Drag and Drop

Objects such as key values can be copied from one token to another by dragging and dropping the object.

NOTE   The object must have the CKA_EXTRACTABLE attribute set to TRUE to allow this operation.

Dropping a public key object onto a private key object will create an X.509 certificate request (PKCS #10 format). A certificate request encodes a public key together with a subject name (the owner of the key) for submission to a Certification Authority (CA).

The public key used is the one from the object being dragged. The subject name is taken from the CKA_SUBJECT or CKA_SUBJECT_STR attribute of that public key; these attributes were supplied when the key was generated.

NOTE   Certificate Requests should be signed with the private key that matches the public key inside the certificate request. The certificate request is created as an object on the token from where the public key was taken.

The private key used to sign the PKCS#10 encoding may reside on another token, but it should be the private key that matches the public key being encoded.

Dropping a PKCS#10 certificate request object onto a private key object will create an X.509 certificate. X.509 certificates are the standard way to securely bind a public key to a subject name (the owner of the key) for public distribution. X.509 certificates are normally signed by a trusted Certification Authority (CA), also known as the certificate's "issuer". The public key and subject name are extracted from the PKCS#10 object (the one being dragged), and the issuer's name is taken from the CKA_SUBJECT or CKA_SUBJECT_STR attribute of the private key used to sign the certificate (the target of the drag).

X.509 certificates also carry a serial number, which is taken from the CKA_USAGE_COUNT attribute; that attribute must also be present on the signing key. The certificate is created as an object on the token holding the certificate request. The private key used to sign the X.509 encoding may reside on another token and is normally a highly trusted (CA) signing key.