Create a Java KeyStore

6min
The Tomcat secure connections rely on you storing a server private key and certificate in the Java KeyStore saved on the HSM. The system presents this server certificate to clients when they connect to the Tomcat server. 
Typically, you create the KeyStore by using the keytool application bundled with Java (located in $JAVA_HOME/jre/bin/). The following sections outline these tasks:
Generate a server key pair (which includes a self-signed certificate to be stored in the HSM)
Generate and export a CSR to be signed by an external CA (if needed)
Import the external CA root certificate 
Import server certificate signed by the external CA
To test that you created the self-signed certificate in the HSM and that the Tomcat server is presenting it to client connections, execute the Generate a server key pair and self-signed certificate section and then move on to server configuration.
If you need a connection using an external CA, go to Generate and export CSR, sign the CSR by using an external CA authority (which you can create with OpenSSL), and finally proceed with the Import CA root certificate and Import Server Certificate Signed by CA sections.
1 | Generate a server key pair and self-signed certificate
1
Execute the following command:
-alias sets a name to identify the key pair and certificate to be generated. It can be any name (such as tomcatdemo1), but you must use the same name in the next section, Configure Tomcat and test the server.
Shell
keytool -genkeypair -keyalg EC -alias tomcatdemo1 -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -genkeypair -keyalg EC -alias tomcatdemo1 -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
2
When prompted, enter the following information for the server certificate you want to generate and enter a new KeyStore password. Be sure to save this password, which all subsequent keytool and jarsigner commands use: 
Text
What is your first and last name?
[Unknown]: www.example.com

What is the name of your organizational unit?
[Unknown]: Engineering

What is the name of your organization?
[Unknown]: Futurex

What is the name of your City or Locality?
[Unknown]: Bulverde

What is the name of your State or Province?
[Unknown]: TX

What is the two-letter country code for this unit?
[Unknown]: US

Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
[no]: yes
What is your first and last name?
[Unknown]: www.example.com

What is the name of your organizational unit?
[Unknown]: Engineering

What is the name of your organization?
[Unknown]: Futurex

What is the name of your City or Locality?
[Unknown]: Bulverde

What is the name of your State or Province?
[Unknown]: TX

What is the two-letter country code for this unit?
[Unknown]: US

Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
[no]: yes
﻿
The previous command generates a self-signed certificate. If you need a CA-signed certificate, continue with the remaining steps. Otherwise, proceed to server configuration.
2 | Generate and export a CSR
1
To generate and export a CSR, run the following command:
Shell
keytool -certreq -alias tomcatdemo1 -file example.csr -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -certreq -alias tomcatdemo1 -file example.csr -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
2
Enter the KeyStore password.
3
Send the CSR to a CA, either third-party or internal, to be signed.
You should get a signed server certificate and a root CA certificate back.
3 | Import the CA root certificate
1
To import the CA root certificate, run the following command:
Shell
keytool -import -trustcacerts -alias tomcatdemo_ca -keystore NONE -file ca.crt -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -import -trustcacerts -alias tomcatdemo_ca -keystore NONE -file ca.crt -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
2
Enter the KeyStore password.
3
When prompted to trust the certificate, enter yes as shown in the following example:
Shell
Trust this certificate?
[no]: yes

Certificate was added to keystore.
Trust this certificate?
[no]: yes

Certificate was added to keystore.
﻿
4 | Import the server certificate signed by CA
1
To import the signed server certificate, run the following command:
Shell
keytool -importcert -alias tomcatdemo1 -keystore NONE -file server.crt -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -importcert -alias tomcatdemo1 -keystore NONE -file server.crt -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
2
Enter the KeyStore password.
If the command succeeds, you should see an output similar to the following:
Shell
Certificate reply was installed in keystore.
Certificate reply was installed in keystore.
﻿
﻿
﻿
﻿
Updated 19 Sep 2024
Did this page help you?
Edit the Futurex PKCS #11 Configuration file
Configure Tomcat and test the server