For OpenJDK17 with an EC Key Using a Self-Signed Certificate

  1. Generate an EC keypair on the Utimaco HSM.

›_ Console

# keytool -genkey -alias tomssleckey -keyalg EC -keystore NONE -storetype PKCS11 -storepass 12345678 -providername SunPKCS11-CryptoServer -v

Provide the requested information when prompted. Here:

  • EC is the key algorithm

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • 12345678 is the slot PIN

  • SunPKCS11-CryptoServer is the provider name

  • tomssleckey is the key name that will be generated on the Utimaco HSM

Keytool Command to Generate Keys

It is recommended to use a CA-signed certificate for the production environment.

  2. Use p11tool2 to verify that the keys have been generated.

›_ Console

# /opt/utimaco/bin/p11tool2 Slot=0 LoginUser=<passcode> ListObjects 
Created Key Details

List Keys Output Using p11tool2

  3. List the keys using the keytool command.

›_ Console

# keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 12345678 -v 

Here:

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • 12345678 is the slot PIN

  • SunPKCS11-CryptoServer is the provider name

Keytool Command to List Keys

Keytool List Output
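
To act on the keytool listing, the following added example (not part of the original guide or of Utimaco's tooling) parses `keytool -list -v` output and reports whether the entry for an alias is an EC private key and whether its certificate is self-signed, which matters given the recommendation above to use a CA-signed certificate in production. The sample listing is constructed, and `check_entry` and `sample_listing` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not vendor code). Reads `keytool -list ... -v` text on stdin
# and checks one alias. Exit status: 0 = EC key with a CA-issued certificate,
# 1 = EC key with a self-signed certificate, 2 = no EC private key entry.
check_entry() {
  awk -v want="$1" '
    /^Alias name: / { alias = substr($0, 13); next }
    alias != want   { next }                      # ignore other entries
    /^Entry type: / { type = substr($0, 13) }
    # Certificate[1] is printed first, so keep only the first match of each.
    /^Owner: /  && owner == ""  { owner  = substr($0, 8) }
    /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
    /^Subject Public Key Algorithm: / && alg == "" { alg = substr($0, 31) }
    END {
      if (type != "PrivateKeyEntry" || alg !~ /EC/) {
        print want ": no EC private key entry found"; exit 2
      }
      if (owner == issuer) {   # name comparison only, not a signature check
        print want ": self-signed (" alg "), use a CA-signed certificate in production"
        exit 1
      }
      print want ": certificate issued by " issuer; exit 0
    }'
}

# Constructed sample listing; on a real system pipe in the output of the
# keytool -list command shown on this page instead.
sample_listing() {
  cat <<'EOF'
Keystore type: PKCS11
Keystore provider: SunPKCS11-CryptoServer

Your keystore contains 1 entry

Alias name: tomssleckey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=tomcat.example.test, OU=IT, O=Example, L=City, ST=State, C=US
Issuer: CN=tomcat.example.test, OU=IT, O=Example, L=City, ST=State, C=US
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
EOF
}

sample_listing | check_entry tomssleckey || echo "exit status: $?"
```

The exit status lets a deployment script refuse to continue when the HSM entry backing the TLS connector is missing, is not an EC key, or is still self-signed.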