- Make sure that the token already includes a suitable certificate and that the PKCS #11 provider configuration files and user PIN files exist as described in Performing initial preparation for PKCS #11 support in PingDirectory Server.
- Make sure that the trust store has the appropriate trust information for the certificate in the PKCS #11 token. If that certificate is signed by an authority in the Java virtual machine (JVM)'s default set of trusted issuers, or if it's signed by the same private internal authority as the certificate in the current file-based key store, then you can skip this step. But if the certificate in the PKCS #11 token is self-signed, or if it's signed by an authority that the server isn't currently configured to trust, then you must update the trust store with the necessary certificates before switching to the token.
At present, it seems that if you change the key type that the certificate uses (for example, changing from a certificate that uses an RSA key pair to one that uses an elliptic curve key pair), then you might need to restart the server, or at least disable and re-enable the connection handler. If you don't do this, then attempts to establish new secure connections could fail during TLS negotiation, and the server-side error might indicate that it can't handle the new key type.