This article describes the syntax for how to generate a DSA/EC/RSA key pair used when setting up a hardware token. The hwsetup command line tool, included in Smart ID Certificate Manager (CM), is used.
Use this option to identify the library to work with. Replace <pkcs11lib> with the name of the PKCS #11 library.
Note: Do not include the extension in the filename.
slot <slot#>
Use this option to specify the slot number to use. Replace <slot#> with the slot number. Default: First empty slot.
pin <PIN>
Use this option to enter the PIN for the slot. Replace <PIN> with the PIN that should be used for the given slot.
id <CKA_ID>
Use this option to specify the CKA_ID attribute for the key pair. This id is used to associate keys with certificate requests and certificates. Default: A generated id.
noid
Do not generate any CKA_ID.
label <CKA_LABEL>
Use this option to specify the CKA_LABEL attribute for the key pair. A default label is generated if not specified.
login user | so
Use this option to select how to login. so stands for “security officer”. Default: user
gendsa <key length>[:<subprime length>]
Use this option to generate a DSA key pair. Replace <key length> with the DSA key and optional subprime lengths. Set subprime to :256 to use SHA-256 signatures. Default: 1024:160
genec <curve name>
Use this option to generate an EC key pair. Replace <curve name> with the OID or name of the desired EC curve. Sets the CKA_SIGN/ CKA_VERIFY attributes if not any of the derive or sign options are set. Default: brainpoolP256r1
genrsa <key length>
Use this option to generate an RSA key pair. Replace <key length> with the desired length of the RSA key. Sets all operation attributes if not any of the decrypt, sign or unwrap options are set. Default: 2048
exponent <#>
Use this option to specify the RSA public key exponent. Default: 0x10001
decrypt
Sets the CKA_ENCRYPT and CKA_DECRYPT attributes for the generated RSA key pair. Default: Not flagged.
derive
Sets the CKA_DERIVE attribute for the generated EC key pair. Default: Not flagged.
sign
Sets the CKA_SIGN and CKA_VERIFY attributes for the generated EC/RSA key pair. Default: Not flagged.
unwrap
Sets the CKA_WRAP and CKA_UNWRAP attributes for the generated RSA key pair. Default: Not flagged.
extractable
Sets the attributes CKA_EXTRACTABLE=true and CKA_SENSITIVE=false for a private key. This is not possible for if HSM in FIPS mode (FIPS 140-2 level 3). Default: CKA_EXTRACTABLE=false and CKA_SENSITIVE=true.
force
Use this option if you want the utility to replace an existing key with the same ID. Default: Not flagged.
nopinpad
If set, hwsetup will ignore reports from the PKCS#11 library that it has a pin pad, a smart card reader, or some other means of protecting the key objects, and sends the command line pin provided to the library anyway. This setting should not be needed other then in rare cases of HSM vendors with non-standard PKCS#11 implementations. Default: Not flagged.
Example
To generate an RSA key pair with the key length 2048 bits:
Example: Generate RSA key pair with key length 2048 bits