For OpenJDK8 with RSA Key

  1. Log in as the root user and generate a key pair on the Utimaco HSM.

›_ Console

# keytool -genkey -keyalg RSA -keysize 2048 -keystore NONE -storetype CryptoServer -storepass 12345678 -providername CryptoServer -alias weblogicrsa

Provide information when prompted.

Here:

  • RSA is the key algorithm.

  • 2048 is the key size.

  • NONE is the keystore for HSM.

  • CryptoServer is the storetype.

  • 12345678 is the slot PIN.

  • CryptoServer is the provider name.

  • weblogicrsa is the key name that will be generated on Utimaco HSM.


Key generation using keytool command

Self-signed certificates do not work with the WebLogic server.

  2. Verify that the keys have been generated using the keytool command.

›_ Console

# keytool -list -keystore NONE -storetype CryptoServer -providername CryptoServer -storepass 12345678 -v

Here:

  • NONE is the keystore for HSM.

  • CryptoServer is the storetype.

  • 12345678 is the slot PIN.

  • CryptoServer is the provider name.


Listkeys output

  3. List the keys using cxitool.

›_ Console

# /opt/utimaco/bin/cxitool Dev=3001@127.0.0.1 Logonpass=weblogic,12345678 Group=Cryptoserver Listkeys

List Keys output using cxitool

  4. Generate a CSR using the keytool command.

›_ Console

# keytool -certreq -alias weblogicrsa -file rsa.csr -storetype CryptoServer -keystore NONE -v

Provide the keystore password when prompted.

Here:

  • NONE is the keystore for HSM.

  • CryptoServer is the storetype.

  • CryptoServer is the provider name.

  • weblogicrsa is the key name.

  • rsa.csr is the CSR file name that will be generated.

  5. Get this CSR signed by a CA.

  6. Copy the signed certificate to the WebLogic server.

  7. Import the root certificate into the HSM keystore.

›_ Console

# keytool -importcert -alias RootCA -file /home/LAbCA-Root.crt -storetype CryptoServer -keystore NONE -providername CryptoServer -storepass 12345678

Importing root certificate

  8. Import the signed certificate reply using the command below.

›_ Console

# keytool -importcert -alias weblogicrsa -file /home/rsa_demo.pem -storetype CryptoServer -keystore NONE -providername CryptoServer -storepass 12345678

Import user certificate into keystore

  9. List the keystore entries.

›_ Console

# keytool -list -keystore NONE -storetype CryptoServer -providername CryptoServer -storepass 12345678 -v

Listkeys output
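As an added example that is not part of this guide or of the Utimaco tooling, the POSIX shell check below reads the text printed by the final keytool listing step and confirms the three things WebLogic needs before the alias is usable: the alias exists as a PrivateKeyEntry, its leaf certificate is issued by the CA rather than self-signed (the guide notes that self-signed certificates do not work with WebLogic), and the chain contains the root that was imported. The two listings embedded in the script are constructed samples in the format of `keytool -list -v`; the subject names, dates and the `check_weblogic_entry` and `alias_block` function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the guide. Validates a `keytool -list -v` dump
# from the CryptoServer keystore before handing the alias to WebLogic.

# Constructed sample: the listing after steps 7 and 8 (root imported, signed
# reply imported). Subject/issuer names are invented placeholders.
SAMPLE_LISTING='Keystore type: CryptoServer
Keystore provider: CryptoServer

Your keystore contains 2 entries

Alias name: rootca
Creation date: Jan 1, 2020
Entry type: trustedCertEntry

Owner: CN=Lab Root CA, O=Example
Issuer: CN=Lab Root CA, O=Example

Alias name: weblogicrsa
Creation date: Jan 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=weblogic.example.internal, O=Example
Issuer: CN=Lab Root CA, O=Example
Certificate[2]:
Owner: CN=Lab Root CA, O=Example
Issuer: CN=Lab Root CA, O=Example
'

# Constructed sample: the same alias straight after -genkey (step 1), before
# the CA reply was imported. The leaf is self-signed and the chain is length 1.
SELF_SIGNED_LISTING='Alias name: weblogicrsa
Creation date: Jan 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=weblogic.example.internal, O=Example
Issuer: CN=weblogic.example.internal, O=Example
'

# Print only the block belonging to one alias ("Alias name:" up to the next
# alias or end of listing). keytool stores aliases case-insensitively, so
# the comparison ignores case.
alias_block() {
  printf '%s\n' "$1" | awk -v a="$2" '
    /^Alias name: / { inblock = (tolower($3) == tolower(a)) }
    inblock { print }'
}

# Usage: check_weblogic_entry "<listing text>" <alias>
# Exit codes: 0 ok, 1 alias missing, 2 not a PrivateKeyEntry,
#             3 leaf self-signed, 4 chain too short.
check_weblogic_entry() {
  block=$(alias_block "$1" "$2")
  [ -n "$block" ] || { echo "alias '$2' not found in keystore"; return 1; }

  printf '%s\n' "$block" | grep -q '^Entry type: PrivateKeyEntry' \
    || { echo "alias '$2' is not a PrivateKeyEntry"; return 2; }

  # Owner/Issuer of Certificate[1], the leaf that WebLogic presents.
  owner=$(printf '%s\n' "$block" | awk '/^Certificate\[1\]:/ {f=1}
    f && /^Owner: / { sub(/^Owner: /, ""); print; exit }')
  issuer=$(printf '%s\n' "$block" | awk '/^Certificate\[1\]:/ {f=1}
    f && /^Issuer: / { sub(/^Issuer: /, ""); print; exit }')
  [ -n "$owner" ] && [ "$owner" != "$issuer" ] \
    || { echo "leaf certificate for '$2' is self-signed; import the CA reply"; return 3; }

  len=$(printf '%s\n' "$block" | awk '/^Certificate chain length:/ { print $4 }')
  [ "${len:-0}" -ge 2 ] \
    || { echo "chain length ${len:-0} for '$2'; root certificate missing"; return 4; }

  echo "alias '$2' ok: issued by $issuer, chain length $len"
  return 0
}

# Stand-alone run over the constructed samples. On a real host, feed the
# listing in instead, e.g.:
#   LISTING=$(keytool -list -keystore NONE -storetype CryptoServer \
#             -providername CryptoServer -storepass "$PIN" -v)
#   check_weblogic_entry "$LISTING" weblogicrsa
check_weblogic_entry "$SAMPLE_LISTING" weblogicrsa
check_weblogic_entry "$SELF_SIGNED_LISTING" weblogicrsa || echo "(expected failure, code $?)"
```

The check is deliberately text-based so it works against whatever `keytool` version OpenJDK 8 ships; it does not talk to the HSM itself, so the slot PIN is only needed to produce the listing, never by the script.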