PKI Interoperability Labs: Getting a Certificate onto a Token
Page 1 of 2
How do I get a Certificate stored on my hardware token?
A certificate is the signed-and-locked combination of your identity (your “Subject”
information, in certificate-speak) and your public key. The certification authority signs that
combination, vouching that the key belongs to the named subject, which is what lets a wide
variety of applications trust and use it. So how do you get a certificate? There are four main steps:
1. Generate a public/private key pair.
2. Create a certificate signing request, and send that to a certification authority.
3. Ask the certification authority to sign your request, and provide any identification or authentication information needed.
4. Transfer the certificate back so that you can use it.
In this demonstration, we’ll walk you through how you do this with a WWW browser,
such as Netscape or Internet Explorer. Instead of storing your certificate in the browser’s
database, we will show you how to store it on a hardware token, such as a Rainbow
Technologies iKey. Because these tools have PKI support built in, many of the
steps above happen behind the scenes where you don’t see them.
The hardware token has a cryptographic engine on board. What this means to the user is
that the private key is generated on the token and never leaves it. Every operation that
needs the private key (signing and decryption) is performed on the token; only the public
key and the certificate ever come out.
Generate a public/private key pair
If you’re using a WWW browser, there is no special “make me a key pair” button.
Instead, your browser will generate a key pair when a special chunk of HTML is sent to
it. For example, Netscape Communicator will cause your token to make a key pair
when you press the “submit” button of a form containing this code fragment:
“<KEYGEN NAME="name" KEYTYPE="type">”. What the browser actually submits is not the
private key but the new public key together with a server-supplied challenge, signed with
the new private key, so the server can check that the key really was just generated.
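The following shell script is an added example, not part of the iLabs page or its demo site. It walks the four steps above with the OpenSSL command-line tool standing in for the browser and the CA, and it also produces and checks the Signed Public Key and Challenge (SPKAC) structure that a KEYGEN form submits. A software key file stands in for the token here; with a real token the private key would never exist on disk, but the request, signing and verification steps are identical. The CA name, the subject “Alice Example”, the challenge string and all file names are constructed for this example, and it assumes an `openssl` binary with its default configuration is on the PATH.

```shell
#!/bin/sh
# Added example: the four certificate steps with OpenSSL as a stand-in for
# browser, token and CA. All names below are constructed for this demo.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Lab setup: a throwaway self-signed CA standing in for the iLabs CA.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Example Lab CA" -days 1 2>/dev/null
}

# Step 1: generate the key pair. On a token this runs on-board and the
# private key never leaves; in this software stand-in it lands in user.key.
generate_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out user.key 2>/dev/null
}

# What a KEYGEN form actually submits: the public key plus the server's
# challenge, signed by the new private key (SPKAC).
make_spkac() {
  openssl spkac -key user.key -challenge "$1" > spkac.txt
}

# Server side: check the SPKAC self-signature before trusting the key.
# Exit status 0 means the signature verified.
verify_spkac() {
  openssl spkac -in spkac.txt -verify -noout >/dev/null 2>&1
}

# Server side: recover the challenge so it can be compared with the one
# that was issued (a replayed SPKAC carries a stale challenge).
spkac_challenge() {
  openssl spkac -in spkac.txt | sed -n 's/^ *Challenge String: //p'
}

# Step 2: a certificate signing request carrying the Subject information.
make_csr() {
  openssl req -new -key user.key -subj "/CN=Alice Example/O=iLabs Demo" \
    -out user.csr 2>/dev/null
}

# Step 3: the CA signs the request, producing the certificate.
ca_sign() {
  openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out user.crt 2>/dev/null
}

# Step 4: before installing the certificate, confirm it chains to the CA
# and that its public key is the one belonging to our private key.
verify_cert_matches_key() {
  openssl verify -CAfile ca.pem user.crt >/dev/null &&
  [ "$(openssl x509 -in user.crt -noout -pubkey)" = \
    "$(openssl pkey -in user.key -pubout)" ]
}

run_demo() {
  make_test_ca && generate_keypair &&
  make_spkac "lab-challenge" && verify_spkac &&
  [ "$(spkac_challenge)" = "lab-challenge" ] &&
  make_csr && ca_sign && verify_cert_matches_key &&
  echo "certificate issued in $WORK/user.crt and matches the private key"
}

run_demo
```

Run it with `sh demo.sh`; it leaves the CA, the SPKAC, the CSR and the issued certificate in a scratch directory for inspection with `openssl x509 -in user.crt -text -noout`. The final check matters in practice: a certificate that verifies against the CA but does not match the key on your token is useless, and the mismatch only shows up when you try to sign with it.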
In the iLabs demonstration, you can go to https://n1.pki.ilabs.interop.net/ to
generate a new public/private key pair. When you request a key pair, your browser may
ask you to select between the internal database and the tok