Managing Public Key Technologies
The Key Management Framework (KMF) provides a unified approach to managing public key technologies
(PKI). The Solaris OS has several different applications that make use of PKI
technologies. Each application provides its own programming interfaces, key storage mechanisms, and administrative
utilities. If an application provides a policy enforcement mechanism, the mechanism applies to
that application only. With KMF, applications use a unified set of administrative tools,
a single set of programming interfaces, and a single policy enforcement mechanism. These features
manage the PKI needs of all applications that adopt these interfaces.
KMF unifies the management of public key technologies with the following interfaces:
pktool command – This command manages PKI objects, such as certificates, in a variety of keystores.
kmfcfg command – This command manages the PKI policy database and third-party plugins.
PKI policy decisions include operations such as the validation method for an operation. Also, PKI policy can limit the scope of a certificate. For example, PKI policy might assert that a certificate can be used only for specific purposes. Such a policy would prevent that certificate from being used for other requests.
KMF library – This library contains programming interfaces that abstract the underlying keystore mechanism.
Applications do not have to choose one particular keystore mechanism, but can migrate from one mechanism to another mechanism. The supported keystores are PKCS #11, NSS, and OpenSSL. The library includes a pluggable framework so that new keystore mechanisms can be added. Therefore, applications that use the new mechanisms would require only minor modifications to use a new keystore.