Chapter 12. Managing Tokens
This chapter gives an overview of using hardware security modules, also called HSMs or tokens, to
generate and store Certificate System instance certificates and keys. This chapter includes installation
and usage considerations for supported HSMs, describes different tasks for managing tokens, and
contains other information for using hardware tokens with Certificate System.
12.1. Tokens for Storing Certificate System Keys and Certificates
A token is a hardware or software device that performs cryptographic functions and stores public-key
certificates, cryptographic keys, and other data.
The Certificate System defines two types of tokens, internal and external, for storing key pairs and
certificates that belong to the Certificate System subsystems.
12.1.1. Internal Tokens
An internal (software) token is a pair of files, usually called the certificate database and key database,
that the Certificate System uses to generate and store its key pairs and certificates. The Certificate
System automatically generates these files in the filesystem of its host machine when first using the
internal token. These files were created during the Certificate System subsystem configuration if the
internal token was selected for key-pair generation.
In the Certificate System, the certificate database is named cert8.db; the key database is named
key3.db. These files are located in the instanceID/alias directory.
12.1.2. External Tokens
An external token refers to an external hardware device, such as a smart card or hardware security
module (HSM), that the Certificate System uses to generate and store its key pairs and certificates.
The Certificate System supports any hardware tokens that are compliant with PKCS #11.
PKCS #11 is a standard set of APIs and shared libraries that isolates an application from the details
of the cryptographic device, so the application uses one uniform interface for every PKCS #11-
compliant device.
The PKCS #11 module implemented in the Certificate System supports cryptographic devices supplied
by many different manufacturers. This module allows the Certificate System to plug in shared libraries
supplied by manufacturers of external encryption devices and use them for generating and storing
keys and certificates for the Certificate System managers.
Consider using external tokens for generating and storing the key pairs and certificates used by
Certificate System. These devices are another security measure to safeguard private keys because
hardware tokens are sometimes considered more secure than software tokens.
12.1.3. Considerations for External Tokens
• All system keys for a subsystem must be generated on the same token.
• Install the subsystem in an empty HSM slot. If the HSM slot has previously been used to store other
keys, then use the HSM vendor's utilities to delete the contents of the slot. The Certificate System
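To check the two considerations above against a subsystem's key store, here is an added Python example (not part of the manual or of Certificate System) that parses a `certutil -K` style private-key listing for the instanceID/alias directory and reports system keys spread over more than one token or stray keys left in the HSM slot; the sample listing, its line layout, the token name `nethsm` and the certificate nicknames are constructed assumptions.

```python
import re

# Constructed sample in the layout `certutil -K -d <instanceID>/alias` prints:
# one "Checking token" header per token, one line per private key.
# Token and nickname values are made up for this example.
SAMPLE_LISTING = """\
certutil: Checking token "nethsm" in slot "nethsm slot 0"
< 0> rsa      1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b   nethsm:caSigningCert cert-pki-ca
< 1> rsa      0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c   nethsm:ocspSigningCert cert-pki-ca
< 2> rsa      9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6   nethsm:leftoverKey
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d   NSS Certificate DB:subsystemCert cert-pki-ca
"""
SUBSYSTEM_KEYS = {"caSigningCert cert-pki-ca", "ocspSigningCert cert-pki-ca",
                  "subsystemCert cert-pki-ca"}  # constructed nicknames

HEADER_RE = re.compile(r'^certutil: Checking token "([^"]+)"')
KEY_RE = re.compile(r"^<\s*\d+>\s+\S+\s+[0-9a-fA-F]+\s+(.+?)\s*$")


def parse_key_listing(text):
    """Map each private-key nickname to the token that holds it."""
    token, keys = None, {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            token = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m and token:
            nick = m.group(1)
            if nick.startswith(token + ":"):  # drop the "<token>:" prefix
                nick = nick[len(token) + 1:]
            keys[nick] = token
    return keys


def check_tokens(keys, subsystem_keys, hsm_token):
    """Return the 12.1.3 violations found: split keys and a non-empty slot."""
    tokens = {keys.get(n, "<missing>") for n in subsystem_keys}
    problems = []
    if len(tokens) > 1:
        problems.append("system keys split across tokens: " + ", ".join(sorted(tokens)))
    foreign = sorted(n for n, t in keys.items() if t == hsm_token and n not in subsystem_keys)
    if foreign:
        problems.append("HSM slot not empty, unexpected keys: " + ", ".join(foreign))
    return problems
```

Run `check_tokens(parse_key_listing(SAMPLE_LISTING), SUBSYSTEM_KEYS, "nethsm")` to see both warnings for the sample; an empty list means the two considerations hold.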