With EC Key (CA Signed Certificate)

  1. Generate an EC keypair on Utimaco HSM.

›_ Console

# keytool -genkeypair -alias utimacoECKey -keyalg EC -groupname secp256r1 -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/utimaco/pkcs11-java.cfg

Provide the requested information when prompted. Here:

  • EC is the key algorithm

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • sun.security.pkcs11.SunPKCS11 is the provider class

  • utimacoECKey is the key name that will be generated on Utimaco HSM

Provide the keystore password when prompted

[Figure: Key generation using keytool command]
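The commands above all point the SunPKCS11 provider at /etc/utimaco/pkcs11-java.cfg, but the page does not show that file. The following is an added example of such a configuration, not a file shipped with the Utimaco software: the attribute names are the standard SunPKCS11 ones, the library path is a placeholder to be replaced with the location of the Utimaco PKCS#11 library on the host, and the slot number matches the Slot=0 used with p11tool2 below. With name = CryptoServer the JDK registers the provider as SunPKCS11-CryptoServer.

```ini
# SunPKCS11 configuration referenced as /etc/utimaco/pkcs11-java.cfg above.
# Added example; the library path below is a placeholder.
name = CryptoServer
library = /path/to/utimaco-pkcs11-library.so
slot = 0

# Private keys generated through this provider are marked sensitive and
# non-extractable, so they can never leave the HSM in the clear, even for a
# caller that holds the user PIN.
attributes(generate, CKO_PRIVATE_KEY, *) = {
  CKA_SENSITIVE = true
  CKA_EXTRACTABLE = false
}
```

The attributes block is the part worth keeping even if the rest is adapted: keytool -genkeypair creates the key through this provider, so these flags are applied at generation time and cannot be relaxed afterwards.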

  1. Verify that an entry with the same alias has been generated, using the keytool list command.

›_ Console

# keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/utimaco/pkcs11-java.cfg 

Here:

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • PKCS11-CryptoServer is the provider name

Provide the keystore password when prompted

[Figure: keytool -list output]

  1. List the objects using p11tool2.

›_ Console

# ./p11tool2 Slot=0 LoginUser=ask ListObjects

Enter the user PIN when prompted.

[Figure: List keys output using p11tool2]

  1. Generate a CSR using the keytool command.

›_ Console

# keytool -certreq -alias utimacoECKey -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/utimaco/pkcs11-java.cfg -file utimacoEC.csr

Here:

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • sun.security.pkcs11.SunPKCS11 is the provider class

  • utimacoECKey is the key name

  • utimacoEC.csr is the CSR file name that will be generated

Provide the keystore password when prompted

  1. Get this CSR signed by the CA.

›_ Console

# openssl x509 -req -in utimacoEC.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out serverEC.crt -days 365 -sha256

  1. Copy the signed certificate and the root CA certificate and combine them into a single full-chain certificate file.

›_ Console

# cat serverEC.crt ca.crt > fullchainEC.crt

  1. Import the full-chain certificate into the HSM keystore.

›_ Console

# keytool -importcert -alias utimacoECKey -file fullchainEC.crt -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/utimaco/pkcs11-java.cfg

[Figure: Importing full chain certificate]

  1. Sign any sample jar file using jarsigner tool.

›_ Console

# jarsigner -tsa http://timestamp.digicert.com -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/utimaco/pkcs11-java.cfg -signedjar HelloWorldECSigned.jar HelloWorld.jar utimacoECKey

Here:

  • http://timestamp.digicert.com is the URL of the timestamp server

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • sun.security.pkcs11.SunPKCS11 is the provider class

  • HelloWorldECSigned.jar is the new output signed jar file that will be generated

  • HelloWorld.jar is the Jar file to be signed

  • utimacoECKey is the key name that will be used for signing

Provide the keystore password when prompted

[Figure: Signing the jar using jarsigner command]

  1. Verify the signed jar.

›_ Console

# jarsigner -verify HelloWorldECSigned.jar

Here HelloWorldECSigned.jar is the newly generated signed jar file.

[Figure: Verifying signed jar]
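As an added example (not part of the Utimaco documentation or of the JDK tools' own code), the following Java program performs the checks behind the last three steps programmatically, which is useful when the signing runs unattended and a screenshot of jarsigner output is not enough. It opens the PKCS11 keystore through the same config file, confirms that utimacoECKey holds an EC private key with a complete chain whose signatures verify and whose certificates are within their validity period, checks the signer certificate's Extended Key Usage, and then reads every entry of HelloWorldECSigned.jar with verification enabled, failing on any entry that is unsigned or signed by a different certificate. The config path, alias and JAR name are the ones used above and can be overridden on the command line; the class name CheckHsmSigning and the interactive PIN prompt are assumptions of this example.

```java
import java.io.Console;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Post-signing checks for the HSM-backed EC signing key and the signed JAR.
 * Added example; assumes the config path, alias and JAR name from the steps
 * above. The PIN is read from the console so it never appears on the command
 * line or in shell history.
 */
public class CheckHsmSigning {

    // id-kp-codeSigning (RFC 5280). jarsigner warns when an EKU extension is
    // present but does not include it, so the check fails hard here.
    private static final String CODE_SIGNING_EKU = "1.3.6.1.5.5.7.3.3";

    public static void main(String[] args) throws Exception {
        String cfg   = args.length > 0 ? args[0] : "/etc/utimaco/pkcs11-java.cfg";
        String alias = args.length > 1 ? args[1] : "utimacoECKey";
        String jar   = args.length > 2 ? args[2] : "HelloWorldECSigned.jar";

        // Load the SunPKCS11 provider from the same config file keytool used (Java 9+ API).
        Provider p = Security.getProvider("SunPKCS11").configure(cfg);
        Security.addProvider(p);

        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("run from an interactive terminal so the PIN can be read securely");
        }
        char[] pin = console.readPassword("HSM user PIN: ");
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);          // no file: the token itself is the keystore
        Arrays.fill(pin, '\0');      // do not keep the PIN in memory longer than needed

        X509Certificate leaf = checkKeyEntry(ks, alias);
        checkJar(jar, leaf);
        System.out.println("OK: " + jar + " is signed by the HSM key '" + alias + "'");
    }

    /** Confirms the alias is a private-key entry holding an EC key with a complete, self-consistent chain. */
    static X509Certificate checkKeyEntry(KeyStore ks, String alias) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("no private key entry for alias " + alias);
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length < 2) {
            throw new IllegalStateException("chain for " + alias
                + " lacks the CA certificate; re-import fullchainEC.crt");
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        if (!(leaf.getPublicKey() instanceof ECPublicKey)) {
            throw new IllegalStateException("expected an EC key, got " + leaf.getPublicKey().getAlgorithm());
        }
        // Each certificate must be valid now and signed by the next one in the chain.
        for (int i = 0; i < chain.length - 1; i++) {
            X509Certificate child = (X509Certificate) chain[i];
            X509Certificate issuer = (X509Certificate) chain[i + 1];
            child.checkValidity();
            child.verify(issuer.getPublicKey());   // throws if the signature does not verify
        }
        List<String> eku = leaf.getExtendedKeyUsage();   // null when the extension is absent
        if (eku != null && !eku.contains(CODE_SIGNING_EKU)) {
            throw new IllegalStateException("signer certificate has an EKU extension without codeSigning");
        }
        return leaf;
    }

    /** Reads every entry with verification on, then requires each content entry to be signed by the leaf. */
    static void checkJar(String path, X509Certificate expectedSigner) throws IOException {
        try (JarFile jf = new JarFile(path, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                try (InputStream in = jf.getInputStream(e)) {
                    // Consuming the stream is what triggers the digest check; a mismatch throws SecurityException.
                    while (in.read(buf) != -1) { }
                }
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                Certificate[] signers = e.getCertificates();   // only populated after the entry is fully read
                if (signers == null || signers.length == 0) {
                    throw new SecurityException("unsigned entry: " + e.getName());
                }
                if (!signers[0].equals(expectedSigner)) {
                    throw new SecurityException("entry " + e.getName() + " is signed by an unexpected certificate");
                }
            }
        }
    }
}
```

Compile and run with javac CheckHsmSigning.java followed by java CheckHsmSigning; it prompts for the user PIN. A chain of length 1 at the keystore check means the full-chain import in the earlier step did not take effect for this alias (for example because only serverEC.crt was imported), which jarsigner -verify would otherwise report only as a warning about an incomplete chain.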