Breadcrumbs

For OpenJDK11 with EC Key

1. Generate a keypair on Utimaco HSM.

›_ Console 

# keytool -genkey -alias tomssleckey -keyalg EC -keystore NONE -storetype 

PKCS11 -storepass 12345678 -providername SunPKCS11-CryptoServer -v

Provide information when prompted Here:

  • EC is the key algorithm

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • 12345678 is the slot PIN

  • SunPKCS11-CryptoServer is the provider name

  • tomssleckey is the key name that will be generated on Utimaco HSM

tmp6lp8fq95.jpg

Key generation using Keytool command

2. Verify that the keys have been generated.

›_ Console 

# keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-
CryptoServer -storepass 12345678 -v

Here:

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • 12345678 is the slot PIN

  • SunPKCS11-CryptoServer is the provider’s name

tmpvpq2wt18.jpg

Listkeys output

  1. List the keys using p11tool2.

›_ Console 

# /opt/utimaco/bin/p11tool2 Slot=0 LoginUser=12345678 ListObjects
tmp_d5k57r5.jpg

List Keys output using p11tool2

  1. Generate a CSR using Keytool command.

›_ Console 

# keytool -certreq -keystore NONE -storetype PKCS11 -storepass 12345678 providername SunPKCS11-CryptoServer -alias tomssleckey  -file tomcateckey.csr

Here:

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • 12345678 is the slot PIN

  • SunPKCS11-CryptoServer is the provider name

  • tomssleckey is the key name

  • tomcateckey.csr is the CSR file name that will be generated


  1. Get this CSR signed by CA.

  2. Copy the signed certificate along with root CA certificate chain on the tomcat server.

  3. Import the signed certificate chain reply using the command below.

›_ Console 

 #keytool -importcert -trustcacerts -alias tomssleckey -file 

/root/test_test.p7b -storetype PKCS11 -keystore NONE -providername SunPKCS11-

CryptoServer -storepass 12345678
tmpw07auwcg.jpg
tmpcniyacpw.jpg

Signed certificate must also contain certificate chain.

  1. Verify that the keytool command shows the signed certificate as well as root CA certificate.

›_ Console 

# keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-
CryptoServer -storepass 12345678 -v

Here:

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • SunPKCS11-CryptoServer is the provider’s name

  • 12345678 is the slot PIN

tmpjdl46voq.jpg
tmpzkmic72q.jpg

Keytool list output