Securing Systems and Attached Devices in Oracle® Solaris 11.2

Updated: September 2014

How to Enable PKCS #11 Consumers to Use TPM as a Secure Keystore

Before You Begin

To perform this procedure, you must install and enable TPM on the system. Ensure that the tcsd daemon is also running.

  1. Verify that the TPM device is installed.
    # ls -alF /dev/tpm
    lrwxrwxrwx 1 root 39 Dec 27 2011 /dev/tpm -> ../devices/pci@0,0/isa@1/tpm@1,1670:tpm
  2. Enable the tcsd daemon.
    # svcadm enable tcsd
  3. Initialize the personal TPM-protected token storage area.
    $ pktool inittoken currlabel=TPM

    Note -  All individual users must perform this step.
  4. Set the token PIN for the security officer (SO).
    $ pktool setpin token=tpm/TPM so
  5. Set the user's PIN.
    $ pktool setpin token=tpm/TPM
  6. Generate keys and certificates that use the TPM device by specifying the token name that was used when the token was initialized.
    $ pktool gencert token=tpm/TPM -i
    $ pktool list token=tpm/TPM

    Any existing application that already uses the Cryptographic Framework through libpkcs11 can use the TPM token for its operations, provided the application is configured to select the TPM token for its sessions.

Example 2-1 Enabling PKCS #11 Consumers to Use TPM

In this example, the TPM token is first assigned a new label. All subsequent actions on the token then refer to the new label.

$ pktool inittoken currlabel=TPM newlabel=JohnDoeTPM
$ pktool setpin token=tpm/JohnDoeTPM so
$ pktool gencert token=tpm/JohnDoeTPM -i
$ pktool list token=tpm/JohnDoeTPM
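The procedure above and Example 2-1 combined into one script, added here as an illustration; it is not taken from the Oracle guide. It assumes the Solaris pktool(1), svcs(1) and svcadm(1M) commands are present on the target system. The `svcs -H -o state tcsd` output format and the character set accepted for a token label are assumptions. The helper functions take their inputs as arguments so that the checks can be exercised on a system without a TPM.

```shell
#!/bin/sh
# Added example (not part of the Oracle guide): preflight checks and the
# per-user token setup for using the TPM as a PKCS #11 keystore.
# Assumptions: Solaris svcs(1), svcadm(1M) and pktool(1); "svcs -H -o state"
# prints only the service state; labels are restricted to a conservative set.

# A token label is passed unquoted to pktool in the guide, so accept only
# letters, digits, '_' and '-' (assumption, stricter than pktool itself).
valid_label() {
    case "$1" in
        '' ) return 1 ;;
        *[!A-Za-z0-9_-]* ) return 1 ;;
    esac
    return 0
}

# Build the token specifier the guide uses with pktool setpin/gencert/list.
token_spec() {
    printf 'tpm/%s\n' "$1"
}

# /dev/tpm is a symlink into the device tree when the TPM is installed.
tpm_device_present() {
    [ -e "${1:-/dev/tpm}" ]
}

# Interpret the state column reported by: svcs -H -o state tcsd
tcsd_online() {
    [ "$1" = "online" ]
}

# Checks that must pass before a user initializes a TPM token.
preflight() {
    label="$1"
    valid_label "$label" || { echo "rejecting token label: $label" >&2; return 2; }
    tpm_device_present || { echo "no /dev/tpm: install and enable the TPM first" >&2; return 3; }
    state=$(svcs -H -o state tcsd 2>/dev/null)
    tcsd_online "$state" || { echo "tcsd is '$state'; run: svcadm enable tcsd" >&2; return 4; }
    return 0
}

# Per-user steps from the guide: initialize the token under a new label,
# set the SO and user PINs (pktool prompts for them), then generate a
# certificate and list the token contents. Each step must succeed before
# the next runs.
setup_token() {
    label="$1"
    spec=$(token_spec "$label")
    pktool inittoken currlabel=TPM newlabel="$label" &&
    pktool setpin token="$spec" so &&
    pktool setpin token="$spec" &&
    pktool gencert token="$spec" -i &&
    pktool list token="$spec"
}

# Usage: ./tpm-token.sh JohnDoeTPM   (run as the user who owns the token)
if [ -n "$1" ]; then
    preflight "$1" && setup_token "$1"
fi
```

Run the script as each user who needs a TPM-backed token, because the token storage area is personal to the user who initializes it. The preflight stops before any pktool call when the TPM device is absent or tcsd is not online, which are the two conditions the "Before You Begin" section requires.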