To manage certificates and keys, create a keystore. The keystore stores the CA, the CA key, and client certificates and keys.
The tool used for keystore management is pktool. See the pktool(1) man page for more information.
The default keystore location for pktool is /var/user/username, where username is the name of the current system user. This keystore default location can be problematic when a keystore is managed by multiple users. In addition, IPS package repository management should have a dedicated keystore to avoid confusing certificates. To set a custom location for the pktool keystore for the IPS package repository, set the environment variable SOFTTOKEN_DIR. Reset the SOFTTOKEN_DIR variable as necessary to manage multiple keystores.
Use the following commands to create a directory for the keystore. Set the owner, group, and permissions appropriately if multiple users need to manage the keystore.
$ mkdir /path-to-keystore $ export SOFTTOKEN_DIR=/path-to-keystore
Access to the keystore is protected by a passphrase that you must enter every time you invoke the pktool command. The default passphrase for a newly created keystore is changeme. Be sure to change the changeme passphrase to a more secure passphrase.
Use the following command to set the passphrase (PIN) for the keystore:
$ pktool setpin Enter token passphrase: changeme Create new passphrase: Re-enter new passphrase: Passphrase changed. $ ls /path-to-keystore pkcs11_softtoken