Configuring the TKS to Associate the Master Key with Its Version; Using HSM for Generating Keys - Red Hat Certificate System 7.3 Administration Manual

Using the tksTool is explained in more detail in the Certificate System Command-Line Tools Guide.
9.3. Configuring the TKS to Associate the Master Key with Its Version
Master keys have a numeric identifier such as 01. The TKS maps these IDs to PKCS #11 object
nicknames specified in masterKeyId. To map the keys, add a mapping parameter like the following
to the CS.cfg file:
tks.mk_mappings.#02#01=tokenname:masterKeyId
NOTE
Stop the TKS instance before editing the configuration file.
To reference the security database, set the tokenname to internal. All numeric key identifiers in
mapping configurations must be suffixed with #01. In the example above, #02 represents the master
key version.
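The mapping format described above can be checked before the TKS is restarted. The following is an added example, not part of the manual or of Certificate System: a small Python check that reads CS.cfg text, validates each tks.mk_mappings line, and reports which token holds each master key version. The function name, the sample configuration, the two-digit identifier pattern and the duplicate-version check are assumptions made for this example.

```python
import re

# Assumption: identifiers are two-digit numbers, like the page's 01 and 02.
MAPPING_RE = re.compile(r"^tks\.mk_mappings\.(?P<ident>[^=]*)=(?P<value>.*)$")
IDENT_RE = re.compile(r"^#(?P<version>[0-9]{2})#01$")


def check_mk_mappings(cfg_text):
    """Return (mappings, errors) for tks.mk_mappings lines in CS.cfg text."""
    mappings, errors, seen = [], [], set()
    for lineno, raw in enumerate(cfg_text.splitlines(), start=1):
        m = MAPPING_RE.match(raw.strip())
        if not m:
            continue  # not a master key mapping line
        ident = IDENT_RE.match(m.group("ident"))
        if not ident:
            errors.append((lineno, "identifier must be #<version>#01"))
            continue
        token, sep, nickname = m.group("value").partition(":")
        if not (sep and token and nickname):
            errors.append((lineno, "value must be tokenname:masterKeyId"))
            continue
        version = ident.group("version")
        if version in seen:  # lint choice of this example, not a TKS rule
            errors.append((lineno, "duplicate mapping for version " + version))
            continue
        seen.add(version)
        mappings.append({
            "version": version,
            "token": token,
            "nickname": nickname,
            # tokenname "internal" references the security database
            "internal_token": token == "internal",
        })
    return mappings, errors


# Constructed sample: only nethsm and new_master appear on the page.
SAMPLE_CFG = """\
some.other.setting=value
tks.mk_mappings.#02#01=nethsm:new_master
tks.mk_mappings.#03#01=internal:old_master
tks.mk_mappings.#04=nethsm:new_master
tks.mk_mappings.#05#01=new_master
tks.mk_mappings.#02#01=internal:other_key
"""

if __name__ == "__main__":
    found, problems = check_mk_mappings(SAMPLE_CFG)
    for entry in found:
        print(entry)
    for lineno, message in problems:
        print("line %d: %s" % (lineno, message))
```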
NOTE
Smart cards from the Axalto Web Store come with a default developer key set where all
keys are set to 404142434445464748494a4b4c4d4e4f. TKS has this key built-in, and
it is referred to with the master key set #01. TKS uses key set #01 by default.

9.4. Using HSM for Generating Keys

By default the TKS is configured to use the internal software token to generate and store its master
keys, but some deployments may require using a hardware security module (HSM) instead of the
software token.
To generate keys on HSMs:
1. Install the TKS subsystem.
2. After the TKS instance is configured, generate the TKS master key on the HSM using the
tksTool. By default during installation, the TKS master key is generated on the software token.
For example:
tksTool -M -n new_master -d /var/lib/rhpki-tks/alias -h nethsm
This generates a master key named new_master on the nethsm token for the rhpki-tks
instance.
For more information on using the tksTool, see the Certificate System Command-Line Tools
Guide.
3. Update the TKS instance's CS.cfg to contain the following values:
