tkstool -U -d directory -n new_master -t transport -i file
Enter Password or Pin for "NSS Certificate DB":
Retrieving the transport key from the specified token (for
unwrapping) . . .
Reading in the wrapped data (and resident master key KCV) from
the file called "file" . . .
wrapped data:
master key KCV: CED9 4A7B
(pre-computed KCV of the master key residing inside the wrapped data)
Using the transport key to temporarily unwrap the master key to
recompute its KCV value to check against its pre-computed KCV value . . .
master key KCV: CED9 4A7B
(computed KCV of the master key residing inside the wrapped data)
master key KCV: CED9 4A7B
(pre-computed KCV of the master key residing inside the wrapped data)
Using the transport key to unwrap and store the master key on the
specified token . . .
Naming the master key "new_master" . . .
Successfully unwrapped, stored, and named the master key!
9. Verify that the keys have been added properly to the database.
tkstool -L -d .
slot:
NSS User Private Key and Certificate Services
token:
NSS Certificate DB
Enter Password or Pin for "NSS Certificate DB":
<0> transport
<1> new_master
The tkstool utility is explained in more detail in the Certificate System Command-Line Tools Guide.
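The two checks in this procedure (the recomputed KCV matching the pre-computed KCV during the unwrap, and both key names appearing in the step 9 listing) can be scripted over a saved transcript. The following is an added example, not part of the guide or of tkstool; the function names are hypothetical and the sample text is copied from the output shown above.

```python
import re

# Lines copied from the tkstool -U and tkstool -L output shown above.
UNWRAP_OUTPUT = """\
master key KCV: CED9 4A7B
(pre-computed KCV of the master key residing inside the wrapped data)
Using the transport key to temporarily unwrap the master key to
recompute its KCV value to check against its pre-computed KCV value . . .
master key KCV: CED9 4A7B
(computed KCV of the master key residing inside the wrapped data)
Successfully unwrapped, stored, and named the master key!
"""
LIST_OUTPUT = """\
Enter Password or Pin for "NSS Certificate DB":
<0> transport
<1> new_master
"""

KCV_RE = re.compile(r"^master key KCV:\s*([0-9A-Fa-f ]+)$")
KIND_RE = re.compile(r"^\((pre-computed|computed) KCV\b")
KEY_RE = re.compile(r"^<\d+>\s+(\S+)$")

def parse_kcvs(text):
    """Group each 'master key KCV' value by the label on the line after it."""
    found = {"pre-computed": set(), "computed": set()}
    pending = None
    for line in map(str.strip, text.splitlines()):
        value, kind = KCV_RE.match(line), KIND_RE.match(line)
        if kind and pending:
            found[kind.group(1)].add(pending)
        pending = value.group(1).replace(" ", "").upper() if value else None
    return found

def unwrap_verified(text):
    """True only if one pre-computed KCV exists and the recomputed one equals it."""
    kcvs = parse_kcvs(text)
    return (len(kcvs["pre-computed"]) == 1
            and kcvs["pre-computed"] == kcvs["computed"]
            and "Successfully unwrapped" in text)

def listed_keys(text):
    """Key nicknames from tkstool -L lines such as '<0> transport'."""
    hits = (KEY_RE.match(line.strip()) for line in text.splitlines())
    return [m.group(1) for m in hits if m]

def missing_keys(text, expected):
    """Expected nicknames that the listing does not contain."""
    return sorted(set(expected) - set(listed_keys(text)))
```

A transcript that is cut off before the computed KCV line fails `unwrap_verified`, because the computed set is then empty and cannot equal the pre-computed one.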
5.6.3. Using HSM for Generating Keys
By default the TKS is configured to use the internal software token to generate and store its master
keys, but some deployments may require using a hardware security module (HSM) instead of the
software token.
To generate keys on HSMs:
1. Install and configure the TKS subsystem.
2. Get the PIN used to access the TKS's security databases. The internal PIN is the one used
for the security databases.
cat /var/lib/pki-tks/conf/password.conf
internal=649713464822
internaldb=secret12
replicationdb=-752230707
47C0 06DB 7D3F D9ED
FE91 7E6F A7E5 91B9