This document describes some of the common ways of dealing with encryption keys and certificates through the Java Cryptography Architecture (JCA). This document is aimed at the system administrators responsible for installing and setting up the Morphon T-o-M.
Before you can use the Morphon T-o-M, you will have to first make your keys and certificates available to the JCA.
To use a private key held on a PKCS#11 hardware token (an HSM or smart card), you must configure your Java environment with an instance of the SunPKCS11 security provider that points at the vendor's PKCS#11 library. This is usually accomplished by adding a line to <JAVA_HOME>/jre/lib/security/java.security, along the lines of:
security.provider.7=sun.security.pkcs11.SunPKCS11 <path-to-config-file>
The provider number must be unique and continue the existing sequence (7 is correct only if providers 1 through 6 are already listed), and <path-to-config-file> is a small text file that names the vendor library and the slot to use. Your HSM vendor should be able to provide you with more information on how to configure your hardware key(s) for Java.
As an alternative to a separate configuration file, you may use the library and slot properties in the T-o-M configuration file.
See the "Configuring Cryptographic Keys for use with T-o-M" section in the "T-o-M Installation Guide" on how to configure hardware tokens for use with T-o-M.
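The following shell script is an added example; it is not part of the T-o-M documentation or its installation guide. It writes a minimal SunPKCS11 configuration file, checks that the vendor library is actually present before Java is involved, lists the token through an ad hoc provider so that a broken configuration shows up before java.security is edited, and computes the next free provider index for the java.security line. The file paths, the provider name MorphonHSM and slot 0 are assumptions; take the real values from your HSM vendor.

```sh
#!/bin/sh
# Added example (not from the T-o-M documentation). Paths, the provider
# name and the slot number below are assumptions.

# write_pkcs11_config CONFIG_PATH LIBRARY_PATH SLOT
# Writes the three attributes SunPKCS11 needs: name, library and slot.
write_pkcs11_config() {
    cfg="$1"; lib="$2"; slot="$3"
    cat > "$cfg" <<EOF
# SunPKCS11 configuration for the Morphon T-o-M hardware token
name = MorphonHSM
library = $lib
slot = $slot
EOF
    chmod 0640 "$cfg"
}

# check_token CONFIG_PATH
# Returns 0 if the PKCS#11 library exists and keytool can list the token
# through a one-off provider (no java.security change needed for this check).
check_token() {
    cfg="$1"
    lib=$(sed -n 's/^library *= *//p' "$cfg")
    if [ ! -r "$lib" ]; then
        echo "PKCS#11 library not found or unreadable: $lib" >&2
        return 1
    fi
    keytool -list -keystore NONE -storetype PKCS11 \
        -providerClass sun.security.pkcs11.SunPKCS11 \
        -providerArg "$cfg"
}

# next_provider_index JAVA_SECURITY_FILE
# Prints the next free security.provider.N index so the new provider line
# neither collides with an existing provider nor leaves a gap in the sequence.
next_provider_index() {
    n=$(sed -n 's/^security\.provider\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n | tail -1)
    echo $(( ${n:-0} + 1 ))
}

# Typical use (assumed paths):
#   write_pkcs11_config /etc/morphon/pkcs11.cfg /usr/lib/libpkcs11.so 0
#   check_token /etc/morphon/pkcs11.cfg
#   echo "security.provider.$(next_provider_index "$JAVA_HOME/jre/lib/security/java.security")=sun.security.pkcs11.SunPKCS11 /etc/morphon/pkcs11.cfg"
```

Run check_token before editing java.security: if the library path or slot is wrong, the failure then appears in the keytool output rather than as a cryptic provider error at T-o-M start-up.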
The KeyTool utility (the keytool command) allows a system to store private keys and certificates in a keystore on disk. This guide assumes you have the KeyTool from the Java 6 distribution at your disposal.
KeyTool keeps keys and certificates in keystores. A keystore is essentially a small, password-protected database; it is typically a single file on disk and can contain zero or more keys and certificates. The password protects the private key entries and gives the store an integrity check, but it is not a substitute for restrictive file-system permissions on the keystore file, which is exactly what an attacker wants to copy.
The first step to a successful keystore setup is to create a new public/private key pair. This also initializes your new keystore. Note that the Java 6 KeyTool defaults to a 1024-bit DSA key signed with SHA1withDSA (the sample CSR further down is such a DSA request); most certificate authorities expect RSA, so add -keyalg RSA -keysize 2048 unless your CA tells you otherwise:
$ keytool -genkeypair -alias invoices -keystore morphon-tom.keystore
Your interaction should be similar to the execution below.
$ keytool -genkeypair -alias invoices -keystore morphon-tom.keystore
Enter keystore password: [ ENTER PASSWORD ]
Re-enter new password: [ ENTER PASSWORD ]
What is your first and last name?
  [Unknown]:  Invoicing Department
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:  Morphon Technologies
What is the name of your City or Locality?
  [Unknown]:  Amsterdam
What is the name of your State or Province?
  [Unknown]:  NH
What is the two-letter country code for this unit?
  [Unknown]:  NL
Is CN=Invoicing Department, OU=Unknown, O=Morphon Technologies, L=Amsterdam, ST=NH, C=NL correct?
  [no]:  yes

Enter key password for <invoices>
        (RETURN if same as keystore password):
$
If all went well you should have a keystore file called morphon-tom.keystore in your current directory.
The next step is to generate your Certificate Signing Request (CSR). This is what needs to be sent to the certificate authority (VeriSign, Thawte, GlobalSign, GeoTrust, etc.) in order to obtain a certificate for your public key; the private key itself never leaves the keystore.
$ keytool -certreq -alias invoices -file morphon-invoices.csr -keystore morphon-tom.keystore
Enter keystore password: [ ENTER PASSWORD ]
$
After this, you should have a file in your current working directory called morphon-invoices.csr, which contains the CSR. The contents of this file should look like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICgzCCAkECAQAwfjELMAkGA1UEBhMCTkwxCzAJBgNVBAgTAk5IMRIwEAYDVQQHEwlBbXN0ZXJk
YW0xHTAbBgNVBAoTFE1vcnBob24gVGVjaG5vbG9naWVzMRAwDgYDVQQLEwdVbmtub3duMR0wGwYD
VQQDExRJbnZvaWNpbmcgRGVwYXJ0bWVudDCCAbgwggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUS
KVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3
a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/Ii
Axmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrq
gvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1
kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQBTDv+z0kqA4GFAAKBgQDo
SXcIWjEe2DmQO83Yiw3ngZxtPrudA3IJq2Xi6EjxWu2CVMkeL4gSaOYRTmsJADS3T7TZwBlWFZMv
AMskhIXYYJDAHx2uER5tjfVf4KNn3BR7nPI0ZHhE5erNYehEiPMLtCMpL/RF9qYCNiCSnOI+ONq6
B9uBipqiX7g1zjceZaAAMAsGByqGSM44BAMFAAMvADAsAhQUPw/8lNowePowOfB73pE9Ro+s3wIU
MWoF512PcCI1I61t3wx68A76is0=
-----END NEW CERTIFICATE REQUEST-----
When requesting a certificate, your certificate authority will ask for this: paste the complete contents of the file, including the BEGIN and END lines, into the CA's request form.
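The keystore and CSR steps above as one repeatable script, added here as an example and not taken from the T-o-M documentation. It requests an RSA 2048 key explicitly instead of relying on the Java 6 default of DSA 1024, verifies the CSR's self-signature with OpenSSL (which proves the request belongs to the private key in the keystore), and includes the step that follows once the CA answers: importing the CA chain and the signed certificate under the key's alias. The alias, file names and distinguished name are the ones used in the text; the CA file names and the alias morphon-ca for the CA certificate are assumptions.

```sh
#!/bin/sh
# Added example (not from the T-o-M documentation). The CA-related file
# names and the morphon-ca alias are assumptions.

ALIAS=invoices
KEYSTORE=morphon-tom.keystore
CSR=morphon-invoices.csr
DNAME='CN=Invoicing Department, O=Morphon Technologies, L=Amsterdam, ST=NH, C=NL'

# create_keystore STOREPASS
# Creates the keystore with one RSA 2048 key pair. Passing the password on
# the command line exposes it in the process list; on a shared host drop
# -storepass/-keypass and let keytool prompt, as in the interactive run above.
create_keystore() {
    keytool -genkeypair -alias "$ALIAS" -keystore "$KEYSTORE" \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "$DNAME" -storepass "$1" -keypass "$1"
}

# make_csr STOREPASS
# Writes the PEM-encoded request for the key under $ALIAS to $CSR.
make_csr() {
    keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" \
        -file "$CSR" -storepass "$1"
}

# csr_ok
# The CSR must be PEM and its self-signature must verify against the public
# key it carries; a request that fails this check will be rejected by the CA.
csr_ok() {
    grep -q -- '-----BEGIN NEW CERTIFICATE REQUEST-----' "$CSR" &&
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# has_private_key STOREPASS
# Returns 0 if keytool reports the alias as a PrivateKeyEntry, i.e. a key
# pair T-o-M can sign with, rather than a certificate-only trustedCertEntry.
has_private_key() {
    keytool -list -keystore "$KEYSTORE" -storepass "$1" -alias "$ALIAS" 2>/dev/null |
        grep -q PrivateKeyEntry
}

# import_signed_cert STOREPASS CA_CHAIN_PEM SIGNED_CERT_PEM
# After the CA answers: import its chain as trusted certificates first, then
# the signed certificate under the key's own alias so that keytool pairs it
# with the private key (it refuses the import if the public keys differ).
import_signed_cert() {
    keytool -importcert -trustcacerts -noprompt -alias morphon-ca \
        -file "$2" -keystore "$KEYSTORE" -storepass "$1" &&
    keytool -importcert -alias "$ALIAS" -file "$3" \
        -keystore "$KEYSTORE" -storepass "$1"
}

# Typical use:
#   create_keystore "$PASS" && make_csr "$PASS" && csr_ok && has_private_key "$PASS"
#   ... send $CSR to the CA, then:
#   import_signed_cert "$PASS" morphon-ca-chain.pem morphon-invoices.pem
```

After import_signed_cert, has_private_key must still succeed for the alias: if the signed certificate had been imported under a different alias it would become a separate trustedCertEntry and the key pair would remain self-signed.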
If you already have a private key (generated using OpenSSL, for instance) and have already received a certificate for it, you can import both into an existing or new keystore using KeyTool. This requires a bit more work than generating the key with KeyTool in the first place, but it is possible.
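One way to do this, added here as an example and not taken from the T-o-M documentation: keytool cannot import a bare private key, so the key and certificate are first bundled into a PKCS#12 file with OpenSSL and then copied into the keystore with keytool -importkeystore (available from Java 6 onwards). Before bundling, the script checks that the certificate really belongs to the key, since a mismatched pair imports cleanly and only fails later when T-o-M tries to sign. File names and the alias are assumptions.

```sh
#!/bin/sh
# Added example (not from the T-o-M documentation). File names and the
# alias passed to these functions are assumptions.

# key_matches_cert KEY_PEM CERT_PEM
# Compares the SubjectPublicKeyInfo derived from the private key with the
# one in the certificate; returns non-zero if they differ.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# bundle_pkcs12 KEY_PEM CERT_PEM ALIAS OUT_P12 PASSWORD [CHAIN_PEM]
# -name sets the PKCS#12 friendly name, which keytool uses as the alias.
# The optional chain file carries the intermediate/root certificates.
bundle_pkcs12() {
    key="$1"; cert="$2"; alias="$3"; out="$4"; pass="$5"; chain="$6"
    key_matches_cert "$key" "$cert" || {
        echo "certificate does not match private key" >&2
        return 1
    }
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name "$alias" -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name "$alias" -out "$out" -passout "pass:$pass"
    fi
    chmod 0600 "$out"
}

# import_pkcs12 P12 P12PASS ALIAS KEYSTORE STOREPASS
# Copies the single entry into the keystore, keeping the alias. The key
# password is set equal to the store password, as T-o-M's interactive
# setup does when RETURN is pressed at the key password prompt.
import_pkcs12() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
        -srcalias "$3" -destalias "$3" \
        -destkeystore "$4" -deststorepass "$5" -destkeypass "$5"
}

# keystore_has_key KEYSTORE STOREPASS ALIAS
keystore_has_key() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
        grep -q PrivateKeyEntry
}

# Typical use:
#   bundle_pkcs12 invoices.key invoices.crt invoices invoices.p12 "$PASS" ca-chain.pem
#   import_pkcs12 invoices.p12 "$PASS" invoices morphon-tom.keystore "$STOREPASS"
#   keystore_has_key morphon-tom.keystore "$STOREPASS" invoices
```

Delete the intermediate .p12 file once the import has been checked; it holds the private key under a second password and is one more copy to protect.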