Skip to main content
This section uses Java keytool to generate a new key pair on the CryptoHub, which you can use later to sign a JAR file with the Java jarsigner utility. On FXPKCS11 6.0 rev dc27 or later, this single command generates the key pair on the CryptoHub and produces a usable PrivateKeyEntry with no CryptoHub UI step.
The JDK installation includes the keytool application that enables you to run the keytool commands in this section with no additional configuration.

Generate a key pair

Perform the following steps to generate a key pair on the CryptoHub:
1
Export FXPKCS11_CFG so the Futurex PKCS #11 library can locate its configuration file (fxpkcs11.cfg). Point it at the fxpkcs11.cfg you configured in Install and configure Futurex PKCS #11:
Shell
On Windows, set FXPKCS11_CFG as a machine-wide variable with setx instead (see Configure SunPKCS11 to use the Futurex PKCS11 module). If you set fxpkcs11.cfg in its default location, this step is not required.
2
Execute the following command, passing the pkcs11.cfg file you created in the previous section with -providerArg. Set -alias and -dname to a value that identifies this signing key:
Text
The keytool application generates the key pair on the CryptoHub and self-signs a certificate for it. With no -storepass on the command line, keytool prompts for the KeyStore password.
3
When prompted for the KeyStore password, enter the CryptoHub identity password (PKCS #11 PIN) configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.

Verify the key pair

Run the following keytool command to confirm the key pair generated on the CryptoHub and lists a PrivateKeyEntry:
Shell
The response is similar to the following:
Shell
The CryptoHub assigns the on-token key its own alias in the form <alias>-<id>:<alias> (for example, jarsigner-demo-1784141140:jarsigner-demo), where <id> is generated per key. This alias, not the short -alias value you passed to keytool -genkeypair, is what jarsigner and other tools must reference. Copy the exact alias from this keytool -list output for the signing commands in Jarsigner command examples.