By Ye Julia Li on Jan 12, 2010
Request an Object Signing certificate from SunPKI Store with an Aladdin eToken Pro on Windows OS
Security Module (HSM): Aladdin eToken Pro 72K
Software environment: Windows XP SP2 + eToken PKI Client 5.1 + JDK 1.6
Part 1: Select Aladdin eToken Pro as the HSM device
An Object Signing certificate request can only be approved if the request was submitted using an HSM device. An HSM device is a specialized hardware cryptographic component that generates and protects the private keys during any operation that involves those keys.
For object signing, especially for signing objects in the form of JAR files (using jarsigner), the cryptographic hardware devices of choice are:
(ii) SafeNet/Aladdin eToken (USB connected cryptographic device).
Because the first one is too expensive (about $1300), we chose the Aladdin eToken Pro 72K (about $60).
Part 2: Prepare the Aladdin eToken Pro
2.1 Install the Aladdin eToken PKI Client, which can be downloaded from the Aladdin web site or requested from your Aladdin agent.
2.2 Plug the eToken into the USB slot of the system and select the "Initialization" function of the PKI Client to initialize the eToken.
2.3 Enter a personal password (referred to as <pin> below) for the eToken.
Part 3: Request an Object Signing Certificate from SunPKI Store
3.1 Create (in the current directory) the file 'eToken-pkcs11.cfg' with the two lines
library = c:\\WINDOWS\\system32\\eTPKCS11.dll
3.2 Generate the key pair with the following command
keytool -genkey -alias <alias> -validity 365 -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>
Unknown: <your object name & version> (e.g. Sun Device Detection Tool)
What is the name of your organizational unit?
Unknown: <whatever> (e.g. Sun Microsystems Inc System)
What is the name of your organization?
Unknown: Sun Microsystems Inc (e.g. Sun Microsystems Inc)
What is the name of your City or Locality?
Unknown: <whatever> (e.g. Menlo Park)
What is the name of your State or Province?
Unknown: <whatever> (e.g. California)
What is the two-letter country code for this unit?
Is CN=..., OU=..., O="Sun Microsystems Inc", L=..., ST=..., C=US correct?
 Make sure JDK 1.6 is installed.
 In Special Publication SP 800-57 Part 1 [SP800-57], NIST recommends using at least 2048-bit public keys for securing information beyond 2010 (and 3072-bit keys for securing information beyond 2030). So we use the '-keysize 2048' to generate the key pair.
 The country code must be "US". Otherwise the next step would fail.
 The generated key pair can be checked with the following command:
3.3 Generate the CSR with the following command
keytool -certreq -alias <alias> -file ./certreq.csr -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>
3.4 Submit the CSR
Refer to https://wikis.sun.com/display/SunPKIstore/Corp+Object+Signing
3.5 Receive the certificate
You will receive an email from firstname.lastname@example.org containing the certificate chain. The email contains the certificates in two forms: ASCII/Base64 encoded text and a binary PKCS7 attachment. Import the ASCII/Base64 encoded form (not the PKCS7), because the import of the PKCS7 chain may not work due to bug 6731685 (fixed in JDK 7, but not in earlier releases).
The ASCII/Base64 encoded form is a paragraph of ASCII characters enclosed by
Copy the ASCII/Base64 encoded certificates (the ASCII characters, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines), paste them into a single text file and save it as 'cert.ascii'.
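A pre-import check for the 'cert.ascii' file from step 3.5, as an added example that is not part of the original post: it confirms that every pasted block has matching BEGIN/END lines, decodes as Base64 and is a complete DER SEQUENCE, which catches truncated or mail-mangled pastes before step 3.6. The function names and the sample bytes are constructed for illustration.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.DOTALL)

def _der_length_ok(der):
    """True if der is one DER SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_cert_file(text):
    """Return (complete_blocks, problems) for the pasted contents of cert.ascii."""
    problems = []
    begins = text.count("-----BEGIN CERTIFICATE-----")
    ends = text.count("-----END CERTIFICATE-----")
    if begins != ends:
        problems.append("%d BEGIN lines but %d END lines" % (begins, ends))
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no complete certificate block found")
    for i, body in enumerate(blocks, 1):
        try:
            # Strip line breaks and stray spaces, then decode strictly.
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                  # binascii.Error is a ValueError
            problems.append("certificate %d: not valid Base64 (mail quoting?)" % i)
            continue
        if not _der_length_ok(der):
            problems.append("certificate %d: truncated or not DER" % i)
    return len(blocks), problems

def make_sample_pem(der):
    """Wrap bytes as a PEM CERTIFICATE block (used for the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample: DER-shaped placeholder bytes, not a real certificate.
SAMPLE_CHAIN = make_sample_pem(b"\x30\x82\x01\x00" + bytes(256)) * 2

if __name__ == "__main__":
    print(check_cert_file(SAMPLE_CHAIN))
```

Pass the contents of 'cert.ascii' to check_cert_file() and import only when the problem list is empty and the block count matches the number of certificates in the email.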
3.6 Import the certificate with the following command
keytool -importcert -v -trustcacerts -file cert.ascii -alias <alias> -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>
3.7 Verify the installed certificate chain with the following command
keytool -list -v -alias <alias> -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin>
3.8 Sign jar files with the following command
jarsigner -verbose -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken-pkcs11.cfg -storepass <pin> <a jarfile name> <alias>
In steps 2, 3, 6, 7 and 8, the eToken must be plugged in.