PrivateKeyEntry with no CryptoHub UI step.
The JDK installation includes the
keytool application that enables you to run the keytool commands in this section with no additional configuration.Generate a key pair
Perform the following steps to generate a key pair on the CryptoHub:1
Export FXPKCS11_CFG so the Futurex PKCS #11 library can locate its configuration file (
fxpkcs11.cfg). Point it at the fxpkcs11.cfg you configured in Install and configure Futurex PKCS #11:Shell
On Windows, set
FXPKCS11_CFG as a machine-wide variable with setx instead (see Configure SunPKCS11 to use the Futurex PKCS11 module). If you set fxpkcs11.cfg in its default location, this step is not required.2
Execute the following command, passing the
pkcs11.cfg file you created in the previous section with -providerArg. Set -alias and -dname to a value that identifies this signing key:Text
The keytool application generates the key pair on the CryptoHub and self-signs a certificate for it. With no
-storepass on the command line, keytool prompts for the KeyStore password.3
When prompted for the KeyStore password, enter the CryptoHub identity password (PKCS #11 PIN) configured inside the
<CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.Verify the key pair
Run the following keytool command to confirm the key pair generated on the CryptoHub and lists aPrivateKeyEntry:
Shell
The response is similar to the following:
Shell

