Manage keystores in Nexus Timestamp Server
This article describes how to manage keystores in Nexus Timestamp Server.
A keystore contains a private key, a corresponding subject certificate and optionally one or more issuer (CA) certificates. Nexus Timestamp Server accepts two different keystore formats, PKCS#12 and JKS (Java KeyStore), as well as PKCS#11 libraries for HSM support.
JKS keystores
Manage JKS keystores with keytool which is a tool included in the Java JRE/JDK as <javadir>/bin/keytool.PKCS#12 keystores
Manage PKCS#12 keystores with a tool such as openssl or Smart ID Certificate Manager.PKCS#11 keystores
Manage PKCS#11 keystores with the bundled tool hwsetup, see Initialize Hardware Security Module in Timestamp Server, or tools from the HSM vendor. See documentation and explanations from the vendor for a complete reference.
Keys to use in a PKCS#11 keystore MUST have a mapped certificate with the same CKA_LABEL and CKA_PRIVATE set to false.