This article describes how to manage keystores in Nexus Timestamp Server .
A keystore contains a private key, a corresponding subject certificate and optionally one or more issuer (CA) certificates. Nexus Timestamp Server accepts two different keystore formats, PKCS#12 and JKS (Java KeyStore), as well as PKCS#11 libraries for HSM support.
-
JKS keystores
Manage JKS keystores with keytool which is a tool included in the Java JRE/JDK as <javadir>/bin/keytool. -
PKCS#12 keystores
Manage PKCS#12 keystores with a tool such as openssl or Smart ID Certificate Manager . -
PKCS#11 keystores
Manage PKCS#11 keystores with the bundled tool hwsetup, see Initialize Hardware Security Module in Timestamp Server , or tools from the HSM vendor. See documentation and explanations from the vendor for a complete reference.
Keys to use in a PKCS#11 keystore MUST have a mapped certificate with the same CKA_LABEL and CKA_PRIVATE set to false.