Using ikeyman to store keys on a PKCS11 device
For IBM HTTP Server, you can use ikeyman for storing keys on a PKCS11 device.
- You will need to obtain the file name and the path location of the cryptographic driver in order to store the keys on the PKCS11 device.
  The following are examples of path locations for PKCS11 devices:
  - nCipher:
    - AIX: /opt/nfast/toolkits/pkcs11/libcknfast.so
    - HP-UX: /opt/nfast/toolkits/pkcs11/libcknfast.sl
    - Linux: /opt/nfast/toolkits/pkcs11/libcknfast.so
    - Solaris: /opt/nfast/toolkits/pkcs11/libcknfast.so
    - Windows: C:\nfast\toolkits\pkcs11\cknfast.dll
  - IBM 4758:
    - AIX: /usr/lib/pkcs11/PKCS11_API.so
    - Windows: $PKCS11_HOME\bin\NT\cryptoki.dll
  - IBM e-business Cryptographic Accelerator:
    - AIX: /usr/lib/pkcs11/PKCS11_API.so
- Run ikeyman to store the keys on the PKCS11 device.
  After launching ikeyman:
  - Select Key Database File from the menu, then Open to navigate to the Key database information dialog.
  - From the drop-down list for Key Database Type, select CMS Cryptographic Token.
  - Enter the File Name and Location for the PKCS11 driver name and path location.
  - Click OK to navigate to the Open Cryptographic Token dialog.
  - Choose the Cryptographic Token Label of the PKCS11 device.
  - Provide the Cryptographic Token Password for the PKCS11 device (which is a previously set password that is hardware-specific).
  - Select the Create new secondary key database file option and fill in the prompts for creating a new secondary key database.
  After opening a cryptographic token successfully, ikeyman will display the certificates stored in the cryptographic token.
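Before entering the driver path in ikeyman on a UNIX platform, it is worth confirming that the file is present and cannot be modified by other users, because a PKCS11 driver is a shared library that is loaded into the calling process. The following shell function is an added example, not part of the IBM documentation or of ikeyman; the name check_pkcs11_driver and its return codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of the PKCS11 driver path before it is
# entered in ikeyman. check_pkcs11_driver is a hypothetical helper name.

# Succeeds if the mode string from "ls -l" has neither group nor other write.
not_shared_writable() {
    case $1 in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Return codes: 0 ok, 2 not absolute, 3 missing, 4 unreadable,
# 5 library writable by group/other, 6 directory writable by group/other.
check_pkcs11_driver() {
    driver=$1
    case $driver in
        /*) ;;
        *) echo "not an absolute path: $driver" >&2; return 2 ;;
    esac
    if [ ! -f "$driver" ]; then
        echo "no regular file at: $driver" >&2; return 3
    fi
    if [ ! -r "$driver" ]; then
        echo "not readable by the current user: $driver" >&2; return 4
    fi
    # -L follows symbolic links, so the mode is that of the real library.
    fmode=$(ls -ldL "$driver" | awk '{print $1}')
    if ! not_shared_writable "$fmode"; then
        echo "library is group/world writable ($fmode): $driver" >&2; return 5
    fi
    # Anyone who can write to the directory can replace the library.
    dir=$(dirname "$driver")
    dmode=$(ls -ldL "$dir" | awk '{print $1}')
    if ! not_shared_writable "$dmode"; then
        echo "directory is group/world writable ($dmode): $dir" >&2; return 6
    fi
    echo "ok: $driver ($fmode)"
    return 0
}

# Usage: sh check_driver.sh /opt/nfast/toolkits/pkcs11/libcknfast.so
[ "$#" -eq 0 ] || check_pkcs11_driver "$1"
```

A non-zero return code means the path should be corrected or the file permissions tightened before the driver is used with ikeyman.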
What to do next
You can create, import, or receive a personal certificate as you normally would and the private key will be stored on your PKCS11 device.
Related tasks
Getting started with the cryptographic hardware for SSL (Distributed systems)
Managing keys with the ikeyman graphical interface (Distributed systems)