For OpenJDK 8 with RSA Key

1. Generate an RSA key pair on the Utimaco HSM.

›_ Console

# keytool -genkey -keyalg RSA -keysize 2048 -keystore NONE -storetype CryptoServer -storepass 12345678 -providername CryptoServer -alias tomcatsslkey

Enter the requested information (the certificate's distinguished name) when prompted.

Here:

  • RSA is the key algorithm

  • 2048 is the key size in bits

  • NONE is the keystore name: the keys live on the HSM, so there is no keystore file

  • CryptoServer is the store type

  • 12345678 is the HSM user PIN, passed as the store password

  • CryptoServer is the provider name

  • tomcatsslkey is the alias of the key that will be generated on the Utimaco HSM

[Image: key generation output of the keytool command]

2. Verify that the keys have been generated with the keytool command.

›_ Console

# keytool -list -keystore NONE -storetype CryptoServer -providername CryptoServer -storepass 12345678 -v

Here:

  • NONE is the keystore name: the keys live on the HSM, so there is no keystore file

  • CryptoServer is the store type

  • 12345678 is the HSM user PIN, passed as the store password

  • CryptoServer is the provider name

[Image: keytool list output]

3. List the keys on the HSM using the cxitool.

›_ Console

# /opt/utimaco/bin/cxitool Dev=3001@127.0.0.1 Logonpass=tomcat,12345678 Group=JCE ListKeys

[Image: list keys output of the cxitool]

4. Generate a CSR using the keytool command.

›_ Console

# keytool -certreq -alias tomcatsslkey -file test.csr -storetype CryptoServer -keystore NONE -v

Enter the HSM user PIN when you are prompted for the keystore password.

Here:

  • tomcatsslkey is the alias of the key on the HSM

  • CryptoServer is the store type

  • test.csr is the name of the CSR file that will be written

  • NONE is the keystore name: the keys live on the HSM, so there is no keystore file

5. Get this CSR signed by the CA.

6. Copy the signed certificate along with the root CA certificate chain to the Tomcat server.

7. Import the signed certificate chain reply using the command below.

›_ Console

# keytool -importcert -trustcacerts -alias tomcatsslkey -file /root/test_test.pem -storetype CryptoServer -keystore NONE -providername CryptoServer -storepass 12345678

[Image: import of the user certificate into the keystore]

The signed certificate file (/root/test_test.pem above) must also contain the CA certificate chain; without it keytool cannot link the reply to the key pair on the HSM.

8. Verify that the keytool command shows the signed certificate.

›_ Console

# keytool -list -keystore NONE -storetype CryptoServer -providername CryptoServer -storepass 12345678 -v

Here:

  • NONE is the keystore name: the keys live on the HSM, so there is no keystore file

  • CryptoServer is the store type

  • 12345678 is the HSM user PIN, passed as the store password

  • CryptoServer is the provider name

[Image: keytool list output]
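As an added check that is not part of the original page: the POSIX shell function below parses the output of the keytool -list -v command from step 8 and confirms that the tomcatsslkey alias is a PrivateKeyEntry whose chain contains a CA certificate, which is what distinguishes an imported CA reply from the self-signed placeholder that -genkey created. The keytool output layout and the sample listing are assumptions constructed for this example.

```shell
# check_alias ALIAS FILE: exit 0 only if ALIAS is a PrivateKeyEntry, its chain has
# at least two certificates (leaf + CA) and the leaf is not self-signed.
check_alias() {
    awk -v want="$1" '
        /^Alias name: /                              { cur = substr($0, 13) }
        cur == want && /^Entry type: /               { etype = $3 }
        cur == want && /^Certificate chain length: / { clen = $4 + 0 }
        cur == want && /^Certificate\[1\]:/          { leaf = 1 }
        cur == want && leaf && /^Owner: /            { owner = substr($0, 8) }
        cur == want && leaf && /^Issuer: /           { issuer = substr($0, 9); leaf = 0 }
        END {
            if (etype != "PrivateKeyEntry") { print "FAIL: " want ": not a PrivateKeyEntry"; exit 1 }
            if (clen < 2)        { print "FAIL: " want ": no CA chain (length " clen ")"; exit 1 }
            if (owner == issuer) { print "FAIL: " want ": leaf certificate is self-signed"; exit 1 }
            print "OK: " want ": chain length " clen ", issued by " issuer
        }' "$2"
}

# Constructed sample listing in the Java 8 "keytool -list -v" layout (assumed, not
# captured from an HSM): one key that still carries the self-signed certificate
# -genkey creates, and one whose CA reply was imported. Writes it to FILE ($1).
write_sample_listing() {
    cat > "$1" <<'EOF'
Your keystore contains 2 entries
Alias name: freshkey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=tomcat.example.test, O=Example
Issuer: CN=tomcat.example.test, O=Example
Alias name: tomcatsslkey
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=tomcat.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Root CA, O=Example
EOF
}
```

Against the HSM keystore from this page, run `keytool -list -keystore NONE -storetype CryptoServer -providername CryptoServer -storepass 12345678 -v > listing.txt && check_alias tomcatsslkey listing.txt`.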