This procedure creates a self-signed certificate and stores the certificate in the PKCS #11 keystore. As a part of this operation, an RSA public/private key pair is also created. The private key is stored in the keystore with the certificate.
Generate a self-signed certificate.
% pktool gencert [keystore=keystore] label=label-name \ subject=subject-DN serial=hex-serial-number |
Specifies the keystore by type of public key object. The value can be nss, pkcs11, or ssl. This keyword is optional.
Is a unique name that the issuer gives to the certificate.
Is the distinguished name for the certificate.
Is the serial number in hexadecimal format. The issuer of the certificate chooses the number, such as 0x0102030405.
Verify the contents of the keystore.
% pktool list Found number certificates. 1. (X.509 certificate) Label: label-name ID: Fingerprint that binds certificate to private key Subject: subject-DN Issuer: distinguished-name Serial: hex-serial-number n. ... |
This command lists all certificates in the keystore. In the following example, the keystore contains one certificate only.
In the following example, a user at My Company creates a self-signed certificate and stores the certificate in a keystore for PKCS #11 objects. The keystore is initially empty. If the keystore has not been initialized, the PIN for the softtoken is changeme.
% pktool gencert keystore=pkcs11 label="My Cert" \ subject="C=US, O=My Company, OU=Security Engineering Group, CN=MyCA" \ serial=0x000000001 Enter pin for Sun Software PKCS#11 softtoken:Type PIN for token |
% pktool list Found 1 certificates. 1. (X.509 certificate) Label: My Cert ID: 12:82:17:5f:80:78:eb:44:8b:98:e3:3c:11:c0:32:5e:b6:4c:ea:eb Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA Serial: 0x01 |