With RSA Key (CA Signed Certificate)

  1. Generate a keypair on the Utimaco HSM with the keytool command.

# keytool -genkeypair -alias utimacoRSAKey -keyalg RSA -keysize 2048 -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/utimaco/pkcs11-java.cfg

Provide the requested information when prompted. Here:

  • RSA is the key algorithm

  • 2048 is the key size

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • sun.security.pkcs11.SunPKCS11 is the provider class

  • utimacoRSAKey is the key name that will be generated on Utimaco HSM

Provide the keystore password when prompted:

[Screenshot: key generation using the keytool command]

  2. Verify that an entry with the same alias has been created, using the keytool command.

# keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/utimaco/pkcs11-java.cfg

Here:

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • sun.security.pkcs11.SunPKCS11 is the provider class

Provide the keystore password when prompted:

[Screenshot: keytool -list output]

  3. List the objects on the HSM using p11tool2.

# ./p11tool2 Slot=0 LoginUser=ask ListObjects

Enter user PIN when prompted:

[Screenshot: list objects output using p11tool2]

  4. Generate a CSR using the keytool command.

# keytool -certreq -alias utimacoRSAKey -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/utimaco/pkcs11-java.cfg -file utimacoRSA.csr

Here:

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • sun.security.pkcs11.SunPKCS11 is the provider class

  • utimacoRSAKey is the key name

  • utimacoRSA.csr is the CSR file name that will be generated

Provide the keystore password when prompted.

  5. Get this CSR signed by the CA.

# openssl x509 -req -in utimacoRSA.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out serverRSA.crt -days 365 -sha256

Here ca.crt and ca.key are the signing CA's certificate and private key, serverRSA.crt is the signed certificate that will be written, and -days 365 sets its validity period.

  6. Copy the signed certificate and the root CA certificate and combine them into a single full-chain certificate file, with the signed certificate first and the CA certificate after it.

# cat serverRSA.crt ca.crt > fullchainRSA.crt

  7. Import the combined full-chain certificate into the HSM keystore, under the same alias as the key.

# keytool -importcert -alias utimacoRSAKey -file fullchainRSA.crt -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/utimaco/pkcs11-java.cfg

[Screenshot: importing the full-chain certificate]

  8. Sign a sample jar file with the jarsigner command.

# jarsigner -tsa http://timestamp.digicert.com -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/utimaco/pkcs11-java.cfg -signedjar HelloWorldRSASigned.jar HelloWorld.jar utimacoRSAKey

Here:

  • http://timestamp.digicert.com is the URL of the timestamp server

  • NONE is the keystore for HSM

  • PKCS11 is the storetype

  • sun.security.pkcs11.SunPKCS11 is the provider class

  • HelloWorldRSASigned.jar is the new output signed jar file that will be generated

  • HelloWorld.jar is the jar file to be signed

  • utimacoRSAKey is the RSA key used for jar signing

Provide the keystore password when prompted:

[Screenshot: signing the jar using the jarsigner command]

  9. Verify the signed jar.

# jarsigner -verify HelloWorldRSASigned.jar

Here HelloWorldRSASigned.jar is the newly generated signed jar file:

[Screenshot: verifying the signed jar]
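What the verification step checks at the content layer, as an added example that is not part of this guide or of Utimaco's tooling: the code below rebuilds the per-entry SHA-256 digests that jarsigner writes into META-INF/MANIFEST.MF and reports entries that were modified, added or removed after signing (removed-entry reporting goes slightly beyond what jarsigner prints by default). The sample jar is constructed inline; the .SF/.RSA signature block produced with the HSM-held utimacoRSAKey is assumed to be checked separately and is not reproduced here.

```python
import base64, hashlib, io, zipfile

def _entry_digest(zf, name):
    # jarsigner records base64(SHA-256) of each entry's uncompressed bytes.
    return base64.b64encode(hashlib.sha256(zf.read(name)).digest()).decode()

def _signed_entries(zf):
    # Directories and META-INF/ (manifest, .SF, .RSA) carry no per-entry digest.
    return [i.filename for i in zf.infolist()
            if not i.is_dir() and not i.filename.startswith("META-INF/")]

def build_manifest(jar_bytes):
    """Build the MANIFEST.MF per-entry digests that jarsigner writes before signing."""
    lines = ["Manifest-Version: 1.0", ""]
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in _signed_entries(zf):
            lines += [f"Name: {name}", f"SHA-256-Digest: {_entry_digest(zf, name)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode()

def parse_manifest(manifest):
    """Return {entry name: base64 SHA-256 digest}; 72-byte continuation lines are joined."""
    lines = []
    for raw in manifest.decode().splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # continuation of the previous header line
        else:
            lines.append(raw)
    digests, name = {}, None
    for line in lines:
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[16:]
        elif line == "":
            name = None                 # blank line closes the per-entry section
    return digests

def check_entries(jar_bytes, manifest):
    """Entries modified or added after signing (digest mismatch or no digest), then entries removed."""
    expected = parse_manifest(manifest)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        present = _signed_entries(zf)
        bad = [n for n in present if expected.get(n) != _entry_digest(zf, n)]
    return bad + [n for n in expected if n not in present]

def make_jar(entries):
    buf = io.BytesIO()  # a jar is just a zip; constructed sample input for the offline demo
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

An empty list from check_entries means every signed entry still matches its manifest digest; any name it returns is a reason to reject the jar before trusting the signature.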