Create a PKI container and certificate with key pair on the KMES
This section demonstrates how to use the {{k3}} to create a private key and a Curity Identity Server transport layer security (TLS) certificate for use with the Java keystore. The keytool utility will be used to list the signing certificate, confirming that both the private key and the certificate were successfully imported into the keystore. These steps ensure that the {{k3}} can be used to store private keys for Curity Identity Server, as well as the self-signed TLS certificate, in the next section.

Perform the following tasks to create a CA for the TLS server key pair:

1. Create a new X.509 certificate container.
2. Generate a new key pair for the TLS server certificate.
3. Create an approval group for TLS signing.
4. Add an issuance policy to the TLS server certificate.

Create a certificate container

Perform the following steps to create a new X.509 certificate container:

1. Open the KMES dashboard in a browser.
2. Log in under dual control using the administrator identities.
3. Select PKI on the left-hand side > Certificate Authorities.
4. Select [ Add CA ] at the bottom of the page, or right-click anywhere in the window and select Add CA.
5. In the pop-up menu, specify the following information for the certificate container:
   - Name: enter curity
   - Host: select None
   - Type: select X.509
   - Owner group: in the drop-down menu, select the Curity role created in a previous section
6. Select [ OK ].

Generate a certificate and a key pair

Perform the following steps to generate a new key pair for the TLS server certificate:

1. Right-click the X.509 certificate container you created and select Add Certificate > New Certificate.
2. In the Subject DN tab of the certificate creation wizard, select the Classic preset in the drop-down menu and specify demo 1 as the Common Name for the certificate.
3. In the Basic Info tab, you can leave the values set to the defaults.
4. In the V3 Extensions tab, select TLS Server Certificate in the Profile drop-down menu.
5. Select [ OK ] to finish creating the TLS server certificate and the key pair.

Create an approval group

Perform the following steps to create an approval group for PKI signing:

1. Select PKI on the left-hand side > Signing Workflow.
2. Select [ Add Approval Group ] at the bottom of the page, or right-click anywhere in the window and select Add Approval Group.
3. Specify curity as the name for the approval group and select [ OK ].
4. Right-click the newly created approval group and select Permission.
5. In the Permission drop-down list, next to the role created for Curity, select Use, and then select [ OK ].

Add an issuance policy

Perform the following steps to add an issuance policy to the TLS server certificate:

1. Select PKI on the left-hand side > Certificate Authorities.
2. Expand the curity container view by selecting the plus (+) icon next to it.
3. Right-click the demo 1 certificate and select Issuance Policy > Add.
4. In the Basic Info tab, configure the following settings:
   - Approvals: select 0. Note: the zero-approval policy requires Anonymous Signing, which will be enabled in a later step.
   - Allowed Hashes: select SHA1 only.
5. In the X.509 tab, set the Default Approval Group to curity.
6. In the Object Signing tab, select the Allow Object Signing checkbox.
7. Select [ OK ] to apply the issuance policy to the demo 1 certificate.
8. Right-click the demo 1 certificate and select Change Security Usage.
9. In the Security Usage drop-down menu, select the Anonymous Signing checkbox.
10. Select [ OK ] to apply the change.

Verifying that the private key entry linked to the TLS server certificate is in the Java keystore

Note: the keytool application is included in the JDK installation, so you can run the keytool command in this section with no additional configuration.

In a terminal on the device that will perform the signing, run the following command:

```
keytool -list -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
```

When prompted for the keystore password, enter the identity password configured inside the `<CRYPTO-OPR-PASS>` tag in the fxpkcs11.cfg file. If the command succeeds, you should see output similar to the following:

```
Keystore type: PKCS11
Keystore provider: SunPKCS11-Futurex

Your keystore contains 1 entry

curity demo 1, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:7B:83:00:AE:6A:CF:64:FA:C0:3F:B4:40:55:E2:9C:12:26:43:C7:D4:92:4E:DA:20:E2:E5:96:4B:48:1F:D3
```

Warning: if the name of the PrivateKeyEntry contains colons (e.g., curity:demo 1:c), the private key cannot be used by Curity, since Curity does not allow colons in the name. Refer to the bottom of the section "Edit the Futurex PKCS #11 configuration file" to add the needed line to the fxpkcs11.cfg file to fix this issue.
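As an added check that is not part of the Futurex or Curity documentation, the following POSIX shell functions wrap the keytool listing above and inspect its output for PrivateKeyEntry aliases that Curity would reject because of colons, and pull out the fingerprint recorded under a given alias for comparison. The sample keytool output is constructed, and the alias names and fingerprints in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the Futurex or Curity documentation.
# Wraps the keytool listing of the SunPKCS11-Futurex keystore and checks
# the output for PrivateKeyEntry aliases that Curity cannot use (colons).

# The command from the integration steps. It prompts for the identity
# password from the <CRYPTO-OPR-PASS> tag in fxpkcs11.cfg; assumes keytool
# is on PATH and the SunPKCS11-Futurex provider is configured.
list_pkcs11_keystore() {
    keytool -list -keystore NONE -storetype PKCS11 \
        -providerClass sun.security.pkcs11.SunPKCS11 \
        -providerName SunPKCS11-Futurex
}

# Print every PrivateKeyEntry alias in keytool output read from stdin.
private_key_aliases() {
    grep 'PrivateKeyEntry' | sed 's/, PrivateKeyEntry.*$//'
}

# Print the aliases Curity rejects (those containing a colon). Exit status
# is 0 when at least one offending alias exists, 1 when none does.
colon_aliases() {
    private_key_aliases | grep ':'
}

# Print the SHA-256 fingerprint recorded under the given alias, so the key
# in the HSM can be compared with the certificate Curity is expected to use.
fingerprint_of() {
    awk -v alias="$1" '
        index($0, alias ", PrivateKeyEntry") == 1 {
            getline; sub(/^.*: /, ""); print
        }'
}

# Constructed sample output: one usable entry and one with colons in its
# name (the fingerprints are placeholders, not real values).
SAMPLE_OUTPUT='Keystore type: PKCS11
Keystore provider: SunPKCS11-Futurex

Your keystore contains 2 entries

curity-demo-1, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD
curity:demo 1:c, PrivateKeyEntry,
Certificate fingerprint (SHA-256): EE:FF:00:11'

# Usage on a live system: list_pkcs11_keystore | colon_aliases
```

On a live system, pipe `list_pkcs11_keystore` into `colon_aliases`; a non-empty result means the fxpkcs11.cfg fix from the earlier section is still needed before Curity can reference the key.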