For OpenJDK 8 with EC Key

1. Generate an EC key pair on the Utimaco HSM.

›_ Console

# keytool -genkey -keyalg EC -keystore NONE -storetype CryptoServer -storepass 12345678 -providername CryptoServer -alias tomcatsslECKey

Provide the requested distinguished-name fields when prompted. The private key is generated inside the HSM and never leaves it; keytool only stores the matching self-signed placeholder certificate under the alias until the CA reply is imported.

Here:

  • EC is the key algorithm

  • NONE is the keystore for the HSM (there is no keystore file; the HSM is the store)

  • CryptoServer is the store type

  • 12345678 is the HSM user PIN (an example value; passing it with -storepass leaves it in the shell history and process list, so on a shared host omit the option and let keytool prompt for it)

  • CryptoServer is the provider name

  • tomcatsslECKey is the alias of the key that will be generated on the Utimaco HSM


[Screenshot] Key generation using keytool command output

2. Verify with keytool that the key pair has been generated.

›_ Console

# keytool -list -keystore NONE -storetype CryptoServer -providername CryptoServer -storepass 12345678 -v

Here:

  • NONE is the keystore for HSM

  • CryptoServer is the store type

  • 12345678 is the HSM user PIN

  • CryptoServer is the provider name

[Screenshot] Keytool list output

3. List the keys with cxitool to confirm that the key object exists on the HSM itself, not only in the provider's view of it.

›_ Console

# /opt/utimaco/bin/cxitool Dev=3001@127.0.0.1 Logonpass=tomcat,12345678 Group=JCE ListKeys

Here:

  • Dev=3001@127.0.0.1 is the address of the CryptoServer (port 3001 on the local host)

  • Logonpass=tomcat,12345678 is the HSM user name and PIN

  • Group=JCE is the key group in which the JCE provider stores its keys

[Screenshot] List keys output using cxitool

4. Generate a CSR with keytool.

›_ Console

# keytool -certreq -alias tomcatsslECKey -file test.csr -storetype CryptoServer -keystore NONE -providername CryptoServer -v

[Screenshot] keytool -certreq output

Enter the HSM user PIN when prompted for the keystore password (-storepass is omitted here, so the PIN is not recorded in the shell history). The CSR is signed by the private key inside the HSM.

Here:

  • tomcatsslECKey is the alias of the key generated in step 1

  • NONE is the keystore for the HSM

  • CryptoServer is the store type

  • CryptoServer is the provider name

  • test.csr is the CSR file that will be written

5. Have the CSR signed by your CA.

6. Copy the signed certificate together with the CA certificate chain (intermediate and root) to the Tomcat server.

7. Import the CA reply (signed certificate plus chain) with the command below.

›_ Console

# keytool -importcert -trustcacerts -alias tomcatsslECKey -file /root/Utimaco_Signedcert.p7b -storetype CryptoServer -keystore NONE -providername CryptoServer -storepass 12345678

[Screenshot] Import user certificate into key store


The CA reply must contain the full certificate chain (issuing CA and root), or the CA certificates must already be present in the JDK's cacerts file, which -trustcacerts consults when building the chain; otherwise keytool cannot establish trust in the reply and rejects it. The alias must be the one used in step 1, so that the certificate is attached to the HSM-resident key rather than stored as a separate trusted-certificate entry.

8. Verify with keytool that the alias now holds the signed certificate and its chain.

›_ Console

# keytool -list -keystore NONE -storetype CryptoServer -providername CryptoServer -storepass 12345678 -v

Here:

  • NONE is the key store for the HSM

  • CryptoServer is the store type

  • 12345678 is the HSM user PIN

  • CryptoServer is the provider name

[Screenshot] Keytool list output
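The keytool listing in the last step shows the entry, but it does not prove that the chain is complete and that the key is usable from Java. The following program is an added example (it is not part of the original page and not Utimaco's or Tomcat's code) that opens the CryptoServer keystore the same way Tomcat's JSSE connector will, with store type CryptoServer, provider CryptoServer and no keystore file, then checks that the alias is an EC key entry whose chain is complete, currently valid and no longer the self-signed placeholder from step 1. It assumes the CryptoServer JCE provider is registered in java.security (the keytool commands above depend on the same registration via -providername) and that the HSM user PIN is supplied in the HSM_PIN environment variable; the class name CheckHsmEntry is an arbitrary choice.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;

/**
 * Added example, not from the page: opens the HSM-backed keystore as Tomcat
 * will and validates the tomcatsslECKey entry end to end.
 *
 * Assumptions: the CryptoServer JCE provider is registered in java.security,
 * and the HSM user PIN is passed in the HSM_PIN environment variable so that
 * it does not appear on the command line.
 */
public class CheckHsmEntry {

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "tomcatsslECKey";
        String pin = System.getenv("HSM_PIN");
        if (pin == null || pin.isEmpty()) {
            throw new IllegalStateException("set HSM_PIN to the HSM user PIN");
        }
        char[] pinChars = pin.toCharArray();

        // Equivalent of: keytool -storetype CryptoServer -providername CryptoServer -keystore NONE
        KeyStore ks = KeyStore.getInstance("CryptoServer", "CryptoServer");
        ks.load(null, pinChars);   // null stream: the HSM is the store, there is no file

        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException(alias + " is not a key entry; was the CA reply imported under this alias?");
        }

        // keytool used the store PIN as the key password, so the same PIN is passed here.
        PrivateKey key = (PrivateKey) ks.getKey(alias, pinChars);
        if (!"EC".equals(key.getAlgorithm())) {
            throw new IllegalStateException(alias + " is a " + key.getAlgorithm() + " key, not EC");
        }

        Certificate[] chain = ks.getCertificateChain(alias);
        checkChain(chain);
        System.out.println(alias + ": EC key with a " + chain.length + "-certificate chain, OK");
    }

    /** Chain is leaf first; each certificate must be signed by the next, the last by itself. */
    static void checkChain(Certificate[] chain) throws Exception {
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("no certificate chain stored for the alias");
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            // -genkey leaves a self-signed certificate behind; the CA reply replaces it
            throw new IllegalStateException("leaf is self-signed: the CA reply has not been imported");
        }
        if (!(leaf.getPublicKey() instanceof ECPublicKey)) {
            throw new IllegalStateException("leaf certificate does not carry an EC public key");
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            X509Certificate issuer = (X509Certificate) chain[Math.min(i + 1, chain.length - 1)];
            cert.checkValidity();                 // throws if expired or not yet valid
            cert.verify(issuer.getPublicKey());   // throws if the signature does not verify
            System.out.println("  [" + i + "] " + cert.getSubjectX500Principal()
                    + "  issued by  " + cert.getIssuerX500Principal());
        }
        X509Certificate top = (X509Certificate) chain[chain.length - 1];
        if (!top.getSubjectX500Principal().equals(top.getIssuerX500Principal())) {
            // The stored chain stops at an intermediate; Tomcat still serves it, but
            // clients must then hold the root themselves.
            System.out.println("  warning: stored chain does not end in a self-signed root");
        }
    }
}
```

Run it as `HSM_PIN=12345678 java CheckHsmEntry tomcatsslECKey` on the Tomcat host. A failure in `ks.getKey` or `isKeyEntry` points at the import step (wrong alias or reply not imported), while a failure inside `checkChain` points at an incomplete or mis-ordered CA reply; both would otherwise only surface as an opaque handshake error once the connector is configured.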