
This article describes the syntax for generating a DSA/EC/RSA key pair on a hardware token with the hwsetup command line tool, which is included in Nexus Certificate Manager (CM).

Syntax

Syntax: Generate DSA/EC/RSA key pair

    hwsetup -libname <pkcs11lib> [-slot <slot#>] [-pin <PIN>] [-nopinpad]
        [-id <CKA_ID>|-noid] [-label <CKA_LABEL>] [-login user|so] [-extractable] [-force]
        [-gendsa <key length>[:<subprime length>]]
        [-genec <named curve>] [-derive] [-sign]
        [-genrsa <key length>] [-exponent <#>] [-decrypt] [-sign] [-unwrap]

Options and arguments

-libname <pkcs11lib>
    Use this option to identify the library to work with. Replace <pkcs11lib> with the name of the PKCS #11 library.
    Note: Do not include the extension in the filename.

-slot <slot#>
    Use this option to specify the slot number to use. Replace <slot#> with the slot number. Default: First empty slot.

-pin <PIN>
    Use this option to enter the PIN for the slot. Replace <PIN> with the PIN that should be used for the given slot.

-id <CKA_ID>
    Use this option to specify the CKA_ID attribute for the key pair. This id is used to associate keys with certificate requests and certificates. Default: A generated id.

-noid
    Do not generate any CKA_ID.

-label <CKA_LABEL>
    Use this option to specify the CKA_LABEL attribute for the key pair. A default label is generated if not specified.

-login user|so
    Use this option to select how to log in. so stands for "security officer". Default: user

-gendsa <key length>[:<subprime length>]
    Use this option to generate a DSA key pair. Replace <key length> with the DSA key length and, optionally, <subprime length> with the subprime length. Set the subprime length to :256 to use SHA-256 signatures. Default: 1024:160

-genec <curve name>
    Use this option to generate an EC key pair. Replace <curve name> with the OID or name of the desired EC curve. Sets the CKA_SIGN/CKA_VERIFY attributes if neither the derive nor the sign option is set. Default: brainpoolP256r1

-genrsa <key length>
    Use this option to generate an RSA key pair. Replace <key length> with the desired length of the RSA key. Sets all operation attributes if none of the decrypt, sign or unwrap options are set. Default: 1024

-exponent <#>
    Use this option to specify the RSA public key exponent. Default: 0x10001

-decrypt
    Sets the CKA_ENCRYPT and CKA_DECRYPT attributes for the generated RSA key pair. Default: Not flagged.

-derive
    Sets the CKA_DERIVE attribute for the generated EC key pair. Default: Not flagged.

-sign
    Sets the CKA_SIGN and CKA_VERIFY attributes for the generated EC/RSA key pair. Default: Not flagged.

-unwrap
    Sets the CKA_WRAP and CKA_UNWRAP attributes for the generated RSA key pair. Default: Not flagged.

-extractable
    Sets the attributes CKA_EXTRACTABLE=true and CKA_SENSITIVE=false for a private key. This is not possible if the HSM is in FIPS mode (FIPS 140-2 level 3). Default: CKA_EXTRACTABLE=false and CKA_SENSITIVE=true.

-force
    Use this option if you want the utility to replace an existing key with the same ID. Default: Not flagged.

-nopinpad
    If set, hwsetup ignores reports from the PKCS#11 library that it has a PIN pad, a smart card reader, or some other means of protecting the key objects, and sends the PIN provided on the command line to the library anyway. This setting should not be needed other than in rare cases of HSM vendors with non-standard PKCS#11 implementations. Default: Not flagged.

Example

To generate an RSA key pair with the key length 2048 bits:

Example: Generate RSA key pair with key length 2048 bits

    hwsetup -libname crypto -slot 1 -pin abcd -id mykey -genrsa 2048
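
The attribute rules from the options table, as an added Python illustration that is not hwsetup's own code (the function and dictionary names are assumptions): it shows which PKCS#11 attributes a given hwsetup command line selects, including that the example above, having no -decrypt, -sign or -unwrap flag, ends up with every RSA operation attribute set.

```python
import shlex

# Operation attributes selected by each flag, per key type, as the page lists them.
OPERATION_FLAGS = {
    "rsa": {"-decrypt": ("CKA_ENCRYPT", "CKA_DECRYPT"),
            "-sign": ("CKA_SIGN", "CKA_VERIFY"),
            "-unwrap": ("CKA_WRAP", "CKA_UNWRAP")},
    "ec": {"-derive": ("CKA_DERIVE",),
           "-sign": ("CKA_SIGN", "CKA_VERIFY")},
}


def key_attributes(command_line, fips_mode=False):
    """Return the private-key attribute template an hwsetup command line selects.

    Assumed helper illustrating the documented rules, not hwsetup's own code.
    Options unrelated to attributes (-libname, -slot, -pin, -id, -label, -login,
    -force, -nopinpad) are accepted and ignored.
    """
    args = shlex.split(command_line)
    if args and args[0] == "hwsetup":
        args = args[1:]
    if "-genrsa" in args:
        key_type = "rsa"
    elif "-genec" in args:
        key_type = "ec"
    elif "-gendsa" in args:
        key_type = "dsa"
    else:
        raise ValueError("one of -gendsa, -genec or -genrsa is required")
    # Private keys stay non-extractable and sensitive unless -extractable is
    # given, which the page says is not possible on an HSM in FIPS mode.
    extractable = "-extractable" in args
    if extractable and fips_mode:
        raise ValueError("-extractable is not possible in FIPS mode")
    attrs = {"CKA_EXTRACTABLE": extractable, "CKA_SENSITIVE": not extractable}
    if key_type == "dsa":
        return attrs  # the page lists no operation flags for DSA keys

    flags = OPERATION_FLAGS[key_type]
    requested = [flag for flag in flags if flag in args]
    if not requested:
        # No operation flag: RSA gets every operation attribute (the page's own
        # example does this), EC gets CKA_SIGN/CKA_VERIFY only.
        requested = list(flags) if key_type == "rsa" else ["-sign"]
    for flag, names in flags.items():
        for name in names:
            attrs[name] = flag in requested
    return attrs
```

A key intended only for signing is therefore better generated with -sign, so that CKA_DECRYPT and CKA_UNWRAP are not set on it.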


This article is valid from CM 8.0
