iKeyman
iKeyman is a GUI application that provides key, certification request, and self-signed certificate generation operations. Refer to the iKeyman guide for details.
iKeyman can also be used to generate keys and certificates on a PKCS#11-enabled hardware crypto device. The procedure is simple:
Add the IBMPKCS11Impl provider.
There are two ways to add the IBMPKCS11Impl provider in iKeyman.
- Add the IBMPKCS11Impl provider into the provider list, which is in the java.security file. For example:
  security.provider.5=com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl /home/test/cfg/4758.cfg
- In the iKeyman tool, click the blue-man icon on the panel and type the following string in the New Provider message box:
  com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl
  Click OK.
In the first method, the configuration file /home/test/cfg/4960.cfg is used to initialize the IBMPKCS11Impl provider.
In the second method, no configuration file is used.
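Added example (not IBM's code and not part of the original guide): a Python check for the first method that reads the provider list from java.security text and reports whether the IBMPKCS11Impl entry is reachable and which configuration file it names. The function names, the placeholder provider classes and the sample text are constructed for illustration; the stop-at-first-gap rule is OpenJDK's loader behaviour and is assumed here to apply to the IBM JDK as well.

```python
import re

PKCS11_CLASS = "com.ibm.crypto.pkcs11impl.provider.IBMPKCS11Impl"
# security.provider.<n>=<class> [argument]; the argument is the config file path.
ENTRY = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*(.*?)\s*$")

def parse_providers(text):
    """Return {index: (class_name, argument_or_None)} from java.security text."""
    providers = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # properties-file comments
            continue
        m = ENTRY.match(line)
        if m:
            providers[int(m.group(1))] = (m.group(2), m.group(3) or None)
    return providers

def audit(text, expected_cfg=None):
    """Return a list of findings about the IBMPKCS11Impl registration."""
    providers = parse_providers(text)
    findings = []
    # Assumption: as in OpenJDK, loading stops at the first missing index.
    reachable = 0
    while reachable + 1 in providers:
        reachable += 1
    hits = [(n, arg) for n, (cls, arg) in sorted(providers.items())
            if cls == PKCS11_CLASS]
    if not hits:
        findings.append("IBMPKCS11Impl is not listed")
    for n, arg in hits:
        if n > reachable:
            findings.append(f"entry {n} follows a numbering gap and is never loaded")
        if arg is None:
            findings.append(f"entry {n} has no configuration file argument")
        elif expected_cfg and arg != expected_cfg:
            findings.append(f"entry {n} uses {arg}, expected {expected_cfg}")
    return findings

# Constructed sample: the guide's provider line after four placeholder entries.
SAMPLE = "\n".join(
    [f"security.provider.{i}=example.Placeholder{i}" for i in range(1, 5)]
    + ["security.provider.5=" + PKCS11_CLASS + " /home/test/cfg/4758.cfg"]
)

if __name__ == "__main__":
    # Check the sample against the other path that appears in the text.
    for finding in audit(SAMPLE, "/home/test/cfg/4960.cfg") or ["no findings"]:
        print(finding)
```

Pass the contents of the real java.security file and the configuration file path you intend the provider to use; an empty list means the entry is reachable and names that file.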
Now a provider that enables connection to the hardware crypto device is available. To create the actual connection to the device, locate the PKCS#11 native library provided by the hardware crypto device vendor. To do this, click the Key Database File tab and select Open; a message box appears. The message box contains an option box that indicates the type of keystore to open. For a hardware crypto device, choose the PKCS11 Direct or PKCS11Config type (depending on how you added the provider). The next step is to specify the native PKCS#11 library provided by the device vendor. For instance, on the AIX® platform, the 4758 device PKCS#11 native library is located at /usr/lib/pkcs11. Enter the file name (in this case PKCS11_API.so) in the File Name box and the location of the file in the Location box, and click OK. You are then asked for the slot number.
Note: If you are using the first way to add the provider, you cannot specify the library name and slot number here; they are read from the configuration file.
Now iKeyman is ready to generate self-signed certificates and certification requests with the hardware crypto device. For details about self-signed certificates and certification requests, refer to the iKeyman user guide.