With RSA Key (CA Signed Certificate)

1. Generate a keypair on Utimaco HSM with the help of keytool command.

# keytool -genkey -alias ibmrsa -keyalg RSA -keysize 2048 -keystore NONE -storetype PKCS11IMPLKS -providername IBMPKCS11Impl-CryptoServer 

Provide information when prompted Here:

• RSA is the key algorithm

• 2048 is the key size

• NONE is the keystore for HSM

• PKCS11IMPLKS is the storetype

• IBMPKCS11Impl-CryptoServer is the provider name

• ibmrsa is the key name that will be generated on Utimaco HSM

Provide the keystore password when prompted:

Key generation using keytool command

2. Verify the entry with same alias name is generated using keytool command.

# keytool -list -keystore NONE -storetype PKCS11IMPLKS -providername IBMPKCS11Impl-CryptoServer  

Here:

• NONE is the keystore for HSM

• PKCS11IMPLKS is the storetype

• IBMPKCS11Impl-CryptoServer is the provider’s name

Provide the keystore password when prompted:

Listkeys output

3. List the objects using p11tool2.

# p11tool2 Slot=0 LoginUser=ask ListObjects 

Enter user PIN when prompted:

List keys output using p11tool2

4. Generate a CSR using Keytool command.

# keytool -certreq -alias ibmrsa -keystore NONE -storetype PKCS11IMPLKS providername IBMPKCS11Impl-CryptoServer -file ibm.csr 

Here:

• NONE is the keystore for HSM

• PKCS11IMPLKS is the storetype

• IBMPKCS11Impl-CryptoServer is the provider name

• ibmrsa is the key name

• ibm.csr is the CSR file name that will be generated

Provide keystore password when prompted

5. Get this CSR signed by CA.

6. Copy the signed certificate and root CA certificate on the IBMPKCS11 server.

7. Import Root CA certificate into HSM keystore.

#  keytool -importcert -alias rootca -file /home/LAbCA-Root.crt storetype PKCS11IMPLKS -keystore NONE -providername IBMPKCS11ImplCryptoServer

Importing root certificate into keystore

8. Import the signed certificate reply using the command below.

#  keytool -importcert -alias ibmrsa -file /home/test_demo.p7b -storetype PKCS11IMPLKS -keystore NONE -providername IBMPKCS11Impl-CryptoServer

Import user certificate into keystore

9. Verify that the keytool command shows the signed certificate as well as root CA certificate.

# keytool -list -keystore NONE -storetype PKCS11IMPLKS -providername IBMPKCS11Impl-CryptoServer  

Here:

• NONE is the keystore for HSM

• PKCS11IMPLKS is the storetype

• IBMPKCS11Impl-CryptoServer is the provider’s name

Provide the keystore password when prompted:

Listkeys output showing signed certificate as well as root CA

10. Sign any sample jar file with jarsigner command.

# jarsigner -tsa http://timestamp.digicert.com -keystore NONE -storetype PKCS11IMPLKS -providername IBMPKCS11Impl-CryptoServer -signedjar hello_worldoutput.jar HelloWorld-0.7.0.jar ibmrsa  

Here

• http://timestamp.digicert.com is URL of timestamp server

• NONE is the keystore for HSM

• PKCS11IMPLKS is the storetype

• IBMPKCS11Impl-CryptoServer is the provider’s name

• hello_worldoutput.jar is the new output signed jar file that will be generated

• HelloWorld-0.7.0.jar is the jar file to be signed

• ibmrsa is the RSA key used for jar signing

Provide the keystore password when prompted:

Signing the jar using jarsigner command

11. Verify the signed jar.

# jarsigner -verify hello_worldoutput.jar -keystore NONE -storetype PKCS11IMPLKS -storepass 12345678 -providername IBMPKCS11Impl-CryptoServer

Here hello_worldoutput.jar is the newly generated signed jar file:

Verifying signed jar