Create a Java KeyStore

5min
Secure connections in Curity rely on you storing a server private key and certificate in the Java KeyStore saved on the HSM. The system presents this server certificate to clients when they connect to the Tomcat server. Typically, you create the KeyStore by using the keytool application bundled with Java (usually located in $JAVA_HOME/jre/bin/). 
Perform the following tasks to create a Java KeyStore:
Generate a server key pair and self-signed certificate.
Generate and export a CSR.
Import a CA root certificate.
Import the server certificate signed by the CA.
Because the JDK 17 installation includes keytool, you can run the commands without additional configuration.
The following sections show how to perform these tasks:
1 | Generate a server key pair and self-signed certificate
1
Execute the following command:
-alias sets a name to identify the key pair and certificate to be generated. It can be any name (for example, CurityDemo). You use this name when configuring the key in Curity.
Shell
keytool -genkeypair -keyalg RSA -keysize 2048 -alias CurityDemo -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -genkeypair -keyalg RSA -keysize 2048 -alias CurityDemo -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
2
When prompted, enter the following information for the server certificate you want to generate and provide a new KeyStore password, which all subsequent keytool and jarsigner commands: 
Text
What is your first and last name?
[Unknown]: www.example.com

What is the name of your organizational unit?
[Unknown]: Engineering

What is the name of your organization?
[Unknown]: Futurex

What is the name of your City or Locality?
[Unknown]: Bulverde

What is the name of your State or Province?
[Unknown]: TX

What is the two-letter country code for this unit?
[Unknown]: US

Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
[no]: yes
What is your first and last name?
[Unknown]: www.example.com

What is the name of your organizational unit?
[Unknown]: Engineering

What is the name of your organization?
[Unknown]: Futurex

What is the name of your City or Locality?
[Unknown]: Bulverde

What is the name of your State or Province?
[Unknown]: TX

What is the two-letter country code for this unit?
[Unknown]: US

Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
[no]: yes
﻿
2 | Generate and export a CSR
1
To generate and export a CSR, run the following command:
Shell
keytool -certreq -alias CurityDemo -file example.csr -keystore NONE -storetype PKCS11 keytool -genkeypair -keyalg RSA -keysize 2048 -alias CurityDemo -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -certreq -alias CurityDemo -file example.csr -keystore NONE -storetype PKCS11 keytool -genkeypair -keyalg RSA -keysize 2048 -alias CurityDemo -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
2
Enter the KeyStore password.
3
Send the CSR to a third-party or internal CA to get it signed.
 The CA returns the server certificate and CA certificate for you to import.
3 | Import a CA root certificate
1
To import the CA root certificate, run the following command:
Shell
keytool -import -trustcacerts -alias CurityDemoCA -keystore NONE -file ssl-ca-cert.pem -storetype PKCS11 -providername SunPKCS11-Futurex
keytool -import -trustcacerts -alias CurityDemoCA -keystore NONE -file ssl-ca-cert.pem -storetype PKCS11 -providername SunPKCS11-Futurex
﻿
2
Enter the KeyStore password.
3
When prompted to trust the certificate, enter Yes as shown in the following example:
Shell
Trust this certificate?
[no]: yes

Certificate was added to keystore.
Trust this certificate?
[no]: yes

Certificate was added to keystore.
﻿
4 | Import the server certificate signed by the CA
1
To import the signed server certificate, run the following command:
Shell
keytool -importcert -alias CurityDemo -keystore NONE -file signed-example-cert.pem -storetype PKCS11 -providername SunPKCS11-Futurex
keytool -importcert -alias CurityDemo -keystore NONE -file signed-example-cert.pem -storetype PKCS11 -providername SunPKCS11-Futurex
﻿
2
Enter the KeyStore password.
If the command was successful, you should see an output similar to the following example:
Shell
Certificate reply was installed in keystore.
Certificate reply was installed in keystore.
﻿
﻿
Updated 17 Sep 2024
Did this page help you?
Edit the Futurex PKCS #11 configuration file
Configure the Futurex PKCS #11 library in Curity