14.6. Managing Tokens Used by the Subsystems

To see if a token can be detected by Certificate System to be installed or configured, use the TokenInfo utility.

TokenInfo /var/lib/pki/instance_name/alias
Database Path: /var/lib/pki/instance_name/alias
Found external module 'NSS Internal PKCS #11 Module'

This utility will return all tokens which can be detected by the Certificate System, not only tokens which are installed in the Certificate System.

To view a list of the tokens currently installed for a Certificate System instance, use the modutil utility.

The token, internal or external, that stores the key pairs and certificates for the subsystems is protected (encrypted) by a password. To decrypt the key pairs or to gain access to them, enter the token password. This password is set when the token is first accessed, usually during Certificate System installation.

It is good security practice to change the password that protects the server's keys and certificates periodically. Changing the password minimizes the risk of someone finding out the password. To change a token's password, use the certutil command-line utility.

For information about certutil, see http://www.mozilla.org/projects/security/pki/nss/tools/.

The single sign-on password cache stores token passwords in the password.conf file. This file must be manually updated every time the token password is changed.