Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.futurex.com/llms.txt

Use this file to discover all available pages before exploring further.

The Tomcat secure connections rely on you storing a server private key and certificate in the Java KeyStore saved on the HSM. The system presents this server certificate to clients when they connect to the Tomcat server. Typically, you create the KeyStore by using the keytool application bundled with Java (located in $JAVA_HOME/jre/bin/). The following sections outline these tasks:
  1. Generate a server key pair (which includes a self-signed certificate to be stored in the HSM)
  2. Generate and export a CSR to be signed by an external CA (if needed)
  3. Import the external CA root certificate
  4. Import server certificate signed by the external CA
To test that you created the self-signed certificate in the HSM and that the Tomcat server is presenting it to client connections, execute the Generate a server key pair and self-signed certificate section and then move on to server configuration.
If you need a connection using an external CA, go to Generate and export CSR, sign the CSR by using an external CA authority (which you can create with OpenSSL), and finally proceed with the Import CA root certificate and Import Server Certificate Signed by CA sections.

Generate a key pair and certificate

Perform the following steps to generate a server key pair and self-signed certificate:
1
Execute the following command:
-alias sets a name to identify the key pair and certificate to be generated. It can be any name (such as tomcatdemo1), but you must use the same name in the next section, Configure Tomcat and test the server.
Shell
keytool -genkeypair -keyalg EC -alias tomcatdemo1 -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
2
When prompted, enter the following information for the server certificate you want to generate and enter a new KeyStore password. Be sure to save this password, which all subsequent keytool and jarsigner commands use:
None
What is your first and last name?
[Unknown]: www.example.com

What is the name of your organizational unit?
[Unknown]: Engineering

What is the name of your organization?
[Unknown]: Futurex

What is the name of your City or Locality?
[Unknown]: Bulverde

What is the name of your State or Province?
[Unknown]: TX

What is the two-letter country code for this unit?
[Unknown]: US

Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
[no]: yes
The previous command generates a self-signed certificate. If you need a CA-signed certificate, continue with the remaining steps. Otherwise, proceed to server configuration.

Generate and export a CSR

Perform the following steps to generate and export a CSR:
1
To generate and export a CSR, run the following command:
Shell
keytool -certreq -alias tomcatdemo1 -file example.csr -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
2
Enter the KeyStore password.
3
Send the CSR to a CA, either third-party or internal, to be signed.
You should get a signed server certificate and a root CA certificate back.

Import the certificate

Perform the following steps to import the CA root certificate:
1
To import the CA root certificate, run the following command:
Shell
keytool -import -trustcacerts -alias tomcatdemo_ca -keystore NONE -file ca.crt -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
2
Enter the KeyStore password.
3
When prompted to trust the certificate, enter yes as shown in the following example:
Shell
Trust this certificate?
[no]: yes

Certificate was added to keystore.

Import the signed certificate

Perform the following steps to import the server certificate signed by CA:
1
To import the signed server certificate, run the following command:
Shell
keytool -importcert -alias tomcatdemo1 -keystore NONE -file server.crt -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
2
Enter the KeyStore password.
If the command succeeds, you should see an output similar to the following:
Shell
Certificate reply was installed in keystore.