Nexus Certificate Manager
Nexus Certificate Manager
Breadcrumbs

Generate DSA/EC/RSA key pair

This article is valid from CM 8.1.

This article describes the syntax for how to generate a DSA/EC/RSA key pair used when setting up a hardware token. The hwsetup command line tool, included in  Smart ID Certificate Manager (CM), is used.

Syntax

Syntax: Generate DSA/EC/RSA key pair 
hwsetup -libname <pkcs11lib> [-slot <slot#>] [-pin <PIN>] [-nopinpad]
[-id <CKA_ID>|-noid] [-label <CKA_LABEL>] [-login user|so] [-extractable] [-force]
[-gendsa <key length>[:<subprime length>]]
[-genec <named curve>] [-derive] [-sign]
[-genrsa <key length>] [-exponent <#>] [-decrypt] [-sign] [-unwrap]

Options and arguments

Options and Arguments

Description

libname <pkcs11lib>

Use this option to identify the library to work with. Replace <pkcs11lib> with the name of the PKCS #11 library.

Note: Do not include the extension in the filename.

slot <slot#>

Use this option to specify the slot number to use. Replace <slot#> with the slot number. Default: First empty slot.

pin <PIN>

Use this option to enter the PIN for the slot. Replace <PIN> with the PIN that should be used for the given slot.

id <CKA_ID>

Use this option to specify the CKA_ID attribute for the key pair. This id is used to associate keys with certificate requests and certificates. Default: A generated id.

noid

Do not generate any CKA_ID.

label <CKA_LABEL>

Use this option to specify the CKA_LABEL attribute for the key pair. A default label is generated if not specified.

login user | so

Use this option to select how to login. so stands for “security officer”. Default: user 

gendsa <key
length>[:<subprime
length>]

Use this option to generate a DSA key pair. Replace <key length> with the DSA key and optional subprime lengths. Set subprime to :256 to use SHA-256 signatures.
Default: 1024:160

genec <curve name>

Use this option to generate an EC key pair. Replace <curve name> with the OID or name of the desired EC curve. Sets the CKA_SIGN/ CKA_VERIFY attributes if not any of the derive or sign options are set. Default: brainpoolP256r1

genrsa <key length>

Use this option to generate an RSA key pair. Replace <key length> with the desired length of the RSA key. Sets all operation attributes if not any of the decrypt, sign or unwrap options are set. Default: 2048

exponent <#>

Use this option to specify the RSA public key exponent. Default: 0x10001

decrypt

Sets the CKA_ENCRYPT and CKA_DECRYPT attributes for the generated RSA key pair. Default: Not flagged.

derive

Sets the CKA_DERIVE attribute for the generated EC key pair. Default: Not flagged.

sign

Sets the CKA_SIGN and CKA_VERIFY attributes for the generated EC/RSA key pair. Default: Not flagged.

unwrap

Sets the CKA_WRAP and CKA_UNWRAP attributes for the generated RSA key pair. Default: Not flagged.

extractable

Sets the attributes CKA_EXTRACTABLE=true and CKA_SENSITIVE=false for a private key. This is not possible for if HSM in FIPS mode (FIPS 140-2 level 3).
Default: CKA_EXTRACTABLE=false and CKA_SENSITIVE=true.

force

Use this option if you want the utility to replace an existing key with the same ID. Default: Not flagged.

nopinpad

If set, hwsetup will ignore reports from the PKCS#11 library that it has a pin pad, a smart card reader, or some other means of protecting the key objects, and sends the command line pin provided to the library anyway. This setting should not be needed other then in rare cases of HSM vendors with non-standard PKCS#11 implementations. Default: Not flagged.

Example

To generate an RSA key pair with the key length 2048 bits:

Example: Generate RSA key pair with key length 2048 bits 
hwsetup -libname crypto -slot 1 -pin abcd -id mykey -genrsa 2048