Chapter 5. Using and Configuring the Token Management System: TPS, TKS, and Enterprise Security Client
cd /var/lib/pki-tks/alias
3. Generate the new master key. For example:
tkstool -M -n new_master -d /var/lib/pki-tks/alias -h token_name
Enter Password or Pin for "NSS Certificate DB":
Generating and storing the master key on the specified token . . .
Naming the master key "new_master" . . .
Computing and displaying KCV of the master key on the specified token . . .
new_master key KCV: CA5E 1764
Successfully generated, stored, and named the master key
including computing and displaying its KCV!
4. Verify that the keys have been added properly to the database.
tkstool -L -d .
 slot:  NSS User Private Key and Certificate Services
token:  NSS Certificate DB
Enter Password or Pin for "NSS Certificate DB":
<0> new_master
Using tkstool is explained in more detail in the Certificate System Command-Line Tools Guide.
5.6.2. Generating and Transporting Wrapped Master Keys
If a master key is going to be used on an external token or in multiple locations, then that key must be
wrapped so that it can be safely transported to the hardware tokens. The tkstool utility can be used
to generate both new master and transport keys. The transport key is used to send the master key
securely to the facility where the tokens are generated.
NOTE
Tokens that are generated with a particular master key can only be used with that master
key.
1. Get the PIN used to access the TKS's security databases. The internal entry in password.conf
is the PIN for the security databases.
cat /var/lib/pki-tks/conf/password.conf
internal=649713464822
internaldb=secret12
replicationdb=-752230707
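Added example (not part of the Red Hat guide): cat prints every secret in password.conf to the terminal, so this script reads only the internal entry and first refuses a file that other users can access. The function names and the no-access-for-others policy are assumptions made for illustration; the demo file is constructed from the sample values shown above.

```shell
#!/bin/sh
# Added example: read one entry from a password.conf-style file without
# printing the other secrets. Function names and the policy are assumptions.

# conf_world_safe FILE -> 0 if "other" has no permission bits on FILE.
conf_world_safe() {
    [ -f "$1" ] || return 2
    # An ls -ld mode string looks like -rw-rw----; characters 8-10 are "other".
    other=$(ls -ld -- "$1" | cut -c8-10)
    [ "$other" = "---" ]
}

# conf_get FILE KEY -> prints the value for KEY (text after the first "=").
# Values may contain "=" or start with "-" (see replicationdb above).
conf_get() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$2="*) printf '%s\n' "${line#*=}"; return 0 ;;
        esac
    done < "$1"
    return 1
}

# tks_internal_pin FILE -> prints only the internal PIN, or fails.
tks_internal_pin() {
    if ! conf_world_safe "$1"; then
        echo "refusing $1: missing or accessible to other users" >&2
        return 1
    fi
    conf_get "$1" internal
}

# Constructed demo: a temporary file holding the sample values from the page.
demo() {
    tmp=$(mktemp) || return 1
    printf 'internal=649713464822\ninternaldb=secret12\nreplicationdb=-752230707\n' > "$tmp"
    chmod 600 "$tmp"
    rc=0
    tks_internal_pin "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}

demo
```

On a real TKS host the call would be tks_internal_pin /var/lib/pki-tks/conf/password.conf, run as a user permitted to read that file.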