BlackVault HSM Java Configuration Guide
© Engage Black Version 1.1.0 9
3. Application Integration
3.1. Java Keytool and Jarsigner
To sign code according to industry best practice, with the private key stored inside a secure
BlackVault HSM, a code signing certificate associated with that key is required. For the Java
environment, once all the prerequisites have been completed (Java configured correctly and the
PKCS#11 library installed), complete the following steps:
1. Generate a key with keytool:
keytool -genkey -keyalg RSA -keysize 1024 -alias keyNameHere -keystore NONE -storetype PKCS11 -storepass 2222
a. storetype tells Java to use the PKCS#11 keystore functions
b. alias is the name of the key
c. keyalg is the desired key algorithm
d. keysize is the desired key size in bits
e. storepass is normally used to authenticate to the keystore, but the BlackVault
HSM performs its own authentication and does not use this password. Java requires it
anyway.
2. After entering the keytool command, Java prompts for identification information.
This is used for the self-signed certificate that is created together with the key.
3. After creating the key, verify that it is on the BlackVault:
keytool -keystore NONE -storetype PKCS11 -storepass 2222 -list
4. Generate a certificate signing request (CSR) with the generated key:
keytool -certreq -alias keyNameHere -keyalg RSA -file CSRNameHere.csr -keystore NONE -storetype PKCS11 -storepass 2222
5. Have the CSR signed by a Certificate Authority (e.g. BlackVault CA, Digicert, Verisign, etc.).
6. After obtaining the certificate from the Certificate Authority, it must be attached to
the key from which it was derived. To do this, import it into the BlackVault with
the following bvtool command:
bvtool importcert -i caFileHere.pem -l certLabel
7. Verify the certificate is on the BlackVault. Run the command:
bvtool list -a
This should list the keys on the BlackVault as well as the imported certificate.
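Before an alias is handed to jarsigner it is worth confirming that step 6 actually took effect, i.e. that the entry no longer carries the self-signed certificate keytool created in step 2, and that the key is of adequate size. The following script is an added example, not part of the Engage Black guide: it parses the text of a verbose keytool listing (here a constructed sample; the alias names, DNs and the "Subject Public Key Algorithm" line format are assumptions) and reports on one alias.

```shell
#!/bin/sh
# Added example, not from the Engage Black guide: sanity-check one alias in the
# output of "keytool -keystore NONE -storetype PKCS11 -storepass 2222 -list -v"
# before handing it to jarsigner. It flags an entry still carrying the self-signed
# certificate from step 2 (the CA-issued certificate from step 6 was never attached)
# and a key under 2048 bits.
# check_entry <alias> <listing-text>: prints a verdict; returns 0 only when
# the entry is ready for signing, 1 when a problem was found, 2 if not listed.
check_entry() {
    name="$1"
    # Isolate this alias's block: from its "Alias name:" line up to the next alias.
    block=$(printf '%s\n' "$2" | awk -v a="$name" '
        $0 == "Alias name: " a { inb = 1; print; next }
        /^Alias name: /        { inb = 0 }
        inb                    { print }')
    [ -n "$block" ] || { echo "alias $name: not found in listing"; return 2; }
    owner=$(printf '%s\n' "$block" | sed -n 's/^Owner: //p' | head -n 1)
    issuer=$(printf '%s\n' "$block" | sed -n 's/^Issuer: //p' | head -n 1)
    # Assumed line format: "Subject Public Key Algorithm: 2048-bit RSA key".
    bits=$(printf '%s\n' "$block" |
           sed -n 's/^Subject Public Key Algorithm: \([0-9]*\)-bit.*/\1/p' | head -n 1)
    status=0
    if [ "$owner" = "$issuer" ]; then
        echo "alias $name: leaf certificate is self-signed; CA certificate not yet imported"
        status=1
    fi
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "alias $name: ${bits}-bit key is below the 2048-bit minimum for RSA signing keys"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "alias $name: ready for jarsigner (issuer: $issuer, ${bits:-?}-bit key)"
    return "$status"
}

# Constructed sample listing: one entry as it looks after step 2, one after step 6.
SAMPLE='Alias name: keyNameHere
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=Build Server, O=Example Corp, C=US
Issuer: CN=Build Server, O=Example Corp, C=US
Subject Public Key Algorithm: 1024-bit RSA key

Alias name: releaseKey
Entry type: PrivateKeyEntry
Certificate chain length: 2
Owner: CN=Example Corp Code Signing, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example CA, C=US
Subject Public Key Algorithm: 2048-bit RSA key'
# Report on both constructed entries without aborting on the failing one.
for a in keyNameHere releaseKey; do check_entry "$a" "$SAMPLE" || :; done
```

On a real system, replace the constructed SAMPLE with the captured output of the keytool listing command shown in the script's header.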