Sun Java System Web Server 6.1 SP12 Administrator's Guide

Using pk12util

The pk12util tool allows you to export certificates and keys from your internal database and import them into an internal or external PKCS#11 module. You can export certificates and keys to your internal database, but many external tokens do not let you export certificates and keys. By default, pk12util uses the cert8.db and key3.db certificate and key databases.

Exporting with pk12util

To export a certificate and key from an internal database, perform the following steps:

Procedure: To export a certificate and key from an internal database

  1. Go to the server_root/alias directory containing the databases.

  2. Add server_root/bin/https/admin/bin to your PATH.

  3. Locate pk12util in server_root/bin/https/admin/bin.

  4. Set the environment. For example:

    • On UNIX: setenv LD_LIBRARY_PATH server_root/bin/https/lib:${LD_LIBRARY_PATH}

    • On IBM-AIX: set LIBPATH instead of LD_LIBRARY_PATH

    • On HP-UX: set SHLIB_PATH instead of LD_LIBRARY_PATH

    • On Windows: add server_root/bin/https/bin to the PATH

    You can find the PATH for your machine listed under: server_root/https-admin/start.

  5. Enter the pk12util command.

    The options are listed.

  6. Perform required actions.

    For example, in UNIX enter:

    pk12util -o certpk12 -n Server-Cert [-d /server/alias] [-P https-test-host-]

  7. Enter the database password.

  8. Enter the pkcs12 command password.

Importing with pk12util

To import a certificate and key into an internal or external PKCS#11 module, perform the following steps:

Procedure: To import a certificate and key into an internal PKCS#11 module

  1. Go to the server_root/alias directory containing the databases.

  2. Add server_root/bin/https/admin/bin to your PATH.

  3. Locate pk12util in server_root/bin/https/admin/bin.

  4. Set the environment. For example:

    • On UNIX, use the setenv command: setenv LD_LIBRARY_PATH server_root/bin/https/lib:${LD_LIBRARY_PATH}

    • On IBM-AIX, set the LIBPATH variable instead

    • On HP-UX, set the SHLIB_PATH variable instead

    • On Windows, add server_root/bin/https/bin to the PATH

    The PATH for your machine is listed under server_root/https-admin/start.

  5. Enter the pk12util command.

    The options are listed.

  6. Perform required actions.

    For example, in UNIX enter:

    pk12util -i pk12_sunspot [-d certdir] [-h "nCipher"] [-P https-jones.redplanet.com-jones-]

    -P must follow the -h option and be the last argument.

    Enter the exact token name, including capital letters and spaces, between quotation marks.

  7. Enter the database password.

  8. Enter the pkcs12 command password.

Starting the Server with an External Certificate

If you install a certificate into an external PKCS#11 module (for example, a hardware accelerator), the server is unable to start using the certificate until you edit the server.xml file or specify the certificate name.

The server always tries to start with the “Server-Cert” certificate. Certificates in external PKCS#11 modules contain one of the module’s token names in their identifier. For example, a server certificate installed on an external smartcard reader called “smartcard0” would be named “smartcard0:Server-Cert”.

To start a server with a certificate installed in an external module, you need to specify the certificate name for the listen socket it runs on.
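The import procedure above and the token-prefixed nickname described in this section, as an added shell example that is not part of the Sun guide or the Web Server product. It assumes the server_root layout from step 4, a POSIX shell, and that the bundled pk12util accepts the -i, -d, -h and -P options shown in step 6; the function names and the PK12_DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Sun guide or the Web Server product.
# Assumes the 6.1 layout described above (server_root/bin/https/lib and
# server_root/bin/https/admin/bin) and the pk12util options shown there.

# Step 4: point the dynamic loader at the server's NSS libraries using the
# variable each platform expects, and put pk12util on PATH. Prints the
# variable name it set. An unset or empty old value is not appended, so the
# library path never gains an empty (current-directory) element.
nss_env_setup() {
    server_root=$1
    case "$(uname -s)" in
        AIX)   var=LIBPATH ;;
        HP-UX) var=SHLIB_PATH ;;
        *)     var=LD_LIBRARY_PATH ;;
    esac
    eval "old=\${$var:-}"
    eval "export $var=\"$server_root/bin/https/lib\${old:+:\$old}\""
    export PATH="$server_root/bin/https/admin/bin:$PATH"
    echo "$var"
}

# Step 6 of the import procedure: assemble the argument list so that the
# token name is a single argument (spaces preserved), -h precedes -P and -P
# is last. With PK12_DRY_RUN set, prints one argument per line instead.
pk12util_import() {
    p12file=$1; certdir=$2; token=$3; prefix=$4
    set -- -i "$p12file" -d "$certdir"
    [ -n "$token" ] && set -- "$@" -h "$token"
    [ -n "$prefix" ] && set -- "$@" -P "$prefix"
    if [ -n "${PK12_DRY_RUN:-}" ]; then
        printf '%s\n' pk12util "$@"
        return 0
    fi
    command -v pk12util >/dev/null 2>&1 || { echo "pk12util not on PATH" >&2; return 1; }
    pk12util "$@"   # prompts for the database and PKCS#12 passwords (steps 7 and 8)
}

# Nickname to configure for the listen socket once the certificate sits on
# an external token: "<token>:<nickname>", for example smartcard0:Server-Cert.
external_cert_nickname() {
    if [ -n "$1" ]; then printf '%s:%s\n' "$1" "$2"; else printf '%s\n' "$2"; fi
}

# Dry run of the step 6 example; shows exactly how the arguments are split.
(PK12_DRY_RUN=1; pk12util_import pk12_sunspot /server/alias "nCipher" https-jones.redplanet.com-jones-)
external_cert_nickname smartcard0 Server-Cert
```

Run the dry run first and compare the printed argument list with the step 6 command line before running the real import.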