Generating SSL Key and Certificate on Windows for RSA Key and Certificate Generation

1. Generate a key pair on the Utimaco HSM with the keytool command.


C:\Program Files\IBM\WebSphere\AppServer\java\8.0\jre\bin>keytool.exe -genkey 
-alias ibmrsa -keyalg RSA -keysize 2048 -keystore NONE -storetype PKCS11IMPLKS -providername IBMPKCS11Impl-CryptoServer 

Provide information when prompted.

Here:

  • RSA is the key algorithm

  • 2048 is the key size

  • NONE is the keystore for HSM

  • PKCS11IMPLKS is the storetype

  • IBMPKCS11Impl-CryptoServer is the provider name

  • ibmrsa is the alias of the key that will be generated on the Utimaco HSM

Provide the keystore password when prompted.

[Figure: Key generation using keytool command]

2. Verify that an entry with the same alias name was generated, using the keytool command.


C:\Program Files\IBM\WebSphere\AppServer\java\8.0\jre\bin>keytool -list -keystore NONE -storetype PKCS11IMPLKS -providername IBMPKCS11Impl-CryptoServer 

Here:

  • NONE is the keystore for HSM

  • PKCS11IMPLKS is the storetype

  • IBMPKCS11Impl-CryptoServer is the provider’s name

Provide the keystore password when prompted.

[Figure: Keytool list output]

3. List the objects on the HSM using p11tool2.


C:\Program Files\Utimaco\SecurityServer\Administration>p11tool2.exe slot=0 Loginuser=ask ListObjects 

Enter the user PIN when prompted.

[Figure: ListObjects output using p11tool2]

4. Generate a CSR using the keytool command.


C:\Program Files\IBM\WebSphere\AppServer\java\8.0\jre\bin>keytool.exe -certreq 
-alias ibmrsa -keystore NONE -storetype PKCS11IMPLKS -providername IBMPKCS11Impl-CryptoServer -file ibm.csr 

[Figure: Generate CSR command output]

Here:

  • NONE is the keystore for HSM

  • PKCS11IMPLKS is the storetype

  • IBMPKCS11Impl-CryptoServer is the provider name

  • ibmrsa is the alias of the key generated in step 1

  • ibm.csr is the CSR file name that will be generated

Provide the keystore password when prompted.

5. Get this CSR signed by the CA.

6. Copy the signed certificate and the root CA certificate to the IBM WebSphere application server.

7. Import the root CA certificate into the HSM keystore.


C:\Program Files\IBM\WebSphere\AppServer\java\8.0\jre\bin>keytool.exe -importcert -alias rootca -file C:\Users\Downloads\RootCA.crt -storetype PKCS11IMPLKS -keystore NONE -providername IBMPKCS11Impl-CryptoServer 

[Figure: Importing root CA certificate into keystore]

8. Import the signed certificate reply using the command below.


C:\Program Files\IBM\WebSphere\AppServer\java\8.0\jre\bin>keytool.exe -importcert -alias ibmrsa -file C:\Users\Downloads\rsa_demo.p7b -storetype PKCS11IMPLKS -keystore NONE -providername IBMPKCS11Impl-CryptoServer 

[Figure: Importing user certificate into keystore]

9. Verify that the keytool command shows the signed certificate as well as the root CA certificate.


C:\Program Files\IBM\WebSphere\AppServer\java\8.0\jre\bin>keytool -list -keystore NONE -storetype PKCS11IMPLKS -providername IBMPKCS11Impl-CryptoServer 

Here:

  • NONE is the keystore for HSM

  • PKCS11IMPLKS is the storetype

  • IBMPKCS11Impl-CryptoServer is the provider’s name

Provide the keystore password when prompted.

[Figure: Keytool list output showing signed certificate as well as root CA certificate]
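A keytool -list only shows that the aliases exist. The check a practitioner wants after step 9 is that the private key is resident on the HSM, that the imported reply was accepted as a chain on the ibmrsa entry, that the chain actually validates against the rootca entry imported in step 7, and that the leaf carries the 2048-bit RSA key from step 1. The following Java program is an added example, not code from this page or from IBM or Utimaco. It assumes the IBMPKCS11Impl-CryptoServer provider is already registered in the JRE's java.security (it must be, or the keytool commands above would fail), that the aliases are ibmrsa and rootca as in the steps above, and the class name HsmKeystoreCheck is our own.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;

/*
 * Post-import verification of the HSM keystore built by the keytool steps above.
 * Added example; assumes the provider is configured in java.security and that the
 * aliases "ibmrsa" (key) and "rootca" (trusted CA) match the steps on this page.
 */
public class HsmKeystoreCheck {

    // Values taken from the keytool commands on this page.
    static final String STORE_TYPE = "PKCS11IMPLKS";
    static final String PROVIDER = "IBMPKCS11Impl-CryptoServer";
    static final int EXPECTED_RSA_BITS = 2048;

    public static void main(String[] args) throws Exception {
        String keyAlias = args.length > 0 ? args[0] : "ibmrsa";
        String caAlias = args.length > 1 ? args[1] : "rootca";
        if (System.console() == null) {
            throw new IllegalStateException("run from an interactive console so the PIN is read without echo");
        }
        char[] pin = System.console().readPassword("HSM keystore password (user PIN): ");

        // "-keystore NONE" in keytool: there is no file, the HSM slot itself is the store.
        KeyStore ks = KeyStore.getInstance(STORE_TYPE, PROVIDER);
        ks.load(null, pin);

        System.out.println("Entries on the HSM:");
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("  " + alias + (ks.isKeyEntry(alias) ? "  [private key]" : "  [trusted certificate]"));
        }

        // 1. The private key must exist under the alias and be usable with the PIN.
        PrivateKey key = (PrivateKey) ks.getKey(keyAlias, pin);
        if (key == null) {
            throw new IllegalStateException("no private key under alias " + keyAlias);
        }
        // PKCS#11-backed keys normally return null from getEncoded(): the material never leaves the HSM.
        System.out.println("Private key '" + keyAlias + "' algorithm=" + key.getAlgorithm()
                + ", exportable encoding present=" + (key.getEncoded() != null));

        // 2. The signed reply (step 8) must have been stored as a chain on the key entry.
        Certificate[] chain = ks.getCertificateChain(keyAlias);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("no certificate chain on " + keyAlias + "; was the reply imported?");
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        leaf.checkValidity(); // throws if the certificate is not yet valid or has expired
        int bits = ((RSAPublicKey) leaf.getPublicKey()).getModulus().bitLength();
        if (bits != EXPECTED_RSA_BITS) {
            throw new IllegalStateException("leaf key is " + bits + " bits, expected " + EXPECTED_RSA_BITS);
        }

        // 3. Each certificate in the chain must be signed by the next one up ...
        for (int i = 0; i < chain.length - 1; i++) {
            ((X509Certificate) chain[i]).verify(chain[i + 1].getPublicKey()); // SignatureException on mismatch
        }

        // 4. ... and the top of the chain must be, or be signed by, the root CA imported in step 7.
        X509Certificate root = (X509Certificate) ks.getCertificate(caAlias);
        if (root == null) {
            throw new IllegalStateException("no trusted certificate under alias " + caAlias);
        }
        X509Certificate top = (X509Certificate) chain[chain.length - 1];
        if (!top.equals(root)) {
            top.verify(root.getPublicKey());
        }

        System.out.println("OK: " + leaf.getSubjectX500Principal()
                + " chains to " + root.getSubjectX500Principal());
    }
}
```

Compile and run it with the same IBM Java installation that keytool was taken from, so the same java.security provider list and Utimaco CryptoServer configuration apply; any failure surfaces as an exception naming the step that did not hold (missing key, missing chain, wrong key size, or a signature that does not verify against the root).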