For OpenJDK 11 with EC Key

1. Generate a key pair on the Utimaco HSM.

›_ Console

# keytool -genkeypair -alias tomsslec1 -keyalg EC -keystore NONE -storetype CryptoServer \
    -storepass 123456 -providerpath "/opt/tomcat/bin/CryptoServerJCE.jar" \
    -providerclass CryptoServerJCE.CryptoServerProvider \
    -J-Djava.library.path=/opt/tomcat/bin/ -J-cp -J/opt/tomcat/bin/CryptoServerJCE.jar \
    -providername CryptoServer -v

Provide the certificate subject information when prompted.

Here:

  • EC is the key algorithm
  • NONE is the keystore name; the HSM provider keeps the key on the device, so there is no keystore file
  • CryptoServer is the store type
  • 123456 is the slot PIN (if -storepass is omitted, keytool prompts for it, which keeps the PIN out of shell history and process listings)
  • CryptoServer is the provider name
  • /opt/tomcat/bin/CryptoServerJCE.jar is the provider jar (-providerpath and -J-cp), and -J-Djava.library.path points at the directory holding the provider's native library
  • tomsslec1 is the alias of the key that will be generated on the Utimaco HSM

Figure: key generation using the keytool command output


With OpenJDK 11, the RSA key algorithm is not supported with the Utimaco HSM; use EC as shown above.

2. Verify that the keys have been generated using the keytool command.

›_ Console

# keytool -list -keystore NONE -storetype CryptoServer -storepass 123456 \
    -providerpath "/usr/lib/jvm/java-11-openjdk-11.0.2.7-2.el8.x86_64/lib/CryptoServerJCE.jar" \
    -providerclass CryptoServerJCE.CryptoServerProvider \
    -J-Djava.library.path=/usr/lib/jvm/java-11-openjdk-11.0.2.7-2.el8.x86_64/lib/ \
    -J-cp -J/usr/lib/jvm/java-11-openjdk-11.0.2.7-2.el8.x86_64/lib/CryptoServerJCE.jar \
    -providername CryptoServer -v

Here:

  • NONE is the keystore name; the HSM provider keeps the keys on the device
  • CryptoServer is the store type
  • 123456 is the slot PIN
  • CryptoServer is the provider name
  • the provider jar and native library path must point at wherever CryptoServerJCE.jar is installed; this command uses the JDK lib directory, whereas the key generation step uses /opt/tomcat/bin

Figure: keytool list output


3. List the keys on the HSM using the cxitool.

›_ Console

# /opt/utimaco/bin/cxitool Dev=3001@127.0.0.1 LogonPass=tom,123456 Listkeys

Here:

  • Dev=3001@127.0.0.1 is the CryptoServer device address (port@host)
  • LogonPass=tom,123456 is the HSM user and password used to log on
  • Listkeys prints the keys stored on the HSM; the alias generated in step 1 (tomsslec1) should appear

Figure: list keys output using cxitool

4. Generate a CSR using the keytool command.

›_ Console

# keytool -certreq -alias tomsslec1 -file 21dec.csr -keystore NONE -storetype CryptoServer \
    -storepass 123456 -providerpath "/opt/tomcat/bin/CryptoServerJCE.jar" \
    -providerclass CryptoServerJCE.CryptoServerProvider \
    -J-Djava.library.path=/opt/tomcat/bin/ -J-cp -J/opt/tomcat/bin/CryptoServerJCE.jar \
    -providername CryptoServer -v

Here:

  • tomsslec1 is the alias of the key generated in step 1; the CSR is signed by the private key on the HSM
  • NONE is the keystore name; the HSM provider keeps the key on the device
  • CryptoServer is the store type
  • 123456 is the slot PIN
  • CryptoServer is the provider name
  • 21dec.csr is the CSR file that will be written

5. Get this CSR signed by the CA.

6. Copy the signed certificate together with the CA certificate chain to the Tomcat server.

7. Import the signed certificate chain reply using the command below.

›_ Console

# keytool -importcert -trustcacerts -alias tomsslec1 -file /root/21dec.pem \
    -keystore NONE -storetype CryptoServer \
    -providerpath "/opt/tomcat/bin/CryptoServerJCE.jar" \
    -providerclass CryptoServerJCE.CryptoServerProvider \
    -J-Djava.library.path=/opt/tomcat/bin/ -J-cp -J/opt/tomcat/bin/CryptoServerJCE.jar \
    -providername CryptoServer

Since -storepass is not given here, keytool prompts for the slot PIN. The alias must match the key generated in step 1 so that the reply is attached to the existing HSM key rather than imported as a trusted certificate. The signed certificate file must also contain the CA certificate chain.

8. Verify that the keytool command now shows the signed certificate as well as the CA certificate chain for the alias.

›_ Console

# keytool -list -keystore NONE -storetype CryptoServer -storepass 123456 \
    -providerpath "/usr/lib/jvm/java-11-openjdk-11.0.2.7-2.el8.x86_64/lib/CryptoServerJCE.jar" \
    -providerclass CryptoServerJCE.CryptoServerProvider \
    -J-Djava.library.path=/usr/lib/jvm/java-11-openjdk-11.0.2.7-2.el8.x86_64/lib/ \
    -J-cp -J/usr/lib/jvm/java-11-openjdk-11.0.2.7-2.el8.x86_64/lib/CryptoServerJCE.jar \
    -providername CryptoServer -v

Here:

  • NONE is the keystore name; the HSM provider keeps the key on the device
  • CryptoServer is the store type
  • 123456 is the slot PIN
  • CryptoServer is the provider name

Figure: keytool list output
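The keytool steps above (generate, list, CSR, import) repeat the same provider options every time and differ only in the action. The script below is an added example, not part of this page and not Utimaco's or Tomcat's code, that collects those options in one wrapper and adds the check the import step calls for: it refuses a CA reply that does not carry the certificate chain. It assumes the provider jar and native library live under /opt/tomcat/bin as in the page's first command (override JCE_JAR and LIB_DIR), and it deliberately leaves out -storepass so keytool prompts for the slot PIN instead of taking it from the command line.

```shell
#!/bin/sh
# hsm-keytool.sh: the keytool steps on this page as one script. Added example,
# not from the page or from Utimaco. Assumptions: the provider jar and its
# native library are under /opt/tomcat/bin (the page's first command); override
# JCE_JAR, LIB_DIR, ALIAS or KEYTOOL in the environment.
JCE_JAR="${JCE_JAR:-/opt/tomcat/bin/CryptoServerJCE.jar}"
LIB_DIR="${LIB_DIR:-/opt/tomcat/bin/}"
ALIAS="${ALIAS:-tomsslec1}"
KEYTOOL="${KEYTOOL:-keytool}"

# Run keytool with the CryptoServer provider options that every step shares.
# -storepass is deliberately omitted: keytool prompts for the slot PIN, which
# keeps it out of shell history and process listings.
hsm_keytool() {
    "$KEYTOOL" "$@" \
        -keystore NONE -storetype CryptoServer -providername CryptoServer \
        -providerclass CryptoServerJCE.CryptoServerProvider \
        -providerpath "$JCE_JAR" \
        -J-Djava.library.path="$LIB_DIR" -J-cp -J"$JCE_JAR"
}

# Number of PEM certificate blocks in a file (0 if the file is missing).
chain_cert_count() {
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# The page requires the CA reply to carry the chain, not only the leaf:
# refuse to import a file with fewer than two certificates.
require_chain() {
    n=$(chain_cert_count "$1")
    if [ "$n" -lt 2 ]; then
        echo "$1: expected the signed certificate plus its CA chain, found $n certificate(s)" >&2
        return 1
    fi
    return 0
}

hsm_gen()    { hsm_keytool -genkeypair -alias "$ALIAS" -keyalg EC -v; }
hsm_list()   { hsm_keytool -list -v; }
hsm_csr()    { hsm_keytool -certreq -alias "$ALIAS" -file "$1" -v; }
hsm_import() { require_chain "$1" && hsm_keytool -importcert -trustcacerts -alias "$ALIAS" -file "$1"; }

# Step dispatcher; with no argument the script only defines the functions.
case "${1:-}" in
    gen)    hsm_gen ;;
    list)   hsm_list ;;
    csr)    hsm_csr "${2:?usage: $0 csr <out.csr>}" ;;
    import) hsm_import "${2:?usage: $0 import <reply.pem>}" ;;
    "")     ;;
    *)      echo "usage: $0 gen | list | csr <out.csr> | import <reply.pem>" >&2; exit 2 ;;
esac
```

Typical use is `./hsm-keytool.sh gen`, then `./hsm-keytool.sh csr 21dec.csr`, and after the CA returns the reply `./hsm-keytool.sh import /root/21dec.pem`; `./hsm-keytool.sh list` before and after the import shows the alias first with the self-signed certificate keytool generated and then with the CA-signed chain. The chain check only counts PEM blocks; it catches a reply that holds the leaf alone but does not validate signatures, which keytool does when it builds the chain.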