Application Packaging Developer's Guide

Certificate Management

Before creating a signed package, you must have a package keystore. This package keystore contains certificates in the form of objects. Two types of objects exist in a package keystore:

Trusted certificate

A trusted certificate contains a single public key certificate that belongs to another entity. The trusted certificate is named as such because the keystore owner trusts that the public key in the certificate indeed belongs to the identity indicated by the “subject” (owner) of the certificate. The issuer of the certificate vouches for this trust by signing the certificate.

Trusted certficates are used when verifying signatures and when initiating a connection to a secure (SSL) server.

User key

A user key holds sensitive cryptographic key information. This information is stored in a protected format to prevent unauthorized access. A user key consists of both the user's private key and the public key certificate that corresponds to the private key.

User keys are used when creating a signed package.

By default, the package keystore is stored in the /var/sadm/security directory. Individual users can also have their own keystore stored by default in the $HOME/.pkg/security directory.

On disk, a package keystore can be in two formats: a multiple-file format and a single-file format. A multiple-file format stores its objects in multiple files. Each type of object is stored in a separate file. All of these files must be encrypted using the same passphrase. A single-file keystore stores all of its objects in a single file on the file system.

The primary utility used to manage the certificates and the package keystore is the pkgadm command. The following subsections describe the more common tasks used for managing the package keystore.

Adding Trusted Certificates to the Package Keystore

A trusted certficate can be added to the package keystore using the pkgadm command. The certificate can be in PEM or DER format. For example:

$ pkgadm addcert -t /tmp/mytrustedcert.pem

In this example, the PEM format certificate called mytrustedcert.pem is added to the package keystore.

Adding a User Certificate and Private Key to the Package Keystore

The pkgadm command does not generate user certificates or private keys. User certificates and private keys are normally obtained from a Certificate Authority, such as Verisign. Or, they are generated locally as a self-signed certificate. Once the key and certificate are obtained, they can be imported into the package keystore using the pkgadm command. For example:

pkgadm addcert -n myname -e /tmp/myprivkey.pem /tmp/mypubcert.pem

In this example, the following options are used:

-n myname

Identifies the entity (myname) in the package keystore on which you wish to operate. The myname entity becomes the alias under which the objects are stored.

-e /tmp/myprivkey.pem

Specifies the file that contains the private key. In this case, the file is myprivkey.pem, which is located in the /tmp directory.


Specifies the PEM format certificate file called mypubcert.pem.

Verifying the Contents in the Package Keystore

The pkgadm command is also used to view the contents of the package keystore. For example:

$ pkgadm listcert

This command displays the trusted certificates and private keys in the package keystore.

Deleting Trusted Certificates and Private Keys From the Package Keystore

The pkgadm command can be used to delete trusted certificates and private keys from the package keystore.

When you delete user certificates, the alias of the certificate/key pair must be specified. For example:

$ pkgadm removecert -n myname

The alias of the certificate is the common name of the certificate, which can be identified using the pkgadm listcert command. For example, this command deletes a trusted certificate entitled Trusted CA Cert 1:

$ pkgadm removecert -n "Trusted CA Cert 1"

Note –

If you have both a trusted certificate and a user certificate stored using the same alias, they are both deleted when you specify the -n option.