For OpenJDK17 with an RSA Key Using a Self-Signed Certificate

  1. Generate an RSA keypair on the Utimaco HSM.

›_ Console

# keytool -genkey -keyalg RSA -keysize 2048 -keystore NONE -storetype PKCS11 -storepass 12345678 -providername SunPKCS11-CryptoServer -alias tomcatrsa17

keytool prompts for the distinguished name of the certificate (CN, OU, O, L, ST, C) and asks you to confirm it. In the command:

  • RSA is the key algorithm

  • 2048 is the key size in bits

  • NONE is the keystore: a PKCS11 keystore has no keystore file, the keys live on the HSM

  • PKCS11 is the keystore type

  • 12345678 is the user PIN of the HSM slot configured for the provider

  • SunPKCS11-CryptoServer is the name of the registered SunPKCS11 provider

  • tomcatrsa17 is the alias of the key pair and self-signed certificate generated on the Utimaco HSM

[Figure: RSA Key Generation Using a Self-Signed Certificate]

Use a self-signed certificate for testing only; a CA-signed certificate is recommended for the production environment.

  2. Verify with p11tool2 that the key pair and certificate were created on the HSM.

›_ Console

# /opt/utimaco/bin/p11tool2 Slot=0 LoginUser=<passcode> ListObjects

Here <passcode> is the user PIN of slot 0, the same PIN passed to keytool as -storepass. The listing shows the certificate and the key objects stored under the alias.

[Figure: Certificate Details]

[Figure: Key Details]

  3. List the keys using the keytool command.

›_ Console

# keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 12345678 -v 

Here:

  • NONE is the keystore: the keys are on the HSM, there is no keystore file

  • PKCS11 is the keystore type

  • SunPKCS11-CryptoServer is the name of the registered SunPKCS11 provider

  • 12345678 is the user PIN of the HSM slot

  • -v prints the full details of each entry, including the certificate

[Figure: Keytool List Command]

[Figure: Keytool List Output]
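The keytool steps above as one script. This is an added example, not code from the Utimaco documentation. It assumes the OpenJDK 17 keytool, a Utimaco PKCS#11 library at the path in PKCS11_LIB (a placeholder; check your CryptoServer installation), slot 0 as in the p11tool2 command, and a provider named CryptoServer so that keytool's provider name matches the page's SunPKCS11-CryptoServer. Two things differ from the commands on the page: the provider is loaded from a SunPKCS11 configuration file with -addprovider instead of being registered in java.security, and the slot PIN is read from the HSM_PIN environment variable (-storepass:env) rather than typed on the command line, where 12345678 would be visible in the process list and shell history. The certificate subject and the keytool listing used by the check are constructed.

```shell
#!/bin/sh
# Added example, not part of the Utimaco documentation: the OpenJDK 17 keytool
# steps from this page as a script.
# Usage:  HSM_PIN=12345678 ./hsm-keys.sh run tomcatrsa17
set -eu

# ASSUMPTIONS: the PKCS#11 library path is a placeholder (check your
# CryptoServer installation); slot 0 matches the p11tool2 command on the page;
# the provider name CryptoServer yields keytool's SunPKCS11-CryptoServer.
PKCS11_LIB="${PKCS11_LIB:-/opt/utimaco/lib/libcs_pkcs11_R3.so}"
PKCS11_SLOT="${PKCS11_SLOT:-0}"
PROVIDER_NAME="CryptoServer"

# SunPKCS11 configuration for the HSM. Passed to keytool with -addprovider,
# so the provider does not have to be registered in java.security.
pkcs11_cfg_text() {
    printf 'name = %s\nlibrary = %s\nslot = %s\n' \
        "$PROVIDER_NAME" "$PKCS11_LIB" "$PKCS11_SLOT"
}

# keytool against the HSM: keystore NONE / storetype PKCS11 as on the page.
# The slot PIN comes from the HSM_PIN environment variable (-storepass:env),
# so it is not visible in `ps` output or shell history.
hsm_keytool() {
    cfg="$1"; shift
    keytool -keystore NONE -storetype PKCS11 \
        -addprovider SunPKCS11 -providerarg "$cfg" \
        -storepass:env HSM_PIN "$@"
}

# Generate a 2048-bit RSA key pair and self-signed certificate on the HSM.
# -dname supplies the subject, so keytool does not prompt for it.
gen_rsa_keypair() {
    hsm_keytool "$1" -genkeypair -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 -alias "$2" -dname "$3"
}

# Read a `keytool -list -v` listing on stdin and succeed only if it contains
# a PrivateKeyEntry under the given alias, which is how a key pair on the
# token appears in the listing.
alias_has_private_key() {
    awk -v a="$1" '
        /^Alias name: / { cur = $0; sub(/^Alias name: /, "", cur) }
        /^Entry type: PrivateKeyEntry/ && cur == a { found = 1 }
        END { exit (found ? 0 : 1) }'
}

main() {
    alias="$1"
    : "${HSM_PIN:?set HSM_PIN to the user PIN of the HSM slot}"
    cfg="$(mktemp)"
    trap 'rm -f "$cfg"' EXIT
    pkcs11_cfg_text > "$cfg"
    # The subject is a placeholder; use the hostname Tomcat will serve.
    gen_rsa_keypair "$cfg" "$alias" "CN=tomcat.example.test, O=Example"
    if hsm_keytool "$cfg" -list -v | alias_has_private_key "$alias"; then
        echo "key pair '$alias' is present on the HSM"
    else
        echo "key pair '$alias' not found on the HSM" >&2
        exit 1
    fi
}

# Only touch the HSM when invoked with "run"; sourcing the file just defines
# the functions, without needing keytool or the HSM.
if [ "${1:-}" = "run" ]; then
    main "${2:-tomcatrsa17}"
fi
```

The final check replaces reading the screenshot by eye: the script fails with a non-zero status if the alias is not listed as a PrivateKeyEntry, which is what you want in a provisioning pipeline. Keep the configuration file out of version control only if you add sensitive settings to it; as written it holds no secret, the PIN lives solely in HSM_PIN.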