For OpenJDK11 with EC Key

  1. Generate an EC key pair on the Utimaco HSM.

›_ Console

# keytool -genkey -alias weblogiceckey -keyalg EC -keystore NONE -storetype PKCS11 -storepass 12345678 -providername SunPKCS11-CryptoServer -v

Provide information when prompted.

Here:

  • EC is the key algorithm.

  • NONE is the keystore for HSM.

  • PKCS11 is the storetype.

  • 12345678 is the slot PIN.

  • SunPKCS11-CryptoServer is the provider name.

  • weblogiceckey is the key name that will be generated on Utimaco HSM.

[Figure: Key generation using keytool command]

  2. Verify that the keys have been generated.

›_ Console

# keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 12345678 -v

Here:

  • NONE is the keystore for HSM.

  • PKCS11 is the storetype.

  • 12345678 is the slot PIN.

  • SunPKCS11-CryptoServer is the provider name.

[Figure: List keys output]

  3. List the keys using p11tool2.

›_ Console

# p11tool2 Slot=0 LoginUser=<slot_PIN> ListObjects

[Figure: List keys output using p11tool2]

  4. Generate a CSR using the keytool command.

›_ Console

# keytool -certreq -alias weblogiceckey -file ec.csr -storetype PKCS11 -keystore NONE -v

Provide the keystore password when prompted.

Here:

  • NONE is the keystore for HSM.

  • PKCS11 is the storetype.

  • weblogiceckey is the key name.

  • ec.csr is the CSR file name that will be generated.

  5. Get this CSR signed by the CA.

  6. Copy the signed certificate to the WebLogic server.

  7. Copy the cacerts file from <java_installation_path>/jdk-11.0.6/lib/security/ to /u01/app/oracle/config/domain/admindomain/.

  8. Import the signed certificate using the command below.

›_ Console

# keytool -importcert -alias weblogiceckey -file /home/ec_demo.p7b -storetype PKCS11 -keystore NONE -providername SunPKCS11-CryptoServer -storepass 12345678

[Figure: Import user certificate into keystore]

  9. Verify that the keytool command shows the signed certificate.

›_ Console

# keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 12345678 -v

Here:

  • NONE is the keystore for HSM.

  • PKCS11 is the storetype.

  • 12345678 is the slot PIN.

  • SunPKCS11-CryptoServer is the provider name.

[Figure: Keytool list output]
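As an added example (not part of the Utimaco guide), the following POSIX shell check reads the verify step's `keytool -list ... -v` output and confirms the entry is in the state the procedure should leave it in: a PrivateKeyEntry with an EC leaf key whose certificate is CA-issued rather than the self-signed certificate that `-genkey` creates. The alias `weblogiceckey` comes from the guide; the sample output and its subject names are constructed.

```shell
#!/bin/sh
# Added example, not from the Utimaco guide: checks that an HSM-backed keytool
# entry is ready for WebLogic. The sample is constructed (names are made up) to
# mimic the `keytool -list ... -v` output shown in the guide after the import.
SAMPLE_SIGNED='Alias name: weblogiceckey
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=weblogic.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Root CA, O=Example
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key'

# check_hsm_entry ALIAS   (reads `keytool -list -v` output on stdin)
# Succeeds only if ALIAS is a PrivateKeyEntry, its leaf key is EC, and the leaf
# certificate is CA-issued: chain longer than 1 and issuer differs from owner.
# A freshly generated key fails this because -genkey leaves a self-signed cert.
check_hsm_entry() {
    alias="$1"
    # Keep only the lines that belong to the requested alias.
    block=$(awk -v a="$alias" '/^Alias name: / { inblk = ($3 == a) } inblk { print }')
    [ -n "$block" ] || { echo "$alias: alias not found" >&2; return 1; }
    printf '%s\n' "$block" | grep -q '^Entry type: PrivateKeyEntry$' ||
        { echo "$alias: not a PrivateKeyEntry" >&2; return 1; }
    chain=$(printf '%s\n' "$block" | sed -n 's/^Certificate chain length: //p')
    [ "${chain:-0}" -gt 1 ] ||
        { echo "$alias: chain length ${chain:-0}; signed cert not imported" >&2; return 1; }
    # Leaf certificate = Certificate[1]; the range ends at Certificate[2] if present.
    leaf=$(printf '%s\n' "$block" | sed -n '/^Certificate\[1\]:/,/^Certificate\[2\]:/p')
    printf '%s\n' "$leaf" | grep -q '^Subject Public Key Algorithm: .*EC' ||
        { echo "$alias: leaf key is not EC" >&2; return 1; }
    owner=$(printf '%s\n' "$leaf" | sed -n 's/^Owner: //p' | head -n 1)
    issuer=$(printf '%s\n' "$leaf" | sed -n 's/^Issuer: //p' | head -n 1)
    [ "$owner" != "$issuer" ] ||
        { echo "$alias: leaf certificate is self-signed" >&2; return 1; }
    echo "$alias: EC PrivateKeyEntry with CA-issued certificate (chain length $chain)"
}

# Live use on the WebLogic host: pipe the guide's verify command into the check.
#   keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer \
#       -storepass 12345678 -v | check_hsm_entry weblogiceckey
printf '%s\n' "$SAMPLE_SIGNED" | check_hsm_entry weblogiceckey
```

A non-zero exit from the check after step 9 means the import did not replace the self-signed certificate under that alias, which is the usual cause of WebLogic presenting an untrusted certificate later.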