System Administration Guide: Security Services

ProcedureHow to Create a Certificate by Using the pktool gencert Command

This procedure creates a self-signed certificate and stores the certificate in the PKCS #11 keystore. As a part of this operation, an RSA public/private key pair is also created. The private key is stored in the keystore with the certificate.

  1. Generate a self-signed certificate.

    % pktool gencert [keystore=keystore] label=label-name \
    subject=subject-DN serial=hex-serial-number

    Specifies the keystore by type of public key object. The value can be nss, pkcs11, or ssl. This keyword is optional.


    Is a unique name that the issuer gives to the certificate.


    Is the distinguished name for the certificate.


    Is the serial number in hexadecimal format. The issuer of the certificate chooses the number, such as 0x0102030405.

  2. Verify the contents of the keystore.

    % pktool list
    Found number certificates.
    1. (X.509 certificate)
          Label:  label-name
          ID: Fingerprint that binds certificate to private key
          Subject: subject-DN
          Issuer:  distinguished-name
          Serial:  hex-serial-number
    n. ...

    This command lists all certificates in the keystore. In the following example, the keystore contains one certificate only.

Example 15–1 Creating a Self-Signed Certificate by Using pktool

In the following example, a user at My Company creates a self-signed certificate and stores the certificate in a keystore for PKCS #11 objects. The keystore is initially empty. If the keystore has not been initialized, the PIN for the softtoken is changeme.

% pktool gencert keystore=pkcs11 label="My Cert" \
subject="C=US, O=My Company, OU=Security Engineering Group, CN=MyCA" \
Enter pin for Sun Software PKCS#11 softtoken:Type PIN for token

% pktool list
Found 1 certificates.
1. (X.509 certificate)
      Label: My Cert
      ID: 12:82:17:5f:80:78:eb:44:8b:98:e3:3c:11:c0:32:5e:b6:4c:ea:eb
      Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
      Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
      Serial: 0x01