Versions Compared
compared with
Key
- This line was added.
- This line was removed.
- Formatting was changed.
Comment:
Reverted from v. 1
This article describes the syntax for how to generate a DSA/EC/RSA key pair used when setting up a hardware token. The hwsetup command line tool, included in Nexus Certificate Manager (CM), is used.
SyntaxCommand
| Code Block | ||||
|---|---|---|---|---|
| ||||
hwsetup -libname <pkcs11lib> [-slot <slot#>] [-pin <PIN>] [-nopinpad] [-id <CKA_ID>|-noid] [-label <CKA_LABEL>] [-login user|so] [-extractable] [-forcepin <PIN>] [-gendsa <key length>[:<subprime length>]]nopinpad] [-genecexponent <named curve><exp#>] [-derive] [-signforce] [-genrsa <key length>] [-exponent <#>] [-decrypt] [-sign] [-unwrap] |
Example
To generate an RSA key pair with the key length 2048 bits:
| Code Block | ||||
|---|---|---|---|---|
| ||||
hwsetup -libname crypto -slot 1 -pin abcd -id mykey -genrsa 2048 |
Options and arguments
| Options and Arguments | Description |
|---|---|
| libname <pkcs11lib> | Use this option to identify the library to work with. Replace <pkcs11lib> with the name of the PKCS #11 library. Note: Do not include the extension in the filename. |
| slot <slot#> | Use this option to specify the slot number to use. Replace <slot#> with the slot number. Default: First empty slot. |
| pin <PIN> | Use this option to enter the PIN for the slot. Replace <PIN> with the PIN that should be used for the given slot. |
| id <CKA_ID> | Use this option to specify the CKA_ID attribute for the key pair. This id is used to associate keys with certificate requests and certificates. Default: A generated id. |
| noid | Do not generate any CKA_ID. |
| label <CKA_LABEL> | Use this option to specify the CKA_LABEL attribute for the key pair. A default label is generated if not specified. |
| login user | so | Use this option to select how to loginto login. so stands so stands for “security officer”. Default: user |
| gendsa <key length>[:<subprime length>] | Use this option to generate a DSA key pair. Replace <key length> with the DSA key and optional subprime lengths. Set subprime to :256 to use SHA-256 signatures. Default: 1024:160 |
| genec <curve name> | Use this option to generate an EC key pair. Replaceuser |
| genrsa <key length> | Use this option to generate an RSA key pair. Replace <key length> with the desired length of the RSA key. Sets all operation attributes if not any of the decrypt, sign or unwrap options are set. Default: 1024 |
| exponent <#> Use this option to specify the <exp#> | RSA public key exponent. Default: 0x10001 |
| decrypt | Sets the CKA_ENCRYPT and CKA_DECRYPT attributes for the generated RSA key pair. Default: Not flagged. |
| derive | Sets the CKA_DERIVE attribute for the generated EC key pair. Default: Not flagged. |
| sign | Sets the CKA_SIGN and CKA_VERIFY attributes for the generated EC/RSA key pair. Default: Not flagged. |
Sets the CKA_WRAP and CKA_UNWRAP attributes for the generated RSA key pair. Default: Not flagged. | |
| extractable | Sets the attributes CKA_EXTRACTABLE=true and CKA_SENSITIVE=false for a private key. This is not possible for if HSM in FIPS mode (FIPS 140-2 level 3). Default: CKA_EXTRACTABLE=false and CKA_SENSITIVE=true. |
| force | Use this option if you want the utility to replace an existing key with the same ID. Default: Not flagged. |
| nopinpad | If set, hwsetup will ignore reports from the PKCS#11 library that it has a pin pad, a smart card reader, or some other means of protecting the key objects, and sends the command line pin provided to the library anyway. This setting should not be needed other then in rare cases of HSM vendors with non-standard PKCS#11 implementations. Default: Not flagged. |
Example
To generate an RSA key pair with the key length 2048 bits:
| Code Block | ||||
|---|---|---|---|---|
| ||||
hwsetup -libname crypto -slot 1 -pin abcd -id mykey -genrsa 2048 |
This article is valid from CM 8.0