With EC Key (Self Signed Certificate)

1. Generate an EC keypair on Utimaco HSM.

keytool -genkeypair -alias utimacoECKey -keyalg EC -groupname secp256r1 -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/utimaco/pkcs11-java.cfg

Provide information when prompted Here:

• EC is the key algorithm

• NONE is the keystore for HSM

• PKCS11 is the storetype

• sun.security.pkcs11.SunPKCS11 is the provider class

• utimacoECKey is the key name that will be generated on Utimaco HSM

Provide the keystore password when prompted.

Keytool command to generate keys

2. Verify the entry with same alias name is generated.

# keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/utimaco/pkcs11-java.cfg

Here:

• NONE is the keystore for HSM

• PKCS11 is the storetype

• sun.security.pkcs11.SunPKCS11 is the provider class

Provide the keystore password when prompted.

Listkeys output

3. List the objects using p11tool2.

# ./p11tool2 Slot=0 LoginUser=ask ListObjects

Enter user PIN when prompted.

List keys output using p11tool2

4. Sign any sample jar file using jarsigner tool.

# jarsigner -tsa http://timestamp.digicert.com -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/utimaco/pkcs11-java.cfg -signedjar HelloWorldECSigned.jar HelloWorld.jar utimacoECKey

Here:

• http://timestamp.digicert.com is URL of timestamp server

• Here NONE is the keystore for HSM

• PKCS11 is the storetype

• sun.security.pkcs11.SunPKCS11 is the provider class

• HelloWorldECSigned.jar is the new output signed jar file that will be generated

• HelloWorld.jar is the jar file to be signed

Signing the jar using jarsigner command

5. Verify the signed jar.

# jarsigner -verify HelloWorldECSigned.jar

Here HelloWorldECSigned.jar is the newly generated signed jar file.

Verifying signed jar