Versions Compared
compared with
Key
- This line was added.
- This line was removed.
- Formatting was changed.
Comment:
Reverted from v. 2
Command
This article describes the syntax for how to generate a PKCS #10 certificate request. The hwsetup command line tool, included in Nexus Certificate Manager (CM), is used.
Syntax
| Code Block | ||||
|---|---|---|---|---|
| ||||
hwsetup -libname <pkcs11lib> [-slot <slot#>] [-pin <PIN>] [-nopinpad] [-id <CKA_ID>] [-label <CKA_LABEL>] [-login user|so] -genreq <subject DN>] [-file <filename>] |
Example
To generate a PKCS #10 certificate request and store it in the file certreq.txt:
| Code Block | ||||
|---|---|---|---|---|
| ||||
hwsetup -libname crypto -slot 1 -pin abcd -id mykey -genreq "cn=Test, c=SE" |
Send certreq.txt to the CA so that the certificate can be issued.
[-keyalg <algorithm>]
[-keyusage [<names>]] [-signalg <algorithm>] |
Options and arguments
For a description of the options libname, slot, pin, id nopinpad, and login and their arguments, see Generate DSA/EC/ RSA key pair.
| Options and Arguments | Description | |
|---|---|---|
| genreq <subject DN> | Use this option to create a request for issue of a certificate. Replace <subject DN> with the subject distinguished name the CAshould use when issuing the certificate. Default: Nullin RFC2253 format, for the certificate. Use either the id or label option to specify the key pair for the certificate request. | |
| id <CKA_ID> | Use the key pair with the specified CKA_ID value. | |
| label <CKA_LABEL> | Use the key pair with the specified CKA_LABEL value. | |
| file <filename> | Use this option to select what specify the file the request shall be written to. Default: certreq.txt | |
| keyalg <algorithm> | Use this option to | . Replace <filename> with the name of the file. Default: certreq.txtspecify an OAEP or PSS algorithm for an RSA public key. For example, RSAES-OAEP, RSASSA-PSS or SHA256withRSAandMGF1. Default: RSA |
| keyusage [<names>] | Use this option to create a KeyUsage extension in the certificate request. If any <names> are not specified, the operation attributes of the public key are used to create the extension. The following, comma separated, names can be used: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, encipherOnly, decipherOnly. Default: extension not created | |
| signalg <algorithm> | Use this option to specify the signature algorithm, for example, SHA384withECDSA or SHA256withRSAandMGF1. Default: SHA256withDSA, -ECDSA, -RSA |
Example
To generate a PKCS #10 certificate request and store it in the file certreq.txt:
| Code Block | ||||
|---|---|---|---|---|
| ||||
hwsetup -libname crypto -slot 1 -pin abcd -id mykey -genreq "cn=Test, o=Nexus" |
Send certreq.txt to the CA so that the certificate can be issued.
This article is valid from CM 8.0