This article describes the syntax for how to generate a PKCS #10 certificate request. Thehwsetupcommand line tool, included in Nexus Certificate Manager (CM), is used.
For a description of the options libname, slot, pin, nopinpad, and login and their arguments, see Generate RSA key pair.
Options and Arguments
Description
genreq <subject DN>
Use this option to create a request for issue of a certificate. Replace <subject DN> with the subject distinguished name in RFC2253 format, for the certificate. Use either the id or label option to specify the key pair for the certificate request.
id <CKA_ID>
Use the key pair with the specified CKA_ID value.
label <CKA_LABEL>
Use the key pair with the specified CKA_LABEL value.
file <filename>
Use this option to specify the file the request shall be written to. Default: certreq.txt
keyalg <algorithm>
Use this option to specify an OAEP or PSS algorithm for an RSA public key. For example, RSAES-OAEP, RSASSA-PSS or SHA256withRSAandMGF1. Default: RSA
keyusage [<names>]
Use this option to create a KeyUsage extension in the certificate request. If any <names> are not specified, the operation attributes of the public key are used to create the extension. The following, comma separated, names can be used: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, encipherOnly, decipherOnly. Default: extension not created
signalg <algorithm>
Use this option to specify the signature algorithm, for example, SHA384withECDSA or SHA256withRSAandMGF1. Default: SHA256withDSA, -ECDSA, -RSA
Example
To generate a PKCS #10 certificate request and store it in the file certreq.txt:
Example: Generate PKCS #10 certificate request and store in file certreq.txt