For OpenJDK 17 with an EC Key

1. Generate an EC key pair on the Utimaco HSM.

›_ Console

# keytool -genkey -alias tomssleckey -keyalg EC -keystore NONE -storetype PKCS11 -storepass 12345678 -providername SunPKCS11-CryptoServer -v

keytool prompts for the distinguished-name fields (CN, OU, O, L, ST, C) of the self-signed certificate it creates for the new key pair; enter the values for the Tomcat host, because the CSR generated later takes its subject from this certificate. In this command:

  • EC is the key algorithm; with no -keysize given, OpenJDK 17 generates a 256-bit key on the P-256 (secp256r1) curve

  • NONE is the keystore name, because the key material lives on the HSM rather than in a file

  • PKCS11 is the storetype

  • 12345678 is the slot PIN; omit -storepass to be prompted for it instead of leaving the PIN in shell history and the process list

  • SunPKCS11-CryptoServer is the provider name (SunPKCS11- followed by the name set in the provider's PKCS#11 configuration file, which must already be registered in java.security for keytool to find it by name)

  • tomssleckey is the alias of the key pair that will be generated on the Utimaco HSM

-genkey is the older spelling of -genkeypair; OpenJDK 17 keytool accepts both.

Figure: Key Generation Using the Keytool Command

2. Verify that the key pair has been generated.

›_ Console

# keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 12345678 -v 

Here:

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • 12345678 is the slot PIN

  • SunPKCS11-CryptoServer is the provider name

Figure: Listkeys Output

3. List the keys on the HSM with the Utimaco p11tool2 utility, to confirm that the objects exist independently of the Java provider.

›_ Console

# /opt/utimaco/bin/p11tool2 Slot=0 LoginUser=12345678 ListObjects

Here, Slot=0 selects the PKCS#11 slot (it must be the same slot the SunPKCS11 configuration uses) and LoginUser=12345678 is the same slot PIN. keytool uses the alias as the PKCS#11 object label, so the objects for tomssleckey should appear in the output.

Figure: List Keys Output Using p11tool2

4. Generate a CSR using the keytool command.

›_ Console

# keytool -certreq -keystore NONE -storetype PKCS11 -storepass 12345678 -providername SunPKCS11-CryptoServer -alias tomssleckey -file tomcateckey.csr

Here:

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • 12345678 is the slot PIN

  • SunPKCS11-CryptoServer is the provider name

  • tomssleckey is the alias of the key pair on the HSM whose public key goes into the request

  • tomcateckey.csr is the CSR file name that will be generated

The request is signed on the HSM with the private key (SHA256withECDSA by default for a 256-bit EC key), and its subject is taken from the self-signed certificate created in step 1 unless -dname is given. The private key never leaves the HSM at any point in this procedure.

5. Get this CSR signed by the CA.

6. Copy the signed server certificate together with the CA chain (intermediate and root CA certificates) to the Tomcat server.

7. Import the signed certificate reply using the command below.

›_ Console

# keytool -importcert -trustcacerts -alias tomssleckey -file /root/test_test.p7b -storetype PKCS11 -keystore NONE -providername SunPKCS11-CryptoServer -storepass 12345678

Because the alias already holds a key pair, keytool treats the file as a certificate reply: it checks that the public key in the reply matches the key on the HSM, builds the chain from the PKCS#7 bundle, and replaces the self-signed certificate with that chain. -trustcacerts lets keytool use the JDK's cacerts file to locate the issuing root if the reply alone does not end at a trusted root.

Figure: Signed Certificate Imported


The certificate reply must contain the complete chain: the server certificate, any intermediate CA certificates and the root CA certificate. If a link is missing and cannot be found in cacerts, keytool refuses the import with a "failed to establish chain" error, and a chain imported without its intermediates leaves Tomcat unable to send them to clients during the TLS handshake.

8. Verify that keytool now shows the signed server certificate and the CA certificates up to the root for the alias. The entry should be listed as a PrivateKeyEntry with a certificate chain length equal to the number of certificates in the reply.

›_ Console

# keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 12345678 -v 

Here:

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • SunPKCS11-CryptoServer is the provider name

  • 12345678 is the slot PIN

Figure: Keytool List Output
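As an added check that is not part of the Utimaco procedure above, the following Java program opens the same PKCS#11 keystore through the registered SunPKCS11-CryptoServer provider, the way Tomcat's JSSE connector will at startup, and verifies the imported entry more strictly than keytool -list does: the private key is an EC key that cannot be read out through the provider, the stored chain is complete, correctly ordered and signed link by link up to a self-signed root, and the leaf certificate really belongs to the key on the HSM (proved by signing on the HSM and verifying with the certificate's public key in software). The provider name and alias are the ones used above; the class name HsmKeyCheck, the probe message and the choice to pass the slot PIN as a command-line argument are assumptions of this example. The check on getEncoded() relies on the OpenJDK 17 SunPKCS11 behaviour of returning null for sensitive or non-extractable private keys.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Added example, not part of the Utimaco or OpenJDK documentation.
// Usage: java HsmKeyCheck <slot-PIN>
public class HsmKeyCheck {

    // Values taken from the keytool commands above.
    static final String PROVIDER_NAME = "SunPKCS11-CryptoServer";
    static final String ALIAS = "tomssleckey";

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java HsmKeyCheck <slot-PIN>");
            System.exit(2);
        }
        char[] pin = args[0].toCharArray();

        // The provider must already be registered in java.security, exactly as
        // keytool -providername requires; otherwise getProvider returns null.
        Provider hsm = Security.getProvider(PROVIDER_NAME);
        if (hsm == null) {
            throw new IllegalStateException(PROVIDER_NAME + " is not registered in java.security");
        }

        // keytool's "-keystore NONE" is load(null, pin) here: no file, the objects are on the HSM.
        KeyStore ks = KeyStore.getInstance("PKCS11", hsm);
        ks.load(null, pin);

        if (!ks.isKeyEntry(ALIAS)) {
            throw new IllegalStateException(ALIAS + " is not a private-key entry; was the reply imported?");
        }

        // 1. The private key must be EC and must stay on the HSM. SunPKCS11 hands back a
        //    handle object for sensitive / non-extractable keys, whose getEncoded() is null
        //    (assumption: OpenJDK 17 SunPKCS11 behaviour). A non-null value means the key
        //    can be read out in clear through the provider, which defeats the HSM.
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, pin);
        if (!"EC".equals(key.getAlgorithm())) {
            throw new IllegalStateException("expected an EC key, found " + key.getAlgorithm());
        }
        if (key.getEncoded() != null) {
            throw new IllegalStateException("private key is readable through the provider; fix the key attributes");
        }

        // 2. The chain must be complete and ordered leaf first, each certificate signed by
        //    the next one, ending in a self-signed root (verify() throws on a bad signature,
        //    checkValidity() on an expired or not-yet-valid certificate).
        Certificate[] chain = ks.getCertificateChain(ALIAS);
        if (chain == null || chain.length < 2) {
            throw new IllegalStateException("chain missing or incomplete; the reply must include the CA certificates");
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            boolean last = (i == chain.length - 1);
            X509Certificate issuer = (X509Certificate) chain[last ? i : i + 1];
            cert.checkValidity();
            cert.verify(issuer.getPublicKey());
            System.out.printf("[%d] %s%n    issued by %s%n", i,
                    cert.getSubjectX500Principal(), cert.getIssuerX500Principal());
        }
        X509Certificate root = (X509Certificate) chain[chain.length - 1];
        if (!root.getSubjectX500Principal().equals(root.getIssuerX500Principal())) {
            throw new IllegalStateException("chain does not end at a self-signed root CA");
        }

        // 3. Prove the leaf certificate belongs to the HSM key: sign a constructed probe
        //    message on the HSM, verify it with the certificate's public key in software.
        byte[] probe = "hsm-key-check".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withECDSA", hsm);
        signer.initSign(key);
        signer.update(probe);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(chain[0].getPublicKey());
        verifier.update(probe);
        if (!verifier.verify(sig)) {
            throw new IllegalStateException("certificate public key does not match the HSM private key");
        }

        System.out.println("OK: EC key on HSM, chain of " + chain.length
                + " certificates verified, certificate matches key");
    }
}
```

Run it on the Tomcat host with the same JDK and java.security that Tomcat uses; step 3 also confirms that the provider can log in to the slot and sign with the key, which is exactly what the TLS handshake will need. If the program passes but Tomcat still fails to start, the problem is in the connector configuration rather than in the HSM entry.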