Managing Encryption and Certificates in Oracle® Solaris 11.2


Updated: September 2014

How to Generate a Passphrase by Using the pktool setpin Command

You can generate a passphrase for an object in a keystore, and for the keystore itself. The passphrase is required to access the object or keystore. For an example of generating a passphrase for an object in a keystore, see Example 4–4.

  1. Generate a passphrase for access to a keystore.
    % pktool setpin keystore=nss|pkcs11 [dir=directory]

    The default directory for key storage is /var/username.

    The initial password for a PKCS #11 keystore is changeme. The initial password for an NSS keystore is an empty password.

  2. Answer the prompts.

    When prompted for the current token passphrase, type the token PIN for a PKCS #11 keystore, or press the Return key for an NSS keystore.

    Enter current token passphrase:     Type PIN or press the Return key
    Create new passphrase:              Type the passphrase that you want to use
    Re-enter new passphrase:            Retype the passphrase
    Passphrase changed.

    The keystore is now protected by a passphrase. If you lose the passphrase, you lose access to the objects in the keystore.

  3. (Optional) Display a list of tokens.
    # pktool tokens

    The output depends on whether the metaslot is enabled. For more information about the metaslot, see Concepts in the Cryptographic Framework.

    • If the metaslot is enabled, the pktool tokens command generates output similar to the following:

      ID Slot   Name                        Token Name                       Flags
      --        ---------                   ----------                       -----
      0         Sun Metaslot                Sun Metaslot
      1         Sun Crypto Softtoken        Sun Software PKCS#11 softtoken   LIX
      2         PKCS#11 Interface for TPM   TPM                              LXS 
    • If the metaslot is disabled, the pktool tokens command generates output similar to the following:

      ID Slot   Name                        Token Name                       Flags
      --        ---------                   ----------                       -----
      1         Sun Crypto Softtoken        Sun Software PKCS#11 softtoken   LIX
      2         PKCS#11 Interface for TPM   TPM                              LXS 

    In the two output versions, flags can be any combination of the following:

    • L – login required

    • I – initialized

    • X – User PIN expired

    • S – SO PIN expired

Example 4-5  Protecting a Keystore With a Passphrase

The following example shows how to set the passphrase for an NSS database. Because no passphrase has been created, the user presses the Return key at the first prompt.

% pktool setpin keystore=nss dir=/var/nss
Enter current token passphrase: Press the Return key
Create new passphrase: has8n0NdaH
Re-enter new passphrase: has8n0NdaH
Passphrase changed.