This procedure creates a self-signed certificate and stores the certificate in the PKCS #11 keystore. As a part of this operation, an RSA public/private key pair is also created. The private key is stored in the keystore with the certificate.
% pktool gencert [keystore=keystore] label=label-name \
    subject=subject-DN serial=hex-serial-number keytype=rsa/dsa keylen=key-size
keystore=keystore
    Specifies the keystore by type of public key object. The value can be nss, pkcs11, or file. This keyword is optional.
label=label-name
    Specifies a unique name that the issuer gives to the certificate.
subject=subject-DN
    Specifies the distinguished name for the certificate.
serial=hex-serial-number
    Specifies the serial number in hexadecimal format. The issuer of the certificate chooses the number, such as 0x0102030405.
keytype=rsa/dsa
    Optional variable that specifies the type of private key associated with the certificate. Check the pktool(1) man page to find the available key types for the selected keystore.
    To use a FIPS 140-approved key, check the approved key types at FIPS 140 Algorithms in the Cryptographic Framework in Using a FIPS 140 Enabled System in Oracle Solaris 11.2.
keylen=key-size
    Optional variable that specifies the length of the private key associated with the certificate.
    To use a FIPS 140-approved key, check the approved key lengths for the key type that you selected at FIPS 140 Algorithms in the Cryptographic Framework in Using a FIPS 140 Enabled System in Oracle Solaris 11.2.
% pktool list
Found number certificates.
1. (X.509 certificate)
    Label: label-name
    ID: fingerprint that binds certificate to private key
    Subject: subject-DN
    Issuer: distinguished-name
    Serial: hex-serial-number
n. ...
This command lists all certificates in the keystore. In the following example, the keystore contains one certificate only.
In the following example, a user at My Company creates a self-signed certificate and stores the certificate in a keystore for PKCS #11 objects. The keystore is initially empty. If the keystore has not been initialized, the PIN for the softtoken is changeme, and you can use the pktool setpin command to reset the PIN. Note that a FIPS-approved key type and key length, RSA 2048, are specified in the command options.
% pktool gencert keystore=pkcs11 label="My Cert" \
    subject="C=US, O=My Company, OU=Security Engineering Group, CN=MyCA" \
    serial=0x000000001 keytype=rsa keylen=2048
Enter pin for Sun Software PKCS#11 softtoken: Type PIN for token
% pktool list
No.      Key Type   Key Len.   Key Label
----------------------------------------------------
Asymmetric public keys:
1        RSA                   My Cert
Certificates:
1        X.509 certificate
    Label: My Cert
    ID: d2:7e:20:04:a5:66:e6:31:90:d8:53:28:bc:ef:55:55:dc:a3:69:93
    Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
    Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
    ...
    ...
    Serial: 0x00000010
    ...
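The gencert options above are easy to get subtly wrong (a serial number without the 0x prefix, a key length below the FIPS-approved size the example uses, a subject DN split into several arguments by the shell). The following POSIX shell wrapper is an added example, not part of the Oracle Solaris documentation or of pktool itself: it validates the six option values the procedure describes before invoking pktool gencert, and keeps the DN as a single argument. It assumes a local policy that accepts only the FIPS-approved combination the example uses, RSA with a key length of at least 2048 bits; the check that a subject DN must contain a CN= component is likewise an assumption of this script, not a pktool requirement.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation or the pktool source.
# Policy assumptions encoded here: only keytype=rsa with keylen >= 2048 is
# accepted (the FIPS-approved combination used in the page's example), and the
# subject DN must contain a CN= component.

# validate_gencert_opts KEYSTORE LABEL SUBJECT-DN SERIAL KEYTYPE KEYLEN
# Prints one validated option per line on success; on failure prints a
# message to stderr and returns 1.
validate_gencert_opts() {
    keystore=$1 label=$2 subject=$3 serial=$4 keytype=$5 keylen=$6

    # keystore must be one of the three types pktool gencert accepts
    case $keystore in
        nss|pkcs11|file) ;;
        *) echo "keystore must be nss, pkcs11, or file: $keystore" >&2; return 1 ;;
    esac

    [ -n "$label" ] || { echo "label must not be empty" >&2; return 1; }

    case $subject in
        *CN=*) ;;
        *) echo "subject DN must contain a CN= component: $subject" >&2; return 1 ;;
    esac

    # serial: hexadecimal with a 0x prefix, e.g. 0x0102030405
    case $serial in
        0x*) ;;
        *) echo "serial must be hexadecimal with a 0x prefix: $serial" >&2; return 1 ;;
    esac
    case ${serial#0x} in
        ''|*[!0-9a-fA-F]*) echo "serial contains non-hex digits: $serial" >&2; return 1 ;;
    esac

    # keytype: rsa or dsa are the documented values; policy here allows rsa only
    case $keytype in
        rsa) ;;
        dsa) echo "policy: keytype dsa is not accepted, use rsa" >&2; return 1 ;;
        *) echo "keytype must be rsa or dsa: $keytype" >&2; return 1 ;;
    esac

    # keylen: a decimal number, at least 2048 bits for RSA under this policy
    case $keylen in
        ''|*[!0-9]*) echo "keylen must be a decimal number: $keylen" >&2; return 1 ;;
    esac
    [ "$keylen" -ge 2048 ] || { echo "policy: RSA keylen must be at least 2048: $keylen" >&2; return 1; }

    printf '%s\n' "keystore=$keystore" "label=$label" "subject=$subject" \
        "serial=$serial" "keytype=$keytype" "keylen=$keylen"
}

# gencert_checked KEYSTORE LABEL SUBJECT-DN SERIAL KEYTYPE KEYLEN
# Runs pktool gencert only when the options pass validation. The option
# list is split on newlines only, so the DN (spaces and commas) stays one word.
gencert_checked() {
    opts=$(validate_gencert_opts "$@") || return 1
    oldifs=$IFS
    IFS='
'
    set -f
    set -- $opts
    set +f
    IFS=$oldifs
    pktool gencert "$@"
}

# Usage (requires pktool on the system; the values are the ones from the example):
#   gencert_checked pkcs11 "My Cert" \
#       "C=US, O=My Company, OU=Security Engineering Group, CN=MyCA" \
#       0x000000001 rsa 2048
```

The validator is kept separate from the command runner so the argument checks can be exercised on a machine without pktool; gencert_checked only adds the IFS handling that keeps the quoted DN intact and then calls the real command.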