test

System Administration Guide: Security Services

ProcedureHow to Create a Certificate by Using the pktool gencert Command

This procedure creates a self-signed certificate and stores the certificate in the PKCS #11 keystore. As a part of this operation, an RSA public/private key pair is also created. The private key is stored in the keystore with the certificate.

  1. Generate a self-signed certificate.


    % pktool gencert [keystore=keystore] label=label-name \
subject=subject-DN serial=hex-serial-number
    keystore=keystore

    Specifies the keystore by type of public key object. The value can be nss, pkcs11, or ssl. This keyword is optional.

    label=label-name

    Is a unique name that the issuer gives to the certificate.

    subject=subject-DN

    Is the distinguished name for the certificate.

    serial=hex-serial-number

    Is the serial number in hexadecimal format. The issuer of the certificate chooses the number, such as 0x0102030405.

  2. Verify the contents of the keystore.


    % pktool list
Found number certificates.
1. (X.509 certificate)
      Label:  label-name
      ID: Fingerprint that binds certificate to private key
      Subject: subject-DN
      Issuer:  distinguished-name
      Serial:  hex-serial-number
n. ...

    This command lists all certificates in the keystore. In the following example, the keystore contains one certificate only.

Example 15–1 Creating a Self-Signed Certificate by Using pktool

In the following example, a user at My Company creates a self-signed certificate and stores the certificate in a keystore for PKCS #11 objects. The keystore is initially empty. If the keystore has not been initialized, the PIN for the softtoken is changeme.


% pktool gencert keystore=pkcs11 label="My Cert" \
subject="C=US, O=My Company, OU=Security Engineering Group, CN=MyCA" \
serial=0x000000001
Enter pin for Sun Software PKCS#11 softtoken:Type PIN for token


% pktool list
Found 1 certificates.
1. (X.509 certificate)
      Label: My Cert
      ID: 12:82:17:5f:80:78:eb:44:8b:98:e3:3c:11:c0:32:5e:b6:4c:ea:eb
      Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
      Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
      Serial: 0x01