Version: 7.2402.x.x RR

Installing a certificate for token signing

Using soft certificates

To use a signer certificate that you provide in the file system, the following requirements apply:

  • The certificate used for verification must be an X.509 certificate in DER format.
  • The private key used for signing must be a PKCS#8 key in DER format.
  • We recommend using a password-protected private key.

A sample configuration may therefore look as follows:

<KeyStore name="DefaultKeyStore">
  <KeyObject name="DefaultSigner"
             certificate="/var/opt/keybox/nevis/authSigner_keystore.jks?alias=authSigner"
             privateKey="/var/opt/keybox/nevis/authSigner_keystore.jks?alias=authSigner"
             passPhrase="pipe:///opt/neviskeybox/bin/keystorepwget /var/opt/keybox/nevis/authSigner_keystore.jks"
  />
</KeyStore>

The password getter above reads the pre-fetched password that was acquired by the nevisauth start command.
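Before wiring the paths into a KeyObject, it is worth checking that the two files actually meet the three requirements listed above, because a PEM file, a traditional PKCS#1 RSA key or an unencrypted PKCS#8 key will not be caught by the configuration itself. The script below is an added example (not part of the Nevis documentation or product) that inspects only the outer ASN.1 structure of a certificate and a private key file: it classifies each as X.509 DER, PKCS#8 DER (encrypted or not), PKCS#1 RSA DER, PEM or unknown, and reports which requirement is violated. The sample byte strings are constructed, structurally valid skeletons, not real keys or certificates, and no signature is verified.

```python
"""Structural pre-check for soft signer material (added example, not Nevis code)."""
import sys

RSA_OID = bytes.fromhex("2a864886f70d010101")    # 1.2.840.113549.1.1.1 rsaEncryption
PBES2_OID = bytes.fromhex("2a864886f70d01050d")  # 1.2.840.113549.1.5.13 PBES2 (password-based)


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, content, next_pos). Raises ValueError if truncated."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes):
    """Split a constructed (SEQUENCE) value into its direct child (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out


def classify(blob: bytes) -> str:
    """Return 'x509-der', 'pkcs8-der', 'pkcs8-der-encrypted', 'rsa-pkcs1-der', 'pem' or 'unknown'."""
    if blob.startswith(b"-----BEGIN"):
        return "pem"
    try:
        tag, body, end = read_tlv(blob, 0)
        if tag != 0x30 or end != len(blob):  # must be exactly one outer SEQUENCE
            return "unknown"
        kids = children(body)
    except ValueError:
        return "unknown"
    tags = [t for t, _ in kids]
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signature BIT STRING }
    if tags == [0x30, 0x30, 0x03]:
        return "x509-der"
    # EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm SEQUENCE { OID ... }, encryptedData OCTET STRING }
    if tags == [0x30, 0x04] and kids[0][1][:1] == b"\x06":
        return "pkcs8-der-encrypted"
    # PrivateKeyInfo ::= SEQUENCE { version INTEGER, privateKeyAlgorithm SEQUENCE { OID ... }, privateKey OCTET STRING, ... }
    if tags[:3] == [0x02, 0x30, 0x04] and kids[0][1] in (b"\x00", b"\x01") and kids[1][1][:1] == b"\x06":
        return "pkcs8-der"
    # RSAPrivateKey (PKCS#1) ::= SEQUENCE of at least nine INTEGERs; not accepted, but worth naming
    if len(tags) >= 9 and all(t == 0x02 for t in tags):
        return "rsa-pkcs1-der"
    return "unknown"


def check_signer_material(cert_blob: bytes, key_blob: bytes):
    """Apply the three requirements from the documentation; return (ok, findings)."""
    findings = []
    cert_kind, key_kind = classify(cert_blob), classify(key_blob)
    if cert_kind != "x509-der":
        findings.append(f"certificate must be an X.509 certificate in DER format (found: {cert_kind})")
    if key_kind == "pkcs8-der":
        findings.append("private key is PKCS#8 DER but not password protected (recommended)")
    elif key_kind != "pkcs8-der-encrypted":
        findings.append(f"private key must be a PKCS#8 key in DER format (found: {key_kind})")
    ok = cert_kind == "x509-der" and key_kind in ("pkcs8-der", "pkcs8-der-encrypted")
    return ok, findings


# Constructed samples: structurally valid skeletons only, not usable keys or certificates.
SAMPLE_CERT_DER = der(0x30,
    der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01"))   # tbsCertificate skeleton
    + der(0x30, der(0x06, RSA_OID) + der(0x05, b""))                 # signatureAlgorithm
    + der(0x03, b"\x00" + b"\x00" * 8))                              # signature BIT STRING
SAMPLE_KEY_PLAIN_DER = der(0x30,
    der(0x02, b"\x00") + der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x04, b"\x00" * 16))
SAMPLE_KEY_ENCRYPTED_DER = der(0x30,
    der(0x30, der(0x06, PBES2_OID) + der(0x30, b"")) + der(0x04, b"\x11" * 16))
SAMPLE_KEY_PKCS1_DER = der(0x30, b"".join(der(0x02, b"\x01") for _ in range(9)))

if __name__ == "__main__":
    # Usage: python check_signer.py <certificate file> <private key file>  (paths are yours, not Nevis defaults)
    with open(sys.argv[1], "rb") as c, open(sys.argv[2], "rb") as k:
        ok, findings = check_signer_material(c.read(), k.read())
    print("OK" if ok else "NOT OK", *findings, sep="\n")
```

The check is deliberately shallow: it answers "is this the format the KeyObject expects" and nothing more, so run it as a pre-deployment sanity step rather than as a substitute for verifying the certificate chain with your PKI tooling.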

Using an HSM device

Using a Hardware Security Module (HSM) device requires a vendor-specific configuration, because the details depend on the PKCS#11 client library (usually called libcryptoki) supplied by the HSM vendor.

A sample configuration may look as follows:

<KeyObject name="DefaultSigner"
           certificate="pkcs11://?alias=<alias>?provider=SunPKCS11-<name>"
           privateKey="pkcs11://?alias=<alias>?provider=SunPKCS11-<name>"
           passPhrase="..."/>

For further information and an example configuration for a "SafeNet Network HSM 1700" HSM, see the chapter Signature key material - PKCS11. For an example with a Securosys HSM, see the chapter Signature key material - Securosys HSM.