6.12. 设置新的主密钥

本节介绍了在令牌密钥服务(TKS)中设置新主密钥所需的步骤和配置。有关背景信息，请参阅 Red Hat Certificate System 规划、安装和部署指南。

步骤：创建新 master 密钥

获取内部访问 TKS 安全数据库所需的 PIN：

cat /var/lib/pki/pki-tomcat/tks/conf/password.conf
internal=649713464822
internaldb=secret12
replicationdb=-752230707

# cat /var/lib/pki/pki-tomcat/tks/conf/password.conf
internal=649713464822
internaldb=secret12
replicationdb=-752230707

Copy to Clipboard

打开 TKS 实例 的别名/ 目录：

cd /var/lib/pki/pki-tomcat/alias

# cd /var/lib/pki/pki-tomcat/alias

Copy to Clipboard

使用 caTokenUserDelegateAuthKeyEnrollment 工具生成一个新的 master 密钥。例如：

tkstool -M -n new_master -d /var/lib/pki/pki-tomcat/alias -h <token_name>

# tkstool -M -n new_master -d /var/lib/pki/pki-tomcat/alias -h <token_name>
Enter Password or Pin for "NSS Certificate DB":

Generating and storing the master key on the specified token . . .

Naming the master key "new_master" . . .

Computing and displaying KCV of the master key on the specified token . . .

new_master key KCV:  CA5E 1764

Copy to Clipboard

验证密钥是否已正确添加到数据库中：

tkstool -L -d .

# tkstool -L -d .


 slot:  NSS User Private Key and Certificate Services
token:  NSS Certificate DB

Enter Password or Pin for "NSS Certificate DB":
        <0> new_master

Copy to Clipboard

6.12.1. 生成和传输嵌套的主密钥(key ceremony)

如果要在外部令牌或多个位置使用主密钥，则必须嵌套它，以便安全地将其传送到硬件令牌。caTokenUserDelegateAuthKeyEnrollment 工具可用于生成传输密钥，然后用于将主密钥发送到生成令牌的工具。传输嵌套的主密钥的过程通常称为密钥 Ceremony。

注意

传输密钥只能与它们生成的主密钥一起使用。

流程：生成和传输嵌套的主密钥

获取访问 Token Key Service 安全数据库所需的内部 PIN：

cat /var/lib/pki/pki-tomcat/tks/conf/password.conf

internal=649713464822
internaldb=secret12
replicationdb=-752230707

# cat /var/lib/pki/pki-tomcat/tks/conf/password.conf

internal=649713464822
internaldb=secret12
replicationdb=-752230707

Copy to Clipboard

打开 TKS 实例 别名/ 目录：

cd /var/lib/pki/pki-tomcat/alias

# cd /var/lib/pki/pki-tomcat/alias

Copy to Clipboard

创建名为 transport 的 传输 密钥：
```
tkstool -T -d . -n transport
```
```
# tkstool -T -d . -n transport
```
Copy to Clipboard
注意
caTokenUserDelegateAuthKeyEnrollment 工具为生成的三个会话键打印出密钥共享和 KCV 值。将它们保存到文件中，因为有必要在此流程以后在新数据库中重新生成传输密钥，并在丢失时重新生成密钥。

出现提示时，填写数据库密码。然后，按照屏幕说明生成随机 seed。

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

||

Finished.


Type the word "proceed" and press enter

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

||

Finished.


Type the word "proceed" and press enter

Copy to Clipboard

下一提示将生成一系列会话密钥。按照屏幕说明进行操作，直到最终信息：
```
Successfully generated, stored, and named the transport key!
```
```
Successfully generated, stored, and named the transport key!
```
Copy to Clipboard

使用传输密钥生成并嵌套一个主密钥，并将其存储在名为 文件 的文件中：

tkstool -W -d . -n new_master -t transport -o file

# tkstool -W -d . -n new_master -t transport -o file
Enter Password or Pin for "NSS Certificate DB":
Retrieving the transport key (for wrapping) from the specified token . . .
Generating and storing the master key on the specified token . . .
Naming the master key "new_master" . . .
Successfully generated, stored, and named the master key!
Using the transport key to wrap and store the master key . . .
Writing the wrapped data (and resident master key KCV) into the
 file called "file" . . .

       wrapped data:   47C0 06DB 7D3F D9ED
                       FE91 7E6F A7E5 91B9
       master key KCV: CED9 4A7B
       (computed KCV of the master key residing inside the wrapped data)

Copy to Clipboard

将嵌套的主密钥复制到适当的位置或工具中。
如有必要，在 HSM 或工具中生成新的安全数据库：
```
tkstool -N -d <directory>
```
```
# tkstool -N -d <directory>
```
Copy to Clipboard
或者，添加 -I 选项来生成与最初在新数据库中生成的密钥相同。以这种方式重新生成传输密钥要求您为此流程前面生成的每个会话密钥输入会话密钥共享和 KCV。
```
tkstool -I -d <directory> -n verify_transport
```
```
# tkstool -I -d <directory> -n verify_transport
```
Copy to Clipboard

使用传输密钥解压缩存储在文件中的主密钥。提示时提供安全数据库 PIN：

tkstool -U -d directory -n new_master -t verify_transport -i file

# tkstool -U -d directory -n new_master -t verify_transport -i file
Enter Password or Pin for "NSS Certificate DB":
Retrieving the transport key from the specified token (for
 unwrapping) . . .
Reading in the wrapped data (and resident master key KCV) from
 the file called "file" . . .

     wrapped data:   47C0 06DB 7D3F D9ED
                     FE91 7E6F A7E5 91B9
     master key KCV: CED9 4A7B
     (pre-computed KCV of the master key residing inside the wrapped data)

Using the transport key to temporarily unwrap the master key to
recompute its KCV value to check against its pre-computed KCV value . . .
     master key KCV: CED9 4A7B
     (computed KCV of the master key residing inside the wrapped data)
     master key KCV: CED9 4A7B
     (pre-computed KCV of the master key residing inside the wrapped data)

Using the transport key to unwrap and store the master key on the
 specified token . . .
Naming the master key "new_master" . . .
Successfully unwrapped, stored, and named the master key!

Copy to Clipboard

验证密钥是否已正确添加到数据库中：

tkstool -L -d

# tkstool -L -d
slot:  NSS User Private Key and Certificate Services
token:  NSS Certificate DB

Enter Password or Pin for "NSS Certificate DB":
			 <0> transport
			 <1> new_master

Copy to Clipboard

返回顶部

6.12. 设置新的主密钥

6.12.1. 生成和传输嵌套的主密钥(key ceremony)

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links