PKCS #11; Management Tools - Red Hat Certificate System 7.2 Administration Manual


cryptographic token interfaces. Red Hat uses NSS to support these features in a wide range of products, including Certificate System. NSS documentation is available on-line at http://www.mozilla.org/projects/security/pki/nss/overview.html.

1.4.6. PKCS #11

Public-Key Cryptography Standard (PKCS) #11 specifies an API used to communicate with devices that hold cryptographic information and perform cryptographic operations. Because it supports PKCS #11, Certificate System is compatible with a wide range of hardware and software devices.

At least one PKCS #11 module must be available to any Certificate System subsystem instance. As shown in Figure 1.4, "Certificate System Architecture", a PKCS #11 module (also called a cryptographic module or cryptographic service provider) manages cryptographic services such as encryption and decryption. PKCS #11 modules are analogous to drivers for cryptographic devices that can be implemented in either hardware or software. Red Hat provides a built-in PKCS #11 module with the Certificate System.

A PKCS #11 module always has one or more slots, which can be implemented as physical hardware slots in a physical reader such as smart cards or as conceptual slots in software. Each slot for a PKCS #11 module can in turn contain a token, which is the hardware or software device that actually provides cryptographic services and optionally stores certificates and keys.

Two cryptographic modules are included in the Certificate System:
• The default internal PKCS #11 module, which comes with two tokens:
  • The internal crypto services token, which performs all cryptographic operations such as encryption, decryption, and hashing.
  • The internal key storage token ("Certificate DB token" in Figure 1.4, "Certificate System Architecture"), which handles all communication with the certificate and key database files that store certificates and keys.
• The FIPS 140-1 module. This module complies with the FIPS 140-1 government standard for cryptographic module implementations. The FIPS 140-1 module includes a single, built-in FIPS 140-1 certificate database token (as shown in Figure 1.4, "Certificate System Architecture"), which handles both cryptographic operations and communication with the certificate and key database files.

Any PKCS #11 module can be used with the Certificate System. The server uses a file called secmod.db to track the modules that are available. This file can be modified using the modutil tool. It needs to be modified when there are changes to the system, such as installing hardware accelerators to use for signing operations. For more information on modutil, see http://www.mozilla.org/projects/security/pki/nss/tools/.

1.4.7. Management Tools

The following command-line tools are provided with the Certificate System to help manage the system:
• Audit log signature verification tool (AuditVerify)
• Enrollment PIN generation tool (setpin)
• Mass revocation tool (revoker)
• (Signed) Certificate System request tool
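The secmod.db maintenance step from Section 1.4.6 (registering a PKCS #11 module with modutil and checking that its token is visible), as an added shell example that is not part of the Red Hat manual. It assumes the NSS tools are installed; the database directory, module name and library path are placeholders.

```shell
#!/bin/sh
# Added example, not from the Red Hat manual: maintain the NSS module database
# (secmod.db, or pkcs11.txt in newer sql-format databases) with modutil.
# Assumptions: the NSS tools (modutil) are installed; the database directory
# and the PKCS #11 library path are placeholders you supply.
set -eu

# Create an empty NSS database in DIR $1 unless one is already there.
# -force suppresses modutil's interactive "type q to abort" prompt.
nss_db_init() {
    mkdir -p "$1"
    if [ ! -f "$1/secmod.db" ] && [ ! -f "$1/pkcs11.txt" ]; then
        modutil -create -dbdir "$1" -force >/dev/null
    fi
}

# Show every registered module with its slots and tokens. A fresh database
# lists only the built-in module: one crypto services token and one
# "NSS Certificate DB" key-storage token, the two tokens named in 1.4.6.
nss_list_modules() {
    modutil -list -dbdir "$1"
}

# Return 0 when a token named $2 is registered in DIR $1, 1 otherwise.
# Used after adding a module to confirm the device is actually visible.
nss_has_token() {
    modutil -list -dbdir "$1" | grep -q "token: $2"
}

# Register an external PKCS #11 library (for example an HSM vendor's .so) as
# module $2 in DIR $1, then list it. Fails before touching the database if
# the library file is missing, the usual cause of a module that will not load.
nss_add_module() {
    if [ ! -f "$3" ]; then
        echo "PKCS #11 library not found: $3" >&2
        return 1
    fi
    modutil -add "$2" -libfile "$3" -dbdir "$1" -force >/dev/null
    modutil -list "$2" -dbdir "$1"
}

# Typical use (all three values are placeholders):
# nss_db_init /path/to/alias
# nss_add_module /path/to/alias "Example HSM" /path/to/libpkcs11.so
# nss_has_token /path/to/alias "Example HSM Token" && echo "token visible"
```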
