For OpenJDK8 with EC Key

  1. Generate an EC key pair on the Utimaco HSM.

›_ Console

# keytool -genkey -keyalg EC -keystore NONE -storetype PKCS11 -storepass 12345678 -providername SunPKCS11-CryptoServer -alias webleckey

Provide the distinguished-name information (CN, OU, O, and so on) when prompted. keytool uses it to build the self-signed placeholder certificate that is stored with the key until the CA-signed certificate is imported later in this procedure. -genkey is the older alias of -genkeypair; both work on JDK 8. With -keyalg EC and no -keysize, keytool generates a 256-bit key (secp256r1); pass -keysize 384 for P-384. Passing -storepass on the command line exposes the PIN in the shell history and in the process list, so on a shared host omit it and let keytool prompt for it.

Here:

  • EC is the key algorithm (an ECDSA key pair).

  • NONE is the keystore value used with a PKCS#11 keystore, because the key material lives in the HSM rather than in a file.

  • PKCS11 is the storetype.

  • 12345678 is the slot PIN (an example value; use the PIN of your HSM slot).

  • SunPKCS11-CryptoServer is the name of the SunPKCS11 provider configured for the Utimaco CryptoServer.

  • webleckey is the alias; SunPKCS11 uses it as the label (CKA_LABEL) of the key objects created on the Utimaco HSM.

[Screenshot: key generation using keytool command output]

  2. Verify that the key pair has been generated. At this stage the alias is listed as a PrivateKeyEntry with a self-signed certificate; that chain is replaced when the CA-signed certificate is imported below.

›_ Console

# keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 12345678 -v

The parameters are the same as in the previous step: NONE for the keystore, PKCS11 for the storetype, the slot PIN for -storepass, and SunPKCS11-CryptoServer for the provider name. -v prints the full certificate details for each entry.

[Screenshot: list keys output]

  3. List the key objects with p11tool2 to confirm them on the HSM side. Objects created through SunPKCS11 carry the keytool alias as their label, so look for webleckey in the listing.

›_ Console

# p11tool2 Slot=0 LoginUser=<slot_PIN> ListObjects

[Screenshot: list keys output using p11tool2]

  4. Generate a CSR for the HSM key using keytool. The request is signed inside the HSM with the private key (SHA256withECDSA for an EC key by default); the private key never leaves the token.

›_ Console

# keytool -certreq -alias webleckey -file ec.csr -storetype PKCS11 -keystore NONE -providername SunPKCS11-CryptoServer -v

Provide the keystore password (the slot PIN) when prompted.

Here:

  • NONE is the keystore value used with a PKCS#11 keystore.

  • PKCS11 is the storetype.

  • SunPKCS11-CryptoServer is the provider name, given explicitly as in the other steps so the correct PKCS#11 provider is used if more than one is configured.

  • webleckey is the alias of the key the CSR is created for.

  • ec.csr is the name of the CSR file that will be written.

  5. Get this CSR signed by the CA.

  6. Copy the signed certificate to the WebLogic server.

  7. Copy the cacerts from <java_installation_path>/jdk1.8.0_361/jre/lib/security/ to /u01/app/oracle/config/domain/admindomain/.

  8. Import the signed certificate into the HSM keystore under the same alias using the command below. The .p7b file is a PKCS#7 bundle containing the signed certificate and, usually, the issuing CA chain; keytool treats it as a certificate reply for the existing key entry, so the alias must match the one used at key generation. keytool validates the reply chain against the trusted certificates in the keystore; add -trustcacerts if the CA root is present only in the cacerts file, otherwise keytool prompts before installing an untrusted top-level certificate (and fails with -noprompt).

›_ Console

# keytool -importcert -alias webleckey -file /home/ec_demo.p7b -storetype PKCS11 -keystore NONE -providername SunPKCS11-CryptoServer -storepass 12345678

[Screenshots: import user certificate into keystore]

  9. Verify that keytool now shows the CA-signed certificate chain for the alias. The issuer of the first certificate should be the CA, not the subject itself as it was for the self-signed placeholder.

›_ Console

# keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 12345678 -v

The parameters are the same as in the earlier list step: NONE for the keystore, PKCS11 for the storetype, the slot PIN for -storepass, and SunPKCS11-CryptoServer for the provider name.

[Screenshots: keytool list output]
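To check the result programmatically instead of reading keytool output, the following Java program (added here as an example; it is not part of the original guide or of Utimaco's tooling) opens the same PKCS11 keystore through the SunPKCS11-CryptoServer provider, confirms that the alias is a private-key entry whose key material cannot be extracted from the HSM, checks that the stored chain is the CA-issued one rather than the self-signed placeholder, and performs a sign/verify round trip through the HSM. It assumes the provider is already registered under the name the keytool commands above use, and it takes the alias and the slot PIN as arguments; the class name HsmKeyCheck and the argument handling are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/**
 * HsmKeyCheck: confirms that the alias created with keytool is a private-key
 * entry whose key material stays inside the HSM and that it can still sign.
 *
 * Assumptions (example code, not from the original guide):
 *  - the SunPKCS11 provider is already registered as "SunPKCS11-CryptoServer"
 *    (the name used by the keytool commands above), e.g. via java.security;
 *  - the alias and slot PIN are passed as arguments, not hard-coded.
 */
public class HsmKeyCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java HsmKeyCheck <alias> <slot-PIN>");
            System.exit(2);
        }
        String alias = args[0];
        char[] pin = args[1].toCharArray();

        Provider p11 = Security.getProvider("SunPKCS11-CryptoServer");
        if (p11 == null) {
            throw new IllegalStateException("provider SunPKCS11-CryptoServer is not registered");
        }

        // Same keystore keytool opens with -keystore NONE -storetype PKCS11.
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);

        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException(alias + " is not a key entry (only a trusted certificate?)");
        }

        PrivateKey priv = (PrivateKey) ks.getKey(alias, pin);
        if (!"EC".equals(priv.getAlgorithm())) {
            throw new IllegalStateException(alias + ": expected an EC key, got " + priv.getAlgorithm());
        }
        // SunPKCS11 returns null here for a key the token marks CKA_SENSITIVE or
        // non-CKA_EXTRACTABLE: the private bytes never leave the HSM. A non-null
        // value means the key is exportable, which defeats the point of an HSM key.
        if (priv.getEncoded() != null) {
            throw new IllegalStateException(alias + ": private key is extractable from the HSM");
        }

        // After -importcert the entry should carry the CA-issued chain, not the
        // self-signed placeholder that -genkey created.
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];
        boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
        System.out.println("subject : " + leaf.getSubjectX500Principal());
        System.out.println("issuer  : " + leaf.getIssuerX500Principal());
        System.out.println("chain   : " + chain.length + " certificate(s)"
                + (selfSigned ? " (self-signed placeholder, CSR reply not imported yet?)" : ""));
        leaf.checkValidity(); // throws if the certificate is expired or not yet valid

        // Sign a constructed probe inside the HSM and verify with the certificate's
        // public key: proves key and certificate belong together and the token works.
        byte[] probe = "hsm-key-check probe".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withECDSA", p11);
        signer.initSign(priv);
        signer.update(probe);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(leaf.getPublicKey());
        verifier.update(probe);
        if (!verifier.verify(sig)) {
            throw new IllegalStateException(alias + ": HSM signature does not verify against the certificate");
        }
        System.out.println("OK: " + alias + " is HSM-resident, non-extractable, and signs/verifies");
    }
}
```

Compile and run it with the same JDK that WebLogic uses, for example `javac HsmKeyCheck.java && java HsmKeyCheck webleckey <slot_PIN>`. If the chain is reported as a self-signed placeholder, the -importcert step has not replaced the certificate created at key generation; if the private key is reported as extractable, the key was created with a template that allows export and should be regenerated with a non-extractable template before it is used for TLS.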