11.2. 使用方法

运行以下命令，检查 tkstool 的版本：

tkstool -V

tkstool -V

Copy to Clipboard

Toggle word wrap

这应该返回类似如下的输出：

tkstool: Version 1.0

tkstool: Version 1.0

Copy to Clipboard

Toggle word wrap

创建新软件数据库。

tkstool -N -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:

tkstool -N -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:

Copy to Clipboard

Toggle word wrap

注意

如果 modutil 工具首次用于将 HSM 插槽和令牌插入到 secmod.db 数据库中，则可以使用硬件 HSM 而不是软件数据库。

如果使用 HSM，则必须将 -h hsm_token 选项添加到以下每个命令中。

列出本地软件密钥数据库的内容。

tkstool -L -d .
 
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB

Enter Password or Pin for "NSS Certificate DB":
tkstool: the specified token is empty

tkstool -L -d .
 
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB

Enter Password or Pin for "NSS Certificate DB":
tkstool: the specified token is empty

Copy to Clipboard

Toggle word wrap

创建名为传输的传输密钥。

tkstool -T -d . -n transport

tkstool -T -d . -n transport

Copy to Clipboard

Toggle word wrap

出现提示时，填写数据库密码，然后在 some noise 中输入以查看随机数字生成器。

会话密钥共享和对应的 KCV 会显示。写入这两个操作。

运行以下命令以生成相同的传输密钥；这通常在需要使用相同的传输密钥的另一组数据库中使用。当运行时，会生成多个会话密钥共享和 KCV。写入所有此信息。

tkstool -I -d . -n verify_transport

tkstool -I -d . -n verify_transport

Copy to Clipboard

Toggle word wrap

此时会出现类似如下的响应：

Generating first symmetric key . . .
Generating second symmetric key . . .
Generating third symmetric key . . .
Extracting transport key from operational token . . .
     transport key KCV: A428 53BA
Storing transport key on final specified token . . .
Naming transport key "transport" . . .
Successfully generated, stored, and named the transport key!

Generating first symmetric key . . .
Generating second symmetric key . . .
Generating third symmetric key . . .
Extracting transport key from operational token . . .
     transport key KCV: A428 53BA
Storing transport key on final specified token . . .
Naming transport key "transport" . . .
Successfully generated, stored, and named the transport key!

Copy to Clipboard

Toggle word wrap

再次列出密钥数据库的内容。

tkstool -L -d .

 slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB

Enter Password or Pin for "NSS Certificate DB":
 0 transport

tkstool -L -d .

 slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB

Enter Password or Pin for "NSS Certificate DB":
 0 transport

Copy to Clipboard

Toggle word wrap

使用传输密钥生成和嵌套主密钥，并将主密钥存储在名为 file 的文件中。

tkstool -W -d . -n wrapped_master -t transport -o file

Enter Password or Pin for "NSS Certificate DB":
Retrieving the transport key (for wrapping) from the specified token . . .
Generating and storing the master key on the specified token . . .
Naming the master key "wrapped_master" . . .
Successfully generated, stored, and named the master key!
Using the transport key to wrap and store the master key . . .
Writing the wrapped data (and resident master key KCV) into the file 
called "file" . . .

       wrapped data:   47C0 06DB 7D3F D9ED 
                       FE91 7E6F A7E5 91B9
       master key KCV: CED9 4A7B 
       (computed KCV of the master key residing inside the wrapped data)

tkstool -W -d . -n wrapped_master -t transport -o file

Enter Password or Pin for "NSS Certificate DB":
Retrieving the transport key (for wrapping) from the specified token . . .
Generating and storing the master key on the specified token . . .
Naming the master key "wrapped_master" . . .
Successfully generated, stored, and named the master key!
Using the transport key to wrap and store the master key . . .
Writing the wrapped data (and resident master key KCV) into the file 
called "file" . . .

       wrapped data:   47C0 06DB 7D3F D9ED 
                       FE91 7E6F A7E5 91B9
       master key KCV: CED9 4A7B 
       (computed KCV of the master key residing inside the wrapped data)

Copy to Clipboard

Toggle word wrap

再次列出软件密钥数据库的内容。

tkstool -L -d .

 slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB

Enter Password or Pin for "NSS Certificate DB":
 0 wrapped_master
 1 transport

tkstool -L -d .

 slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB

Enter Password or Pin for "NSS Certificate DB":
 0 wrapped_master
 1 transport

Copy to Clipboard

Toggle word wrap

注意

密钥的顺序不重要，有些系统可能会以不同顺序显示密钥。

使用传输密钥生成和解压缩存储在名为 file 的文件中的、名为 unwrapped_master 的主密钥。

tkstool -U -d . -n unwrapped_master -t transport -i file

Enter Password or Pin for "NSS Certificate DB":
Retrieving the transport key from the specified token (for unwrapping) . . .
Reading in the wrapped data (and resident master key KCV) from the file 
called "file" . . .

     wrapped data:   47C0 06DB 7D3F D9ED
                     FE91 7E6F A7E5 91B9
     master key KCV: CED9 4A7B
     (pre-computed KCV of the master key residing inside the wrapped data)

Using the transport key to temporarily unwrap the master key to 
recompute its KCV value to check against its pre-computed KCV value . . .
     master key KCV: CED9 4A7B
     (computed KCV of the master key residing inside the wrapped data)
     master key KCV: CED9 4A7B
     (pre-computed KCV of the master key residing inside the wrapped data)

Using the transport key to unwrap and store the master key on the 
specified token . . .
Naming the master key "unwrapped_master" . . .
Successfully unwrapped, stored, and named the master key!

tkstool -U -d . -n unwrapped_master -t transport -i file

Enter Password or Pin for "NSS Certificate DB":
Retrieving the transport key from the specified token (for unwrapping) . . .
Reading in the wrapped data (and resident master key KCV) from the file 
called "file" . . .

     wrapped data:   47C0 06DB 7D3F D9ED
                     FE91 7E6F A7E5 91B9
     master key KCV: CED9 4A7B
     (pre-computed KCV of the master key residing inside the wrapped data)

Using the transport key to temporarily unwrap the master key to 
recompute its KCV value to check against its pre-computed KCV value . . .
     master key KCV: CED9 4A7B
     (computed KCV of the master key residing inside the wrapped data)
     master key KCV: CED9 4A7B
     (pre-computed KCV of the master key residing inside the wrapped data)

Using the transport key to unwrap and store the master key on the 
specified token . . .
Naming the master key "unwrapped_master" . . .
Successfully unwrapped, stored, and named the master key!

Copy to Clipboard

Toggle word wrap

列出密钥数据库的内容，以显示所有密钥。

tkstool -L -d .

 slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB

Enter Password or Pin for "NSS Certificate DB":
 0 unwrapped_master
 1 wrapped_master
 2 transport

tkstool -L -d .

 slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB

Enter Password or Pin for "NSS Certificate DB":
 0 unwrapped_master
 1 wrapped_master
 2 transport

Copy to Clipboard

Toggle word wrap

从数据库中删除密钥。

tkstool -D -d . -n wrapped_master

Enter Password or Pin for "NSS Certificate DB":
tkstool: 1 key(s) called "wrapped_master" were deleted

tkstool -D -d . -n wrapped_master

Enter Password or Pin for "NSS Certificate DB":
tkstool: 1 key(s) called "wrapped_master" were deleted

Copy to Clipboard

Toggle word wrap

再次列出密钥数据库的内容，以显示所有密钥。

tkstool -L -d .

slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB

Enter Password or Pin for "NSS Certificate DB":
 0 unwrapped_master
 1 transport

tkstool -L -d .

slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB

Enter Password or Pin for "NSS Certificate DB":
 0 unwrapped_master
 1 transport

Copy to Clipboard

Toggle word wrap

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links