Skip to main content
Version: 8.2405.x.x RR

Installing a certificate for token signing

Using soft certificates

To use a signer certificate you provide in the file system, the following needs to be considered:

  • The certificate for verification needs to be a X509 certificate in DER format.
  • The private key for signing needs to be a PKCS#8 key in DER format.
  • We recommend using a password protected private key.

A sample configuration may therefore look as follows:

<KeyStore name="DefaultKeyStore">
<KeyObject name="DefaultSigner"

The above password getter is accessing the pre-fetched password, which was acquired by the nevisauth start command .

Using a HSM device

Using a Hardware Security Module (HSM) device implies different configurations depending on the vendor of the PKCS#11 client library (usually called libcryptoki).

A sample configuration may look as follows:

<KeyObject name="DefaultSigner"
certificate="pkcs11://?alias=<alias>?provider=SunPKCS11-<name> "
privateKey="pkcs11://?alias=<alias>?provider=SunPKCS11-<name> "

For further information and an example configuration for a "SafeNet Network HSM 1700" HSM, see chapter Signature key material - PKSC11. For an example with a Securosys HSM, see chapter Signature key material - Securosys HSM.