Create new AWS CloudHSM keys with keytool

You can use keytool to generate RSA, AES, and DESede type of key supported by the AWS CloudHSM JCE SDK.

Important

A key generated through keytool is generated in software, and then imported into AWS CloudHSM as an extractable, persistent key.

We strongly recommend generating non-exportable keys outside of keytool, and then importing corresponding certificates to the key store. If you use extractable RSA or EC keys through keytool and Jarsigner, the providers export keys from the AWS CloudHSM and then use the key locally for signing operations.

If you have multiple client instances connected to your AWS CloudHSM cluster, be aware that importing a certificate on one client instance’s key store won't automatically make the certificates available on other client instances. To register the key and associated certificates on each client instance you need to run a Java application as described in Generate an AWS CloudHSM CSR using keytool. Alternatively, you can make the necessary changes on one client and copy the resulting key store file to every other client instance.

Example 1: To generate a symmetric AES-256 key and save it in a key store file named, "my_keystore.store", in the working directory. Replace <secret label> with a unique label.

Example 2: To generate an RSA 2048 key pair and save it in a key store file named, "my_keystore.store" in the working directory. Replace <RSA key pair label> with a unique label.

You can find a list of supported signature algorithms in the Java library.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Use key store with keytool

Delete a key using keytool