Some applications require a public/private key pair. In this procedure, you create these key pairs and store them.
Use one of the following methods.
File-based keys are created for applications that read keys directly from files on the disk. Typically, applications that directly use OpenSSL cryptographic libraries require that you store the keys and certificates for the application in files.
% pktool genkeypair keystore=file outkey=key-filename \
    [format=der|pem] [keytype=rsa|dsa] [keylen=key-size]

keystore=file
    The value file specifies the file type of storage location for the key.
outkey=key-filename
    Specifies the name of the file where the key pair is stored.
format=der|pem
    Specifies the encoding format of the key pair. der output is binary, and pem output is ASCII.
keytype=rsa|dsa
    Specifies the type of key pair that can be stored in a file keystore. For definitions, see DSA and RSA.
keylen=key-size
    Specifies the length of the key in bits. The number must be divisible by 8. To determine possible key sizes, use the cryptoadm list -vm command.
You must complete Step 1 before using this method.
The PKCS #11 keystore is used to store objects on a hardware device. The device could be a Sun Crypto Accelerator 6000 card, a trusted platform module (TPM) device, or a smart card that is plugged into the Cryptographic Framework. PKCS #11 can also be used to store objects in the softtoken, or software-based token, which stores the objects in a private subdirectory on the disk. For more information, see the pkcs11_softtoken(5) man page.
You can retrieve the key pair from the keystore by a label that you specify.
% pktool genkeypair label=key-label \
    [token=token[:manuf[:serial]]] \
    [keytype=rsa|dsa|ec] [curve=ECC-Curve-Name] \
    [keylen=key-size] [listcurves]

label=key-label
    Specifies a label for the key pair. The key pair can be retrieved from the keystore by its label.
token=token[:manuf[:serial]]
    Specifies the token name. By default, the token name is Sun Software PKCS#11 softtoken.
keytype=rsa|dsa|ec [curve=ECC-Curve-Name]
    Specifies the key pair type. For the elliptic curve (ec) type, optionally specifies a curve name. The listcurves option lists the available curve names.
keylen=key-size
    Specifies the length of the key in bits. The number must be divisible by 8.
listcurves
    Lists the elliptic curve names that can be used as values to the curve= option for an ec key type.
The NSS keystore is used by servers that rely on NSS as their primary cryptographic interface.
You must complete Step 1 before using this method.
% pktool keystore=nss genkeypair label=key-nickname \
    [token=token[:manuf[:serial]]] \
    [dir=directory-path] [prefix=database-prefix] \
    [keytype=rsa|dsa|ec] [curve=ECC-Curve-Name] \
    [keylen=key-size] [listcurves]

keystore=nss
    The value nss specifies the NSS type of storage location for the key.
label=key-nickname
    Specifies a label for the key pair. The key pair can be retrieved from the keystore by its label.
token=token[:manuf[:serial]]
    Specifies the token name. By default, the token is Sun Software PKCS#11 softtoken.
dir=directory-path
    Specifies the directory path to the NSS database. By default, directory is the current directory.
prefix=database-prefix
    Specifies the prefix to the NSS database. The default is no prefix.
keytype=rsa|dsa|ec [curve=ECC-Curve-Name]
    Specifies the key pair type. For the elliptic curve type, optionally specifies a curve name. The listcurves option lists the available curve names.
keylen=key-size
    Specifies the length of the key in bits. The number must be divisible by 8.
listcurves
    Lists the elliptic curve names that can be used as values to the curve= option for an ec key type.
Use one of the following commands, depending on where you stored the key:

For a file keystore:

% pktool list keystore=file objtype=key infile=key-filename
Found n keys.
Key #1 - keytype:location (keylen)

For a PKCS #11 keystore:

% pktool list objtype=key
Enter PIN for keystore:
Found n keys.
Key #1 - keytype:location (keylen)

For an NSS keystore:

% pktool list keystore=nss dir=directory objtype=key
In the following example, a user creates a PKCS #11 keystore for the first time. After determining the key sizes for RSA key pairs, the user then generates a key pair for an application. Finally, the user verifies that the key pair is in the keystore. The user notes that the second CKM_RSA_PKCS_KEY_PAIR_GEN entry shows that the RSA key pair can be stored on hardware. Because the user does not specify a token argument, the key pair is stored in the Sun Software PKCS#11 softtoken.
# pktool setpin
Create new passphrase: <Type passphrase>
Re-enter new passphrase: <Retype passphrase>
Passphrase changed.
% cryptoadm list -vm | grep PAIR
...
CKM_DSA_KEY_PAIR_GEN        512  3072 . . . . . . . . . X . . . .
CKM_RSA_PKCS_KEY_PAIR_GEN   256  8192 . . . . . . . . . X . . . .
...
CKM_RSA_PKCS_KEY_PAIR_GEN   256  2048 X . . . . . . . . X . . . .
ecc: CKM_EC_KEY_PAIR_GEN,CKM_ECDH1_DERIVE,CKM_ECDSA,CKM_ECDSA_SHA1
% pktool genkeypair label=specialappkeypair keytype=rsa keylen=2048
Enter PIN for Sun Software PKCS#11 softtoken : <Type password>
% pktool list
Enter PIN for Sun Software PKCS#11 softtoken : <Type password>
No.      Key Type   Key Len.   Key Label
----------------------------------------------------
Asymmetric public keys:
1        RSA                   specialappkeypair

Example 4-7 Creating a Key Pair That Uses the Elliptic Curve Algorithm
In the following example, a user adds an elliptic curve (ec) key pair to the keystore, specifies a curve name, and verifies that the key pair is in the keystore.
% pktool genkeypair listcurves
secp112r1, secp112r2, secp128r1, secp128r2, secp160k1
. . .
c2pnb304w1, c2tnb359v1, c2pnb368w1, c2tnb431r1, prime192v2 prime192v3
% pktool genkeypair label=eckeypair keytype=ec curve=c2tnb431r1
% pktool list
Enter PIN for Sun Software PKCS#11 softtoken : <Type password>
No.      Key Type   Key Len.   Key Label
----------------------------------------------------
Asymmetric public keys:
1        ECDSA                 eckeypair