Assign the key pair to a certificate and apply an issuance policy
You must complete the tasks in this section in the CryptoHub UI to enable the PKCS #11 library to find the key pair generated by using Java keytool in the previous section. This process involves creating a certificate object from the key pair and assigning it an issuance policy.
Log in to the CryptoHub UI under dual control with your administrator identities.
Go to PKI and CA > PKI Signing Approvals.
Select [ Add Approval Group ] at the bottom of the page or right-click the window background and select Add Approval Group.
Enter a name for the approval group and select [ OK ].
Right-click the new approval group and select Permission.
Select the Java Jarsigner role in the drop-down menu and select [ Add ]. Then, grant the role the Use permission and select [ Save ].
Go to PKI and CA > Certificate Management.
Select [ Add CA ] at the bottom of the page or right-click the window background and select Add CA.
Enter a name for the X.509 certificate container and change the Owner group to the Java Jarsigner service role. Then, select [ OK ].
Right-click the new X.509 certificate container and select Add Certificate > From Private Key.
Select the private key you created by using Java keytool in the previous section and select [ OK ].
In the Subject DN tab, make the following changes:
- Preset: Select Classic.
- Common Name: Enter any name.
In the Basic Info tab:
- Leave all default values set.
In the V3 Extensions tab:
- Select the Code Signing Certificate Profile.
Select [ OK ].
Right-click the Java Jarsigner code signing certificate and select Issuance Policy > Add.
In the Basic Info tab, make the following changes:
- Approvals: Select 0.
- Allowed hashes: Select SHA-384.
In the X.509 tab, make the following change:
- Default approval group: Select the approval group you created.
In the Object Signing tab, make the following change:
- Allow object signing: Select the checkbox to enable.
Select [ OK ].