This article describes the syntax for how to generate a DSA/EC/RSA key pair used when setting up a hardware token. The hwsetup command line tool, included in Nexus Certificate Manager (CM), is used.

Syntax

Syntax: Generate DSA/EC/RSA key pair

hwsetup -libname <pkcs11lib> [-slot <slot#>] [-pin <PIN>] [-nopinpad]
[-id <CKA_ID>|-noid] [-label <CKA_LABEL>] [-login user|so] [-extractable] [-force]
[-gendsa <key length>[:<subprime length>]]
[-genec <named curve>] [-derive] [-sign]
[-genrsa <key length>] [-exponent <#>] [-decrypt] [-sign] [-unwrap]

Options and arguments

Options and Arguments	Description
libname <pkcs11lib>	Use this option to identify the library to work with. Replace `<pkcs11lib>` with the name of the PKCS #11 library. Note: Do not include the extension in the filename.
slot <slot#>	Use this option to specify the slot number to use. Replace `<slot#>` with the slot number. Default: First empty slot.
pin <PIN>	Use this option to enter the PIN for the slot. Replace `<PIN>` with the PIN that should be used for the given slot.
id <CKA_ID>	Use this option to specify the CKA_ID attribute for the key pair. This id is used to associate keys with certificate requests and certificates. Default: A generated id.
noid	Do not generate any CKA_ID.
label <CKA_LABEL>	Use this option to specify the `CKA_LABEL` attribute for the key pair. A default label is generated if not specified.
login user \| so	Use this option to select how to login. so stands for “security officer”. Default: user
gendsa <key length>[:<subprime length>]	Use this option to generate a DSA key pair. Replace `<key length>` with the DSA key and optional subprime lengths. Set subprime to :256 to use SHA-256 signatures. Default: 1024:160
genec <curve name>	Use this option to generate an EC key pair. Replace `<curve name>` with the OID or name of the desired EC curve. Sets the `CKA_SIGN`/ `CKA_VERIFY` attributes if not any of the derive or sign options are set. Default: brainpoolP256r1
genrsa <key length>	Use this option to generate an RSA key pair. Replace `<key length>` with the desired length of the RSA key. Sets all operation attributes if not any of the `decrypt`, `sign` or `unwrap` options are set. Default: 1024
exponent <#>	Use this option to specify the RSA public key exponent. Default: 0x10001
decrypt	Sets the `CKA_ENCRYPT` and `CKA_DECRYPT` attributes for the generated RSA key pair. Default: Not flagged.
derive	Sets the `CKA_DERIVE` attribute for the generated EC key pair. Default: Not flagged.
sign	Sets the `CKA_SIGN` and `CKA_VERIFY` attributes for the generated EC/RSA key pair. Default: Not flagged.
unwrap	Sets the `CKA_WRAP` and `CKA_UNWRAP` attributes for the generated RSA key pair. Default: Not flagged.
extractable	Sets the attributes `CKA_EXTRACTABLE`=true and `CKA_SENSITIVE`=false for a private key. This is not possible for if HSM in FIPS mode (FIPS 140-2 level 3). Default: `CKA_EXTRACTABLE`=false and `CKA_SENSITIVE`=true.
force	Use this option if you want the utility to replace an existing key with the same ID. Default: Not flagged.
nopinpad	If set, `hwsetup` will ignore reports from the PKCS#11 library that it has a pin pad, a smart card reader, or some other means of protecting the key objects, and sends the command line pin provided to the library anyway. This setting should not be needed other then in rare cases of HSM vendors with non-standard PKCS#11 implementations. Default: Not flagged.

Example

To generate an RSA key pair with the key length 2048 bits:

Example: Generate RSA key pair with key length 2048 bits

hwsetup -libname crypto -slot 1 -pin abcd -id mykey -genrsa 2048

This article is valid from CM 8.0

Generate DSA/EC/RSA key pair

Syntax

Options and arguments

Example

Related information