Generate Signing Key and Certificate on Utimaco Keystore

  1. Generate a signing key and certificate with the Java keytool utility. This creates the RSA key pair on the Utimaco HSM (the keystore is NONE, the storetype PKCS11, so no key material is written to disk); keytool wraps the public key in a self-signed placeholder certificate until the CA reply is imported.

# keytool -genkeypair -alias utimacokey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore NONE -storetype PKCS11 -storepass 123456 -providername SunPKCS11-CryptoServer -dname "CN=Java Code Signing, OU=IT, O=Utimaco, L=Aachen, ST=NRW, C=DE"
  2. Verify that the private key now exists on the Utimaco HSM. The entry is a PrivateKeyEntry with a chain length of 1 (only the self-signed placeholder certificate).

# keytool -list -v -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 123456
Keystore type: PKCS11
Keystore provider: SunPKCS11-CryptoServer

Your keystore contains 1 entry

Alias name: utimacokey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Java Code Signing, OU=IT, O=Utimaco, L=Aachen, ST=NRW, C=DE
Issuer: CN=Java Code Signing, OU=IT, O=Utimaco, L=Aachen, ST=NRW, C=DE
Serial number: 1a81f667
Valid from: Fri Apr 08 05:28:28 UTC 2022 until: Thu Jul 07 05:28:28 UTC 2022
...
...
  3. Generate a certificate signing request (CSR) for the key. The request is signed by the HSM-held private key, so the key never leaves the device.

# keytool -certreq -alias utimacokey -keystore NONE -sigalg SHA256withRSA -storetype PKCS11 -storepass 123456 -providername SunPKCS11-CryptoServer -file certreq.csr
  4. Submit the CSR file to your Certificate Authority (CA). The CA returns the signed certificate or the full certificate chain. Save the file on the server in an appropriate location.

  5. Optionally, import the CA certificate into the JDK cacerts trust store so that keytool can validate the certificate reply in the next step. The location of cacerts depends on the JDK version.

For JDK 8:

# keytool -trustcacerts -importcert -alias rootca -keystore <JDK_Installation_directory>/jre/lib/security/cacerts -file ROOTCA.cer
Enter keystore password:
Certificate already exists in keystore under alias <base>
Do you still want to add it? [no]: yes
Certificate was added to keystore

For JDK 11/17:

# keytool -trustcacerts -importcert -alias rootca -keystore <JDK_Installation_directory>/lib/security/cacerts -file ROOTCA.cer
Warning: use -cacerts option to access cacerts keystore
Enter keystore password:
Certificate already exists in keystore under alias <rootca>
Do you still want to add it? [no]: yes
Certificate was added to keystore

  6. Import the signed certificate reply under the same alias. keytool replaces the self-signed placeholder with the CA-issued chain; if the root of the reply is not found in a trust store, keytool shows the top-level certificate and asks whether to install the reply anyway.

# keytool -import -alias utimacokey -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 123456 -file Java_Code_Signing.p7b
Top-level certificate in reply:
Owner: CN=Utimaco-RootCA, DC=utimaco, DC=local
Issuer: CN=Utimaco-RootCA, DC=utimaco, DC=local
Serial number: 48064f50a86092854178e482a270b6d3
Valid from: Sun Oct 17 14:39:24 UTC 2021 until: Sat Oct 17 14:49:22 UTC 2026
...
...
... is not trusted. Install reply anyway? [no]: yes
Certificate reply was installed in keystore
  7. Verify the keystore contents. The chain length is now 2 and the issuer of Certificate[1] is the CA, not the key itself.

# keytool -list -v -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 123456
Keystore type: PKCS11
Keystore provider: SunPKCS11-CryptoServer

Your keystore contains 1 entry

Alias name: utimacokey
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Java Code Signing, OU=IT, O=Utimaco, L=Aachen, ST=NRW, C=DE
Issuer: CN=Utimaco-RootCA, DC=utimaco, DC=local
Serial number: 2d0000004aeb29a7a265cc264700000000004a
Valid from: Fri Apr 08 05:29:43 UTC 2022 until: Sat Apr 08 05:29:43 UTC 2023
...
...
...
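The keytool listing above only shows what the HSM keystore contains; it does not prove that the key can actually sign, or that the imported chain is internally consistent. The following Java program is an added example (not code from the Utimaco page or product) that performs those checks through the same SunPKCS11 provider keytool used: it loads the PKCS11 keystore, verifies each certificate in the chain against the next one, checks validity dates and the code-signing extended key usage, and runs a sign/verify round trip with the HSM-held private key. It assumes the provider is registered in java.security under the name SunPKCS11-CryptoServer, that the alias is utimacokey and that the PKCS#11 user PIN is the 123456 used in the steps above; the class name and the test payload are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;

/*
 * Added example, not part of the Utimaco documentation: sanity-checks the
 * code-signing key created in the steps above without exporting it from the HSM.
 * Assumed: provider name "SunPKCS11-CryptoServer" (as used with keytool above),
 * alias "utimacokey", PKCS#11 user PIN "123456" (override via first argument).
 */
public class HsmCodeSigningKeyCheck {

    private static final String PROVIDER_NAME = "SunPKCS11-CryptoServer";
    private static final String ALIAS = "utimacokey";
    // id-kp-codeSigning, RFC 5280 section 4.2.1.12
    private static final String CODE_SIGNING_EKU = "1.3.6.1.5.5.7.3.3";

    public static void main(String[] args) throws Exception {
        char[] pin = (args.length > 0 ? args[0] : "123456").toCharArray();

        Provider hsm = Security.getProvider(PROVIDER_NAME);
        if (hsm == null) {
            throw new IllegalStateException("provider " + PROVIDER_NAME
                    + " is not registered in java.security");
        }

        // Equivalent of "-keystore NONE -storetype PKCS11": keys live in the HSM, not in a file.
        KeyStore ks = KeyStore.getInstance("PKCS11", hsm);
        ks.load(null, pin);

        Certificate[] chain = ks.getCertificateChain(ALIAS);
        if (chain == null || chain.length < 2) {
            throw new IllegalStateException("chain length is "
                    + (chain == null ? 0 : chain.length)
                    + "; the CA reply from step 6 has not been imported yet");
        }
        X509Certificate leaf = (X509Certificate) chain[0];

        // Each certificate must be signed by the next one up the chain.
        for (int i = 0; i < chain.length - 1; i++) {
            ((X509Certificate) chain[i]).verify(chain[i + 1].getPublicKey());
        }
        leaf.checkValidity(); // throws if the leaf is expired or not yet valid

        // Whether the CA template included the code-signing EKU depends on the CA.
        List<String> eku = leaf.getExtendedKeyUsage();
        if (eku == null || !eku.contains(CODE_SIGNING_EKU)) {
            System.out.println("WARNING: leaf certificate has no code-signing extended key usage");
        }

        // The PrivateKey is only a handle; the signature is computed inside the HSM.
        PrivateKey signingKey = (PrivateKey) ks.getKey(ALIAS, pin);
        byte[] payload = "constructed test payload".getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance("SHA256withRSA", hsm);
        signer.initSign(signingKey);
        signer.update(payload);
        byte[] sig = signer.sign();

        // Verify with the certificate's public key using the default software provider.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(leaf.getPublicKey());
        verifier.update(payload);
        if (!verifier.verify(sig)) {
            throw new IllegalStateException(
                    "signature from the HSM key does not verify with the certificate's public key");
        }

        System.out.println("OK: " + ALIAS + " -> " + leaf.getSubjectX500Principal()
                + " issued by " + leaf.getIssuerX500Principal()
                + ", chain length " + chain.length + ", HSM signature verified");
    }
}
```

Compile and run it with `javac HsmCodeSigningKeyCheck.java && java HsmCodeSigningKeyCheck 123456` on the same JDK whose java.security registers the provider. A chain length below 2 means step 6 was skipped or imported under a different alias, and a verify() failure on a chain element means the reply installed in step 6 does not belong to the CA certificate imported in step 5.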