Skip to main content
This section demonstrates how to use CryptoHub to create a private key and an Apache Tomcat Server TLS certificate for use with the Java keystore. Finally, the keytool utility will be used to list the TLS certificate, confirming that the private key and certificate were successfully imported into the keystore. These steps ensure that Apache Tomcat is configured to use the HSM-backed server certificate for TLS, allowing clients to verify the server during HTTPS connections. Perform the following tasks to create a server certificate and key pair:
  1. Create a new X.509 certificate container.
  2. Generate a new key pair for the Apache Tomcat TLS Server certificate.
  3. Create an approval group for the TLS server certificate.
  4. Add an issuance policy to the TLS server certificate.

Create a certificate container

Perform the following steps to create a new X.509 certificate container:
1
Open the CryptoHub web dashboard in a browser.
2
Log in under dual-control using the administrator identities.
3
Select PKI and CA on the left hand side > Certificate Management.
4
Select [ Add CA ] at the bottom of the page or right-click anywhere in the window and select Add CA.
5
In the pop-up menu, specify the following information for the Certificate Container:
  • Name: Enter Apache Tomcat.
  • Host: Select None.
  • Type: Select X.509.
  • Owner group: In the drop-down menu, select the role automatically created for the Apache Tomcat service you deployed.
6
Select [ OK ].

Generate a key pair

Perform the following steps to generate a new key pair for the Apache Tomcat TLS server:
1
Right-click the X.509 certificate container you created and select Add Certificate > New Certificate.
2
In the Subject DN tab of the certificate creation wizard, select the Classic Preset in the drop-down menu and specify futurex-tomcat as the Common Name for the certificate.
3
In the Basic Info tab, select the Type as ECC, select the Curve as Prime 256 (or higher), and select Anonymous Signing for Security Usage.
4
In the V3 Extensions tab, in the Profile tab, select TLS Server Certificate.
5
Select [ OK ] to finish creating the Apache Tomcat TLS Server certificate key pair.

Create an approval group

Perform the following steps to create an approval group for PKI signing:
1
On the PKI and CA page, select PKI Signing Approvals at the top
2
Select [ Add Approval Group ] at the bottom of the page or right-click anywhere in the window and select Add Approval Group.
3
Specify Tomcat as the Name for the approval group and select [ OK ].
4
Right-click the newly created approval group and select Permission.
5
In the first drop-down list, select the role automatically created for the Apache Tomcat service you deployed, and select [ Add ].
6
In the Permission drop-down menu for the Apache Tomcat role, select the Use permission.
7
Select [ Save ].

Add an issuance policy

Perform the following steps to add an issuance policy to the Android APK Signing client certificate:
1
On the PKI and CA page, select Certificate Management at the top
2
Expand the Apache Tomcat certificate container view by selecting the plus (+) icon next to it.
3
Right-click the futurex-tomcat certificate and select Issuance Policy > Add.
4
In the Basic Info tab, configure the following settings:
  • Approvals: Select 0.
  • Allowed hashes: Select SHA-256, SHA-384, SHA-512, and SHA-224.
5
In the X.509 tab, set the Default approval group to Tomcat.
6
In the Object Signing tab, select the Allow object signing checkbox.
7
Select [ OK ] to apply the Issuance Policy to the futurex-tomcat certificate.

Verifying the Private Key and Certificate in the Java Keystore

The keytool application is included in the JDK installation, so you can run the keytool command in this section with no additional configuration.
In a terminal of the device that will be signing APKs, run the following command:
Shell
keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
When prompted for the keystore password, enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
If the command succeeds, you should see an output similar to the following:
None
Keystore type: PKCS11
Keystore provider: SunPKCS11-Futurex

Your keystore contains 1 entry

Apache Tomcat:futurex-tomcat:C, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 31:25:8E:83:D8:D9:DA:A3:03:33:E8:1B:27:29:B8:E4:B4:24:18:1E:17:7C:A0:CE:6A:3D:C0:E3:D1:97:71:0D
Important: Take note of the title (in this example, Apache Tomcat:futurex-tomcat:C) of the entry as that will be needed for the server.xml file in the next section.