4 Managing Certificates in Oracle Solaris
The Key Management Framework (KMF) feature of Oracle Solaris provides tools and programming interfaces for managing public key objects. Public key objects include X.509 certificates and public/private key pairs. The formats for storing these objects can vary. KMF also provides a tool for managing policies that define the use of X.509 certificates by applications. KMF supports third-party plugins. Key management can require manual intervention, such as adding CA certificates to the directory where Oracle Solaris stores them.
This chapter covers the following topics:
Managing Public Key Technologies With the Key Management Framework
KMF centralizes the management of public key technologies (PKI). Oracle Solaris has several different applications that make use of PKI technologies. Each application provides its own programming interfaces, key storage mechanisms, and administrative utilities. If an application provides a policy enforcement mechanism, the mechanism applies to that application only. With KMF, applications use a unified set of administrative tools, a single set of programming interfaces, and a single policy enforcement mechanism. These features manage the PKI needs of all applications that adopt these interfaces.
KMF unifies the management of public key technologies with the following interfaces:
-
pktool
command – Manages PKI objects, such as certificates, in a variety of keystores. -
kmfcfg
command – Manages the PKI policy database and third-party plugins.PKI policy decisions include operations such as the validation method for an operation. Also, PKI policy can limit the scope of a certificate. For example, PKI policy might assert that a certificate can be used only for specific purposes. Such a policy would prevent that certificate from being used for other requests.
-
KMF library – Contains programming interfaces that abstract the underlying keystore mechanism.
Applications do not have to choose one particular keystore mechanism, but can migrate from one mechanism to another mechanism. The supported keystores are PKCS #11, NSS, and OpenSSL. The library includes a pluggable framework so that new keystore mechanisms can be added. Therefore, applications that use the new mechanisms would require only minor modifications to use a new keystore.
Key Management Framework Utilities
KMF provides methods for managing the storage of keys and provides the overall policy for the use of those keys. KMF can manage the policy, keys, and certificates for three public key technologies:
-
Tokens from PKCS #11 providers, that is, from the Cryptographic Framework
-
NSS, that is, Network Security Services
-
OpenSSL, a file-based keystore
The kmfcfg
tool can create, modify, or delete KMF policy entries. The tool also manages plugins to the framework. KMF manages keystores through the pktool
command. For more information, see the kmfcfg(1) and pktool(1) man pages, and the following sections.
KMF Policy Management
KMF policy is stored in a database. This policy database is accessed internally by all applications that use the KMF programming interfaces. The database can constrain the use of the keys and certificates that are managed by the KMF library. When an application attempts to verify a certificate, the application checks the policy database. The kmfcfg
command modifies the policy database.
KMF Plugin Management
The kmfcfg
command provides the following subcommands for plugins:
-
list plugin
– Lists plugins that are managed by KMF. -
install
plugin – Installs the plugin by the module's path name and creates a keystore for the plugin. To remove the plugin from KMF, you remove the keystore. -
uninstall
plugin – Removes the plugin from KMF by removing its keystore. -
modify
plugin – Enables the plugin to be run with an option that is defined in the code for the plugin, such asdebug
.
For more information, see the kmfcfg(1) man page. For the procedure, see How to Manage Third-Party Plugins in KMF.
KMF Keystore Management
KMF manages the keystores for three public key technologies, PKCS #11 tokens, NSS, and OpenSSL. For all of these technologies, the pktool
command enables you to do the following:
-
Generate a self-signed certificate
-
Generate a certificate request
-
Generate and configure a token
-
Generate a symmetric key
-
Generate a public/private key pair
-
Generate a PKCS #10 certificate signing request (CSR) to be sent to an external certificate authority (CA) to be signed
-
Sign a PKCS #10 CSR
-
Import objects into the keystore
-
List the objects in the keystore
-
Delete objects from the keystore
-
Download a CRL
For the PKCS #11 and NSS technologies, the pktool
command also enables you to set a PIN by generating a passphrase for the keystore or for an object in the keystore.
For examples of using the pktool
utility, see the pktool(1) man page and Using the Key Management Framework Task Map.
Using the Key Management Framework
This section describes how to use the pktool
command to manage your public key objects, such as passwords, passphrases, files, keystores, certificates, and CRLs.
The Key Management Framework (KMF) enables you to centrally manage public key technologies.
Table 4-1 Using the Key Management Framework Task Map
Task | Description | For Instructions |
---|---|---|
Create a certificate. |
Creates a certificate for use by PKCS #11, NSS, or OpenSSL. |
How to Create a Certificate by Using the pktool gencert Command |
Export a certificate. |
Creates a file with the certificate and its supporting keys. The file can be protected with a password. |
How to Export a Certificate and Private Key in PKCS #12 Format |
Import a certificate. |
Imports a certificate from another system. |
|
Imports a certificate in PKCS #12 format from another system. |
||
Create a keystore or token. |
Creates a token, assigns a PIN, and names a label. |
|
Generate a passphrase. |
Generates a passphrase for access to a PKCS #11 keystore or an NSS keystore. |
How to Generate a Passphrase by Using the pktool setpin Command |
Generate a symmetric key. |
Generates symmetric keys for use in encrypting files, in creating a MAC of a file, and for applications. |
|
Generate a key pair. |
Generates a public/private key pair for use with applications. |
How to Generate a Key Pair by Using the pktool genkeypair Command |
Generate a PKCS #10 CSR. |
Generates a PKCS #10 certificate signing request (CSR) for an external certificate authority (CA) to sign. |
pktool(1) man page |
Sign a PKCS #10 CSR. |
Signs a PKCS #10 CSR. |
How to Sign a Certificate Request by Using the pktool signcsr Command |
Add a plugin to KMF. |
Installs, modifies, and lists a plugin. Also, removes the plugin from the KMF. |
How to Create a Certificate by Using the pktool Command
This procedure creates a self-signed certificate and stores the certificate in the PKCS #11 keystore. As a part of this operation, an RSA public/private key pair is also created. The private key is stored in the keystore with the certificate.
Example 4-1 Creating a Self-Signed Certificate by Using pktool
In the following example, a user at My Company
creates a self-signed certificate and stores the certificate in a keystore for PKCS #11 objects. The keystore is initially empty. If the keystore has not been initialized, the PIN for the softtoken is changeme
, and you can use the pktool setpin
command to reset the PIN. Note that a FIPS 140-2 approved key type and key length, RSA 2048, is specified in the command options.
$ pktool gencert keystore=pkcs11 label="My Cert" \ subject="C=US, O=My Company, OU=Security Engineering Group, CN=MyCA" \ serial=0x000000001 keytype=rsa keylen=2048 Enter pin for Sun Software PKCS#11 softtoken:Type PIN for token
$ pktool list
No. Key Type Key Len. Key Label
----------------------------------------------------
Asymmetric public keys:
1 RSA My Cert
Certificates:
1 X.509 certificate
Label: My Cert
ID: d2:7e:20:04:a5:66:e6:31:90:d8:53:28:bc:ef:55:55:dc:a3:69:93
Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
...
...
Serial: 0x00000010
...
How to Import a Certificate Into Your Keystore
This procedure describes how to import a file with PKI information that is encoded with PEM or with raw DER into your keystore. For an export procedure, see How to Export a Certificate and Private Key in PKCS #12 Format.
Example 4-2 Importing a PKCS #12 File Into Your Keystore
In the following example, the user imports a PKCS #12 file from a third party. The pktool import
command extracts the private key and the certificate from the gracedata.p12
file and stores them in the user's preferred keystore.
$ pktool import keystore=pkcs11 infile=gracedata.p12 label=GraceCert Enter password to use for accessing the PKCS12 file:Type PKCS #12 password Enter pin for Sun Software PKCS#11 softtoken: Type PIN for token Found 1 certificate(s) and 1 key(s) in gracedata.p12 $ pktool list No. Key Type Key Len. Key Label ---------------------------------------------------- Asymmetric public keys: 1 RSA GraceCert Certificates: 1 X.509 certificate Label: GraceCert ID: 71:8f:11:f5:62:10:35:c2:5d:b4:31:38:96:04:80:25:2e:ad:71:b3 Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA Serial: 0x00000010
Example 4-3 Importing an X.509 Certificate Into Your Keystore
In the following example, the user imports an X.509 certificate in PEM format into the user's preferred keystore. This public certificate is not protected with a password. The user's public keystore is also not protected by a password.
$ pktool import keystore=pkcs11 infile=somecert.pem label="TheirCompany Root Cert" $ pktool list No. Key Type Key Len. Key Label Certificates: 1 X.509 certificate Label: TheirCompany Root Cert ID: ec:a2:58:af:83:b9:30:9d:de:b2:06:62:46:a7:34:49:f1:39:00:0e Subject: C=US, O=TheirCompany, OU=Security, CN=TheirCompany Root CA Issuer: C=US, O=TheirCompany, OU=Security, CN=TheirCompany Root CA Serial: 0x00000001
How to Export a Certificate and Private Key in PKCS #12 Format
You can create a file in PKCS #12 format to export private keys and their associated X.509 certificate to other systems. Access to the file is protected by a password.
Example 4-4 Exporting a Certificate and Private Key in PKCS #12 Format
In the following example, a user exports the private keys with their associated X.509 certificate into a standard PKCS #12 file. This file can be imported into other keystores. The PKCS #11 password protects the source keystore. The PKCS #12 password is used to protect private data in the PKCS #12 file. This password is required to import the file.
$ pktool list
No. Key Type Key Len. Key Label
----------------------------------------------------
Asymmetric public keys:
1 RSA My Cert
Certificates:
1 X.509 certificate
Label: My Cert
ID: d2:7e:20:04:a5:66:e6:31:90:d8:53:28:bc:ef:55:55:dc:a3:69:93
Subject: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
Issuer: C=US, O=My Company, OU=Security Engineering Group, CN=MyCA
Serial: 0x000001
$ pktool export keystore=pkcs11 outfile=mydata.p12 label="My Cert"
Enter pin for Sun Software PKCS#11 softtoken: Type PIN for token
Enter password to use for accessing the PKCS12 file:Create PKCS #12 password
The user then telephones the recipient and provides the PKCS #12 password.
How to Create a PKCS #11 Keystore
Use this procedure to create a brand new PKCS #11 keystore. This same procedure also applies if you want to re-create a keystore that has been previously used. When creating keystores, you should use the pktool inittoken
command as a preferred method instead of the traditional pktool setpin
command.
Caution:
Using thepktool inittoken
command in this procedure destroys all of the existing objects in the keystore. If you are re-creating a keystore that has been previously used, export the keystore's objects to a secure location. After you have completed the procedure, you can import the objects.
Example 4-5 Creating a Brand New Keystore With a New Name
This example shows how to assign a new name to the keystore that you are creating.
Note that you will be prompted to enter your Security Officer PIN to complete the process.
# pktool inittoken currlabel="Sun Software PKCS#11 softtoken" \ newlabel="Company XYZ softtoken" Enter SO PIN: Type Security Officer PIN Token Company XYZ softtoken initialized. # pktool tokens ID Slot Name Token Name Flags -- --------- ---------- ----- 1 Sun Crypto Softtoken Company XYZ softtoken LI Flags: L=Login required, I=Initialized, X=User PIN expired, S=SO PIN expired, R=Write protected
How to Generate a Passphrase by Using the pktool Command
You can generate a passphrase for an object in a keystore, and for the keystore itself. The passphrase is required to access the object or keystore. For an example of generating a passphrase for an object in a keystore, see Exporting a Certificate and Private Key in PKCS #12 Format.
Example 4-6 Protecting a Keystore With a Passphrase
The following example shows how to set the passphrase for an NSS database. Because no passphrase has been created, the user presses the Return key at the first prompt.
$ pktool setpin keystore=nss dir=/var/nss Enter current token passphrase:Press the Return key Create new passphrase: xxxx xxx xxx Re-enter new passphrase: xxxx xxx xxx Passphrase changed.
How to Generate a Key Pair by Using the pktool genkeypair Command
Some applications require a public/private key pair. In this procedure, you create these key pairs and store them.
Example 4-7 Creating a Key Pair by Using the pktool
Command
In the following example, a user creates a PKCS #11 keystore for the first time. After determining the key sizes for RSA key pairs, the user then generates a key pair for an application. Finally, the user verifies that the key pair is in the keystore. The user notes that the second occurrence of the RSA key pair can be stored on hardware. Because the user does not specify a token
argument, the key pair is stored as a Sun Software PKCS#11 softtoken
.
# pktool setpin Create new passphrase: Re-enter new passphrase:xxxxxxxxxx Passphrase changed. $ cryptoadm list -vm | grep PAIR ... CKM_DSA_KEY_PAIR_GEN 512 3072 . . . . . . . . . X . . . . CKM_RSA_PKCS_KEY_PAIR_GEN 256 8192 . . . . . . . . . X . . . . ... CKM_RSA_PKCS_KEY_PAIR_GEN 256 2048 X . . . . . . . . X . . . . ecc: CKM_EC_KEY_PAIR_GEN,CKM_ECDH1_DERIVE,CKM_ECDSA,CKM_ECDSA_SHA1 $ pktool genkeypair label=specialappkeypair keytype=rsa keylen=2048 Enter PIN for Sun Software PKCS#11 softtoken : xxxxxxxxxx $ pktool list Enter PIN for Sun Software PKCS#11 softtoken : xxxxxxxxxx No. Key Type Key Len. Key Label ---------------------------------------------------- Asymmetric public keys: 1 RSA specialappkeypair
Example 4-8 Creating a Key Pair That Uses the Elliptic Curve Algorithm
In the following example, a user adds an elliptic curve (ec
) key pair to the keystore, specifies a curve name, and verifies that the key pair is in the keystore.
$ pktool genkeypair listcurves secp112r1, secp112r2, secp128r1, secp128r2, secp160k1 . . . c2pnb304w1, c2tnb359v1, c2pnb368w1, c2tnb431r1, prime192v2 prime192v3 $ pktool genkeypair label=eckeypair keytype=ec curves=c2tnb431r1 $ pktool list Enter PIN for Sun Software PKCS#11 softtoken : xxxxxxxxxx No. Key Type Key Len. Key Label ---------------------------------------------------- Asymmetric public keys: 1 ECDSA eckeypair
How to Sign a Certificate Request by Using the pktool signcsr Command
This procedure assumes that you are a certificate authority (CA), you have received a CSR, and it is stored in a file. For an example of creating a CSR, see Example 4-9.
This procedure is used to sign a PKCS #10 certificate signing request (CSR). The CSR can be in PEM or DER format. The signing process issues an X.509 v3 certificate. To generate a PKCS #10 CSR, see the pktool(1) man page.
Example 4-9 Generating a CSR
This example shows two methods to generate a CSR.
-
Use the
pktool
command and store the CSR in the PKCS #11 keystore. You must provide the password to the keystore.$ pktool gencsr keystore=pkcs11 label=example3csr \ keytype=rsa keylen=2048 hash=sha2 \ format=pem outcsr=/var/tmp/example3.csr-1 \ subject="CN=example3.company.au, OU=HR Department, O=Example3, L=Sydney, ST=NSW, C=AU"
-
Use the
openssl
command to generate the CSR.$ openssl req -text -noout -in /var/tmp/example3.csr-1
How to Manage Third-Party Plugins in KMF
You identify your plugin by giving it a keystore name. When you add the plugin to KMF, the software identifies it by its keystore name. The plugin can be defined to accept an option. This procedure includes how to remove the plugin from KMF.
Example 4-10 Calling a KMF Plugin With an Option
In the following example, the administrator stores a KMF plugin in a site-specific directory. The plugin is defined to accept a debug
option. The administrator adds the plugin and verifies that the plugin is installed.
# /usr/bin/kmfcfg install keystore=mykmfplug \ modulepath=/lib/security/site-modules/mykmfplug.so $ kmfcfg list plugin KMF plugin information: ----------------------- pkcs11:kmf_pkcs11.so.1 (built-in) file:kmf_openssl.so.1 (built-in) nss:kmf_nss.so.1 (built-in) mykmfplug:/lib/security/site-modules/mykmfplug.so # kmfcfg modify plugin keystore=mykmfplug option="debug" # kmfcfg list plugin KMF plugin information: ----------------------- ... mykmfplug:/lib/security/site-modules/mykmfplug.so;option=debug
The plugin now runs in debugging mode.
Managing Certificates in the Oracle Solaris CA Keystore
Oracle Solaris provides a keystore for Certificate Authority (CA) certificate files. To manage the keystore, you restart the SMF ca-certificates
service after you add, remove, or exclude certificates from the keystore.
X.509 certificates contain an RSA public key and the key's signer ("CN" or "Subject"). The key and signer verifies that some file or object was signed with the key holder's private key. CA certificates are issued by well-known organizations to verify that a certificate is legitimate and that the public key in the certificate can be trusted.
Oracle Solaris keeps the CA certificates in the /etc/certs/CA
directory. Hashed links to the CA certificates are in the /etc/openssl/certs
directory to enable fast lookup and access, typically by OpenSSL. Usually, each filename in the /etc/certs/CA
directory is the certificate holder's CN with spaces replaced by underscores ("_") and appended with a .pem
extension. For example, the file /etc/certs/CA/ExampleCo-_G3.pem
contains the certificate for CN "ExampleCo Class 4 Public Primary Certification Authority - G3".
Note:
Certificates in the/etc/certs
directory are not automatically included in the Java keystore. You must add them separately.
You can add certificates and exclude certificates.
How to Add a Certificate to the Oracle Solaris CA Keystore
You must assume the root
role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
If the service hasn't started, the certificate could be corrupt or could be a duplicate of an existing CA certificate. Look for error messages in the log file listed in the svcs -x
command output. Also check the /system/volatile/system-ca-certificates:default.log
file.
How to Exclude Certificates From the Oracle Solaris CA Keystore
You must assume the root
role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
Excluding prevents Oracle Solaris libraries and programs from using the excluded CA certificate. Excluded certificates are not copied to the /etc/certs/ca-certificates.crt
and are not linked to from the OpenSSL CA certificate directory, /etc/openssl/certs
.