For OpenJDK8 with RSA Key

  1. Log in as the root user and generate a key pair on the Utimaco HSM.

›_ Console

# keytool -genkey -alias weblkey -keyalg RSA -keysize 2048 -keystore NONE -storetype PKCS11 -storepass 12345678 -providername SunPKCS11-CryptoServer -v

Provide the certificate's distinguished-name details when prompted.

Here:

  • RSA is the key algorithm.

  • 2048 is the key size in bits.

  • NONE is the keystore, because the keys are held on the HSM rather than in a keystore file.

  • PKCS11 is the storetype.

  • 12345678 is the slot PIN, passed as the keystore password.

  • SunPKCS11-CryptoServer is the provider name.

  • weblkey is the alias of the key that will be generated on the Utimaco HSM.

[Screenshot: Key generation using keytool command]

Note: a self-signed certificate does not work with WebLogic Server, so the CSR generated below must be signed by a CA.

  2. Verify that the key pair was generated, using the keytool command.

›_ Console

# keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 12345678 -v

Here:

  • NONE is the keystore, because the keys are held on the HSM rather than in a keystore file.

  • PKCS11 is the storetype.

  • 12345678 is the slot PIN, passed as the keystore password.

  • SunPKCS11-CryptoServer is the provider name.

[Screenshot: List keys output]

  3. List the key objects on the HSM side using p11tool2.

›_ Console

# /opt/utimaco/bin/p11tool2 Slot=0 LoginUser=<slot_PIN> ListObjects

[Screenshot: List keys output using p11tool2]

  4. Generate a CSR using the keytool command.

›_ Console

# keytool -certreq -alias weblkey -file rsa.csr -storetype PKCS11 -keystore NONE -v

Provide the keystore password when prompted.

Here:

  • NONE is the keystore, because the keys are held on the HSM rather than in a keystore file.

  • PKCS11 is the storetype.

  • weblkey is the alias of the key whose CSR is generated.

  • rsa.csr is the name of the CSR file that will be written.

  5. Get this CSR signed by a CA.

  6. Copy the signed certificate to the WebLogic server.

  7. Copy the cacerts file from <java_installation_path>/jdk1.8.0_361/jre/lib/security/ to /u01/app/oracle/config/domain/admindomain/.

  8. Import the signed certificate reply using the following command.

›_ Console

# keytool -importcert -alias weblkey -file /home/rsa_demo.p7b -storetype PKCS11 -keystore NONE -providername SunPKCS11-CryptoServer -storepass 12345678

[Screenshot: Import user certificate into keystore]

  9. Verify that the keytool command now shows the CA-signed certificate for the alias.

›_ Console

# keytool -list -keystore NONE -storetype PKCS11 -providername SunPKCS11-CryptoServer -storepass 12345678 -v

Here:

  • NONE is the keystore, because the keys are held on the HSM rather than in a keystore file.

  • PKCS11 is the storetype.

  • 12345678 is the slot PIN, passed as the keystore password.

  • SunPKCS11-CryptoServer is the provider name.

[Screenshot: Keytool list output]
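As an added example, not part of the original procedure, the checks that the two keytool -list verification steps perform by eye can be done programmatically from OpenJDK 8: open the PKCS11 keystore through the SunPKCS11-CryptoServer provider, confirm that weblkey is an RSA 2048 private-key entry, and confirm that its certificate is CA-signed and chains to the cacerts copy in the domain directory. The cacerts password changeit is the JDK default and an assumption.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class CheckHsmKey {
    // Values taken from the procedure above; cacerts is the copy placed in the domain directory.
    static final String PROVIDER = "SunPKCS11-CryptoServer";
    static final String ALIAS = "weblkey";
    static final char[] PIN = "12345678".toCharArray();
    static final String CACERTS = "/u01/app/oracle/config/domain/admindomain/cacerts";
    static final char[] CACERTS_PASS = "changeit".toCharArray(); // assumed JDK default; change if different

    public static void main(String[] args) throws Exception {
        // Keystore NONE with type PKCS11: the private key stays on the HSM, only a handle is returned.
        KeyStore hsm = KeyStore.getInstance("PKCS11", PROVIDER);
        hsm.load(null, PIN);
        if (!hsm.isKeyEntry(ALIAS)) {
            throw new IllegalStateException(ALIAS + " is not a private-key entry on the HSM");
        }
        Certificate[] chain = hsm.getCertificateChain(ALIAS);
        X509Certificate leaf = (X509Certificate) chain[0];
        // The procedure generated RSA 2048; reject anything weaker.
        int bits = ((RSAPublicKey) leaf.getPublicKey()).getModulus().bitLength();
        if (bits < 2048) throw new IllegalStateException("RSA key too small: " + bits + " bits");
        // A self-signed certificate does not work with WebLogic Server, so the reply must be CA-signed.
        if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            throw new IllegalStateException(ALIAS + " still holds the self-signed certificate");
        }
        // Validate the chain against the trusted CAs in the copied cacerts.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(CACERTS)) { trust.load(in, CACERTS_PASS); }
        List<Certificate> path = new ArrayList<>(Arrays.asList(chain));
        X509Certificate last = (X509Certificate) path.get(path.size() - 1);
        if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1); // PKIX takes the root from the trust anchors, not from the path
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // no CRL/OCSP here; enable it where the host has network access
        CertPathValidator.getInstance("PKIX").validate(certPath, params);
        System.out.println("OK: " + ALIAS + " is RSA-" + bits + ", CA-signed, chain valid until " + leaf.getNotAfter());
    }
}
```

Run it with the same JDK whose java.security registers the CryptoServer PKCS11 provider; a validation failure names the check that did not pass.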