6.13. 设置新主密钥
本节介绍了在令牌密钥服务(TKS)中设置新主密钥所需的步骤和配置。有关背景信息,请参阅 Red Hat Certificate System Planning、安装和部署指南。
过程 6.1. 创建新主密钥
- 获取内部访问 TKS 安全数据库所需的 PIN:
#cat /var/lib/pki/pki-tomcat/tks/conf/password.conf internal=649713464822 internaldb=secret12 replicationdb=-752230707 - 打开 TKS 实例
的别名/目录:#cd /var/lib/pki/pki-tomcat/alias - 使用 tkstool 工具生成新的主密钥。例如:
#tkstool -M -n new_master -d /var/lib/pki/pki-tomcat/alias -h <token_name> Enter Password or Pin for "NSS Certificate DB": Generating and storing the master key on the specified token . . . Naming the master key "new_master" . . . Computing and displaying KCV of the master key on the specified token . . . new_master key KCV: CA5E 1764 - 验证密钥是否已正确添加到数据库中:
#tkstool -L -d . slot: NSS User Private Key and Certificate Services token: NSS Certificate DB Enter Password or Pin for "NSS Certificate DB": <0> new_master
6.13.1. 生成和传输 Wrapped Master 密钥(Key Ceremony)
如果要在外部令牌或多个位置使用主密钥,则必须 嵌套 它,以便安全地将其传送到硬件令牌。tkstool 工具可用于生成传输密钥,然后用于将主密钥发送到生成令牌的工具。传输嵌套主密钥的过程通常称为 Key Ceremony。
注意
传输密钥只能与它们生成的主密钥一起使用。
过程 6.2. 生成和传输 Wrapped 主密钥
- 获取访问 Token Key Service 安全数据库所需的内部 PIN:
#cat /var/lib/pki/pki-tomcat/tks/conf/password.conf internal=649713464822 internaldb=secret12 replicationdb=-752230707 - 打开 TKS 实例
别名/目录:#cd /var/lib/pki/pki-tomcat/alias - 创建名为 transport 的
传输密钥:#tkstool -T -d . -n transport注意tkstool 工具打印每个生成的三个会话键的密钥共享和 KCV 值。将它们保存到文件中,因为有必要在此流程以后在新数据库中重新生成传输密钥,并在丢失时重新生成密钥。 - 出现提示时,填写数据库密码。然后,按照屏幕说明生成随机 seed。
A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard. To begin, type keys on the keyboard until this progress meter is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! Continue typing until the progress meter is full: |************************************************************| Finished. Type the word "proceed" and press enter
- 下一提示将生成一系列会话密钥。按照屏幕说明进行操作,直到最终信息:
Successfully generated, stored, and named the transport key!
- 使用传输密钥生成并嵌套主密钥,并将其存储在名为
file的文件中:#tkstool -W -d . -n new_master -t transport -o file Enter Password or Pin for "NSS Certificate DB": Retrieving the transport key (for wrapping) from the specified token . . . Generating and storing the master key on the specified token . . . Naming the master key "new_master" . . . Successfully generated, stored, and named the master key! Using the transport key to wrap and store the master key . . . Writing the wrapped data (and resident master key KCV) into the file called "file" . . . wrapped data: 47C0 06DB 7D3F D9ED FE91 7E6F A7E5 91B9 master key KCV: CED9 4A7B (computed KCV of the master key residing inside the wrapped data) - 将嵌套的主密钥复制到适当的位置或工具中。
- 如有必要,在 HSM 或工具中生成新的安全数据库:
#tkstool -N -d <directory>或者,添加-I选项来生成与最初在新数据库中生成的密钥相同的密钥。以这种方式重新生成传输密钥要求您为此流程前面生成的每个会话密钥输入会话密钥共享和 KCV。#tkstool -I -d <directory> -n verify_transport - 使用传输密钥解压缩存储在文件中的主密钥。提示时提供安全数据库 PIN:
#tkstool -U -d directory -n new_master -t verify_transport -i file Enter Password or Pin for "NSS Certificate DB": Retrieving the transport key from the specified token (for unwrapping) . . . Reading in the wrapped data (and resident master key KCV) from the file called "file" . . . wrapped data: 47C0 06DB 7D3F D9ED FE91 7E6F A7E5 91B9 master key KCV: CED9 4A7B (pre-computed KCV of the master key residing inside the wrapped data) Using the transport key to temporarily unwrap the master key to recompute its KCV value to check against its pre-computed KCV value . . . master key KCV: CED9 4A7B (computed KCV of the master key residing inside the wrapped data) master key KCV: CED9 4A7B (pre-computed KCV of the master key residing inside the wrapped data) Using the transport key to unwrap and store the master key on the specified token . . . Naming the master key "new_master" . . . Successfully unwrapped, stored, and named the master key! - 验证密钥是否已正确添加到数据库中:
#tkstool -L -d slot: NSS User Private Key and Certificate Services token: NSS Certificate DB Enter Password or Pin for "NSS Certificate DB": <0> transport <1> new_master
