For OpenJDK11 with RSA Key

  1. Generate an RSA key pair on the Utimaco HSM.

›_ Console

# keytool -genkey -alias webrsa -keyalg RSA -keysize 2048 -keystore NONE -storetype PKCS11 -storepass 12345678 -providername SunPKCS11-CryptoServer -v

Provide the distinguished name information (name, organizational unit, organization, and so on) when prompted.

Here:

  • RSA is the key algorithm.

  • 2048 is the key size.

  • NONE is the keystore name: a PKCS11 keystore has no file, because the HSM token itself holds the keys.

  • PKCS11 is the storetype.

  • 12345678 is the slot PIN.

  • SunPKCS11-CryptoServer is the provider name.

  • webrsa is the alias of the key pair that will be generated on the Utimaco HSM.

[Figure: Key generation using the keytool command]

  2. Verify that the keys have been generated.

›_ Console

# keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 12345678 -v

Here:

  • NONE is the keystore name: a PKCS11 keystore has no file, because the HSM token itself holds the keys.

  • PKCS11 is the storetype.

  • 12345678 is the slot PIN.

  • SunPKCS11-CryptoServer is the provider name.

[Figure: List keys output]

  3. List the keys using p11tool2.

›_ Console

# p11tool2 Slot=0 LoginUser=<slot_PIN> ListObjects

[Figure: List keys output using p11tool2]

  4. Generate a CSR using the keytool command.

›_ Console

# keytool -certreq -alias webrsa -file rsa.csr -storetype PKCS11 -keystore NONE -providername SunPKCS11-CryptoServer -v

Provide the keystore password when prompted.

Here:

  • NONE is the keystore name: a PKCS11 keystore has no file, because the HSM token itself holds the keys.

  • PKCS11 is the storetype.

  • SunPKCS11-CryptoServer is the provider name.

  • webrsa is the alias of the key pair generated in step 1.

  • rsa.csr is the CSR file name that will be generated.

  5. Get this CSR signed by the CA.

  6. Copy the signed certificate to the WebLogic server.

  7. Copy the cacerts file from <java_installation_path>/jdk-11.0.6/lib/security/ to /u01/app/oracle/config/domain/admindomain/.

  8. Import the signed certificate using the command below.

›_ Console

# keytool -importcert -alias webrsa -file /home/rsa_demo.p7b -storetype PKCS11 -keystore NONE -providername SunPKCS11-CryptoServer -storepass 12345678

[Figure: Import user certificate into keystore (two screenshots)]

  9. Verify that the keytool command shows the signed certificate.

›_ Console

# keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 12345678 -v

Here:

  • NONE is the keystore name: a PKCS11 keystore has no file, because the HSM token itself holds the keys.

  • PKCS11 is the storetype.

  • 12345678 is the slot PIN.

  • SunPKCS11-CryptoServer is the provider name.

[Figure: Keytool list output (two screenshots)]
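The listing in the last step only shows that an entry exists. The Java program below is an added example, not part of this documentation or of the Oracle or Utimaco tooling, that performs the checks an operator actually wants before pointing WebLogic at the entry: the private key is resident on the token and not extractable, the entry carries a CA-signed chain rather than the self-signed certificate created by -genkey, the public key is RSA 2048, the leaf certificate is currently valid and really signed by the next certificate in the chain, and a sign-on-token/verify-in-software round trip proves the certificate belongs to the HSM key. It uses the provider name and alias from this page; the class name HsmEntryCheck and the environment variable HSM_SLOT_PIN are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;

/**
 * Post-import check for the HSM-backed "webrsa" entry created with keytool.
 * Added example; assumes the SunPKCS11-CryptoServer provider is registered in
 * java.security of the JDK 11 used to run it, and that the slot PIN is supplied
 * in the HSM_SLOT_PIN environment variable (hypothetical name).
 */
public class HsmEntryCheck {
    static final String PROVIDER = "SunPKCS11-CryptoServer"; // from the page
    static final String ALIAS = "webrsa";                    // from the page
    static final int EXPECTED_BITS = 2048;

    public static void main(String[] args) throws Exception {
        String pinEnv = System.getenv("HSM_SLOT_PIN");
        if (pinEnv == null) {
            throw new IllegalStateException("set HSM_SLOT_PIN; the PIN is not taken from the command line");
        }
        char[] pin = pinEnv.toCharArray();
        try {
            // Equivalent of "-keystore NONE -storetype PKCS11": no file, the token is the store.
            KeyStore ks = KeyStore.getInstance("PKCS11", PROVIDER);
            ks.load(null, pin);
            System.out.println(checkEntry(ks, pin));
        } finally {
            Arrays.fill(pin, '\0'); // do not leave the PIN lying around in the heap
        }
    }

    static String checkEntry(KeyStore ks, char[] pin) throws Exception {
        if (!ks.isKeyEntry(ALIAS)) {
            throw new IllegalStateException("no private-key entry for alias " + ALIAS);
        }
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, pin);
        // SunPKCS11 only hands out key bytes when the token marks the key extractable and
        // non-sensitive; for an HSM-resident key getEncoded() must return null.
        if (key.getEncoded() != null) {
            throw new IllegalStateException("private key material is extractable from the token");
        }

        Certificate[] chain = ks.getCertificateChain(ALIAS);
        if (chain == null || chain.length < 2) {
            throw new IllegalStateException("entry still carries only the self-signed certificate from -genkey; "
                    + "import the CA-signed reply (step 8) first");
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        X509Certificate issuer = (X509Certificate) chain[1];

        PublicKey pub = leaf.getPublicKey();
        if (!(pub instanceof RSAPublicKey)) {
            throw new IllegalStateException("certificate key is " + pub.getAlgorithm() + ", expected RSA");
        }
        int bits = ((RSAPublicKey) pub).getModulus().bitLength();
        if (bits != EXPECTED_BITS) {
            throw new IllegalStateException("RSA modulus is " + bits + " bits, expected " + EXPECTED_BITS);
        }

        leaf.checkValidity();               // throws if expired or not yet valid
        leaf.verify(issuer.getPublicKey()); // throws if the next cert in the chain did not sign it

        // Sign a probe on the token and verify with the certificate's public key: proves the
        // certificate that was imported matches the private key generated in step 1.
        byte[] probe = "hsm-entry-check".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA", PROVIDER);
        signer.initSign(key);
        signer.update(probe);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pub);
        verifier.update(probe);
        if (!verifier.verify(sig)) {
            throw new IllegalStateException("certificate public key does not match the HSM private key");
        }

        return String.format("%s: RSA-%d on token, chain length %d, subject %s, issuer %s, expires %s",
                ALIAS, bits, chain.length, leaf.getSubjectX500Principal(),
                leaf.getIssuerX500Principal(), leaf.getNotAfter());
    }
}
```

Compile and run it with the same JDK 11 whose java.security registers the provider: `javac HsmEntryCheck.java` followed by `HSM_SLOT_PIN=<slot_PIN> java HsmEntryCheck`. Reading the PIN from the environment rather than from argv keeps it out of shell history and process listings; the keytool commands on this page can do the same with `-storepass:env HSM_SLOT_PIN` (or `-storepass:file <path>`) in place of `-storepass 12345678`.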