Setting up certificate key and trust stores
About this task
Because FIPS 140-2-compliant mode requires secure communication, you must provide arguments that indicate how the server should obtain the certificate chain, private key, and trusted certificate information that it should use during TLS negotiation.
Steps
- Configure the server with appropriate key and trust stores during setup. Choose from:
  - If you have existing key and trust stores in the BCFKS format:
    - Use the --useBCFKSKeyStore and --useBCFKSTrustStore arguments to provide the paths to those stores.
    - Use either the --keyStorePassword or --keyStorePasswordFile argument to specify the PIN needed to access the contents of the key store.
    - Use either the --trustStorePassword or --trustStorePasswordFile argument to specify the PIN needed to access the contents of the trust store.
    Unlike the JKS format, a PIN is always required when using a BCFKS key store, even if you don’t need to access the private key.
  - If you have existing key and trust stores in a non-BCFKS format:
    - Convert the non-BCFKS files using manage-certificates copy-keystore with the --destination-key-store-type BCFKS argument.
    - Follow the steps for existing key and trust stores in the BCFKS format.
  - If you have PEM files containing the certificate chain and private key from a certificate authority, and you want to use them to generate new BCFKS key and trust stores:
    - Use the --certificateChainPEMFile and --certificatePrivateKeyPEMFile arguments to specify the paths to those files.
    - If you have PEM files containing trusted certificates that you want to include in a new BCFKS trust store, you can use the --trustedCertificatePEMFile argument to provide the paths to those files.
  - If the listener certificate chain and private key that you want to use reside in a PKCS #11 token:
    - Use the --usePKCS11KeyStore argument to enable that support for creating a BCFKS key store.
    PingDirectory only supports key store creation using PKCS #11 tokens. To create a trust store, you must use either the --useBCFKSTrustStore or --trustedCertificatePEMFile argument in conjunction with --usePKCS11KeyStore.
    - If the Java virtual machine (JVM) has not been pre-configured with the necessary PKCS #11 provider, use the --pkcs11ProviderConfigFile argument to specify the path to the necessary provider configuration file.
    - Use either the --keyStorePassword or --keyStorePasswordFile argument to specify the PIN needed to access the token.
  - If you want the server to generate a self-signed certificate and use it to create BCFKS key and trust stores, use the --generateSelfSignedCertificate argument.
    Self-signed certificates are convenient for testing or evaluation purposes, but they aren’t trusted by any clients (by default) and shouldn’t be used in production environments.
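The four option sets above map onto one set of setup arguments; as an added example that is not part of the PingDirectory documentation, the following POSIX shell function assembles those arguments for each case and rejects the combinations the steps rule out (a BCFKS key store without a PIN, a PKCS #11 key store with no trust store source). The tool name setup, the use of the PIN-file argument variants, repeating --trustedCertificatePEMFile once per file, and all file paths are assumptions.

```shell
#!/bin/sh
# Assemble the FIPS-mode key/trust-store arguments for the PingDirectory setup tool and
# enforce the combinations this page describes. Added example, not PingDirectory's own
# code; the tool name "setup" and every file path are assumptions. PIN-file arguments are
# used instead of --keyStorePassword/--trustStorePassword so PINs stay off the command line.
#
# fips_store_args MODE ARGS...   prints one setup argument per line, or fails with a message
#   bcfks        KEYSTORE KS_PIN_FILE TRUSTSTORE TS_PIN_FILE
#   pem          CHAIN_PEM KEY_PEM [TRUSTED_PEM...]
#   pkcs11       KS_PIN_FILE PROVIDER_CFG|- bcfks TRUSTSTORE TS_PIN_FILE
#   pkcs11       KS_PIN_FILE PROVIDER_CFG|- pem TRUSTED_PEM...
#   self-signed
fips_store_args() {
  [ $# -ge 1 ] || { echo "usage: fips_store_args MODE ARGS..." >&2; return 1; }
  mode=$1; shift
  case "$mode" in
    bcfks)
      # A BCFKS key store always needs a PIN, even if the private key is never read.
      [ $# -eq 4 ] || { echo "bcfks: need KEYSTORE KS_PIN_FILE TRUSTSTORE TS_PIN_FILE" >&2; return 1; }
      printf '%s\n' --useBCFKSKeyStore "$1" --keyStorePasswordFile "$2" \
                    --useBCFKSTrustStore "$3" --trustStorePasswordFile "$4" ;;
    pem)
      # CA-issued chain and key in PEM; trusted-certificate PEM files are optional
      # (one --trustedCertificatePEMFile per file is assumed).
      [ $# -ge 2 ] || { echo "pem: need CHAIN_PEM KEY_PEM [TRUSTED_PEM...]" >&2; return 1; }
      printf '%s\n' --certificateChainPEMFile "$1" --certificatePrivateKeyPEMFile "$2"; shift 2
      for t in "$@"; do printf '%s\n' --trustedCertificatePEMFile "$t"; done ;;
    pkcs11)
      # Only the key store can come from the token; the trust store needs its own source.
      [ $# -ge 4 ] || { echo "pkcs11: need KS_PIN_FILE PROVIDER_CFG|- (bcfks|pem) ..." >&2; return 1; }
      case "$3" in
        bcfks) [ $# -eq 5 ] || { echo "pkcs11 bcfks: need TRUSTSTORE TS_PIN_FILE" >&2; return 1; } ;;
        pem)   ;;
        *)     echo "pkcs11: trust store source must be bcfks or pem" >&2; return 1 ;;
      esac
      printf '%s\n' --usePKCS11KeyStore --keyStorePasswordFile "$1"
      [ "$2" = - ] || printf '%s\n' --pkcs11ProviderConfigFile "$2"   # "-": JVM already has the provider
      if [ "$3" = bcfks ]; then printf '%s\n' --useBCFKSTrustStore "$4" --trustStorePasswordFile "$5"
      else shift 3; for t in "$@"; do printf '%s\n' --trustedCertificatePEMFile "$t"; done; fi ;;
    self-signed)
      # Evaluation only: no client trusts this certificate by default.
      printf '%s\n' --generateSelfSignedCertificate ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# Example invocation with constructed placeholder paths (the setup tool name is assumed):
#   setup ... $(fips_store_args bcfks /opt/pd/ks.bcfks /opt/pd/ks.pin /opt/pd/ts.bcfks /opt/pd/ts.pin)
```

Because the output is consumed through unquoted command substitution, paths containing whitespace need the arguments assembled another way.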