Managing Encryption and Certificates in Oracle® Solaris 11.2


Updated: September 2014
 
 

How to Create a Certificate by Using the pktool gencert Command

This procedure creates a self-signed certificate and stores the certificate in the PKCS #11 keystore. As a part of this operation, an RSA public/private key pair is also created. The private key is stored in the keystore with the certificate.

  1. Generate a self-signed certificate.
    % pktool gencert [keystore=keystore] label=label-name \
    subject=subject-DN serial=hex-serial-number [keytype=rsa|dsa] [keylen=key-size]
    keystore=keystore

    Specifies the keystore by type of public key object. The value can be nss, pkcs11, or file. This keyword is optional; the default is pkcs11.

    label=label-name

    Specifies a unique name that the issuer gives to the certificate. pktool list uses this label to identify the certificate and its key pair.

    subject=subject-DN

    Specifies the distinguished name for the certificate. For a self-signed certificate, the same name appears as both Subject and Issuer.

    serial=hex-serial-number

    Specifies the serial number in hexadecimal format, with a leading 0x. The issuer of the certificate chooses the number, such as 0x0102030405, and must not reuse it for another certificate.

    keytype=key-type

    Optional keyword that specifies the type of private key associated with the certificate. Check the pktool(1) man page to find the available key types for the selected keystore.

    To use a FIPS 140-approved key, check the approved key types at FIPS 140 Algorithms in the Cryptographic Framework in Using a FIPS 140 Enabled System in Oracle Solaris 11.2.

    keylen=key-size

    Optional keyword that specifies the length, in bits, of the private key associated with the certificate.

    To use a FIPS 140-approved key, check the approved key lengths for the key type that you selected at FIPS 140 Algorithms in the Cryptographic Framework in Using a FIPS 140 Enabled System in Oracle Solaris 11.2.

  2. Verify the contents of the keystore.
    % pktool list
    Found number certificates.
    1. (X.509 certificate)
    Label:  label-name
    ID: fingerprint that binds certificate to private key
    Subject: subject-DN
    Issuer:  distinguished-name
    Serial:  hex-serial-number
    n. ...

    This command lists all public objects in the keystore, including the certificates. In Example 4-1, the keystore contains one certificate only, and its Label, Subject and Serial match the values given to pktool gencert.

Example 4-1  Creating a Self-Signed Certificate by Using pktool

In the following example, a user at My Company creates a self-signed certificate and stores the certificate in a keystore for PKCS #11 objects. The keystore is initially empty. If the keystore has not been initialized, the softtoken PIN is still the default, changeme; use the pktool setpin command to replace it before you store any keys. Note that a FIPS-approved key type and key length, RSA 2048, are specified in the command options.

% pktool gencert keystore=pkcs11 label="My Cert" \
subject="C=US, O=My Company, OU=Security Engineering Group, CN=MyCA" \
serial=0x000000001 keytype=rsa keylen=2048
Enter pin for Sun Software PKCS#11 softtoken: Type PIN for token
% pktool list
No.  Key Type  Key Len.  Key Label
----------------------------------------------------
Asymmetric public keys:
1    RSA                 My Cert
Certificates:
1    X.509 certificate
Label: My Cert
ID: d2:7e:20:04:a5:66:e6:31:90:d8:53:28:bc:ef:55:55:dc:a3:69:93
Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
...
...
Serial: 0x00000010
...
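The following script is an added example; it is not part of the Oracle documentation or of pktool itself. It wraps steps 1 and 2 of the procedure so that the serial number and the key parameters are checked before pktool gencert touches the keystore, and then confirms that the certificate exists by parsing the pktool list output for its label and key ID. The minimum key length of 2048 for rsa and dsa is this script's own policy (the page confirms only RSA 2048 as FIPS 140-approved), the pktool list sample is taken from Example 4-1, and the script assumes that pktool is on PATH and that the softtoken PIN has already been set with pktool setpin.

```shell
#!/bin/sh
# Added example (not Oracle documentation or pktool code): wrap the two steps
# above so that the serial number and the key parameters are checked before
# pktool gencert touches the keystore, then confirm the certificate exists by
# parsing pktool list output for its label and key ID.
# Assumptions: pktool is on PATH, the softtoken PIN has already been set with
# pktool setpin, and the minimum key length (2048 for rsa and dsa) is this
# script's own policy; the page confirms only RSA 2048 as FIPS 140-approved.

# serial_ok HEX: accept a 0x-prefixed hex value that is non-zero and at most
# 20 octets (40 hex digits), the limits RFC 5280 puts on a certificate serial.
serial_ok() {
    case "$1" in
        0x*) ;;
        *)   return 1 ;;
    esac
    hex=${1#0x}
    [ -n "$hex" ] && [ "${#hex}" -le 40 ] || return 1
    case "$hex" in
        *[!0-9A-Fa-f]*) return 1 ;;   # non-hex character
    esac
    case "$hex" in
        *[1-9A-Fa-f]*) return 0 ;;    # at least one non-zero digit
        *)              return 1 ;;   # serial 0 is not a valid certificate serial
    esac
}

# fips_keyparams_ok TYPE LEN: local policy for key type and length (assumption).
fips_keyparams_ok() {
    case "$1" in
        rsa|dsa) [ "$2" -ge 2048 ] 2>/dev/null ;;
        *)       return 1 ;;
    esac
}

# build_gencert_cmd KEYSTORE LABEL SUBJECT SERIAL TYPE LEN: validate the
# parameters and print the pktool gencert command line that would be run.
build_gencert_cmd() {
    serial_ok "$4" || { echo "invalid serial: $4" >&2; return 1; }
    fips_keyparams_ok "$5" "$6" || { echo "key params not allowed: $5 $6" >&2; return 1; }
    printf 'pktool gencert keystore=%s label="%s" subject="%s" serial=%s keytype=%s keylen=%s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# cert_id_for_label LABEL: read pktool list output on stdin and print the ID
# (key fingerprint) of the certificate whose Label: line equals LABEL.
# Returns 1 when no certificate with that label is listed.
cert_id_for_label() {
    id=$(awk -v want="$1" '
        /^[ \t]*Label:/ { sub(/^[ \t]*Label:[ \t]*/, ""); cur = $0; next }
        /^[ \t]*ID:/ && cur == want { sub(/^[ \t]*ID:[ \t]*/, ""); print; exit }
    ')
    [ -n "$id" ] && printf '%s\n' "$id"
}

# gencert_checked KEYSTORE LABEL SUBJECT SERIAL TYPE LEN: run the checked
# command (step 1) and verify the result with pktool list (step 2).
gencert_checked() {
    build_gencert_cmd "$@" >/dev/null || return 1
    pktool gencert keystore="$1" label="$2" subject="$3" serial="$4" \
        keytype="$5" keylen="$6" || return 1
    pktool list | cert_id_for_label "$2"
}

# Constructed sample: the pktool list output from Example 4-1, used to exercise
# cert_id_for_label without a keystore.
SAMPLE_LIST='No.  Key Type  Key Len.  Key Label
----------------------------------------------------
Asymmetric public keys:
1    RSA                 My Cert
Certificates:
1    X.509 certificate
Label: My Cert
ID: d2:7e:20:04:a5:66:e6:31:90:d8:53:28:bc:ef:55:55:dc:a3:69:93
Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA'

# Usage on a real Oracle Solaris system (not run here):
#   gencert_checked pkcs11 "My Cert" \
#       "C=US, O=My Company, OU=Security Engineering Group, CN=MyCA" 0x01 rsa 2048
```

gencert_checked prints the key ID of the new certificate on success and returns non-zero if the parameters fail the checks, if pktool gencert fails, or if the label does not appear in pktool list afterwards, so it can be used directly in provisioning scripts.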