The Key Management Framework (KMF) provides a single set of interfaces for storing keys and for defining the policy that governs how those keys are used. KMF can manage the policy, keys, and certificates for three public key technologies:
Tokens from PKCS #11 providers, that is, from the Cryptographic Framework
NSS, that is, Network Security Services
OpenSSL, a file-based keystore
The kmfcfg tool creates, modifies, and deletes KMF policy entries, and also manages the plugins that are registered with the framework. Keystores themselves are managed with the pktool command. For more information, see the kmfcfg(1) and pktool(1) man pages, and the following sections.
KMF policy is stored in a database that is read internally by every application that uses the KMF programming interfaces. A policy entry constrains how the keys and certificates that KMF manages may be used: when an application asks KMF to verify a certificate, the checks that are applied (validity dates, trust anchor, key usage and extended key usage, CRL and OCSP revocation checking) come from the policy entry in this database. The kmfcfg command is the tool that modifies the policy database.
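The following script is an added example, not code from the Oracle documentation. It creates a policy entry with kmfcfg in a private policy database, lists the stored entry, adds OCSP checking to it, and deletes it. The policy name (strict-tls), the trust anchor DN and serial, the OCSP URL and the scratch database path are all hypothetical; the kmfcfg attribute names are the ones documented in kmfcfg(1). Set KMF_DRY_RUN=1 to print the commands instead of executing them, which is also how the script can be read on a host without KMF.

```shell
#!/bin/sh
# Added example, not code from the Oracle documentation. Creates a KMF
# policy in a private policy database with kmfcfg, lists it, tightens it,
# and finally deletes it. The policy name, trust anchor DN and serial, OCSP
# URL and scratch database path are hypothetical. Set KMF_DRY_RUN=1 to
# print the kmfcfg commands instead of executing them.
set -u

# Assumption: a scratch database, so the system default
# /etc/security/kmfpolicy.xml is left untouched while experimenting.
KMF_DB="${KMF_DB:-/var/tmp/kmfpolicy-test.xml}"
POLICY="${KMF_POLICY:-strict-tls}"          # hypothetical policy name
TA_DN="CN=Example Root CA,O=Example"        # hypothetical trust anchor

# Print the command, then execute it unless KMF_DRY_RUN is set.
run() { printf '%s\n' "$*"; [ -n "${KMF_DRY_RUN:-}" ] || "$@"; }

# A policy that rejects expired certificates, requires a chain to one named
# trust anchor, honours key-usage and EKU extensions, and fetches CRLs from
# the certificate's CRL distribution point.
create_policy() {
    run kmfcfg create dbfile="$KMF_DB" policy="$POLICY" \
        ignore-date=false \
        ignore-unknown-eku=false \
        ignore-trust-anchor=false \
        validity-check=true \
        ta-name="$TA_DN" ta-serial=0x01 \
        crl-directory=/var/tmp/crls crl-get-crl-uri=true \
        crl-ignore-crl-sign=false crl-ignore-crl-date=false \
        keyusage=digitalSignature,keyEncipherment \
        ekunames=serverAuth
}

# Show the stored entry; this is what applications will read.
show_policy() {
    run kmfcfg list dbfile="$KMF_DB" policy="$POLICY"
}

# Add OCSP checking later without recreating the entry.
add_ocsp() {
    run kmfcfg modify dbfile="$KMF_DB" policy="$POLICY" \
        ocsp-responder=http://ocsp.example.com \
        ocsp-use-cert-responder=true \
        ocsp-ignore-response-sign=false
}

delete_policy() {
    run kmfcfg delete dbfile="$KMF_DB" policy="$POLICY"
}

case "${1:-}" in
    create) create_policy; show_policy ;;
    ocsp)   add_ocsp; show_policy ;;
    delete) delete_policy ;;
    *) echo "usage: $0 create|ocsp|delete   (KMF_DRY_RUN=1 prints commands only)" >&2 ;;
esac
```

Applications pick up an entry from the default database by policy name, so a policy only takes effect once the application (or its configuration) selects it; keeping experiments in a separate dbfile avoids changing what every KMF consumer on the host sees while the entry is being tuned.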
The kmfcfg command provides the following subcommands for plugins:
list plugin – Lists plugins that are managed by KMF.
install plugin – Registers a plugin by the path name of its module and creates a keystore entry for it. The keystore entry is also the handle by which the plugin is later removed.
uninstall plugin – Removes the plugin from KMF by removing its keystore entry.
modify plugin – Passes the plugin an option string that is interpreted by the plugin's own code, such as debug.
For more information, see the kmfcfg(1) man page. For the procedure, see How to Manage Third-Party Plugins in KMF.
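The following script is an added example, not code from the Oracle documentation or from any plugin vendor. It walks the four plugin subcommands above for a hypothetical third-party keystore plugin: it refuses to register a module file that is missing or group- or world-writable (KMF loads the module into every process that uses the framework), registers it, enables its debug option, and unregisters it by removing the keystore entry. The keystore name (vendorhsm) and module path are assumptions. Set KMF_DRY_RUN=1 to print the kmfcfg commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the Oracle documentation. Registers a
# third-party KMF keystore plugin with kmfcfg, enables its debug option,
# and unregisters it by removing its keystore entry. The keystore name
# and module path are hypothetical. Set KMF_DRY_RUN=1 to print the kmfcfg
# commands instead of executing them.
set -u

KEYSTORE="${KMF_KEYSTORE:-vendorhsm}"                        # hypothetical keystore name
MODULE="${KMF_MODULE:-/usr/lib/security/kmf_vendorhsm.so}"   # hypothetical plugin path

# Print the command, then execute it unless KMF_DRY_RUN is set.
run() { printf '%s\n' "$*"; [ -n "${KMF_DRY_RUN:-}" ] || "$@"; }

# KMF loads the module into every process that uses the framework, so
# refuse to register a file that is missing, or that group or others can
# write to. Returns 0 when the module is acceptable.
check_module() {
    path="$1"
    [ -f "$path" ] || { echo "plugin module not found: $path" >&2; return 1; }
    if [ -n "$(find "$path" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "plugin module is group- or world-writable: $path" >&2
        return 1
    fi
    return 0
}

list_plugins() { run kmfcfg list plugin; }

# Register the module under a keystore name; applications address the
# plugin's keystore by that name from now on.
install_plugin() {
    check_module "$MODULE" || return 1
    run kmfcfg install keystore="$KEYSTORE" modulepath="$MODULE"
}

# Pass an option string that the plugin itself interprets, here "debug".
enable_debug() { run kmfcfg modify plugin keystore="$KEYSTORE" option=debug; }

# Removing the keystore entry is how a plugin is uninstalled.
remove_plugin() { run kmfcfg uninstall keystore="$KEYSTORE"; }

case "${1:-}" in
    install) install_plugin && list_plugins ;;
    debug)   enable_debug ;;
    remove)  remove_plugin && list_plugins ;;
    *) echo "usage: $0 install|debug|remove   (KMF_DRY_RUN=1 prints commands only)" >&2 ;;
esac
```

Run `./kmf-plugin.sh install` as root, then `kmfcfg list plugin` shows the new keystore next to the built-in pkcs11, nss and file entries. The permission check is the practitioner's addition: kmfcfg itself does not validate the module, and a writable plugin path hands code execution to whoever can write it.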
KMF manages keystores for three public key technologies: PKCS #11 tokens, NSS, and OpenSSL. For all of these technologies, the pktool command enables you to do the following:
Generate a self-signed certificate
Generate a symmetric key
Generate a public/private key pair
Generate a PKCS #10 certificate signing request (CSR) to be sent to an external certificate authority (CA) for signing
Sign a PKCS #10 CSR
Import objects into the keystore
List the objects in the keystore
Delete objects from the keystore
Download a CRL
For the PKCS #11 and NSS technologies, the pktool command also enables you to set the PIN, that is, the passphrase that protects the keystore or an object in it. The file-based OpenSSL keystore has no PIN; its private keys are protected only by file permissions and any passphrase applied to the key file itself.
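The following script is an added example, not code from the Oracle documentation, covering the pktool operations listed above. With the file-based (OpenSSL) keystore it builds a small two-tier PKI: a self-signed root CA, a server key pair with a PKCS #10 CSR, the CSR signed by the CA, and a listing of the resulting certificates. Further functions show a CRL download and the PKCS #11 token operations (symmetric key, key pair, PIN). All DNs, labels, file paths and the CRL URL are hypothetical; the pktool subcommands and keywords are those documented in pktool(1). Set KMF_DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the Oracle documentation. Uses pktool with
# the file-based (OpenSSL) keystore to build a two-tier PKI, then shows a
# CRL download and PKCS #11 token operations. All DNs, labels, paths and
# URLs are hypothetical. Set KMF_DRY_RUN=1 to print the pktool commands
# instead of executing them.
set -u

WORK="${KMF_WORK:-/var/tmp/kmf-demo}"      # scratch directory (assumption)
CA_DN="CN=Example Root CA,O=Example"
SRV_DN="CN=www.example.com,O=Example"
SRV_HOST="www.example.com"
CRL_URL="http://crl.example.com/root.crl"  # hypothetical distribution point

# Print the command, then execute it unless KMF_DRY_RUN is set.
run() { printf '%s\n' "$*"; [ -n "${KMF_DRY_RUN:-}" ] || "$@"; }

# Root CA: self-signed certificate and private key as PEM files. The key
# usage marks the key as a CA key only.
make_ca() {
    run pktool gencert keystore=file format=pem \
        outcert="$WORK/ca.crt" outkey="$WORK/ca.key" \
        subject="$CA_DN" serial=0x01 \
        keytype=rsa keylen=3072 lifetime=3650-day \
        keyusage=critical:keyCertSign,cRLSign
}

# Server: key pair plus PKCS #10 request in one step. The request carries
# the SAN and the usage extensions the CA should copy into the certificate.
make_csr() {
    run pktool gencsr keystore=file format=pem \
        outcsr="$WORK/www.csr" outkey="$WORK/www.key" \
        subject="$SRV_DN" keytype=rsa keylen=2048 \
        altname="DNS=$SRV_HOST" \
        keyusage=critical:digitalSignature,keyEncipherment \
        eku=serverAuth
}

# CA signs the request; the serial must never repeat under one issuer.
sign_csr() {
    serial="$1"
    run pktool signcsr keystore=file signkey="$WORK/ca.key" \
        csr="$WORK/www.csr" outcert="$WORK/www.crt" format=pem \
        serial="$serial" issuer="$CA_DN"
}

# Inspect what was produced (subject, issuer, serial, validity, extensions).
list_certs() {
    run pktool list keystore=file objtype=cert infile="$WORK/ca.crt"
    run pktool list keystore=file objtype=cert infile="$WORK/www.crt"
}

# Fetch the CA's CRL so a CRL-checking policy has something to read.
fetch_crl() {
    run pktool download url="$CRL_URL" objtype=crl outfile="$WORK/root.crl"
}

# PKCS #11 token operations. Objects live in the token and are addressed by
# label; sensitive=y extractable=n keeps the AES key from ever being read
# back out of the token in the clear.
token_keys() {
    run pktool gensym keystore=pkcs11 label=demo-aes keytype=aes keylen=256 \
        sensitive=y extractable=n
    run pktool genkeypair keystore=pkcs11 label=demo-rsa keytype=rsa keylen=2048
    run pktool list keystore=pkcs11
}

# Set the token PIN interactively; pktool prompts, so the PIN never
# appears on a command line or in shell history.
set_token_pin() {
    run pktool setpin keystore=pkcs11
}

case "${1:-}" in
    pki)   umask 077; mkdir -p "$WORK"; make_ca; make_csr; sign_csr 0x1001; list_certs ;;
    crl)   fetch_crl ;;
    token) token_keys ;;
    pin)   set_token_pin ;;
    *) echo "usage: $0 pki|crl|token|pin   (KMF_DRY_RUN=1 prints commands only)" >&2 ;;
esac
```

The `umask 077` before the file-keystore steps matters: pktool writes the private key files into the working directory, and the OpenSSL keystore has no PIN to fall back on, so file mode is the only protection those keys get. For the PKCS #11 token, run the `pin` step before storing anything of value; the Sun Software PKCS#11 softtoken ships with the default PIN changeme.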
For examples of using the pktool utility, see the pktool(1) man page and Figure 4, Table 4, Using the Key Management Framework Task Map.