Using the Key Management Framework (Tasks)
This section describes how to use the pktool command to manage your public
key objects, such as passwords, passphrases, files, keystores, certificates, and CRLs.
How to Create a Certificate by Using the pktool gencert Command
This procedure creates a self-signed certificate and stores the certificate in the PKCS #11
keystore. As a part of this operation, an RSA public/private key pair is
also created. The private key is stored in the keystore with the certificate.
- Generate a self-signed certificate.
% pktool gencert [keystore=keystore] label=label-name \
subject=subject-DN serial=hex-serial-number
- keystore=keystore
Specifies the keystore by type of public key object. The value can be nss, pkcs11, or ssl. This keyword is optional.
- label=label-name
Is a unique name that the issuer gives to the certificate.
- subject=subject-DN
Is the distinguished name for the certificate.
- serial=hex-serial-number
Is the serial number in hexadecimal format. The issuer of the certificate chooses the number, such as 0x0102030405.
- Verify the contents of the keystore.
% pktool list
Found number certificates.
1. (X.509 certificate)
Label: label-name
ID: Fingerprint that binds certificate to private key
Subject: subject-DN
Issuer: distinguished-name
Serial: hex-serial-number
n. ...This command lists all certificates in the keystore. In the following example, the
keystore contains one certificate only.
Example 15-1 Creating a Self-Signed Certificate by Using pktool
In the following example, a user at My Company creates a self-signed certificate and
stores the certificate in a keystore for PKCS #11 objects. The keystore is initially
empty. If the keystore has not been initialized, the PIN for the softtoken
is changeme.
% pktool gencert keystore=pkcs11 label="My Cert" \
subject="C=US, O=My Company, OU=Security Engineering Group, CN=MyCA" \
serial=0x000000001
Enter pin for Sun Software PKCS#11 softtoken:Type PIN for token
% pktool list
Found 1 certificates.
1. (X.509 certificate)
Label: My Cert
ID: 12:82:17:5f:80:78:eb:44:8b:98:e3:3c:11:c0:32:5e:b6:4c:ea:eb
Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
Serial: 0x01
How to Import a Certificate Into Your Keystore
This procedure describes how to import a file with PKI information that is
encoded with PEM or with raw DER into your keystore. For an
export procedure, see Example 15-4.
- Import the certificate.
% pktool import keystore=keystore infile=infile-name label=label-name
- If you are importing private PKI objects, provide passwords when prompted.
- At the prompt, provide the password for the file.
If you are importing PKI information that is private, such as an export
file in PKCS #12 format, the file requires a password. The creator of the file
that you are importing provides you with the PKCS #12 password.
Enter password to use for accessing the PKCS12 file:Type PKCS #12 password
- At the prompt, type the password for your keystore.
Enter pin for Sun Software PKCS#11 softtoken: Type PIN for token
- Verify the contents of the keystore.
% pktool list
Found number certificates.
1. (X.509 certificate)
Label: label-name
ID: Fingerprint that binds certificate to private key
Subject: subject-DN
Issuer: distinguished-name
Serial: hex-serial-number
2. ...
Example 15-2 Importing a PKCS #12 File Into Your Keystore
In the following example, the user imports a PKCS #12 file from a third
party. The pktool import command extracts the private key and the certificate from the
gracedata.p12 file, and stores them in the user's preferred keystore.
% pktool import keystore=pkcs11 infile=gracedata.p12 label=GraceCert
Enter password to use for accessing the PKCS12 file:Type PKCS #12 password
Enter pin for Sun Software PKCS#11 softtoken: Type PIN for token
Found 1 certificate(s) and 1 key(s) in gracedata.p12
% pktool list
Found 1 certificates.
1. (X.509 certificate)
Label: GraceCert
ID: 12:82:17:5f:80:78:eb:44:8b:98:e3:3c:11:c0:32:5e:b6:4c:ea:eb
Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
Serial: 0x01Example 15-3 Importing an X.509 Certificate Into Your Keystore
In the following example, the user imports an X.509 certificate in PEM format
into the user's preferred keystore. This public certificate is not protected with a
password. The user's public keystore is also not protected by a password.
% pktool import keystore=pkcs11 infile=somecert.pem label="TheirCompany Root Cert"
% pktool list
Found 1 certificates.
1. (X.509 certificate)
Label: TheirCompany Root Cert
ID: 21:ae:83:98:24:d1:1f:cb:65:5b:48:75:7d:02:47:cf:98:1f:ec:a0
Subject: C=US, O=TheirCompany, OU=Security, CN=TheirCompany Root CA
Issuer: C=US, O=TheirCompany, OU=Security, CN=TheirCompany Root CA
Serial: 0x01
How to Export a Certificate and Private Key in PKCS #12 Format
You can create a file in PKCS #12 format to export private keys and
their associated X.509 certificate to other systems. Access to the file is protected
by a password.
- Find the certificate to export.
% pktool list
Found number certificates.
1. (X.509 certificate)
Label: label-name
ID: Fingerprint that binds certificate to private key
Subject: subject-DN
Issuer: distinguished-name
Serial: hex-serial-number
2. ...
- Export the keys and certificate.
Use the keystore and label from the pktool list command. Provide a file name for
the export file. When the name contains a space, surround the name with
double quotes.
% pktool export keystore=keystore outfile=outfile-name label=label-name
- Protect the export file with a password.
At the prompt, type the current password for the keystore. At this point,
you create a password for the export file. The receiver must provide this
password when importing the file.
Enter pin for Sun Software PKCS#11 softtoken: Type PIN for token
Enter password to use for accessing the PKCS12 file:Create PKCS #12 password
Tip - Send the password separately from the export file. Best practice suggests that you
provide the password out of band, such as during a telephone call.
Example 15-4 Exporting a Certificate and Private Key in PKCS #12 Format
In the following example, a user exports the private keys with their associated
X.509 certificate into a standard PKCS #12 file. This file can be imported into other
keystores. The PKCS #11 password protects the source keystore. The PKCS #12 password is used
to protect private data in the PKCS #12 file. This password is required
to import the file.
% pktool list
Found 1 certificates.
1. (X.509 certificate)
Label: My Cert
ID: 12:82:17:5f:80:78:eb:44:8b:98:e3:3c:11:c0:32:5e:b6:4c:ea:eb
Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
Serial: 0x01% pktool export keystore=pkcs11 outfile=mydata.p12 label="My Cert"
Enter pin for Sun Software PKCS#11 softtoken: Type PIN for token
Enter password to use for accessing the PKCS12 file:Create PKCS #12 password
The user then telephones the recipient and provides the PKCS #12 password.
How to Generate a Passphrase by Using the pktool setpin Command
You can generate a passphrase for an object in a keystore, and
for the keystore itself. The passphrase is required to access the object or
keystore. For an example of generating a passphrase for an object in a
keystore, see Example 15-4.
- Generate a passphrase for access to a keystore.
% pktool setpin keystore=nss|pkcs11 dir=directory
- Answer the prompts.
If the keystore does not have a password already set, press the Return
key to create the password.
Enter current token passphrase:Press the Return key
Create new passphrase:Type the passphrase that you want to use
Re-enter new passphrase:Retype the passphrase
Passphrase changed.
The keystore is now protected by passphrase. If you lose the passphrase, you
lose access to the objects in the keystore.
Example 15-5 Protecting a Keystore With a Passphrase
The following example shows how to set the passphrase for an NSS
database. Because no passphrase has been created, the user presses the Return key at
the first prompt.
% pktool setpin keystore=nss dir=/var/nss
Enter current token passphrase:Press the Return key
Create new passphrase: has8n0NdaH
Re-enter new passphrase: has8n0NdaH
Passphrase changed.
How to Manage Third-Party Plugins in KMF
You identify your plugin by giving it a keystore name. When you
add the plugin to KMF, the software identifies it by its keystore
name. The plugin can be defined to accept an option. This procedure
includes how to remove the plugin from KMF.
- Install the plugin.
% /usr/bin/kmfcfg install keystore=keystore-name \
modulepath=path-to-plugin [option="option-string"]
where
keystore-name – Is a unique name for the keystore that you provide.
path-to-plugin – Is the full path to the shared library object for
the KMF plugin.
option-string – Is an optional argument to the shared library object.
- List the plugins.
% kmfcfg list plugin
keystore-name:path-to-plugin [(built-in)] | [;option=option-string]
- To remove the plugin, uninstall it and verify its removal.
% kmfcfg uninstall keystore=keystore-name
% kmfcfg plugin list
Example 15-6 Calling a KMF Plugin With an Option
In the following example, the administrator stores a KMF plugin in a
site-specific directory. The plugin is defined to accept a debug option. The
administrator adds the plugin and verifies that the plugin is installed.
# /usr/bin/kmfcfg install keystore=mykmfplug \
modulepath=/usr/lib/security/site-modules/mykmfplug.so
# kmfcfg list plugin
KMF plugin information:
-----------------------
pkcs11:kmf_pkcs11.so.1 (built-in)
file:kmf_openssl.so.1 (built-in)
nss:kmf_nss.so.1 (built-in)
mykmfplug:/usr/lib/security/site-modules/mykmfplug.so
# kmfcfg modify plugin keystore=mykmfplug option="debug"
# kmfcfg list plugin
KMF plugin information:
-----------------------
...
mykmfplug:/usr/lib/security/site-modules/mykmfplug.so;option=debug
The plugin now runs in debugging mode.
