For OpenJDK8 with RSA Key

1. Generate a keypair on Utimaco HSM.

›_ Console

# keytool -genkey -keyalg RSA -keysize 2048 -keystore NONE -storetype PKCS11 -storepass 123456 -providername SunPKCS11-CryptoServer -alias tomcatsslkey

Provide information when prompted here:

  • RSA is the key algorithm

  • 2048 is the key size

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • 123456 is the slot PIN

  • SunPKCS11-CryptoServer is the provider name

  • tomcatsslkey is the key name that will be generated on Utimaco HSM

Key generation using Keytool command

2. Verify that the keys have been generated using keytool command.

›_ Console

# keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 123456 -v

Here:

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • 123456 is the slot PIN

  • SunPKCS11-CryptoServer is the provider name

Listkeys output

3. List the keys using p11tool2.

›_ Console

# /opt/utimaco/bin/p11tool2 Slot=0 LoginUser=123456 ListObjects

List keys output using p11tool2

4. Generate a CSR using Keytool command.

›_ Console

# keytool -certreq -keystore NONE -storetype PKCS11 -storepass 123456 -providername SunPKCS11-CryptoServer -alias tomcatsslkey -file tomcatssl.csr

Here:

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • 123456 is the slot PIN

  • SunPKCS11-CryptoServer is the provider name

  • tomcatsslkey is the key name

  • tomcatssl.csr is the CSR file name that will be generated

5. Get this CSR signed by a CA.

6. Copy the signed certificate along with the root CA certificate chain to the Tomcat server.

7. Import the signed certificate chain reply using the command below.

›_ Console

# keytool -importcert -trustcacerts -alias tomcatsslkey -file /home/tomcat_demo.p7b -storetype PKCS11 -keystore NONE -providername SunPKCS11-CryptoServer -storepass 123456

Import user certificate into keystore

The signed certificate must also contain the certificate chain.

8. Verify that the keytool command shows the signed certificate as well as the root CA certificate.

›_ Console

# keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 123456 -v

Here:

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • 123456 is the slot PIN

  • SunPKCS11-CryptoServer is the provider name

Keytool list output
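The steps above are typed one at a time; the script below is an added example (not part of this guide or of Utimaco's tooling) that wraps the same keytool calls in one POSIX shell file and adds the check that step 8 does by eye: that the alias is a private key entry whose chain contains at least two certificates and ends in a self-signed root. It assumes OpenJDK 8 keytool on PATH, the SunPKCS11-CryptoServer provider configured as in the guide, and the slot PIN in the environment variable HSM_PIN; the `-storepass:env` form keeps the PIN out of shell history and `ps` output, where a literal `-storepass 123456` would be visible. The alias, CSR path and reply path are placeholders, and the two `keytool -list -v` listings used by the check are constructed samples, not real HSM output.

```shell
#!/bin/sh
# Added example, not part of the OpenJDK/Utimaco guide above.
# Assumptions: keytool (OpenJDK 8) on PATH, provider SunPKCS11-CryptoServer
# configured, slot PIN exported as HSM_PIN. Paths below are placeholders.

ALIAS="${ALIAS:-tomcatsslkey}"
CSR_FILE="${CSR_FILE:-tomcatssl.csr}"
REPLY_FILE="${REPLY_FILE:-/path/to/tomcat_demo.p7b}"   # placeholder
PROVIDER="SunPKCS11-CryptoServer"

# Arguments every HSM keytool call shares. -storepass:env reads the PIN from
# $HSM_PIN instead of taking it on the command line.
hsm_keytool() {
  keytool "$@" -keystore NONE -storetype PKCS11 \
    -providername "$PROVIDER" -storepass:env HSM_PIN
}

generate_keypair() { hsm_keytool -genkeypair -keyalg RSA -keysize 2048 -alias "$ALIAS"; }
generate_csr()     { hsm_keytool -certreq -alias "$ALIAS" -file "$CSR_FILE"; }
import_reply()     { hsm_keytool -importcert -trustcacerts -alias "$ALIAS" -file "$REPLY_FILE"; }
list_verbose()     { hsm_keytool -list -v; }

# check_chain ALIAS < output-of-keytool-list-v
# Exit 0 when ALIAS is a PrivateKeyEntry, its chain has >= 2 certificates and
# the last one is self-signed (Owner == Issuer), i.e. the CA reply carried the
# root as well as the leaf. Exit 1/2/3 otherwise, in that order of checks.
check_chain() {
  awk -v alias="$1" '
    /^Alias name: /                          { cur = substr($0, 13); inentry = (cur == alias) }
    inentry && /^Entry type: /               { entry = substr($0, 13) }
    inentry && /^Certificate chain length: / { len = $4 + 0 }
    inentry && /^Certificate\[/              { idx = $0; sub(/^Certificate\[/, "", idx); sub(/\].*/, "", idx); idx += 0 }
    inentry && /^Owner: /                    { owner[idx]  = substr($0, 8) }
    inentry && /^Issuer: /                   { issuer[idx] = substr($0, 9) }
    END {
      if (entry != "PrivateKeyEntry") exit 1
      if (len < 2)                     exit 2
      if (owner[len] != issuer[len])   exit 3
      exit 0
    }'
}

# Constructed sample listings in the layout keytool -v prints (not real output).
SAMPLE_COMPLETE='Keystore type: PKCS11
Keystore provider: SunPKCS11-CryptoServer

Your keystore contains 1 entry

Alias name: tomcatsslkey
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=tomcat.example.test, O=Example
Issuer: CN=Example Root CA, O=Example
Serial number: 1a2b3c
Certificate[2]:
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
Serial number: 01'

# Same alias, but the reply carried only the server certificate (the failure
# mode the guide warns about: the reply must also contain the chain).
SAMPLE_LEAF_ONLY='Alias name: tomcatsslkey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=tomcat.example.test, O=Example
Issuer: CN=Example Root CA, O=Example'

check_sample_complete()  { printf '%s\n' "$SAMPLE_COMPLETE"  | check_chain tomcatsslkey; }
check_sample_leaf_only() { printf '%s\n' "$SAMPLE_LEAF_ONLY" | check_chain tomcatsslkey; }

# The real HSM steps run only on request (needs keytool, the HSM and HSM_PIN).
if [ "${RUN_HSM_STEPS:-0}" = "1" ]; then
  generate_keypair
  generate_csr
  # After the CA has signed $CSR_FILE and the reply is at $REPLY_FILE:
  if [ -f "$REPLY_FILE" ]; then
    import_reply
    list_verbose | check_chain "$ALIAS" && echo "chain for $ALIAS is complete"
  fi
fi
```

Run with `RUN_HSM_STEPS=1 HSM_PIN=... sh hsm-tomcat.sh` against the HSM; without that variable the file only defines the functions, so `check_chain` can be reused on a saved `keytool -list -v` listing from any keystore.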