For OpenJDK8 with EC Key

  1. Generate an EC keypair on the Utimaco HSM.

›_ Console

# keytool -genkey -keyalg EC -keystore NONE -storetype CryptoServer -storepass 12345678 -providername CryptoServer -alias webleckey

Provide information when prompted.

Here:

  • EC is the key algorithm.

  • NONE is the keystore for HSM.

  • CryptoServer is the storetype.

  • 12345678 is the slot PIN.

  • CryptoServer is the provider name.

  • webleckey is the name of the key that will be generated on the Utimaco HSM.

Key Generation using keytool command output

  2. Verify that the keys have been generated.

›_ Console

# keytool -list -keystore NONE -storetype CryptoServer -providername CryptoServer -storepass 12345678 -v

Here:

  • NONE is the keystore for HSM.

  • CryptoServer is the storetype.

  • 12345678 is the slot PIN.

  • CryptoServer is the provider’s name.

Listkeys output

  3. List the keys using cxitool.

›_ Console

# /opt/utimaco/bin/cxitool Dev=3001@127.0.0.1 Logonpass=weblogic,12345678 Group=Cryptoserver Listkeys

List keys output using cxitool

  4. Generate a CSR using the keytool command.

›_ Console

# keytool -certreq -alias webleckey -file webleckey.csr -storetype CryptoServer -keystore NONE -providername CryptoServer -v

Provide the keystore password when prompted.

Here:

  • NONE is the keystore for HSM.

  • CryptoServer is the storetype.

  • CryptoServer is the provider name.

  • webleckey is the key name.

  • webleckey.csr is the CSR file name that will be generated.

  5. Get this CSR signed by a CA.

  6. Copy the signed certificate to the WebLogic server.

  7. Import the root certificate into the HSM keystore.

›_ Console

# keytool -importcert -alias RootCA -file /home/rootca.crt -storetype CryptoServer -keystore NONE -providername CryptoServer -storepass 12345678

Import root certificate into keystore

  8. Import the signed certificate reply using the command below.

›_ Console

# keytool -importcert -alias webleckey -file /home/ec_demo.pem -storetype CryptoServer -keystore NONE -providername CryptoServer -storepass 12345678

Import certificate reply into keystore

  9. List the keystore entries.

›_ Console

# keytool -list -keystore NONE -storetype CryptoServer -providername CryptoServer -storepass 12345678 -v

Here:

  • NONE is the keystore for HSM.

  • CryptoServer is the storetype.

  • 12345678 is the slot PIN.

  • CryptoServer is the provider’s name.


Keytool list output
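
What to check in the final keystore listing, as an added example (not part of the original guide or of Utimaco's tooling): the webleckey entry should be a PrivateKeyEntry whose chain has at least two certificates and whose first certificate is no longer the self-signed one created by -genkey. The helper name check_hsm_entry, the sample subject names and the English-locale keytool output format are assumptions.

```shell
# Added example. Reads `keytool -list -v` output on stdin (English locale
# assumed) and checks one alias. check_hsm_entry is a hypothetical helper name.
check_hsm_entry() {
    awk -v want="$1" '
        /^Alias name: /               { cur = substr($0, 13); cert = 0 }
        cur != want                   { next }
        /^Entry type: /               { type = substr($0, 13) }
        /^Certificate chain length: / { len = substr($0, 27) + 0 }
        /^Certificate\[[0-9]+\]:/     { cert++ }
        cert == 1 && /^Owner: /       { owner = substr($0, 8) }
        cert == 1 && /^Issuer: /      { issuer = substr($0, 9) }
        END {
            if (type != "PrivateKeyEntry") { print "FAIL: " want " has no private key entry"; exit 1 }
            if (len < 2)         { print "FAIL: chain length " len ", CA reply not installed"; exit 1 }
            if (owner == issuer) { print "FAIL: leaf certificate is still self-signed"; exit 1 }
            print "OK: " want " chains to issuer " issuer
        }'
}

# Constructed sample listing (subject names are made up), trimmed to the
# fields the check reads.
sample_listing() {
    cat <<'EOF'
Keystore type: CryptoServer
Keystore provider: CryptoServer

Alias name: RootCA
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA

Alias name: webleckey
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=weblogic.example.test
Issuer: CN=Example Root CA
Certificate[2]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
EOF
}

sample_listing | check_hsm_entry webleckey
```

Against the HSM, pipe the output of the keytool -list command shown above into check_hsm_entry webleckey in place of the sample.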