This section demonstrates how to use KMES Series 3 to create a private key and a Curity Server Transport Layer Security (TLS) certificate for use with the Java keystore. The keytool utility will be used to list the signing certificate, confirming that both the private key and certificate were successfully imported into the keystore. These steps ensure that the KMES Series 3 can be used to store private keys for Curity Identity Server, as well as the self-signed TLS certificate in the next section. Perform the following tasks to create a CA for the Android APK Signing key pair:
  1. Create a new X.509 certificate container.
  2. Generate a new key pair for the TLS server certificate.
  3. Create an approval group for TLS signing.
  4. Add an issuance policy to the TLS server certificate.

Create a certificate container

Perform the following steps to create a new X.509 certificate container:
1. Open the KMES dashboard in a browser.
2. Log in under dual-control using the administrator identities.
3. Select PKI on the left hand side > Certificate Authorities.
4. Select [ Add CA ] at the bottom of the page or right-click anywhere in the window and select Add CA….
5. In the pop-up menu, specify the following information for the Certificate Container:
  • Name: Enter Curity.
  • Host: Select None.
  • Type: Select X.509.
  • Owner group: In the drop-down menu, select the Curity role created in a previous section.
6. Select [ OK ].

Generate a certificate and a key pair

Perform the following steps to generate a new key pair for the Android APK signing client:
1. Right-click the X.509 certificate container you created and select Add Certificate > New Certificate.
2. In the Subject DN tab of the certificate creation wizard, select the Classic Preset in the drop-down menu and specify Demo_1 as the Common Name for the certificate.
3. In the Basic Info tab, you can leave the values set to the defaults.
4. In the V3 Extensions tab, select TLS Server Certificate in the Profile drop-down menu.
5. Select [ OK ] to finish creating the TLS Server certificate and the key pair.

Create an approval group

Perform the following steps to create an approval group for PKI signing:
1. Select PKI on the left hand side > Signing Workflow.
2. Select [ Add Approval Group ] at the bottom of the page or right-click anywhere in the window and select Add Approval Group….
3. Specify Curity as the Name for the approval group and select [ OK ].
4. Right-click the newly created approval group and select Permission….
5. In the Permission drop-down list, next to the role created for Curity, select Use, and then select [ OK ].

Add an issuance policy

Perform the following steps to add an issuance policy to the Android APK Signing client certificate:
1. Select PKI on the left hand side > Certificate Authorities.
2. Expand the Curity container view by selecting the plus (+) icon next to it.
3. Right-click the Demo_1 certificate and select Issuance Policy > Add….
4. In the Basic Info tab, configure the following settings:
  • Approvals: Select 0. Note: The zero-approval policy requires Anonymous Signing, which will be enabled in a later step.
  • Allowed hashes: Select SHA1 only.
5. In the X.509 tab, set the Default approval group to Curity.
6. In the Object Signing tab, select the Allow object signing checkbox.
7. Select [ OK ] to apply the Issuance Policy to the Demo_1 certificate.
8. Right-click the Demo_1 certificate and select Change Security Usage….
9. In the Security Usage drop-down menu, select the Anonymous Signing checkbox.
10. Select [ OK ] to apply the change.

Verify that the private key entry linked to the TLS server certificate is in the Java keystore

Note: The keytool application is included in the JDK installation, so you can run the keytool command in this section with no additional configuration.
In a terminal of the device that will be signing APKs, run the following command:

  keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex

When prompted for the keystore password, enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
If the command succeeds, you should see an output similar to the following:
Keystore type: PKCS11
Keystore provider: SunPKCS11-Futurex

Your keystore contains 1 entry

CurityDemo1, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 00:7B:83:00:AE:6A:CF:64:FA:C0:3F:B4:40:55:E2:9C:12:26:43:C7:D4:92:4E:DA:20:E2:E5:96:4B:48:1F:D3
Warning: If the name of the PrivateKeyEntry contains colons (e.g., Curity:Demo\1:c), the private key cannot be used by Curity, since Curity does not allow colons in the name. Refer to the bottom of the section Edit the Futurex PKCS #11 configuration file to add the needed line to the fxpkcs11.cfg file to fix this issue.
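As an added example (not part of the Futurex or Curity documentation), the following POSIX shell functions parse the output of the keytool -list command above and check both points this section raises: that the expected PrivateKeyEntry is present, and that no private-key alias contains a colon. The sample listing, aliases and fingerprints are constructed placeholders; on the signing host you would pass the real keytool output instead.

```shell
#!/bin/sh
# Added example, not from the Futurex/Curity guide: parse `keytool -list`
# output and check (a) that the expected alias is a PrivateKeyEntry and
# (b) that no private-key alias contains a colon, which Curity rejects.
# SAMPLE_OUTPUT is constructed to resemble keytool's PKCS11 listing; the
# aliases and fingerprints are placeholders, not values from a real HSM.
SAMPLE_OUTPUT='Keystore type: PKCS11
Keystore provider: SunPKCS11-Futurex

Your keystore contains 2 entries

CurityDemo1, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
Curity:Demo\1:c, PrivateKeyEntry,
Certificate fingerprint (SHA-256): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

# On the signing host, capture the real listing instead (keytool prompts for
# the <CRYPTO-OPR-PASS> identity password from fxpkcs11.cfg):
#   LISTING=$(keytool -list -keystore NONE -storetype PKCS11 \
#     -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex)

# Print the alias of every PrivateKeyEntry. The alias is the first ', '-separated
# field, so this also works when keytool prints a creation date before the type.
private_key_aliases() {
  printf '%s\n' "$1" | awk -F', ' '/, PrivateKeyEntry,/ { print $1 }'
}

# Succeed only if $2 is listed as a PrivateKeyEntry (exact, fixed-string match).
has_private_key() {
  private_key_aliases "$1" | grep -qxF -- "$2"
}

# Print private-key aliases that contain a colon; succeed only if there are none.
# Fingerprint lines also contain colons, so only alias fields are inspected.
colon_aliases() {
  bad=$(private_key_aliases "$1" | grep -F -- ':' || true)
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# Combined check: 0 if $2 is present and no private-key alias has a colon,
# 1 if the alias is missing, 2 if a colon-bearing alias was found.
verify_keystore() {
  has_private_key "$1" "$2" || { echo "missing PrivateKeyEntry for $2" >&2; return 1; }
  colon_aliases "$1" >/dev/null || { echo "colon in private key alias; see the fxpkcs11.cfg note" >&2; return 2; }
  return 0
}

# Stand-alone run against the constructed sample (reports, never aborts).
if verify_keystore "$SAMPLE_OUTPUT" CurityDemo1; then echo "keystore OK"; else echo "keystore check failed"; fi
```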