svcadm(1M)을 검색하려면 섹션에서 1M 을 선택하고, 맨 페이지 이름에 svcadm을 입력하고 검색을 누른다.
pktool(1)
pktool(1) User Commands pktool(1)
NAME
pktool - manage certificates and keys
SYNOPSIS
pktool [-f option_file] [-i] subcommand subcommand_options ...
DESCRIPTION
The pktool command allows users to manage the certificates and keys on
multiple keystores including PKCS#11 tokens (that is, Cryptographic
Framework) and standard file based keystore for OpenSSL.
pktool also provides support to list, delete and import a Certificate
Revocation List (CRL). pktool does not provide support for creating
CRLs, signing CRLs, or exporting CRLs. The CRL support for the PKCS#11
keystore is file-based.
OPTIONS
The following command options are supported:
-f option_file
Allows the user to set up the options in a file instead of entering
the options on the command line.
This option is provided as a convenience for users because pktool
can potentially have a large list of subcommands and associated
options to be specified on the command line.
The format of the option_file is one option or value pair per-line.
An example option_file might looks as follows:
list
keystore=file
dir=/export/foo
objtype=key
-i
Allows the user to specify the subject-DN interactively for the
gencert and gencsr subcommands. When -i is specified, the user is
prompted to input some data to form a subject-DN.
An example of using the -i option follows:
Country Name (2 letter code) [US]: US
State or Province Name (full name) [Some-State]: CA
Locality Name (eg, city) []: Menlo Park
Organization Name (eg, company): Example Corp.
Organizational Unit Name (eg, section): DevOps
Common Name (eg, YOUR name): John Smith
Email Address []: john.smith@example.com
The resulting subject-DN is:
"C=US, ST=CA, L=Menlo Park, O=Example Corp.,\
OU=DevOps, emailAddress=john.smith@example.com, \
CN=John Smith"
-?, --help
The -? option displays usage and help information. --help is a syn‐
onym for -?.
SUBCOMMANDS
The following subcommands are supported:
delete
The format for the delete subcommand is as follows:
pktool delete [token=token[:manuf[:serial]]]
[objtype=private|public|both]
[label=object-label]
pktool delete keystore=pkcs11
objtype=cert[:public | private | both]]
[token=token[:manuf[:serial]]]
[label=cert-label]
[serial=hex-serial-number]
[issuer=issuer-DN]
[subject=subject-DN]
pktool delete keystore=pkcs11
objtype=key[:public | private | both]]
[token=token[:manuf[:serial]]]
[label=key-label]
pktool delete keystore=pkcs11
objtype=crl
infile=input-fn
pktool delete keystore=file
objtype=cert
[infile=input-fn]
[dir=directory-path]
[serial=hex-serial-number]
[issuer=issuer-DN]
[subject=subject-DN]
pktool delete keystore=file
objtype=key
[infile=input-fn]
[dir=directory-path]
pktool delete keystore=file
objtype=crl
infile=input-fn
Deletes a certificate, key, or certificate revocation list (CRL).
To delete a private certificate or key from PKCS#11 token, the user
is prompted to authenticate to the PKCS#11 by entering the correct
Personal Identification Number (PIN).
download
The format for the download subcommand is as follows:
pktool download url=url_str
[objtype=crl|cert]
[http_proxy=proxy_str]
[outfile=output-fn]
[dir=directory-path]
Downloads a CRL file or a certificate file from the specified URL
location. Once the file is successfully downloaded, checks the
validity of the downloaded CRL or certificate file. If the CRL or
the certificate is expired, download issues a warning.
export
The format for the export subcommand is as follows:
pktool export [token=token[:manuf[:serial]]]
[outfile=output-fn]
pktool export keystore=pkcs11
[outfile=output-fn]
[objtype=cert|key]
[label=label]
[subject=subject-DN]
[issuer=issuer-DN]
[serial=hex-serial-number]
[outformat=pem|der|pkcs12|raw]
[token=token[:manuf[:serial]]]
pktool export keystore=file
certfile=cert-input-fn
keyfile=key-input-fn
[outfile=output-pkcs12-fn]
Saves the contents of PKCS#11 token or certificates in the file-
based keystore to the specified file.
gencert
The format for the gencert subcommand is as follows:
pktool gencert [-i] [ keystore=pkcs11]
label=key/cert-label
subject=subject-DN
serial=hex_serial_number
[altname=[critical:]subjectAltName,subjectAltName...]
[keyusage=[critical:]usage,usage...]
[token=token[:manuf[:serial]]]
[ keytype=rsa | ec [curve=ECC Curve Name] \
[hash=md5 | sha1 | sha224 | sha256 | sha384 | sha512]]
[ keytype=dsa [hash=sha1 | sha224 | sha256 ]]
[keylen=key-size]
[eku=[critical:]EKU_name,...]
[listcurves]
[lifetime=number-hour|number-day|number-year]
pktool gencert [-i] keystore=file
outcert=cert-fn
outkey=key-fn
subject=subject-DN
serial=hex_serial_number
[altname=[critical:]subjectAltName,subjectAltName...]
[keyusage=[critical:]usage,usage...]
[format=der|pem]
[ keytype=rsa
[hash=md5|sha1|sha224|sha256|sha384|sha512]]
[ keytype=dsa [hash=sha1 | sha224 | sha256 ]]
[keylen=key-size]
[eku=[critical:]EKU_name,...]
[lifetime=number-hour|number-day|number-year]
Generates a self-signed certificate and installs it and its associ‐
ated private key to the specified keystore.
Unless a hash is specified as an option to pktool gencert, the
default hash used is SHA-256.
gencert prompts the user to enter a PIN for token-based keystore.
gencsr
The format for the gencsr subcommand is as follows:
pktool gencsr [-i] keystore=pkcs11
label=key-label
outcsr=csr-fn
subject=subject-DN
[altname=[critical:]subjectAltName,subjectAltName...]
[keyusage=[critical:]usage,usage...]
[token=token[:manuf[:serial]]]
[ keytype=rsa | ec [curve=ECC Curve Name] \
[hash=md5 | sha1 | sha224 | sha256 | sha384 | sha512]]
[ keytype=dsa [hash=sha1 | sha224 | sha256 ]]
[keylen=key-size]
[format=pem|der]
[eku=[critical:]EKU_name,...]
[rfc2986attr=y|n]
[listcurves]
pktool gencsr [-i] keystore=file
outcsr=csr-fn
outkey=key-fn
subject=subject-DN
[altname=[critical:]subjectAltName,subjectAltName...]
[keyusage=[critical:]usage,usage...]
[dir=directory-path]
[ keytype=rsa
[hash=md5|sha1|sha224|sha256|sha384|sha512]]
[ keytype=dsa [hash=sha1 | sha224 | sha256 ]]
[keylen=key-size]
[format=pem|der]
[rfc2986attr=y|n]
[eku=[critical:]EKU_name,...]
Creates a PKCS#10 certificate signing request (CSR) file. This CSR
can be sent to a Certifying Authority (CA) for signing. The gencsr
subcommand prompts the user to enter a PIN for token-based key‐
store.
Unless a hash is specified as an option to pktool gencsr, the
default hash used is SHA-256.
genkey
The format for the genkey subcommand is as follows:
pktool genkey [keystore=pkcs11]
label=key-label
[keytype=aes|arcfour|des|3des|generic]
[keylen=key-size (for aes, arcfour, or \
generic keytypes only)]
[token=token[:manuf[:serial]]]
[sensitive=y|n]
[extractable=y|n]
[print=y|n]
pktool genkey keystore=file
outkey=key-fn
[keytype=aes|arcfour|des|3des|generic]
[keylen=key-size (for aes, arcfour, \
or generic keytypes only)]
[print=y|n]
Generates a symmetric key in the specified keystore. The genkey
subcommand prompts the user to enter a PIN for token-based key‐
store.
genkeypair
The format for the genkeypair subcommand is as follows:
pktool genkeypair [keystore=pkcs11]
label=key-label
[token=token[:manuf[:serial]]]
[keytype=rsa|dsa|ec [curve=ECC Curve Name]]
[keylen=key-size]
[listcurves]
pktool genkeypair keystore=file
outkey=key_filename
[format=der|pem]
[keytype=rsa|dsa]
[keylen=key-size]
Generates a keypair in the specified keystore.
import
The format for the import subcommand is as follows:
pktool import [token=token[:manuf[:serial]]]
infile=input-fn
pktool import [keystore=pkcs11]
infile=input-fn
label=object-label
[keytype=aes|arcfour|des|3des|generic]
[sensitive=y|n]
[extractable=y|n]
[token=token[:manuf[:serial]]]
[objtype=cert|key]
pktool import keystore=pkcs11
objtype=crl
infile=input-fn
outcrl=output-crl-fn
outformat=pem|der
pktool import keystore=file
infile=input-fn
outkey=output-key-fn
outcert=output-key-fn
[outformat=pem|der]
pktool import keystore=file
objtype=crl
infile=input-fn
outcrl=output-crl-fn
outformat=pem|der
Loads certificates, keys, or CRLs from the specified input file
into the specified keystore.
inittoken
The format for the inittoken subcommand is as follows:
pktool inittoken [ slotid=slot number ]
[ currlabel=token[:manuf[:serial]]]
[ newlabel=new token label ]
This command initializes a PKCS#11 token using C_InitToken API. The
preferred method of locating a token is to specify its default
label. Optionally, a new label can be assigned to the token by
using the newlabel argument. If newlabel is not present, the token
label is not modified. The user is prompted to enter the security
officer (SO) PIN for this command to proceed. See the output of
pktool tokens to get the slot number.
list
The format for the list subcommand is as follows:
pktool list [token=token[:manuf[:serial]]]
[objtype=private|public|both]
[label=label]
pktool list [keystore=pkcs11]
[objtype=cert[:public | private | both]]
[token=token[:manuf[:serial]]]
[label=cert-label]
[serial=hex-serial-number]
[issuer=issuer-DN]
[subject=subject-DN]
pktool list [keystore=pkcs11]
objtype=key[:public | private | both]]
[token=token[:manuf[:serial]]]
[label=key-label]
[keyvalue=y|n]
pktool list keystore=pkcs11
objtype=crl
infile=input-fn
pktool list keystore=file
objtype=cert
[infile=input-fn]
[dir=directory-path]
[serial=hex-serial-number]
[issuer=issuer-DN]
[subject=subject-DN]
pktool list keystore=file
objtype=key
[infile=input-fn]
[dir=directory-path]
[keyvalue=y|n]
Lists certificates, list keys, or list certificate revocation lists
(CRL). When displaying a private certificate or key in PKCS#11
token, the user is prompted to authenticate to the PKCS#11 token by
entering the correct PIN.
setpin
The format for the setpin subcommand is as follows:
pktool setpin [ keystore=pkcs11]
[token=token[:manuf[:serial]]]
[usertype=user | so]
Changes the passphrase used to authenticate a user to the PKCS#11
token. Passphrases can be any string of characters with lengths
between 1 and 256 with no nulls.
setpin prompts the user for the old passphrase, if any. If the old
passphrase matches, pktool prompts for the new passphrase twice. If
the two entries of the new passphrases match, it becomes the cur‐
rent passphrase for the token.
For the Sun Software PKCS#11 softtoken keystore (default), the user
must use the setpin command with the default passphrase changeme as
the old passphrase to change the passphrase of the object store.
This action is needed to initialize and set the passphrase to a
newly created token object store.
If the usertype=so option is specified for PKCS#11 based tokens,
the Security Officer (SO) user PIN is changed as opposed to the
normal user PIN. By default the usertype is assumed to be user.
signcsr
The format for the signcsr subcommand is as follows:
signcsr keystore=pkcs11
signkey=label (label of key to use for signing)
csr=CSR_filename
serial=serial_number_hex_string_for_final_certificate
outcert=filename_for_final_certificate
issuer=issuer-DN
[store=y|n] (store the new cert in on the token, default=n)
[outlabel=certificate label]
[format=pem|der] (certificate output format)
[subject=subject-DN] (override the CSR subject name)
[altname=subjectAltName,subjectAltName...] (add subjectAltName)
[keyusage=[critical:]usage,...] (add key usage bits)
[eku=[critical:]EKU_Name,...] (add Extended Key Usage)
[lifetime=number-hour|number-day|number-year]
[token=token[:manuf[:serial]]]
signcsr keystore=file
signkey=filename
csr=CSR_filename
serial=serial_number_hex_string_for_final_certificate
outcert=filename_for_final_certificate
issuer=issuer-DN
[dir=directory-path]
[format=pem|der] (certificate output format)
[subject=subject-DN] (override the CSR subject name)
[altname=subjectAltName,subjectAltName...] (add a subjectAltName)
[keyusage=[critical:]usage,...] (add key usage bits)
[lifetime=number-hour|number-day|number-year]
[eku=[critical:]EKU_Name,...] (add Extended Key Usage)
tokens
The format for the tokens subcommand is as follows:
pktool tokens
The tokens subcommand lists all visible PKCS#11 tokens. The default
token (keystore) is listed even when the meta slot is enabled.
Moreover, when the meta slot is enabled, or when there are more
than two tokens present, the metaslot will also be presented as a
virtual token in the list.
USAGE
The pktool subcommands support the following options:
altname=[critical:]subjectAltName,subjectAltName...
Subject Alternative Names the certificate. The argument that fol‐
lows the altname option should be in the form of tag=value. Valid
tags are IP, DNS, EMAIL, URI, DN, KRB, UPN, and RID. The Subjec‐
tAltName extension is marked as critical if the altname string is
pre-pended with the word critical.
The critical flag is shared by all the altnames, and should be
placed at the beginning of the first subject alternative name.
The delimiter between altname tags (for example, IP, EMAIL, DN, and
so forth) isa comma (,). The delimiter between components in the DN
type is a semicolon (;).
Example 1: Add an IP address to the subjectAltName extension. alt‐
name="IP=1.2.3.4" Example 2: Add an email address to the subjec‐
tAltName extension, and mark it as being critical. altname="criti‐
cal:EMAIL=first.last@example.com"
Example 3: Add multiple subject alternative names IP address, email
address and distinguished name to the subjectAltName extension, and
mark it as being critical.
altname="critical:IP=1.2.3.4,EMAIL=first.last@example.com,\
DN=C=US;O=Oracle;OU=Security;CN=John Smith"
currlabel=token label
This option is only used by the inittoken command. This is used to
locate the default token that is being initialized. See the token
option for details about the format of the token name to be used.
curve=Elliptic_Curve_Name
This option is for specifying the Elliptic Curve parameters to be
used when generating an X.509 certificate or certificate signing
request or when generating an Elliptic Curve keypair.
The following named curves are supported:
secp112r1, secp112r2, secp128r1, secp128r2, secp160k1
secp160r1, secp160r2, secp192k1, secp192r1, secp224k1
secp224r1, secp256k1, secp256r1, secp384r1, secp521r1
sect113r1, sect113r2, sect131r1, sect131r2, sect163k1
sect163r1, sect163r2, sect193r1, sect193r2, sect233k1
sect233r1, sect239k1, sect283k1, sect283r1, sect409k1
sect409r1, sect571k1, sect571r1, c2pnb163v1, c2pnb163v2
c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3
c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1
c2pnb304w1, c2tnb359v1, c2pnb368w1, c2tnb431r1, prime192v2
prime192v3
The list of named curves can also be seen by using the listcurves
option with the gencert, gencsr, or genkeypair subcommands.
dir=directory_path
Specifies the OpenSSL keystore directory where the requested object
is stored. For the signcsr subcommand when it applies to the file
based keystore, this option specifies the directory where the
issuer of the certificate exists, and the default is current direc‐
tory.
eku=[critical:]EKU_Name,[critical:]EKU_Name, ...]
Specifies the extended key usage X.509v3 extension values to add to
the certificate or certificate request.
Specify EKU_Name as one of the following: serverAuth, clientAuth,
codeSigning, emailProtection, ipsecEndSystem, ipsecTunnel, ipse‐
cUser, timeStamping, OCSPSigning, KPClientAuth, KPKdc, or scLogon.
An example is:
eku=KPClientAuth,clientAuth
extractable=y | n
Specifies the resulting symmetric key in the PKCS#11 token is
extractable or not extractable. The valid values are: y and n. The
default value is y.
format=pem | der | pkcs12
For the gencert subcommand, this option only applies to the file
based keystore such as OpenSSL. It is used to specify the output
format of the key or certificate file to be created. The valid for‐
mats are: pem or der. The default format is pem.
For the gencsr subcommand, this option specifies the output encoded
format of the CSR file. The valid formats are: pem or der. The
default format is pem.
hash=md5 | sha1 | sha224 | sha256 | sha384 | sha512
For the gencert and gencsr subcommands, this option allows the
caller to specify the hash algorithm to be use for generating the
X.509 certificate signature. This can be used when creating EC or
RSA based certificates by using the PKCS#11 keystores. Elliptic
Curve support is not available when using the OpenSSL file-based
keystore.
infile=input-fn
Specifies the certificate filename for list and delete subcommands
when objtype=cert and keystore=file. For the import subcommand,
this option specifies the filename to be imported. Specifies the
input CRL filename for list, delete and import subcommands when
objtype=crl.
issuer=issuer-DN
Specifies the issuer of a certificate.
keylen=key-size
Specifies the size (bits) of the private or symmetric key to gener‐
ate.
For the gencert and gencsr subcommands, the default key length is
2048 bits.
For the genkey subcommand, the minimum and maximum bits of the sym‐
metric key to generate using AES algorithm are 128 and 256. Using
the ARCFOUR algorithm, the minimum and maximum bits are 8 and 2048.
The minimum bits for a generic secret key is 8 and the maximum bits
is arbitrary. The default key length for the AES, ARCFOUR or
generic secret keys is 128. For a DES key or a 3DES key, the key
length is fixed and this option is ignored if specified.
keystore=pkcs11 | file
Specifies the type of the underlying keystore: PKCS#11 token or
file-based plugin.
keytype=rsa | dsa | ec | aes | arcfour | des | 3des | generic
Specifies the type of the private or symmetric key to generate.
For the gencert and gencsr subcommands, the valid private key types
are: rsa, ec, or dsa. The default key type is rsa.
For the genkey subcommand, the valid symmetric key types are: aes,
arcfour, des, 3des, or generic. The default key type is aes.
keyusage=[critical:]usage,usage,usage,...
Key Usage strings:
* digitalSignature
* nonRepudiation
* keyEncipherment
* dataEncipherment
* keyAgreement
* keyCertSign
* cRLSign
* encipherOnly
* decipherOnly
Example 1: Set the KeyUsage so that the cert (or csr) can be used
for signing and verifying data other than certificates or CRLs
(digitalSignature) and also can be used for encrypting and decrypt‐
ing data other than cryptographic keys (dataEncipherment).
keyusage=digitalSignature,dataEncipherment
Example 2: The same as above (Example 1), but with the critical bit
set. keyusage=critical:digitalSignature,dataEncipherment
keyvalue=y | n
This option displays the key value in hex format for the symmetric
keys in the file-based and PKCS#11 keystores. The valid values are
y and n. The default value is n.
label=key-label | cert-label
For the gencert subcommand, this option specifies the label of the
private key and self-signed certificate in the PKCS#11 token.
For the gencsr subcommand, this option specifies the label of the
private key in the PKCS#11 token.
For the list subcommand, this option specifies the label of the
X.509 Certificate (when objtype=cert) or the private key (when obj‐
type=key) in the PKCS#11 token to refine the list.
For the delete subcommand, this option specifies the label of the
X.509 Certificate (when objtype=cert) or the private key (when obj‐
type=key) to delete a designated object from the PKCS#11 token.
listcurves
This causes the list of supported Elliptic Curve names to be dis‐
played. This option is only available with the gencert, gencsr, or
genkeypair subcommands.
lifetime=number-hour|number-day|number-year
Specifies the validity period a certificate is valid. The certifi‐
cate life time can be specified by number-hour, number-day, or num‐
ber-year. Only one format can be specified. The default is 1-year.
Examples of this option might be: lifetime=1-hour, lifetime=2-day,
lifetime=3-year
newlabel=token label
This option is only used by the inittoken command. This is used to
change the label assigned to the token that is being initialized.
See the token option for details about the format of the token name
to be used.
nickname=cert-nickname
For the PKCS#11 token, this can be used as an alternative to the
'label' option for the gencert command.
objtype=cert | key | crl
Specifies the class of the object: cert, key, or crl. For the down‐
load subcommand, if this option is not specified, default to crl.
objtype=public | private | both
Specifies the type of object: private object, public object, or
both. This option only applies to list and delete subcommands for
the PKCS#11 token when objtype=key is specified. The default value
is public.
For the list subcommand, the label option can be combined with this
option to further refine the list of keys. For the delete subcom‐
mand, this option can used to narrow the keys to be deleted to only
public, or private ones. Alternately, the label option can be omit‐
ted to indicate that all public, private, or both type of keys are
to be deleted. The use of public, private and both as choices for
the objtype parameter are only applicable with the PKCS#11 keystore
in order to maintain compatibility with earlier versions of the
pktool command.
outcert=cert-fn
Specifies the output certificate filename to write to. This option
is required for the file based plugin such as OpenSSL. Option out‐
key=key-fn is required with this option.
outcrl=output-crl-fn
Specifies the output CRL filename to write to.
outcsr=csr-fn
Specifies the output CSR filename to write to.
outfile=output-fn
For the export subcommand, this option specifies the output file‐
name to be created. For the import subcommand, this option speci‐
fies the output filename of the certificate or CRL. It only applies
to the file based plugin such as OpenSSL. For the download subcom‐
mand, if this option is not specified, the downloaded file name is
the basename of the URL string.
outformat=pem | der | pkcs12
For the import subcommand, this option specifies the output format
of the certificate or key that is extracted from a specified
PKCS#12 file into the file based plugin, The valid values are: pem
or der. The default is pem. When importing a CRL to the CRL file
based keystore, this option specifies the output format of the CRL.
The valid values are: pem or der. The default is der. For the
export subcommand, this option specifies the format of the speci‐
fied output file to be created. The supported formats are: pem, der
or pkcs12. The default is pkcs12.
outkey=key-fn
Specifies the output private key filename to which to write. This
option is only required when using the files keystore.
print=y | n
This option is used in the genkey subcommand and it applies to the
PKCS11 and file-based keystores. If print=y, the genkey subcommand
prints out the key value of the generated key in a single line of
hex. The default value is n. For the PKCS11 keystore, if a symmet‐
ric key is created with sensitive=y or extractable=n, the key value
is not displayed, even the print option is set to y. The key is
still created, but a warning like cannot reveal the key value is
issued.
rfc2986attr=y | n
Specifies whether to encode 'attributes' as an empty ASN.1 con‐
struct 'SET OF' or not. The valid values are: y and n. The default
value is y indicating that pktool adheres to PKCS#10 standard (RFC
2986). Some old broken certificate authorities may require specify‐
ing n.
sensitive=y | n
Specifies the resulting symmetric key in the PKCS#11 token is sen‐
sitive or not sensitive. The valid values are: y and n. The default
value is n.
serial=hex-serial-number
Specifies a unique serial number for a certificate. The serial num‐
ber must be specified as a hex value. Example:
0x0102030405060708090a0b0c0d0e0f
slotid=slot number
Specifies the ID of the slot that interfaces with the token. The
slotid can change. This could happen if a token provider is modi‐
fied, added, or removed with the cryptoadm command. For more infor‐
mation, see the cryptoadm(8) man page.
For that reason, it is preferable to use label= instead of slotid=
to identify a token provider. The token label is shown under the
"Token Name" column in the pktool tokens output.
subject=subject-DN
Specifies a particular certificate owner for a certificate or cer‐
tificate request. An example subject= setting might be:
subject=O=Sun Microsystems Inc., \
OU=Solaris Security Technologies Group, \
L=Ashburn, ST=VA, C=US, CN=John Smith
token=token[:manuf[:serial]]
When a token label contains trailing spaces, this option does not
require them to be typed as a convenience to the user.
Colon separate token identification string token:manuf:serial. If
any of the parts have a literal : char then it needs to be escaped
using a backslash (\). If no : is found then the entire string (up
to 32 chars) is taken as the token label. If only one : is found
then the string is the token label and the manufacturer. When key‐
store=pkcs11 is specified, default to pkcs11_softtoken if this
option is not specified.
usertype=user | so
Specifies the type of user for which the setpin command is being
performed. The default is for a standard user, but so can be speci‐
fied in order to set the PIN for the security officer of the token.
url=url_string
Specifies the URL to download a CRL or a certificate file.
http_proxy=proxy_str
Specifies the proxy server hostname and port number. The format can
be either http://hostname[:port] or hostname[:port]. If this option
is not specified, the download subcommand checks the http_proxy
environment variable. The command line option has a higher priority
than the environment variable.
EXAMPLES
Example 1 Generating a Self-Signed Certificate
The following example creates the certificate and stores it in the key‐
store indicated in the command:
$ pktool gencert keystore=pkcs11 label=WebServerCert \
subject="O=Example Company Inc., OU=Security Technologies Group, \
L=Ashburn, ST=VA, C=US, CN=John Smith" serial=0x01 \
keytype=rsa keylen=2048 hash=sha512
Example 2 Generating a Certificate Signing Request
The following example creates the CSR and stores it in the keystore
indicated in the command:
$ pktool gencsr keystore=pkcs11 subject="O=Example Company Inc., \
OU=HR Department, L=Ashburn, ST=VA, C=US, CN=John Smith" \
keytype=rsa keylen=2048 hash=sha256 outcsr=csr.dat \
label=TestCert
Example 3 Importing a Certificate
The following example imports a certificate object from the specified
input file into the keystore indicated in the command:
$ pktool import keystore=pkcs11 objtype=cert infile=mycert.pem \
label=mycert
EXIT STATUS
The following exit values are returned:
0 Successful completion.
> 0 An error occurred.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) ATTRIBUTE TYPEAT‐
TRIBUTE VALUE _ Availabilitysystem/core-os _ Interface StabilitySee
below
Command invocation and parsable output for the list subcommand with
keystore=[file|pkcs11] objtype=key keyvalue=y|n is Committed. All other
output is Not-an-interface.
SEE ALSO
attributes(7), pkcs11_softtoken(7)
OASIS PKCS#11 v2.40 specification
https://www.oasis-open.org/committees/pkcs11/
RSA PKCS#12 v1.0
https://tools.ietf.org/html/rfc7292
SECG Recommended Elliptic Curve Domain Parameters
https://www.secg.org/
Oracle Solaris 11.4 21 Jun 2021 pktool(1)