PingDirectory

Setting up certificate key and trust stores

About this task

Because FIPS 140-2-compliant mode requires secure communication, you must provide arguments that indicate how the server should obtain the certificate chain, private key, and trusted certificate information that it should use during TLS negotiation.

Steps

  • Configure the server with appropriate key and trust stores during setup. Choose from:

    • If you have existing key and trust stores in the BCFKS format:

      • Use the --useBCFKSKeyStore and --useBCFKSTrustStore arguments to provide the paths to those stores.

      • Use either the --keyStorePassword or --keyStorePasswordFile argument to specify the PIN needed to access the contents of the key store.

      • Use either the --trustStorePassword or --trustStorePasswordFile argument to specify the PIN needed to access the contents of the trust store.

        Unlike the JKS format, a PIN is always required when using a BCFKS key store, even if you don’t need to access the private key.

    • If you have existing key and trust stores in a non-BCFKS format:

      • Convert the non-BCFKS files using manage-certificates copy-keystore with the --destination-key-store-type BCFKS argument.

      • Follow the steps for existing key and trust stores in the BCFKS format.

    • If you have PEM files containing the certificate chain and private key from a certificate authority, and you want to use them to generate new BCFKS key and trust stores:

      • Use the --certificateChainPEMFile and --certificatePrivateKeyPEMFile arguments to specify the paths to those files.

      • If you have PEM files containing trusted certificates that you want to include in a new BCFKS trust store, use the --trustedCertificatePEMFile argument to provide the paths to those files.

    • If the listener certificate chain and private key that you want to use reside in a PKCS #11 token:

      • Use the --usePKCS11KeyStore argument to create a BCFKS key store backed by that token.

        PingDirectory only supports key store creation using PKCS #11 tokens. To create a trust store, you must use either the --useBCFKSTrustStore or --trustedCertificatePEMFile argument in conjunction with --usePKCS11KeyStore.

      • If the Java virtual machine (JVM) has not been preconfigured with the necessary PKCS #11 provider, use the --pkcs11ProviderConfigFile argument to specify the path to the provider configuration file.

      • Use either the --keyStorePassword or --keyStorePasswordFile argument to specify the PIN needed to access the token.

    • If you want the server to generate a self-signed certificate and use it to create BCFKS key and trust stores, use the --generateSelfSignedCertificate argument.

      Self-signed certificates are convenient for testing or evaluation purposes, but they aren’t trusted by any clients by default and shouldn’t be used in production environments.
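As an added example that is not part of PingDirectory or this documentation, the following POSIX shell function checks a set of key and trust store arguments against the constraints stated above (a BCFKS store always needs a PIN, a PKCS #11 key store needs a PIN and a separate trust store source, PEM input needs both chain and private key) before setup is run. The argument names are the ones on this page; the file paths in the demo call are constructed placeholders and are not opened.

```shell
# Added example: pre-flight consistency check for FIPS-mode store arguments.
# Only the argument combination is validated; no file is read and setup is not run.
# Returns 0 when the combination is consistent with the documented rules, 1 otherwise.
check_store_args() {
  ks_mode="" ts_mode="" ks_pin=0 ts_pin=0 pem_key=0
  while [ $# -gt 0 ]; do
    case "$1" in
      --useBCFKSKeyStore)              ks_mode=bcfks;      shift ;;
      --usePKCS11KeyStore)             ks_mode=pkcs11 ;;
      --certificateChainPEMFile)       ks_mode=pem;        shift ;;
      --certificatePrivateKeyPEMFile)  pem_key=1;          shift ;;
      --generateSelfSignedCertificate) ks_mode=selfsigned ;;
      --pkcs11ProviderConfigFile)                          shift ;;
      --useBCFKSTrustStore)            ts_mode=bcfks;      shift ;;
      --trustedCertificatePEMFile)     ts_mode=pem;        shift ;;
      --keyStorePassword|--keyStorePasswordFile)     ks_pin=1; shift ;;
      --trustStorePassword|--trustStorePasswordFile) ts_pin=1; shift ;;
      *) echo "unknown argument: $1" >&2; return 1 ;;
    esac
    shift  # consume the option name itself (values were consumed above)
  done
  case "$ks_mode" in
    "")
      echo "no key store source given" >&2; return 1 ;;
    bcfks)
      # A BCFKS key store requires a PIN even if the private key is never accessed.
      [ "$ks_pin" = 1 ] || { echo "BCFKS key store requires a PIN" >&2; return 1; } ;;
    pkcs11)
      [ "$ks_pin" = 1 ] || { echo "PKCS #11 token requires a PIN" >&2; return 1; }
      # PKCS #11 can only create the key store; the trust store needs its own source.
      [ -n "$ts_mode" ] || { echo "PKCS #11 needs --useBCFKSTrustStore or --trustedCertificatePEMFile" >&2; return 1; } ;;
    pem)
      [ "$pem_key" = 1 ] || { echo "--certificateChainPEMFile needs --certificatePrivateKeyPEMFile" >&2; return 1; } ;;
    selfsigned)
      echo "warning: self-signed certificate is for testing or evaluation only" >&2 ;;
  esac
  if [ "$ts_mode" = bcfks ] && [ "$ts_pin" = 0 ]; then
    echo "BCFKS trust store requires a PIN" >&2; return 1
  fi
  return 0
}

# Demo with constructed placeholder paths: a PKCS #11 key store with no trust store source is rejected.
check_store_args --usePKCS11KeyStore --keyStorePasswordFile /placeholder/token.pin \
  && echo "arguments consistent" || echo "arguments rejected"
```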