_KEYTOOL_COMMAND=# Approximately equivalent \
  keytool command:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_SUBJECT_DN=Subject DN:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_ISSUER_DN=Issuer DN:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_VALIDITY_START=Validity Start Time:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_VALIDITY_END=Validity End Time:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_VALIDITY_STATE_VALID=Validity State:  The \
  certificate is currently within the validity window.
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_VALIDITY_STATE_NOT_YET_VALID=Validity \
  State:  The certificate is not yet valid.
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_VALIDITY_STATE_EXPIRED=Validity State:  \
  The certificate is expired.
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_FINGERPRINT={0} Fingerprint:  {1}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_VERSION=X.509 Certificate Version:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_SERIAL_NUMBER=Serial Number:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_SIG_ALG=Signature Algorithm:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_SIG_VALUE=Signature Value:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_PK_ALG=Public Key Algorithm:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_ENCODED_PK=Encoded Public Key:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_RSA_MODULUS={0,number,0}-bit RSA Modulus:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_RSA_EXPONENT=RSA Public Exponent:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_RSA_KEY_SIZE=RSA Key Size:  {0,number,0} \
  bits
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EC_CURVE=Elliptic Curve Named Curve:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EC_IS_COMPRESSED=Elliptic Curve Public Key \
  Is Compressed:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EC_X=Elliptic Curve X-Coordinate:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EC_Y=Elliptic Curve Y-Coordinate:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EC_Y_IS_EVEN=Elliptic Curve Y-Coordinate \
  Is Even:  {0}
INFO_MANAGE_CERTS_GET_PK_SUMMARY_RSA_MODULUS_SIZE={0,number,0}-bit
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_SUBJECT_UNIQUE_ID=Subject Unique Identifier:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_ISSUER_UNIQUE_ID=Issuer Unique Identifier:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXTENSIONS=Certificate Extensions:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_OID=OID:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_IS_CRITICAL=Is Critical:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_AUTH_KEY_ID_EXT=Authority Key \
  Identifier Extension:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_AUTH_KEY_ID_ID=Key Identifier:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_AUTH_KEY_ID_ISSUER=Authority \
  Certificate Issuer:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_AUTH_KEY_ID_SERIAL=Authority \
  Certificate Serial Number:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_BASIC_CONST_EXT=Basic Constraints \
  Extension:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_BASIC_CONST_IS_CA=Is CA:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_BASIC_CONST_LENGTH=Path Length \
  Constraint:  {0,number,0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_CRL_DP_EXT=CRL Distribution Points \
  Extension:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_CRL_DP_HEADER=CRL Distribution Point:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_CRL_DP_FULL_NAME=Full Name:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_CRL_DP_REL_NAME=Name Relative to CRL \
  Issuer:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_CRL_DP_REASON=Potential Revocation \
  Reasons:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_CRL_DP_CRL_ISSUER=CRL Issuer:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_EKU_EXT=Extended Key Usage Extension:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_EKU_ID=Key Purpose ID:  {0}
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_IAN_EXT=Issuer Alternative Name \
  Extension:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_EXT=Key Usage Extension:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_USAGES=Key Usages:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_DS=Digital Signature
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_NR=Non-Repudiation
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_KE=Key Encipherment
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_DE=Data Encipherment
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_KA=Key Agreement
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_KCS=Key Cert Sign
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_CRL_SIGN=CRL Sign
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_EO=Encipher Only
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_DO=Decipher Only
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_SAN_EXT=Subject Alternative Name \
  Extension:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_SKI_EXT=Subject Key Identifier \
  Extension:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_SKI_ID=Key Identifier:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_GENERIC=Extension:
INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_VALUE=Extension Value:
INFO_MANAGE_CERTS_PRINT_CSR_LABEL_VERSION=PKCS #10 Certificate Signing \
  Request Version:  {0}
INFO_MANAGE_CERTS_GENERAL_NAMES_LABEL_DNS=DNS Name:  {0}
INFO_MANAGE_CERTS_GENERAL_NAMES_LABEL_IP=IP Address:  {0}
INFO_MANAGE_CERTS_GENERAL_NAMES_LABEL_RFC_822_NAME=RFC 822 Name (Email \
  Address):  {0}
INFO_MANAGE_CERTS_GENERAL_NAMES_LABEL_DIRECTORY_NAME=Directory Name:  {0}
INFO_MANAGE_CERTS_GENERAL_NAMES_LABEL_URI=URI:  {0}
INFO_MANAGE_CERTS_GENERAL_NAMES_LABEL_REGISTERED_ID=Registered ID:  {0}
INFO_MANAGE_CERTS_GENERAL_NAMES_LABEL_OTHER_NAME_COUNT=Other Name Count:  \
  {0,number,0}
INFO_MANAGE_CERTS_GENERAL_NAMES_LABEL_X400_ADDR_COUNT=X.400 Address Count:  \
  {0,number,0}
INFO_MANAGE_CERTS_GENERAL_NAMES_LABEL_EDI_PARTY_NAME_COUNT=EDI Party Name \
  Count:  {0,number,0}
ERR_MANAGE_CERTS_CANNOT_INVOKE_COMMAND=ERROR:  An error occurred while trying \
  to invoke the ''{0}'' command:
ERR_MANAGE_CERTS_ERROR_WAITING_FOR_COMMAND=ERROR:  An error occurred while \
  waiting for the ''{0}'' command to complete:
ERR_MANAGE_CERTS_GET_KS_PW_TOO_SHORT=ERROR:  The specified key store password \
  is too short.  The password must contain at least six characters.
ERR_MANAGE_CERTS_GET_KS_PW_EMPTY_FILE=ERROR:  Unable to read the key store \
  password from file ''{0}'' because the file is empty.  The file must have \
  exactly one line, consisting only of the clear-text key store password.
ERR_MANAGE_CERTS_GET_KS_PW_MULTI_LINE_FILE=ERROR:  Unable to read the \
  key store password from file ''{0}'' because the file has multiple lines.  \
  The file must have exactly one line, consisting only of the clear-text \
  key store password.
ERR_MANAGE_CERTS_GET_KS_PW_ERROR_READING_FILE=ERROR:  An error occurred while \
  attempting to read the key store password from file ''{0}'':  {1}
INFO_MANAGE_CERTS_KEY_KS_PW_EXISTING_CURRENT_PROMPT=Please enter the current \
  password needed to access key store ''{0}'':
INFO_MANAGE_CERTS_KEY_KS_PW_EXISTING_NEW_PROMPT=Please enter the new password \
  for the key store:
INFO_MANAGE_CERTS_KEY_KS_PW_EXISTING_PROMPT=Please enter the password needed \
  to access key store ''{0}'':
INFO_MANAGE_CERTS_KEY_KS_PW_NEW_PROMPT_1=Please enter the password to use \
  to protect the contents of key store ''{0}'':
INFO_MANAGE_CERTS_KEY_KS_PW_NEW_PROMPT_2=Confirm the key store password:
ERR_MANAGE_CERTS_KEY_KS_PW_PROMPT_MISMATCH=ERROR:  The provided passwords do \
  not match.
ERR_MANAGE_CERTS_GET_PK_ENC_PW_ERROR_READING_FILE=ERROR:  An error occurred \
  while attempting to read the private key encryption password from file \
  ''{0}'':  {1}
INFO_MANAGE_CERTS_GET_PK_ENC_PW_PROMPT_DECRYPT=Enter the password used to \
  encrypt the private key:
INFO_MANAGE_CERTS_GET_PK_ENC_PW_PROMPT_ENCRYPT_1=Enter the password to use to \
  encrypt the private key:
INFO_MANAGE_CERTS_GET_PK_ENC_PW_PROMPT_ENCRYPT_2=Confirm the private key \
  encryption password:
INFO_MANAGE_CERTS_GET_PK_ENC_PW_PROMPT_MISMATCH=ERROR:  The private key \
  encryption passwords do not match.
ERR_MANAGE_CERTS_PROMPT_FOR_PW_EMPTY_PW=ERROR:  The password must not be empty.
ERR_MANAGE_CERTS_PROMPT_FOR_YES_NO_INVALID_RESPONSE=ERROR:  Your response \
  must be either ''yes'' or ''no''.
ERR_MANAGE_CERTS_PROMPT_FOR_YES_NO_READ_ERROR=ERROR:  An error occurred while \
  trying to read the response from standard input:  {0}
ERR_MANAGE_CERTS_GET_PK_PW_TOO_SHORT=ERROR:  The specified private key \
  password is too short.  The password must contain at least six characters.
ERR_MANAGE_CERTS_GET_PK_PW_EMPTY_FILE=ERROR:  Unable to read the private key \
  password from file ''{0}'' because the file is empty.  The file must have \
  exactly one line, consisting only of the clear-text private key password.
ERR_MANAGE_CERTS_GET_PK_PW_MULTI_LINE_FILE=ERROR:  Unable to read the \
  private key password from file ''{0}'' because the file has multiple \
  lines.  The file must have exactly one line, consisting only of the \
  clear-text private key password.
ERR_MANAGE_CERTS_GET_PK_PW_ERROR_READING_FILE=ERROR:  An error occurred while \
  attempting to read the private key password from file ''{0}'':  {1}
INFO_MANAGE_CERTS_GET_PK_PW_CURRENT_PROMPT=Please enter the current private \
  key password for alias ''{0}'':
INFO_MANAGE_CERTS_GET_PK_PW_EXISTING_PROMPT=Please enter the password used \
  to encrypt the private key for alias ''{0}'':
INFO_MANAGE_CERTS_GET_PK_PW_NEW_PROMPT=Please enter the new private key \
  password:
INFO_MANAGE_CERTS_GET_PK_PW_NEW_PROMPT_1=Please enter the password to use \
  to protect the private key for alias ''{0}'':
INFO_MANAGE_CERTS_GET_PK_PW_NEW_PROMPT_2=Confirm the new private key password:
ERR_MANAGE_CERTS_GET_PK_PW_PROMPT_MISMATCH=ERROR:  The provided passwords do \
  not match.
ERR_MANAGE_CERTS_GET_PK_PW_PROMPT_ERROR=ERROR:  An error occurred while \
  attempting to prompt for the private key password for alias ''{0}'':  {1}
ERR_MANAGE_CERTS_INFER_KS_TYPE_EMPTY_FILE=ERROR:  Unable to infer the \
  key store type for the key store held in file ''{0}'' because that file is \
  empty and cannot represent a valid JKS, PKCS #12, or BCFKS key store.
ERR_MANAGE_CERTS_INFER_KS_TYPE_UNEXPECTED_FIRST_BYTE=ERROR:  Unable to infer \
  the key store type for the key store held in file ''{0}'' because the file \
  had a first byte of {1}, which is not the expected first byte of a JKS, \
  PKCS #12, or BCFKS key store.
ERR_MANAGE_CERTS_INFER_KS_TYPE_ERROR_READING_FILE=ERROR:  Unable to infer the \
  type for file ''{0}'' because an error occurred while reading from the \
  file:  {1}
ERR_MANAGE_CERTS_CANNOT_INSTANTIATE_KS_TYPE=ERROR:  Unable to instantiate a \
  key store of type ''{0}'':  {1}
ERR_MANAGE_CERTS_CANNOT_OPEN_KS_FILE_FOR_READING=ERROR:  Unable to open \
  key store file ''{0}'' for reading:  {1}
ERR_MANAGE_CERTS_CANNOT_LOAD_KS_WRONG_PW=ERROR:  Unable to load the contents \
  of key store file ''{0}'' because the correct key store password was not \
  provided.  Please provide the correct key store password.
ERR_MANAGE_CERTS_ERROR_CANNOT_LOAD_KS=ERROR:  An error occurred while trying \
  to load the contents of the key store from file ''{0}'':  {1}
ERR_MANAGE_CERTS_READ_CERTS_FROM_FILE_READ_ERROR=ERROR:  An error occurred \
  while attempting to read the certificates from file ''{0}'':  {1}
ERR_MANAGE_CERTS_READ_CERTS_FROM_FILE_DER_NOT_VALID_ASN1=ERROR:  Unable to \
  read an ASN.1 DER element from certificate file ''{0}'':  {1}
ERR_MANAGE_CERTS_READ_CERTS_FROM_FILE_DER_NOT_VALID_CERT=ERROR:  Unable to \
  decode a DER element read from certificate file ''{0}'' as an X.509 \
  certificate:  {1}
ERR_MANAGE_CERTS_READ_CERTS_FROM_FILE_MULTIPLE_BEGIN=ERROR:  Unable to read a \
  PEM-encoded certificate from file ''{0}'' because the file contains \
  multiple ''BEGIN CERTIFICATE'' headers without an ''END CERTIFICATE'' \
  footer between them.
ERR_MANAGE_CERTS_READ_CERTS_FROM_FILE_END_WITHOUT_BEGIN=ERROR:  Unable to \
  read a PEM-encoded certificate from file ''{0}'' because the file contains \
  an ''END CERTIFICATE'' footer without a corresponding ''BEGIN CERTIFICATE'' \
  header.
ERR_MANAGE_CERTS_READ_CERTS_FROM_FILE_DATA_WITHOUT_BEGIN=ERROR:  Unable to \
  read a PEM-encoded certificate from file ''{0}'' because the file contains \
  a non-empty, non-comment line that does not appear between a ''BEGIN \
  CERTIFICATE'' header and an ''END CERTIFICATE'' footer.
ERR_MANAGE_CERTS_READ_CERTS_FROM_FILE_EOF_WITHOUT_END=ERROR:  Unable to \
  read a PEM-encoded certificate from file ''{0}'' because the end of the \
  file was reached before finding an ''END CERTIFICATE'' footer to mark the \
  end of the current certificate.
ERR_MANAGE_CERTS_READ_CERTS_FROM_FILE_PEM_CERT_NOT_BASE64=ERROR:  Unable to \
  read a PEM-encoded certificate from file ''{0}'' because the data read \
  between a ''BEGIN CERTIFICATE'' header and an ''END CERTIFICATE'' footer is \
  not valid base64-encoded data:  {0}
ERR_MANAGE_CERTS_READ_CERTS_FROM_FILE_PEM_CERT_NOT_CERT=ERROR:  Unable to \
  read a PEM-encoded certificate from file ''{0}'' because the data read \
  between a ''BEGIN CERTIFICATE'' header and an ''END CERTIFICATE'' footer \
  could not be parsed as a valid X.509 certificate:  {1}
ERR_MANAGE_CERTS_READ_PK_FROM_FILE_EMPTY_FILE=ERROR:  Unable to read a \
  private key from file ''{0}'' because the file is empty or does not contain \
  a private key.
ERR_MANAGE_CERTS_READ_PK_FROM_FILE_DER_NOT_VALID_ASN1=ERROR:  Unable to read \
  an ASN.1 DER element from private key file ''{0}'':  {1}
ERR_MANAGE_CERTS_READ_PK_FROM_FILE_DER_NOT_VALID_PK=ERROR:  Unable to decode \
  a DER element read from certificate file ''{0}'' as an PKCS #8 private \
  key:  {1}
ERR_MANAGE_CERTS_READ_PK_FROM_FILE_MULTIPLE_KEYS=ERROR:  Unable to read a \
  private key from file ''{0}'' because that file contains multiple keys.  \
  The private key file is only allowed to have a single private key.
ERR_MANAGE_CERTS_READ_PK_FROM_FILE_MULTIPLE_BEGIN=ERROR:  Unable to read a \
  PEM-encoded private key from file ''{0}'' because the file contains \
  multiple ''BEGIN PRIVATE KEY'' headers.  A private key file may only \
  contain a single private key.
ERR_MANAGE_CERTS_READ_PK_FROM_FILE_PK_ENCRYPTED_NO_PW=ERROR:  File ''{0}'' \
  appears to contain the PEM representation of an encrypted private key, but \
  no encryption password was provided.  Use one of the --encryption-password, \
  --encryption-password-file, or --prompt-for-encryption-password arguments to \
  specify the encryption password.
ERR_MANAGE_CERTS_READ_PK_FROM_FILE_END_WITHOUT_BEGIN=ERROR:  Unable to read \
  a PEM-encoded private key from file ''{0}'' because the file contains an \
  ''END PRIVATE KEY'' footer without a corresponding ''BEGIN PRIVATE KEY'' \
  header.
ERR_MANAGE_CERTS_READ_PK_FROM_FILE_DATA_WITHOUT_BEGIN=ERROR:  Unable to read \
  a PEM-encoded private key from file ''{0}'' because the file contains \
  a non-empty, non-comment line that does not appear between a ''BEGIN \
  PRIVATE KEY'' header and an ''END PRIVATE KEY'' footer.
ERR_MANAGE_CERTS_READ_PK_FROM_FILE_EOF_WITHOUT_END=ERROR:  Unable to read a \
  PEM-encoded private key from file ''{0}'' because the end of the file was \
  reached before finding an ''END PRIVATE KEY'' footer to mark the end of the \
  key.
ERR_MANAGE_CERTS_READ_PK_FROM_FILE_PEM_PK_NOT_BASE64=ERROR:  Unable to read a \
  PEM-encoded private key from file ''{0}'' because the data read between a \
  ''BEGIN PRIVATE KEY'' header and an ''END PRIVATE KEY'' footer is not valid \
  base64-encoded data:  {0}
ERR_MANAGE_CERTS_READ_PK_FROM_FILE_PEM_PK_NOT_PK=ERROR:  Unable to read a \
  PEM-encoded private key from file ''{0}'' because the data read between the \
  ''BEGIN PRIVATE KEY'' header and ''END PRIVATE KEY'' footer could not be \
  parsed as a valid PKCS #8 private key:  {1}
ERR_MANAGE_CERTS_READ_PK_FROM_FILE_READ_ERROR=ERROR:  An error occurred while \
  trying to read a private key from file ''{0}'':  {1}
ERR_MANAGE_CERTS_READ_CSR_FROM_FILE_EMPTY_FILE=ERROR:  Unable to read a \
  certificate signing request from file ''{0}'' because the file is empty or \
  does not contain a request.
ERR_MANAGE_CERTS_READ_CSR_FROM_FILE_DER_NOT_VALID_ASN1=ERROR:  Unable to read \
  an ASN.1 DER element from certificate signing request file ''{0}'':  {1}
ERR_MANAGE_CERTS_READ_CSR_FROM_FILE_DER_NOT_VALID_CSR=ERROR:  Unable to \
  decode a DER element read from certificate signing request file ''{0}'' as a \
  PKCS #10 certificate signing request:  {1}
ERR_MANAGE_CERTS_READ_CSR_FROM_FILE_MULTIPLE_CSRS=ERROR:  Unable to read a \
  certificate signing request from file ''{0}'' because that file contains \
  multiple requests.  The certificate signing request file is only allowed to \
  have a single request.
ERR_MANAGE_CERTS_READ_CSR_FROM_FILE_MULTIPLE_BEGIN=ERROR:  Unable to read a \
  PEM-encoded certificate signing request from file ''{0}'' because the file \
  contains multiple begin headers.  A certificate signing request file may \
  only contain a single request.
ERR_MANAGE_CERTS_READ_CSR_FROM_FILE_END_WITHOUT_BEGIN=ERROR:  Unable to read \
  a PEM-encoded certificate signing request from file ''{0}'' because the \
  file contains an end footer without a corresponding begin header.
ERR_MANAGE_CERTS_READ_CSR_FROM_FILE_DATA_WITHOUT_BEGIN=ERROR:  Unable to read \
  a PEM-encoded certificate signing request from file ''{0}'' because the \
  file contains a non-empty, non-comment line that does not appear between a \
  begin header and an end footer.
ERR_MANAGE_CERTS_READ_CSR_FROM_FILE_EOF_WITHOUT_END=ERROR:  Unable to read a \
  PEM-encoded certificate signing request from file ''{0}'' because the end \
  of the file was reached before finding an end footer to mark the end of the \
  request.
ERR_MANAGE_CERTS_READ_CSR_FROM_FILE_PEM_CSR_NOT_BASE64=ERROR:  Unable to read \
  a PEM-encoded certificate signing request from file ''{0}'' because the \
  data read between a begin header and an end footer is not valid \
  base64-encoded data:  {0}
ERR_MANAGE_CERTS_READ_CSR_FROM_FILE_PEM_CSR_NOT_CSR=ERROR:  Unable to read a \
  PEM-encoded certificate signing request from file ''{0}'' because the data \
  read between the begin header and end footer could not be parsed as a valid \
  PKCS #10 certificate signing request:  {1}
ERR_MANAGE_CERTS_READ_CSR_FROM_FILE_READ_ERROR=ERROR:  An error occurred \
  while trying to read a certificate signing request from file ''{0}'':  {1}
INFO_MANAGE_CERTS_FORMAT_DATE_AND_TIME_IN_FUTURE={0} at {1} ({2} from now)
INFO_MANAGE_CERTS_FORMAT_DATE_AND_TIME_IN_PAST={0} at {1} ({2} ago)
ERR_MANAGE_CERTS_GET_CHAIN_ERROR=ERROR:  An error occurred while trying to \
  retrieve the certificate chain for alias ''{0}'':  {1}
ERR_MANAGE_CERTS_GET_ISSUER_ERROR=ERROR:  An error occurred while trying to \
  retrieve the issuer certificate with subject ''{0}'':  {1}
ERR_MANAGE_CERTS_PKCS11_WRITE_ERROR=ERROR:  Unable to write to the PKCS #11 \
  key store:  {0}
ERR_MANAGE_CERTS_WRITE_KS_ERROR_COPYING_EXISTING_KS=ERROR:  Unable to write a \
  backup copy of existing key store ''{0}'' to file ''{1}'':  {2}
ERR_MANAGE_CERTS_WRITE_KS_ERROR_WRITING_NEW_KS=ERROR:  Unable to write \
  key store file ''{0}'':  {1}
ERR_MANAGE_CERTS_WRITE_KS_ERROR_OVERWRITING_KS=ERROR:  Unable to write \
  updates to key store file ''{0}'':  {1}.  A backup copy of the previous \
  version of the key store is available as ''{2}''.
ERR_MANAGE_CERTS_WRITE_KS_ERROR_DELETING_KS_BACKUP=ERROR:  Unable to \
  delete the temporary backup ''{0}'' of key store ''{1}'':  {2}
INFO_MANAGE_CERTS_EXAMPLE_LIST_1=List verbose information about each of the \
  certificates in key store file ''{0}''.  Also, display a command that can be \
  used to obtain a similar result with the Java keytool utility.
INFO_MANAGE_CERTS_EXAMPLE_EXPORT_CERT_1=Exports a PEM-formatted \
  representation of the certificate contained in the ''server-cert'' alias in \
  the ''{0}'' key store and writes it to the ''{1}'' output file.  Also, \
  display a command that can be used to obtain a similar result with the Java \
  keytool utility.
INFO_MANAGE_CERTS_EXAMPLE_EXPORT_KEY_1=Exports a PEM-formatted representation \
  of the private key contained in the ''server-cert'' alias in the ''{0}'' \
  key store and writes it to the ''{1}'' output file.
INFO_MANAGE_CERTS_EXAMPLE_IMPORT_1=Imports a certificate chain read from file \
  ''{0}'' and the corresponding private key read from file ''{1}'' into the \
  ''server-cert'' alias in the ''{2}'' key store.  If the key store does not \
  already exist, then it will be created using the JKS key store format.
INFO_MANAGE_CERTS_EXAMPLE_DELETE_1=Deletes the certificate stored in the \
  ''server-cert'' alias in the ''{0}'' key store.
INFO_MANAGE_CERTS_EXAMPLE_GEN_CERT_1=Generates a self-signed certificate with \
  alias ''ca-cert'' in the ''{0}'' key store.  If the key store does not \
  already exist, then it will be created using the standard PKCS #12 format.  \
  The certificate will have a subject DN of ''CN=Example Authority,O=Example \
  Corporation,C=US'', a 4096-bit RSA key, and a signature generated using the \
  SHA256withRSA algorithm.  The certificate will be valid for 7300 days \
  starting at midnight local time on January 1, 2017.  It will include a \
  basic constraints extension that indicates the certificate can act as a \
  certification authority, and a key usage extension that indicates that the \
  key can be used for signing certificates and CRLs.  Also, display a command \
  that can be used to obtain a similar result with the Java keytool utility.
INFO_MANAGE_CERTS_EXAMPLE_GEN_CSR_1=Generates a certificate signing request \
  for a new certificate with subject ''CN=ldap.example.com,O=Example \
  Corporation,C=US'' that will be stored in the ''server-cert'' alias in the \
  ''{0}'' key store.  A new 256-bit elliptic curve key pair will be created, \
  the request will be signed with the SHA256withECDSA signature algorithm, \
  and the request will include a subject alternative name extension with \
  alternate DNS names of ''ldap1.example.com'' and ''ldap2.example.com'', and \
  an extended key usage extension to indicate that the certificate should be \
  usable for either TLS server authentication or TLS client authentication.  \
  The certificate signing request will be written in PEM format to output \
  file ''{1}''.
INFO_MANAGE_CERTS_EXAMPLE_GEN_CSR_2=Generates a certificate signing request \
  intended to renew the existing certificate stored in alias ''server-cert'' \
  in the ''{0}'' key store.  The request will use the same subject DN and set \
  of extensions as the certificate currently stored in that alias, and it \
  will be written to standard output in PEM format.
INFO_MANAGE_CERTS_EXAMPLE_SIGN_CERT_1=Uses the ''ca-cert'' certificate in \
  key store ''{0}'' to sign the certificate signing request (CSR) contained \
  in file ''{1}'' and writes the signed certificate to PEM-formatted output \
  file ''{2}''.  The signed certificate will use the subject DN and set of \
  extensions included in the request, and the resulting certificate will be \
  valid for 730 days, starting immediately.  Also, display a command that can \
  be used to obtain a similar result with the Java keytool utility.
INFO_MANAGE_CERTS_EXAMPLE_CHANGE_ALIAS_1=Updates the ''{0}'' key store to \
  change the alias of the ''server-cert'' certificate to be \
  ''server-certificate''.  Also, display a command that can be used to obtain \
  a similar result with the Java keytool utility.
INFO_MANAGE_CERTS_EXAMPLE_TRUST_SERVER_1=Connects to the ldap.example.com \
  server on port 636 to retrieve the certificate chain that the server \
  presents during TLS negotiation.  That certificate chain will be added to \
  the ''{0}'' key store with a base alias of ''ldap.example.com:636'' after \
  interactively confirming that the certificate chain should be trusted.
INFO_MANAGE_CERTS_EXAMPLE_CHECK_USABILITY_1=Examines the ''server-cert'' \
  certificate in the ''{0}'' key store to determine whether that certificate \
  is suitable for use as a TLS server certificate.
INFO_MANAGE_CERTS_EXAMPLE_DISPLAY_CERT_1=Displays verbose information about \
  all of the certificates contained in file ''{0}'', along with a command \
  that can be used to obtain a similar result with the Java keytool utility.
INFO_MANAGE_CERTS_EXAMPLE_DISPLAY_CSR_1=Displays information about the \
  certificate signing request contained in file ''{0}'', along with a command \
  that can be used to obtain a similar result with the Java keytool utility.
INFO_MANAGE_CERTS_EXAMPLE_HELP_SUBCOMMANDS_1=Displays a list of the \
  subcommands available for use with this tool.
INFO_MANAGE_CERTS_CERT_COLLECTOR_CONNECTING=Connecting to {0} ...
INFO_MANAGE_CERTS_CERT_COLLECTOR_CONNECTED=Connected successfully.
ERR_MANAGE_CERTS_CERT_COLLECTOR_CONNECT_FAILED=ERROR:  Unable to establish a \
  connection to {0}.
INFO_MANAGE_CERTS_CERT_COLLECTOR_SENDING_START_TLS=Sending an LDAP StartTLS \
  extended request to the server ...
INFO_MANAGE_CERTS_CERT_COLLECTOR_START_TLS_SUCCESSFUL=The server accepted the \
  StartTLS request.
ERR_MANAGE_CERTS_CERT_COLLECTOR_START_TLS_FAILED=ERROR:  The server rejected \
  the StartTLS request.
INFO_MANAGE_CERTS_CERT_COLLECTOR_BEGINNING_TLS_NEGOTIATION=Beginning TLS \
  negotiation on the connection ...
ERR_MANAGE_CERTS_CERT_COLLECTOR_ERROR_STARTING_TLS_NEGOTIATION=An error \
  occurred while trying to start TLS negotiation.
ERR_MANAGE_CERTS_CERT_COLLECTOR_NO_CERT_CHAIN_RECEIVED=ERROR:  Did not \
  receive the certificate chain from {0} after waiting for up to 60 seconds.
INFO_MANAGE_CERTS_CERT_COLLECTOR_NEGOTIATED_TLS_PROTOCOL=Negotiated TLS \
  protocol:  {0}
INFO_MANAGE_CERTS_CERT_COLLECTOR_NEGOTIATED_TLS_SUITE=Negotiated TLS \
  cipher suite:  {0}
INFO_MANAGE_CERTS_CERT_COLLECTOR_GOT_CERT_CHAIN=Successfully retrieved the \
  server certificate chain.
INFO_MANAGE_CERTS_CERT_COLLECTOR_CONNECTION_DONE=This connection was only \
  established for the purpose of obtaining the server''s certificate chain.  \
  That certificate chain has been acquired, so this connection is no longer \
  needed and TLS negotiation can be aborted.
ERR_MANAGE_CERTS_CERT_COLLECTOR_ERROR_PARSING_CERT_CHAIN=ERROR:  Unable to \
  parse the certificate chain received from the server {0} as a set of \
  X.509 certificates.
ERR_X509_PEM_READER_EOF_WITHOUT_END=Unable to read a PEM-encoded X.509 \
  certificate because the end of the data was encountered without finding \
  an expected ''{0}'' footer that corresponds to the ''{1}'' header.
ERR_X509_PEM_READER_REPEATED_BEGIN=Unable to read a PEM-encoded X.509 \
  certificate because an unexpected ''{0}'' header was found after having \
  already begun the process of decoding a certificate.
ERR_X509_PEM_READER_END_WITHOUT_BEGIN=Unable to read a PEM-encoded X.509 \
  certificate because an unexpected ''{0}'' footer was found without a \
  preceding ''{1}'' header.
ERR_X509_PEM_READER_END_WITHOUT_DATA=Unable to read a PEM-encoded X.509 \
  certificate because the ''{0}'' footer was encountered immediately after \
  the ''{1}'' header and without reading any base64-encoded certificate data.
ERR_X509_PEM_READER_CANNOT_BASE64_DECODE=Unable to base64-decode the \
  PEM-encoded certificate data.
ERR_X509_PEM_READER_DATA_WITHOUT_BEGIN=Unable to read a PEM-encoded X.509 \
  certificate because unexpected data was found before encountering a \
  ''{0}'' header.
ERR_PKCS8_PEM_READER_EOF_WITHOUT_END=Unable to read a PEM-encoded PKCS #8 \
  private key because the end of the data was encountered without finding \
  an expected ''{0}'' footer that corresponds to the ''{1}'' header.
ERR_PKCS8_PEM_READER_REPEATED_BEGIN=Unable to read a PEM-encoded PKCS #8 \
  private key because an unexpected ''{0}'' header was found after having \
  already begun the process of decoding a private key.
ERR_PKCS8_PEM_READER_NO_PW_FOR_ENCRYPTED_KEY=Unable to read a PEM-encoded \
  PKCS #8 private key because the private key is encrypted but no encryption \
  password was provided.
ERR_PKCS8_PEM_READER_END_WITHOUT_BEGIN=Unable to read a PEM-encoded PKCS #8 \
  private key because an unexpected ''{0}'' footer was found without a \
  preceding ''{1}'' header.
ERR_PKCS8_PEM_READER_END_WITHOUT_DATA=Unable to read a PEM-encoded PKCS #8 \
  private key because the ''{0}'' footer was encountered immediately after \
  the ''{1}'' header and without reading any base64-encoded private key data.
ERR_PKCS8_PEM_READER_CANNOT_BASE64_DECODE=Unable to base64-decode the \
  PEM-encoded private key data.
ERR_PKCS8_PEM_READER_DATA_WITHOUT_BEGIN=Unable to read a PEM-encoded PKCS #8 \
  private key because unexpected data was found before encountering a \
  ''{0}'' header.
INFO_PKCS5_ALG_ID_DESC_PBES2=The PBES2 encryption scheme
INFO_PKCS5_ALG_ID_DESC_PBKDF2=The PBKDF2 key derivation function
INFO_PKCS5_ALG_ID_DESC_HMAC_SHA_1=The HMAC-SHA-1 pseudorandom function
INFO_PKCS5_ALG_ID_DESC_HMAC_SHA_224=The HMAC-SHA-224 pseudorandom function
INFO_PKCS5_ALG_ID_DESC_HMAC_SHA_256=The HMAC-SHA-256 pseudorandom function
INFO_PKCS5_ALG_ID_DESC_HMAC_SHA_384=The HMAC-SHA-384 pseudorandom function
INFO_PKCS5_ALG_ID_DESC_HMAC_SHA_512=The HMAC-SHA-512 pseudorandom function
INFO_PKCS5_ALG_ID_DESC_DES_EDE_CBC_PAD=The DESede/CBC/PKCS5Padding cipher \
  transformation
INFO_PKCS5_ALG_ID_DESC_AES_128_CBC_PAD=The 128-bit AES/CBC/PKCS5Padding \
  cipher transformation
INFO_PKCS5_ALG_ID_DESC_AES_192_CBC_PAD=The 192-bit AES/CBC/PKCS5Padding \
  cipher transformation
INFO_PKCS5_ALG_ID_DESC_AES_256_CBC_PAD=The 256-bit AES/CBC/PKCS5Padding \
  cipher transformation
ERR_PKCS8_ENC_HANDLER_CANNOT_PARSE_AS_ENC_KEY_SEQUENCE=Unable to decode an \
  encrypted PKCS #8 private key because the encrypted key bytes cannot be \
  parsed as a valid DER sequence.
ERR_PKCS8_ENC_HANDLER_SEQUENCE_UNEXPECTED_ENC_KEY_ELEMENT_COUNT=Unable to \
  decode an encrypted PKCS #8 private key because the encrypted key sequence \
  did not contain the expected 2 elements (intended to represent the \
  encryption scheme algorithm identifier and the encrypted key data).  The \
  number of elements in the sequence was {0,number,0}.
ERR_PKCS8_ENC_HANDLER_KEY_SCHEME_ELEMENT_NOT_SEQUENCE=Unable to decode an \
  encrypted PKCS #8 private key because the first element of the encrypted \
  key sequence could not be parsed as a sequence (intended to hold the \
  encryption scheme algorithm identifier).
ERR_PKCS8_ENC_HANDLER_SEQUENCE_UNEXPECTED_KEY_SCHEME_ELEMENT_COUNT=Unable to \
  decode an encrypted PKCS #8 private key because the encryption scheme \
  sequence did not contain the expected 2 elements (intended to represent \
  the encryption scheme OID and parameters).  The number of elements in the \
  sequence was {0,number,0}.
ERR_PKCS8_ENC_HANDLER_CANNOT_PARSE_KEY_SCHEME_OID=Unable to decode an \
  encrypted PKCS #8 private key because the first element of the encryption \
  scheme sequence could not be parsed as an OID intended to identify the \
  encryption scheme algorithm.
ERR_PKCS8_ENC_HANDLER_ENC_SCHEME_NOT_PBES2=Unable to decode an encrypted \
  PKCS #8 private key because it used an unsupported encryption scheme \
  algorithm with OID ''{0}''.  Only the PBES2 encryption scheme is supported.
ERR_PKCS8_ENC_HANDLER_PBES2_PARAMS_NOT_SEQUENCE=Unable to decode an encrypted \
  PKCS #8 private key because the PBES2 algorithm parameters could not be \
  parsed as a sequence (intended to hold the algorithm identifiers for the \
  key derivation function and encryption algorithm).
ERR_PKCS8_ENC_HANDLER_PBES2_UNEXPECTED_PARAMS_SEQUENCE_ELEMENT_COUNT=Unable \
  to decode an encrypted PKCS #8 private key because the PBES2 algorithm \
  parameters sequence did not contain the expected 2 elements (intended to \
  represent the algorithm identifiers for the key derivation function and \
  encryption algorithm).  The number of elements in the sequence was \
  {0,number,0}.
ERR_PKCS8_ENC_HANDLER_UNSUPPORTED_KDF=Unable to decode an encrypted PKCS #8 \
  private key because the PBES2 algorithm parameters sequence indicated that \
  it uses an unsupported key derivation function with OID ''{0}''.  Only the \
  PKBDF2 key derivation function is supported.
ERR_PKCS8_ENC_HANDLER_UNSUPPORTED_PBKDF2_PRF=Unable to decode an encrypted \
  PKCS #8 private key because the PBKDF2 key derivation function uses an \
  unsupported pseudorandom function with oid ''{0}''.
ERR_PKCS8_ENC_HANDLER_CANNOT_DECODE_KDF_SETTINGS=Unable to decode an \
  encrypted PKCS #8 private key because an unexpected error occurred while \
  attempting to decode the key derivation function settings:  {0}
ERR_PKCS8_ENC_HANDLER_UNSUPPORTED_CIPHER=Unable to decode an encrypted PKCS \
  #8 private key because the PBES2 algorithm parameters sequence indicated \
  that it uses an unsupported cipher transformation with OID ''{0}''.
ERR_PKCS8_ENC_HANDLER_CANNOT_DECODE_CIPHER_SETTINGS=Unable to decode an \
  encrypted PKCS #8 private key because an unexpected error occurred while \
  attempting to decode the encryption cipher settings:  {0}
ERR_PKCS8_ENC_HANDLER_CANNOT_CREATE_DEC_SECRET_KEY=Unable to decode an \
  encrypted PKCS #8 private key because an error occurred while attempting to \
  create the secret key using the ''{0}'' algorithm with the provided \
  password:  {1}
ERR_PKCS8_ENC_HANDLER_CANNOT_CREATE_DEC_CIPHER=Unable to decode an encrypted \
  PKCS #8 private key because an error occurred while attempting to create a \
  cipher using the ''{0}'' cipher transformation:  {1}
ERR_PKCS8_ENC_HANDLER_CANNOT_DECRYPT_KEY=Unable to decode an encrypted \
  PKCS #8 private key because an error occurred while attempting to decrypt \
  the encrypted key data using the ''{0}'' cipher transformation:  {1}
ERR_PKCS8_ENC_HANDLER_CANNOT_PARSE_DECRYPTED_KEY=Unable to decode an \
  encrypted PKCS #8 private key because although the encrypted key data was \
  successfully decrypted using the ''{0}'' cipher transformation, the \
  decrypted key could not be parsed as a valid PKCS #8 secret key:  {1}
ERR_PKCS8_ENC_PROPS_INVALID_KEY_FACTORY_PRF_ALG=Unable to use {0} ({1}) as a \
  key factory pseudorandom function because that identifier does not \
  represent a supported pseudorandom function.
ERR_PKCS8_ENC_PROPS_INVALID_CIPHER_TRANSFORMATION_ALG=Unable to use {0} ({1}) \
  as a cipher transformation because that identifier does not represent a \
  supported cipher transformation.
ERR_PKCS8_ENC_HANDLER_CANNOT_CREATE_ENC_SECRET_KEY=Unable to encrypt the \
  provided PKCS #8 private key because an error occurred while attempting to \
  create the secret key using the ''{0}'' algorithm with the provided \
  password:  {1}
ERR_PKCS8_ENC_HANDLER_CANNOT_CREATE_ENC_CIPHER=Unable to encrypt the provided \
  PKCS #8 private key because an error occurred while attempting to create a \
  cipher using the ''{0}'' cipher transformation:  {1}
ERR_PKCS8_ENC_HANDLER_CANNOT_ENCRYPT_PRIVATE_KEY=Unable to encrypt the \
  provided PKCS #8 private key using the ''{0}'' cipher transformation:  {1}
ERR_PKCS8_ENC_HANDLER_CANNOT_ENCODE_ENC_PRIVATE_KEY=Unable to encode the \
  encrypted PKCS #8 private key:  {0}