Skip to main content
Skip table of contents

PGW officer and RA keystores

PKCS#11 based keystores for officer and RA tokens

Apart from PKCS#12 keystores, Protocol Gateway also supports PKCS#11 based keystores for officer and RA tokens. In order to use PKCS#11 keystores with PGW, the library file jpkcs11.dll (or libjpkcs11.so in a Linux based host) must be made available to the application server hosting Protocol Gateway. This library file is distributed with the Certificate Manager server.

For Windows operating systems, the jpkcs11.dll library file needs to be copied from the Certificate Manager bin directory to a path specified in the variable java.library.path used by the web application server hosting Protocol Gateway.

For Linux based operating systems, the libjpkcs11.so library file needs to be copied to a path pointed out by LD_LIBRARY_PATH environment variable for the web application server hosting Protocol Gateway. Please refer to the documentation of your web application server for setting the LD_LIBRARY_PATH environment variable accordingly. Copying the library file to any of the paths indicated by the variable java.library.path, where the web application server hosting Protocol Gateway can find it, is also possible.

The PKCS#11 specific parameters are documented in the cm-gateway.properties configuration file. While they apply globally for all handlers in all protocols running in PGW, they can also be configured per protocol as default values for all handlers or individually on each handler:

CODE 
default.officer.pkcs11 = {ProgramFiles}/Personal/Bin/personal.dll
default.officer.certificate.subject = Company CA
default.officer.password = abcd1234
CODE 
handler.1.officer.pkcs11 = {ProgramFiles}/Personal/Bin/personal.dll
handler.1.officer.certificate.subject = Enterprise CA
handler.1.officer.password = abcd1234


PKCS#11 and PKCS#12 related parameters for an officer or RA keystore cannot be mixed on the same handler. For example, a PKCS#12 keystore cannot be used in cm-gateway.properties while at the same time using a PKCS#11 keystore for a handler in any of the protocols, as the PKCS#12 related parameters from cmgateway.properties will apply globally to the handlers defined in each protocol and conflict with the PKCS#11 related parameters.

The PKCS#11 keystore can also be used for RA tokens. An example on how to configure RA tokens from a PKCS#11 keystore can be found in Use CMP or SCEP protocol in CA mode.


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close