Skip Navigation Links | |
Exit Print View | |
System Administration Guide: Security Services Oracle Solaris 10 1/13 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Controlling Access to Devices (Tasks)
5. Using the Basic Audit Reporting Tool (Tasks)
6. Controlling Access to Files (Tasks)
7. Using the Automated Security Enhancement Tool (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Role-Based Access Control (Reference)
Part IV Cryptographic Services
13. Oracle Solaris Cryptographic Framework (Overview)
14. Oracle Solaris Cryptographic Framework (Tasks)
15. Oracle Solaris Key Management Framework
Managing Public Key Technologies
Key Management Framework Utilities
Using the Key Management Framework (Task Map)
Using the Key Management Framework (Tasks)
How to Create a Certificate by Using the pktool gencert Command
How to Import a Certificate Into Your Keystore
How to Export a Certificate and Private Key in PKCS #12 Format
How to Generate a Passphrase by Using the pktool setpin Command
Part V Authentication Services and Secure Communication
16. Using Authentication Services (Tasks)
19. Using Secure Shell (Tasks)
21. Introduction to the Kerberos Service
22. Planning for the Kerberos Service
23. Configuring the Kerberos Service (Tasks)
24. Kerberos Error Messages and Troubleshooting
25. Administering Kerberos Principals and Policies (Tasks)
26. Using Kerberos Applications (Tasks)
27. The Kerberos Service (Reference)
Part VII Auditing in Oracle Solaris
28. Oracle Solaris Auditing (Overview)
29. Planning for Oracle Solaris Auditing
30. Managing Oracle Solaris Auditing (Tasks)
This section describes how to use the pktool command to manage your public key objects, such as passwords, passphrases, files, keystores, certificates, and CRLs.
This procedure creates a self-signed certificate and stores the certificate in the PKCS #11 keystore. As a part of this operation, an RSA public/private key pair is also created. The private key is stored in the keystore with the certificate.
% pktool gencert [keystore=keystore] label=label-name \ subject=subject-DN serial=hex-serial-number
Specifies the keystore by type of public key object. The value can be nss, pkcs11, or ssl. This keyword is optional.
Specifies a unique name that the issuer gives to the certificate.
Specifies the distinguished name for the certificate.
Specifies the serial number in hexadecimal format. The issuer of the certificate chooses the number, such as 0x0102030405.
% pktool list Found number certificates. 1. (X.509 certificate) Label: label-name ID: Fingerprint that binds certificate to private key Subject: subject-DN Issuer: distinguished-name Serial: hex-serial-number n. ...
This command lists all certificates in the keystore. In the following example, the keystore contains one certificate only.
Example 15-1 Creating a Self-Signed Certificate by Using pktool
In the following example, a user at My Company creates a self-signed certificate and stores the certificate in a keystore for PKCS #11 objects. The keystore is initially empty. If the keystore has not been initialized, the PIN for the softtoken is changeme.
% pktool gencert keystore=pkcs11 label="My Cert" \ subject="C=US, O=My Company, OU=Security Engineering Group, CN=MyCA" \ serial=0x000000001 Enter pin for Sun Software PKCS#11 softtoken:Type PIN for token
% pktool list Found 1 certificates. 1. (X.509 certificate) Label: My Cert ID: 12:82:17:5f:80:78:eb:44:8b:98:e3:3c:11:c0:32:5e:b6:4c:ea:eb Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA Serial: 0x01
This procedure describes how to import a file with PKI information that is encoded with PEM or with raw DER into your keystore. For an export procedure, see Example 15-4.
% pktool import keystore=keystore infile=infile-name label=label-name
If you are importing PKI information that is private, such as an export file in PKCS #12 format, the file requires a password. The creator of the file that you are importing provides you with the PKCS #12 password.
Enter password to use for accessing the PKCS12 file:Type PKCS #12 password
Enter pin for Sun Software PKCS#11 softtoken: Type PIN for token
% pktool list Found number certificates. 1. (X.509 certificate) Label: label-name ID: Fingerprint that binds certificate to private key Subject: subject-DN Issuer: distinguished-name Serial: hex-serial-number 2. ...
Example 15-2 Importing a PKCS #12 File Into Your Keystore
In the following example, the user imports a PKCS #12 file from a third party. The pktool import command extracts the private key and the certificate from the gracedata.p12 file, and stores them in the user's preferred keystore.
% pktool import keystore=pkcs11 infile=gracedata.p12 label=GraceCert Enter password to use for accessing the PKCS12 file:Type PKCS #12 password Enter pin for Sun Software PKCS#11 softtoken: Type PIN for token Found 1 certificate(s) and 1 key(s) in gracedata.p12 % pktool list Found 1 certificates. 1. (X.509 certificate) Label: GraceCert ID: 12:82:17:5f:80:78:eb:44:8b:98:e3:3c:11:c0:32:5e:b6:4c:ea:eb Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA Serial: 0x01
Example 15-3 Importing an X.509 Certificate Into Your Keystore
In the following example, the user imports an X.509 certificate in PEM format into the user's preferred keystore. This public certificate is not protected with a password. The user's public keystore is also not protected by a password.
% pktool import keystore=pkcs11 infile=somecert.pem label="TheirCompany Root Cert" % pktool list Found 1 certificates. 1. (X.509 certificate) Label: TheirCompany Root Cert ID: 21:ae:83:98:24:d1:1f:cb:65:5b:48:75:7d:02:47:cf:98:1f:ec:a0 Subject: C=US, O=TheirCompany, OU=Security, CN=TheirCompany Root CA Issuer: C=US, O=TheirCompany, OU=Security, CN=TheirCompany Root CA Serial: 0x01
You can create a file in PKCS #12 format to export private keys and their associated X.509 certificate to other systems. Access to the file is protected by a password.
% pktool list Found number certificates. 1. (X.509 certificate) Label: label-name ID: Fingerprint that binds certificate to private key Subject: subject-DN Issuer: distinguished-name Serial: hex-serial-number 2. ...
Use the keystore and label from the pktool list command. Provide a file name for the export file. When the name contains a space, surround the name with double quotes.
% pktool export keystore=keystore outfile=outfile-name label=label-name
At the prompt, type the current password for the keystore. At this point, you create a password for the export file. The receiver must provide this password when importing the file.
Enter pin for Sun Software PKCS#11 softtoken: Type PIN for token Enter password to use for accessing the PKCS12 file:Create PKCS #12 password
Tip - Send the password separately from the export file. Best practice suggests that you provide the password out of band, such as during a telephone call.
Example 15-4 Exporting a Certificate and Private Key in PKCS #12 Format
In the following example, a user exports the private keys with their associated X.509 certificate into a standard PKCS #12 file. This file can be imported into other keystores. The PKCS #11 password protects the source keystore. The PKCS #12 password is used to protect private data in the PKCS #12 file. This password is required to import the file.
% pktool list Found 1 certificates. 1. (X.509 certificate) Label: My Cert ID: 12:82:17:5f:80:78:eb:44:8b:98:e3:3c:11:c0:32:5e:b6:4c:ea:eb Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA Serial: 0x01
% pktool export keystore=pkcs11 outfile=mydata.p12 label="My Cert" Enter pin for Sun Software PKCS#11 softtoken: Type PIN for token Enter password to use for accessing the PKCS12 file:Create PKCS #12 password
The user then telephones the recipient and provides the PKCS #12 password.
You can generate a passphrase for an object in a keystore, and for the keystore itself. The passphrase is required to access the object or keystore. For an example of generating a passphrase for an object in a keystore, see Example 15-4.
% pktool setpin keystore=nss|pkcs11 dir=directory
If the keystore does not have a password already set, press the Return key to create the password.
Enter current token passphrase:Press the Return key Create new passphrase:Type the passphrase that you want to use Re-enter new passphrase:Retype the passphrase Passphrase changed.
The keystore is now protected by passphrase. If you lose the passphrase, you lose access to the objects in the keystore.
Example 15-5 Protecting a Keystore With a Passphrase
The following example shows how to set the passphrase for an NSS database. Because no passphrase has been created, the user presses the Return key at the first prompt.
% pktool setpin keystore=nss dir=/var/nss Enter current token passphrase:Press the Return key Create new passphrase: has8n0NdaH Re-enter new passphrase: has8n0NdaH Passphrase changed.