Go to main content

Managing Encryption and Certificates in Oracle® Solaris 11.4

Exit Print View

Updated: May 2021

Key Management Framework Utilities

    KMF provides methods for managing the storage of keys and provides the overall policy for the use of those keys. KMF can manage the policy, keys, and certificates for three public key technologies:

  • Tokens from PKCS #11 providers, that is, from the Cryptographic Framework

  • NSS, that is, Network Security Services

  • OpenSSL, a file-based keystore

The kmfcfg tool can create, modify, or delete KMF policy entries. The tool also manages plugins to the framework. KMF manages keystores through the pktool command. For more information, see the kmfcfg(1) and pktool(1) man pages, and the following sections.

KMF Policy Management

KMF policy is stored in a database. This policy database is accessed internally by all applications that use the KMF programming interfaces. The database can constrain the use of the keys and certificates that are managed by the KMF library. When an application attempts to verify a certificate, the application checks the policy database. The kmfcfg command modifies the policy database.

KMF Plugin Management

    The kmfcfg command provides the following subcommands for plugins:

  • list plugin – Lists plugins that are managed by KMF.

  • install plugin – Installs the plugin by the module's path name and creates a keystore for the plugin. To remove the plugin from KMF, you remove the keystore.

  • uninstall plugin – Removes the plugin from KMF by removing its keystore.

  • modify plugin – Enables the plugin to be run with an option that is defined in the code for the plugin, such as debug.

For more information, see the kmfcfg(1) man page. For the procedure, see How to Manage Third-Party Plugins in KMF.

KMF Keystore Management

    KMF manages the keystores for three public key technologies, PKCS #11 tokens, NSS, and OpenSSL. For all of these technologies, the pktool command enables you to do the following:

  • Generate a self-signed certificate

  • Generate a certificate request

  • Generate and configure a token

  • Generate a symmetric key

  • Generate a public/private key pair

  • Generate a PKCS #10 certificate signing request (CSR) to be sent to an external certificate authority (CA) to be signed

  • Sign a PKCS #10 CSR

  • Import objects into the keystore

  • List the objects in the keystore

  • Delete objects from the keystore

  • Download a CRL

For the PKCS #11 and NSS technologies, the pktool command also enables you to set a PIN by generating a passphrase for the keystore or for an object in the keystore.

For examples of using the pktool utility, see the pktool(1) man page and Table 5, Using the Key Management Framework Task Map.