1. Extract the Directory Server .zip file onto the system.

    In this example, it's assumed that it’s in /demo/PingDirectory.

  2. Make /demo/PingDirectory your current working directory.
  3. Create a provider configuration file that tells Java how to interact with the PKCS #11 token.
    Note:

    If you use a different type of PKCS #11 token, like an actual hardware security module (HSM), then you must specify the appropriate path to its driver library.

    Consult the documentation for the token that you're using for details, but the provider configuration file will generally look something like the following:

    name = pkcs11
    library = /path/to/provider/library.so
    slotListIndex = 0
  4. Create a file with the user PIN needed to access the token.
  5. Ensure that the PKCS #11 token has an appropriate certificate chain to present to clients during TLS negotiation.
    In many cases, you can use the manage-certificates tool to accomplish this. When interacting with a PKCS #11 token with manage-certificates, you must use the --keystore argument to specify the path to the provider configuration file, the --keystore-type argument with a value of PKCS11, and one of the --keystore-password, --keystore-password-file, or --prompt-for-keystore-password arguments to supply the user PIN.
    $ bin/manage-certificates generate-certificate-signing-request \
         --keystore /path/to/provider.conf \
         --keystore-password-file /path/to/pkcs11/user.pin \
         --keystore-type PKCS11 \
         --alias server-cert \
         --subject-dn "CN=demo.example.com,O=Example Corp,C=US" \
         --key-algorithm EC \
         --key-size-bits 256 \
         --signature-algorithm SHA256withECDSA \
         --subject-alternative-name-dns demo.example.com \
         --subject-alternative-name-ip-address 1.2.3.4 \
         --extended-key-usage server-auth \
         --extended-key-usage client-auth \
         --output-file server-cert.csr \
         --output-format PEM

    After you have the signed certificate, use the manage-certificates import-certificate command to import the certificate chain (the signed certificate, any intermediate authority certificates, and the root authority certificate).