This section demonstrates how to use CryptoHub to create a private key and a Transport Layer Security (TLS) server certificate for Curity Identity Server, exposed through a Java keystore. The keytool utility is then used to list the keystore, confirming that both the private key and the certificate are accessible through the PKCS #11 provider. These steps confirm that CryptoHub can store private keys for Curity Identity Server and, in the next section, the self-signed TLS certificate. Perform the following tasks:
  1. Create a new X.509 certificate container.
  2. Generate a new key pair for the TLS server certificate.
  3. Create an approval group for TLS signing.
  4. Add an issuance policy to the TLS server certificate.

Create a certificate container

Perform the following steps to create a new X.509 certificate container:
1. Go to the CryptoHub web UI in a browser.
2. Log in under dual control using the administrator identities.
3. Select PKI and CA on the left-hand side > Certificate Management.
4. Select [ Add CA ] at the bottom of the page, or right-click anywhere in the window and select Add CA….
5. In the pop-up menu, specify the following information for the certificate container:
  • Name: Enter Curity.
  • Host: Select None.
  • Type: Select X.509.
  • Owner group: In the drop-down menu, select the Curity role created in a previous section.
6. Select [ OK ].

Generate a certificate and a key pair

Perform the following steps to generate a new key pair for Curity Identity Server to use:
1. Right-click the X.509 certificate container you created and select Add Certificate > New Certificate.
2. In the Subject DN tab of the certificate creation wizard, select the Classic preset in the drop-down menu and specify Demo_1 as the Common Name for the certificate.
3. In the Basic Info tab, you can leave the values at their defaults.
4. In the V3 Extensions tab, select TLS Server Certificate in the Profile drop-down menu.
5. Select [ OK ] to finish creating the TLS server certificate and its key pair.

Create an approval group

Perform the following steps to create an approval group for PKI signing:
1. Select PKI and CA on the left-hand side > PKI Signing Approvals.
2. Select [ Add Approval Group ] at the bottom of the page, or right-click anywhere in the window and select Add Approval Group….
3. Specify Curity as the Name for the approval group and select [ OK ].
4. Right-click the newly created approval group and select Permission….
5. In the Permission drop-down list, next to the role created for Curity, select Use, and then select [ OK ].

Add an issuance policy

Perform the following steps to add an issuance policy to the Demo_1 certificate:
1. Select PKI on the left-hand side > Certificate Authorities.
2. Expand the Curity container view by selecting the plus (+) icon next to it.
3. Right-click the Demo_1 certificate and select Issuance Policy > Add….
4. In the Basic Info tab, configure the following settings:
  • Approvals: Select 0. Note: A zero-approval policy requires Anonymous Signing, which is enabled in a later step. Together these remove the approval check on signing operations with this key, which is acceptable for this demo but should be reconsidered for a production deployment.
  • Allowed hashes: Select SHA1 only. Note: SHA-1 is deprecated for digital signatures; this setting follows the demo configuration, and a production policy should allow SHA-256 where the consuming application supports it.
5. In the X.509 tab, set the Default approval group to Curity.
6. In the Object Signing tab, select the Allow object signing checkbox.
7. Select [ OK ] to apply the issuance policy to the Demo_1 certificate.
8. Right-click the Demo_1 certificate and select Change Security Usage….
9. In the Security Usage drop-down menu, select the Anonymous Signing checkbox.
10. Select [ OK ] to apply the change.

Verifying that the private key entry linked to the TLS server certificate is in the Java keystore

Note: The keytool application is included in the JDK installation, so you can run the keytool command in this section with no additional configuration beyond the Futurex PKCS #11 setup.
In a terminal on the host that has the Futurex PKCS #11 library (fxpkcs11.cfg) configured and that will run Curity Identity Server, run the following command:
Shell
keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
When prompted for the keystore password, enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file. This form of the command relies on the SunPKCS11 provider already being registered in java.security with the Futurex PKCS #11 configuration; on JDK 9 and later you can instead pass the configuration file explicitly with -addprovider SunPKCS11 -providerArg <config file>.
If the command succeeds, you should see output similar to the following. The entry type PrivateKeyEntry is what confirms that the private key, and not only the certificate, is accessible through this identity; an entry listed as trustedCertEntry would mean the certificate is visible but the key is not.
Keystore type: PKCS11
Keystore provider: SunPKCS11-Futurex

Your keystore contains 1 entry

CurityDemo1, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 00:7B:83:00:AE:6A:CF:64:FA:C0:3F:B4:40:55:E2:9C:12:26:43:C7:D4:92:4E:DA:20:E2:E5:96:4B:48:1F:D3
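The following shell script is an added example and is not part of the Futurex or Curity documentation. It automates the keytool check so that a deployment pipeline can fail if the expected alias is missing or is not a PrivateKeyEntry, instead of relying on a manual read of the listing. It assumes a small SunPKCS11 configuration file pointing at the Futurex PKCS #11 module (the library path below is a placeholder), uses the JDK 9+ -addprovider/-providerArg form of the command, reads the keystore password from an environment variable via -storepass:env so it never appears in the process list, and parses a listing constructed from the sample output shown above.

```shell
#!/bin/sh
# Added example, not from the Futurex/Curity documentation.
# Verifies that a PKCS#11-backed Java keystore exposes the expected private key.

# Hypothetical SunPKCS11 config. 'name = Futurex' yields the provider name
# SunPKCS11-Futurex used on the page; the library path is an assumption.
write_sunpkcs11_cfg() {
    cfg="$1"
    cat > "$cfg" <<'EOF'
name = Futurex
library = /usr/local/lib/libfxpkcs11.so
EOF
}

# Run keytool against the PKCS#11 keystore and return the listing on stdout.
# The password (the <CRYPTO-OPR-PASS> identity password) is taken from
# $KEYSTORE_PASS via -storepass:env; if unset, keytool prompts for it.
list_pkcs11_keystore() {
    cfg="$1"
    if [ -n "$KEYSTORE_PASS" ]; then
        keytool -list -keystore NONE -storetype PKCS11 \
            -addprovider SunPKCS11 -providerArg "$cfg" \
            -storepass:env KEYSTORE_PASS
    else
        keytool -list -keystore NONE -storetype PKCS11 \
            -addprovider SunPKCS11 -providerArg "$cfg"
    fi
}

# Check that LISTING (keytool -list output) contains ALIAS as a
# PrivateKeyEntry and print its SHA-256 fingerprint.
# Returns 0 on success, 1 if the alias is missing or is not a
# PrivateKeyEntry (e.g. only a trustedCertEntry), 2 if the listing is not
# from a PKCS11 keystore, 3 if the fingerprint line is malformed.
verify_private_key_entry() {
    listing="$1"
    alias="$2"
    printf '%s\n' "$listing" | grep -Fq 'Keystore type: PKCS11' || return 2
    entry=$(printf '%s\n' "$listing" |
        awk -v a="$alias," 'index($0, a) == 1 { print; exit }')
    [ -n "$entry" ] || return 1
    case "$entry" in
        *PrivateKeyEntry*) ;;
        *) return 1 ;;
    esac
    # The fingerprint line follows the alias line; strip everything up to ": ".
    fp=$(printf '%s\n' "$listing" |
        awk -v a="$alias," 'index($0, a) == 1 { found = 1; next }
             found && /Certificate fingerprint/ { sub(/.*: /, ""); print; exit }')
    printf '%s\n' "$fp" | grep -Eq '^([0-9A-F]{2}:){31}[0-9A-F]{2}$' || return 3
    printf '%s\n' "$fp"
}

# Constructed sample listing, modelled on the output shown on the page, with a
# second entry added to show how a certificate-only entry is rejected.
SAMPLE_LISTING='Keystore type: PKCS11
Keystore provider: SunPKCS11-Futurex

Your keystore contains 2 entries

CurityDemo1, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 00:7B:83:00:AE:6A:CF:64:FA:C0:3F:B4:40:55:E2:9C:12:26:43:C7:D4:92:4E:DA:20:E2:E5:96:4B:48:1F:D3
CurityRootCA, trustedCertEntry, 
Certificate fingerprint (SHA-256): A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90'

# End-to-end run against the real HSM: writes the config, lists the keystore,
# and checks the alias given as $1 (default CurityDemo1).
main() {
    cfg=$(mktemp)
    write_sunpkcs11_cfg "$cfg"
    listing=$(list_pkcs11_keystore "$cfg")
    rm -f "$cfg"
    if fp=$(verify_private_key_entry "$listing" "${1:-CurityDemo1}"); then
        echo "OK: private key reachable, certificate fingerprint $fp"
    else
        echo "FAIL: ${1:-CurityDemo1} is not a PrivateKeyEntry in the PKCS11 keystore" >&2
        exit 1
    fi
}

# Only talk to the HSM when explicitly requested, so the functions can be
# sourced and tested offline against SAMPLE_LISTING.
if [ "${RUN_KEYTOOL:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as `RUN_KEYTOOL=1 KEYSTORE_PASS=... sh check_keystore.sh CurityDemo1` on the host with the Futurex PKCS #11 library installed; a non-zero exit means the key is not usable from Java, which is the failure you would otherwise only discover when Curity Identity Server tries to start TLS.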